state-of-california_ccpa-compliance
Blog Post

How to Maintain CCPA Compliance in the Cloud

As more organizations find themselves under scrutiny for the way they collect and use consumer data, maintaining CCPA compliance has never been more important. CCPA has been introduced to give control back to consumers, however, this effort is only as good as organizations’ ability to comply. And before organizations can comply, they need to find and secure the data they’re looking for — which presents unique challenges on its own. 

In our cloud-based world, where the average company manages 162.9 terabytes of data scattered amongst multiple applications, organizations’ ability to maintain CCPA compliance is largely dependent on the strength of their data retention and discovery controls. In this article, we’ll dive into the specifics of what CCPA is and how you can remain compliant while operating in the cloud.

What is CCPA compliance?

The California Consumer Privacy Act or CCPA became effective on January 1, 2020 and is the first data privacy law of its kind to be enacted in the United States. Despite being a state-level law to protect consumer privacy, CCPA compliance applies to for-profit businesses anywhere in the world that manage California citizens’ personal information. Although there is no federal-level equivalent of CCPA, the regulation, alongside Europe’s similar General Data Protection Regulation or GDPR, are widely considered benchmarks for federal legislation. In fact, it’s likely to become a blueprint for future laws in other states.

CCPA aims to give consumers greater control over their personal information that gets collected during business operations like marketing activities and sales transactions. To adhere to CCPA compliance, businesses must grant these four fundamental rights to all residents of California:

ccpa-law_ccpa-compliance

The CCPA also defines three thresholds of businesses that need to comply. If your company falls into one or more of the following categories, it must adhere to CCPA compliance:

business-requirements-for-ccpa_ccpa-compliance

Companies must address any violations that regulators notify them of within 30 days or face fines of up to $7,500 per record compromised. Data breaches and leaks often comprise up to thousands of stolen records, so it’s not hard to see how quickly these fines can add up.

The major differences between CCPA and GDPR

CCPA compliance is often compared to GDPR compliance, but there are some big differences between the two. Perhaps the biggest difference is that GDPR requires businesses to have consumers’ consent prior to the collection and usage of their data, whereas CCPA only requires businesses to let consumers opt-out of collection and usage. Another major difference is that GDPR defines personal data as any kind of information relating to an identified or identifiable individual, whereas CCPA defines personal data as any personal information pertaining to an individual’s characteristics, including biometric data and physical and genetic characteristics. When developing a plan for CCPA compliance, it’s important to keep these in mind. 

How to maintain CCPA compliance in the cloud

Almost every business is now using the cloud, and the benefits of doing so are without question. But the advantage of the cloud’s remote accessibility is also its greatest vulnerability. Anyone with the necessary credentials can access a system bearing sensitive data, at which point businesses risk serious data breaches and privacy violations. This isn’t helped by the fact that organizations have little to no control over the physical security of the cloud-hosted systems they use, particularly in the case of the public cloud.

security-in-the-cloud_ccpa-compliance

The lack of interoperability between many popular cloud apps and in-house systems is also to blame. It’s much harder to apply security and privacy measures at the massive scale required when all apps have their own unique capabilities and limitations. Managing user permissions and security measures across so many apps and devices is rarely a simple process but is necessary for maintaining CCPA compliance. Here are a few tips to get your organization on track.

1. Change your mindset

It’s easy to think of CCPA compliance as a costly burden, however, changing your mindset is the first step towards compliance success. Think of it instead as something that can add value to your organization by reducing risk, strengthening reputation, and even opening up new lines of business. Preparing your systems and processes for compliance now, even if you’re not yet required to do so by law, will help future-proof your organization when similar regulations start to crop up.

2. Unify your data governance processes

To gain visibility and control over your data, you need to consolidate it. This doesn’t necessarily mean bringing everything back in-house or even restricting yourself to a handful of vendors – it simply means uniting it under a centralized management platform. It’s a good idea to look for a platform that leverages artificial intelligence and machine learning to identify and classify sensitive information. By implementing a solution like this, you can simplify your data governance processes enormously, and maintain CCPA compliance with less friction.

3. Protect against unauthorized access

Cloud security and privacy revolve around various domains, but one of the most important is identity and access management (IAM) or managing user access privileges. It’s imperative that companies take every necessary step to protect their data (and consumers’ data) behind multiple layers of security, including multi-factor authentication and encryption. While you might not have control over the physical security of assets stored in the cloud, any reputable cloud provider follows a shared responsibility model, which should clearly outline the security and privacy responsibilities for both parties. When thinking about CCPA compliance, or any regulation for that matter, this is a core security model that should be worked into your IT system as a whole.

4. Set a process for responding to Data Subject Access Requests or DSARs

CCPA gives consumers the right to request that any personal data of theirs an organization is holding be erased. If this happens, the said organization must respond within 45 days (although an extension of up to 90 days may be allowed in specific cases). These requests are called data subject access requests (DSARs) and if you don’t know where your data lives,  the process can be complicated to say the least. 

To avoid this pitfall, we recommend a) developing a strong data retention policy so you know what data has been retained, archived, or deleted b) identifying the systems where consumer data lives as well as their owners who you’ll need to collaborate with, and c) implementing a solution that will unify, protect, index, and classify data from all of your applications in one place. By taking these initiatives, finding consumer data upon request will be much easier, which in turn will make maintaining CCPA compliance a less painful process.

Finding the data you need in disparate cloud applications is already a challenge without the pressures of CCPA compliance. However, the privacy landscape is rapidly evolving and laws are bound to get even more complex, so the sooner organizations are prepared to comply, the better. 

Curious how Onna can help you identify sensitive PII like social security numbers, passports, and keywords containing sensitive language across your apps? Check out our compliance features or book a demo to see the platform in action.