California Consumer Protection Act (CCPA) and cloud computing

March 17, 2020

A blog post by By David Linthicum, chief cloud strategy officer, Deloitte Consulting LLP

The California Consumer Protection Act (CCPA) took effect on January 1 with the purpose of securing new privacy rights for California consumers. Businesses are subject to the CCPA if one or more of the following are true:

• Has gross annual revenues in excess of $25 million
• Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices
• Derives 50 percent or more of annual revenues from selling consumers’ personal information a range of entities that do business in California and also collect personal information about California consumers

CCPA is not specifically targeted at cloud providers. However, providers have to supply compliance tools to their existing and future customers to help them adhere to the CCPA’s requirements. While most of these tools are available today, including security management, data governance, and encryption, providers also want to offer their customers frameworks and guidance to help comply with CCPA.

From what I have seen, providers see new regulatory requirements as an opportunity to attract new subscribers and are pitching their tools and services as the most cost effective and fastest way to comply. Before you listen to provider pitches, here are a few things that businesses affected by the CCPA should consider:

• Understand CCPA at the detail level. It’s up to you to figure out what’s relevant to your business and how to comply.
• Understand your metadata. Since this is about the care of data from encryption to deletion, you need to understand what the data means. Which data is affected by the CCPA, and which is not?
• Review and update internal policies. For instance, current data retention policies may now be declared non-compliant, and those polices must change. Staff also needs to understand the new policies.
• Need for absolute deletion. If you think items deleted on public cloud providers go away that exact instant, you would be in for a surprise. Backup and recovery activities, as well as duplicate data created for use by applications, routinely creates private data that may not go away when the delete button is pressed. Cloud providers do offer completely unrecoverable deletion services, but you’ll have to understand how each service pulls it off to make certain it’s CCPA-compliant.
• Need to update security. If your business falls within the parameters of the new CCPA regulations, your entity’s on premises and public cloud security systems need to be reevaluated. Some of this may take longer and cost more than you think. This is a good time to understand the impact, even mitigating noncompliance.

Your heart rate may be spiking right now from the potential expense and disruption of what I outlined. But before you panic, remember that compliance issues are not new. CCPA is just another set of procedures and policies that the affected entities must now adhere to in addition to the compliance requirements that are in place.

If you’re new to compliance requirements, this is a good time to connect with your legal and compliance colleagues to understand how IT–and specifically cloud–fit into the organization’s overall regulatory and compliance strategy. You can expect that audits will be part of the approach, as well as continual process updates as regulations like CCPA evolve.

Keeping up with regulatory and compliance issues is now a fundamental fact of IT life. I wonder how long it will take most colleges and universities to realize the need for student instruction in this discipline?