California GDPR: Preparing Your Data Center for CCPA Compliance

By: Ernest Sampera on February 11, 2020

After the European Union’s General Data Protection Regulation (GDPR) went into effect in 2018, a growing number of governments have begun to review their own data privacy standards and consider how to best strengthen them to protect the privacy of their citizens. In the United States, California has positioned itself among the vanguard of this movement with the passage of the California Consumer Privacy Act (CCPA), which went into effect in January of 2020.

While it’s often referred to as the “California GDPR law” or “California’s GDPR,” it’s helpful to understand CCPA on its own terms, how it impacts companies in the business of data collection, and how it differs from the GDPR.

What is CCPA? Understanding the “California GDPR Law”

Passed by the California legislature in 2018, the California Consumer Privacy Act represents the first major attempt by a US state to establish a statewide standard regarding citizens’ data privacy rights. Prior to the passage of CCPA, companies were not legally obligated to inform people about what data they’re collecting or how they’re using it for business purposes. While the law still permits organizations to make use of data in public government documents, they cannot use other sources to collect data that could be used to identify or characterize California residents and sell that data without consent. This could range from social media data and internet browsing history to biometric information and location-based data. In addition to opting out of the sale of personally identifiable data, the law also allows Californians to request the deletion of that data.

But the impact of the CCPA compliance extends far beyond the borders of California. While many of the rights outlined in the law apply specifically to residents of California, the fact that nearly 40 million people (roughly one out of eleven Americans) live in the state means that most companies are choosing to treat the law as a de facto national compliance standard. Rather than developing policies for each state, it’s far more cost-effective for organizations to simply base their data privacy policies on the strictest guidelines they’re likely to encounter. With other states developing CCPA-like regulations in the continued absence of a true national standard, using the law as a foundational baseline will make it easier to meet additional requirements.

CCPA vs GDPR: Are They Really the Same?

The California Consumer Privacy Act was destined to be compared to the European Union’s GDPR standard. While there are some similarities between the two, the CCPA is not as strict as its European counterpart in the way it regulates data collection. The GDPR requires companies to obtain consent prior to collecting data of any kind. By contrast, the CCPA doesn’t prevent the collection of data, only the sale of it. The GDPR also has a number of measures in place to force companies to minimize the amount of data they gather in the first place. More importantly, the GDPR imposes its strict requirements on any organization that collects data for any reason, whereas CCPA compliance focuses primarily on the actions of for-profit businesses that met very specific characteristics.

Another important difference has to do with the penalties for non-compliance. In general, GDPR fines are much more proactive because regulators can impose fines for simply failing to comply with the law regardless of whether or not there were damages involved. GDPR fines can reach a maximum of $22 million euros or four percent of the violating company’s global revenue, whichever is higher. CCPA takes a more reactive approach, only handing down fines after a data breach occurs. While pre-existing violations related to the breach can be fined individually after a breach occurs and consumers retain the right to individually sue the responsible party, no fines can be imposed in the absence of a breach.

Under CCPA guidelines, organizations can still make use of personal data even after people opt out if they take steps to anonymize that data and strip it of any identifiable information. Critics of the law have pointed to this allowance (and the law’s lax approach to smaller companies) as a loophole that allows companies to continue to profit from selling personal data.

CCPA Compliance Checklist

There are a few important steps every company should take to ensure that it has the best data controls in place to protect its operations from falling outside the scope of CCPA guidelines.

1. Map Data Flow

If an organization is collecting any data at all from existing or potential customers, it needs to know where that data is located at all times and how it moves through an IT environment. By mapping out the flow of data, companies can account for how that information is being handled and prevent any oversights that could result in a data breach and a crippling fine or legal action.

2. Strengthen Data Security Controls

This should be a priority for any organization to begin with, but the heightened awareness created by CCPA is a good opportunity to review and reassess information security policies, update encryption protocols, and manage access lists. A thorough information security audit based on ISO 27001 standards can help to expose any potential vulnerabilities.

3. Store Consent Records

Keeping clearly defined records of who has opted-out of having their data sold and who has consented is critically important. Under CCPA guidelines, someone who has opted-out may not be invited to opt-in again for 12 months. Having this data readily available will also make it easier to demonstrate compliance in the future.

4. Update Privacy Policies

From a legal standpoint, organizations are required to inform users about their obligations under the law and the rights afforded to users under CCPA. Updated privacy policies should be made available on public-facing websites as well as physical stores. The CCPA also contains provisions regarding consent for minors, so age verification may need to be added to some websites.

5. Educate Employees

Like any other change in data security policy, organizations must take additional steps to educate employees about what new guidelines are in place, why they’re important, and how they function. By raising awareness about the requirements and scope of CCPA compliance, companies can keep confusion to a minimum and adapt to the new standards with minimal disruption.

CCPA Guidelines and Your Data Center

Organizations that have outsourced their data center infrastructure to a colocation provider will continue to have a leg up on their competitors when it comes to data security compliance. While the responsibility to build and maintain a secure IT environment still falls to them, a colocation data center offers the resources and visibility needed to manage data effectively. These facilities already have compliance in mind, especially after the rush to meet the exacting standards of the GDPR in recent years.

Rather than struggling to adapt outdated on-premises infrastructure to meet the data management requirements of CCPA, organizations can turn to colocated environments and trust that their IT partners will be able to meet the same standards. With more changes likely to come in the years following the rollout of CCPA guidelines, having that peace of mind in place can help companies focus on growing their business instead of constantly worrying about compliance violations.

Speak to an Expert About Your Company's Specific Data Center Needs