The enforcement deadline for the California Consumer Privacy Act (CCPA) passed a couple of weeks ago, so for all intents and purposes it’s now in effect. The CCPA was modeled after the European Union’s General Data Protection Regulation (GDPR) that requires companies to share how personal data gets collected and gives consumers the option to have their data deleted. While the California law may result in greater penalties for businesses that aren’t careful with consumer data, it will also create a safer and more transparent environment for businesses and consumers that makes digital innovation possible.
The CCPA, much like GDPR, sets the rules of the road for data collection and security so consumers feel comfortable sharing personal information when necessary and companies have a clear understanding of what practices to follow. These rules help ensure that people will feel safe using technology that requires personal information. Without these protections, companies that adopt the most unscrupulous data storage processes could undermine the sense of trust that supports most activity online today.
How To Handle Personal Data
The CCPA and GDPR are fairly similar, but there’s an important difference in the way backups are handled. Essentially, the CCPA regulations do not apply to information stored as a backup or archive. However, as soon as that data gets restored, companies need to remove personal information that a user has asked the business to delete. While this difference doesn’t have a meaningful effect on the way the law works for consumers, it’s important for businesses to consider when reviewing their backup strategy.
At first glance, the exemption appears to let companies ignore the issue entirely when it comes to backup data, but it’s not that simple. Companies have to find a way to delete the personal information they were asked to remove, yet still have a way to recover to an older copy of their data. So for companies to comply with the California law, they must make sure that when that backup data gets restored, they remove the personal data again, or they need to find a way to delete specific personal information from backup data copies on demand.
Many organizations don’t have the ability to search through data copies after they’re put in a backup system. And even when companies can search specific backup copies and remove personal information, they may not have a way to track where all those copies are stored across the enterprise. Having multiple backup systems might look like a good way to add extra layers of protection against data loss, but with the privacy law, each backup copy could present itself as a potential violation in waiting. Data transparency that lets companies easily understand what data gets stored, no matter what location, offers the best path to compliance with the new law.
Take A Comprehensive Approach to Data Management
Mapping out the CCPA’s effect on day-to-day business underscores why organizations need to take a comprehensive approach to data management no matter where the data gets stored, including backups and archiving. Although it’s often easy and inexpensive to create and store data copies, these additional copies can create problems down the line without a system in place that tracks and manages all the accumulated data. Strong data governance policies and procedures can help avoid an incident that’s much more costly to address later and could cause irreparable harm to your company’s brand. While the Covid-19 period has slowed down many privacy bills in state legislatures across the country, expect these measures to get passed in more states once the country returns to normal operations and state legislatures start meeting again.
Steve Grewal, CTO Federal and Eastern US, Cohesity