Understanding the CCPA in a global context
The California Consumer Privacy Act is a broadly scoped statutory law that provides certain rights and remedies to California residents, called consumers. Some refer to it as the first comprehensive privacy law in the United States, although it does not directly align with the issues addressed by the GDPR. The CCPA addresses some consumer rights that the GDPR does not include, such as the right to prohibit the sale of their information and a prohibition on discrimination for consumers exercising their rights. However, the CCPA does not distinguish controllers and processors like the GDPR does, opting instead to recognize entities and their service providers. Also unlike the GDPR, it does not prescribe obligations for controllers and processors regarding personal information. Furthermore, the CCPA applies only to businesses that exceed certain revenue and data quantity requirements that are far in excess of the more limited exceptions of the GDPR.
The differences in these two legal requirements, however, do not necessarily require two separate programs for compliance. Similarities between the laws, based on fundamental privacy principles, mean that systems and processes used to identify personal information are useful in a legal compliance program that addresses both laws. For example, both laws state that data subjects have a right to access, correct, delete, and obtain information about disclosure of their personal information. Data management that includes the ability to identify, locate, and act upon such access requests by the data subject benefits both CCPA and GDPR compliance. Other CCPA requirements, such as the ability to respect a consumer’s instructions to refrain from selling personal information and to provide services in a nondiscriminatory manner, may require processes in addition to those designed for GDPR compliance.
NetApp and the CCPA
NetApp is committed to respecting the privacy rights of all individuals. Headquartered in Silicon Valley, California, NetApp recognizes the importance of the CCPA as the premier law in the United States that addresses consumers’ rights regarding their personal information. We are committed to respecting these rights and operating in ways designed to comply with the CCPA.
NetApp does not sell personal information. This means that many of the CCPA requirements to respect consumers’ rights to avoid the sale of their personal information do not require changes to our current processes for handling personal information. Similarly, since we don’t sell personal information, we are in no danger of treating customers in a discriminatory manner, because we are able to provide the same products and services to all of our customers, without concern for whether we are able to monetize their information.
One of the most challenging aspects of the CCPA is how quickly it is evolving. The California legislature and the state attorney general’s office continue to release clarifications, changes, and guidance. Although keeping up with this evolution requires continual effort, we are confident that our underlying values and the privacy principles that are built on those values provide a solid foundation that supports agile privacy practices.
Frequently asked questions
How does NetApp manage personal information to comply with the CCPA?
NetApp also maintains practices for securing personal information and responding to data subject access requests that are designed to meet the requirements of both the GDPR and CCPA.
How do NetApp products and services address CCPA requirements?
Many of the requirements of the CCPA share underlying principles with the GDPR, and practices implemented by NetApp for GDPR compliance are also used to comply with the CCPA. These practices include features in NetApp products and services that either have built-in functionality or provide the ability to be configured in a manner that empowers our customers to comply with the CCPA. For example, consumers’ rights to access, delete, and modify the information that NetApp has collected can, in some cases, be exercised through self-service access to NetApp services.
Some rights granted under the CCPA, such as the right to prohibit the sale of personal information, are not applicable because NetApp does not sell this information as part of its business model. Additionally, not only is it against our policy to discriminate against consumers exercising their rights under the CCPA, there is also no business reason to do so, because our revenue model is not based on the sale of personal information.
Does NetApp make commitments to customers regarding the CCPA?
If I have a GDPR compliance program, do I need to worry about complying with the CCPA?
However, the GDPR and CCPA do have significant similarities, particularly in the area of individuals’ rights regarding their personal information. Both laws recognize the rights of individuals to access and delete personal information collected from them, and both require transparent disclosures regarding how that information is collected and used. Therefore, underlying systems to identify, track, and maintain personal information for the purposes of compliance with the GDPR may also be useful in complying with similar obligations under the CCPA.
Can NetApp help my organization comply with the CCPA?
Every entity is different in its products, services, operations, risk profile, and preferences. A comprehensive CCPA compliance program depends on the type and nature of personal data that is collected, the purpose and use of such data, and the operational capabilities and risk tolerances of the company. Therefore, you need to work with your legal and business advisors to determine the best strategy for your company to comply with the CCPA.
Once you have determined your strategy, NetApp offers a variety of products and services with tools that can help implement it and that can be used in your privacy operations and CCPA compliance program. These products and services include the Cloud Compliance service to help you identify certain personal information present in your data, NetApp SnapCenter technology to support backup and recovery, Cloud Insights to annotate data to indicate the presence and treatment of personal information, and NetApp Policy for privacy operations and policy enforcement.