
NetApp and the CCPA

Earning trust through principled privacy operations and transparency

The California Consumer Privacy Act (CCPA) is the premier law in the United States that addresses individuals’ rights to control their personal information. With a state-level economy greater than many nations, compliance with the CCPA is a practical necessity for most global businesses—even those not headquartered in California.

Understanding the CCPA in a global context

The California Consumer Privacy Act (CCPA) is a broadly scoped statutory law providing certain rights and remedies to California residents, called consumers. While some refer to it as the first comprehensive privacy law in the United States, it is not a direct overlap with the comprehensive issues addressed by GDPR. The CCPA addresses consumer rights, such as the right to prohibit the sale of their information and a prohibition on discrimination for consumers exercising their rights, that the GDPR does not include. But the CCPA also does not distinguish controllers and processors like the GDPR does, opting instead to recognize entities and their service providers. Also unlike the GDPR, it does not prescribe obligations regarding personal information in terms of controllers and processors. Furthermore, the CCPA only applies to businesses that exceed certain revenue and data quantity requirements that are far in excess of the more limited exceptions of the GDPR.

The differences in these two legal requirements, however, do not necessarily require two separate programs for compliance. Similarities between the laws, based on fundamental privacy principles, mean that systems and processes used to identify personal information are useful in a legal compliance program addressing both laws. For example, both laws provide for rights of data subjects to be able to access, correct, delete, and obtain information about disclosures of their personal information. Data management that includes the ability to identify, locate, and act upon such access requests by data subjects will benefit both CCPA and GDPR compliance. Other requirements, such as the ability to respect a consumer’s instructions to refrain from selling personal information and to provide services in a non-discriminatory manner, may require processes in addition to GDPR-designed processes.

NetApp and the CCPA

NetApp is committed to respecting the privacy rights of all individuals. Headquartered in Silicon Valley, California, NetApp recognizes the importance of the CCPA as the premier law in the United States that addresses consumers’ rights regarding their personal information. We are committed to respecting these rights and operating in manners designed to comply with the CCPA.

NetApp does not sell personal information. This means that many of the CCPA requirements to respect consumers’ rights to avoid the sale of their personal information do not require changes to our current processes for handling personal information. Similarly, since we don’t sell personal information, we are in no danger of treating customers in a discriminatory manner, as we are able to provide the same products and services to all of our customers, without concern for whether we will be able to monetize their information.

The CCPA also has specific requirements for not only what we disclose about the personal information we collect and use, but also how we disclose that information. Our updated Privacy Policy addresses this by providing new items such as “categories of information collected” and “categories of sources of information.” Because the categories and sources of information may vary depending on the context in which consumers interact with NetApp, our updated Privacy Policy also addresses the different contexts in which we might collect and use personal information.

One of the most challenging aspects of the CCPA is how quickly it is evolving. The California legislature and the Attorney General’s Office continue to release clarifications, changes, and guidance. While keeping up with the evolution of the CCPA will require continuous effort, we have confidence that our underlying values and Privacy Principles provide a solid foundation capable of supporting agile privacy practices.

Frequently asked questions

How does NetApp manage personal information in light of the CCPA?

Like most companies, NetApp has access to a variety of categories of personal information from a variety of different sources. The information collected and where it is collected from vary based on the context of the interaction between NetApp and a consumer. Many of the requirements of the CCPA share underlying principles with the GDPR, and practices implemented by NetApp for compliance with the GDPR also manage personal information under the CCPA. For example, we keep our Privacy Policy up to date to address GDPR and CCPA notification requirements, and we will continue to update it as new laws come into place.

NetApp also maintains practices for securing personal information and responding to data subject access requests that are designed to meet the requirements of both the GDPR and CCPA.

How do NetApp products and services address CCPA requirements?

Many of the requirements of the CCPA share underlying principles with the GDPR, and practices implemented by NetApp for compliance with the GDPR also manage personal information under the CCPA. This includes features and functionality of NetApp products and services that have either built-in functionality or the capability of being configured in a manner that empowers our customers to comply with the CCPA. For example, consumers’ rights to access, delete, and modify the information that NetApp has collected can, in some cases, be exercised through self-service access to NetApp services.

Some rights granted under the CCPA, such as the right to prohibit the sale of personal information, are not applicable because NetApp does not sell this information as part of its business model. Additionally, not only is it against our policy to discriminate against consumers exercising their rights under the CCPA, but there is also no business reason to do so, because our revenue model is not based on the sale of personal information.

Does NetApp make commitments to customers regarding the CCPA?

Yes. Our commitments to compliance with the CCPA vary based on whether we are collecting your personal information or acting as a service provider to customers who are collecting personal information. When NetApp is collecting your personal information, our commitments are in our Privacy Policy. When NetApp is a service provider under the CCPA to customers who collect personal information, we also make commitments regarding how we process personal information in our customer contracts, including our Customer Data Processing Agreement. These contractual commitments are backed by processes and policies designed to comply with the CCPA and developed from our core values and our corporate Code of Conduct.

If I have a GDPR compliance program, do I need to worry about complying with the CCPA?

The CCPA is often compared to the GDPR, but the two laws are not the same. In addition to the obvious differences in jurisdiction and rules of legal interpretation that exist between those jurisdictions, they have a number of substantive statutory differences. For example, the definition of consumer in the CCPA is broader than the definition of data subject under the GDPR, as it includes identifiable households as well as individuals. The CCPA also restricts activities, such as selling personal information, that the GDPR does not, and has specific requirements for privacy policy disclosures that a GDPR-compliant privacy policy does not necessarily meet.

However, the GDPR and CCPA do have significant similarities, particularly in the area of individuals’ rights regarding their personal information. Both laws recognize individuals’ rights to access and delete personal information collected from them and require transparent disclosures regarding how that information is collected and used. In this manner, underlying systems to identify, track, and maintain personal information for the purposes of compliance with the GDPR may also be useful in complying with similar obligations under the CCPA.

Can NetApp help my organization comply with the CCPA?

Every entity is different in its products, services, operations, risk profile, and preferences. So, you will want to work with your legal and business advisors to determine the best strategy for your company to comply with the CCPA.

Once you have that strategy, NetApp provides a variety of products and services with tools that can help implement that strategy and be used in your privacy operations: Cloud Compliance service to help you identify certain personal information present in your data, NetApp SnapCenter technology to support backup and recovery, Cloud Insights to annotate data to indicate the presence and treatment of personal information, and NetApp FPolicy for privacy operations and policy enforcement.

A comprehensive CCPA compliance program, however, is dependent on the type and nature of personal data that is collected, the purpose and use of such data, and the operational capabilities and risk tolerances of the company. No two entities are alike. NetApp strives to provide all our customers with tools and capabilities to empower them in their efforts, regardless of the scope and nature of their GDPR compliance programs.
