The California Consumer Privacy Act (CCPA) is the premier law in the United States that addresses individuals’ rights to control their personal information. With a state-level economy greater than many nations, compliance with the CCPA is a practical necessity for most global businesses—even those not headquartered in California.
The California Consumer Privacy Act (CCPA) is a broadly scoped statutory law providing certain rights and remedies to California residents, called consumers. While some refer to it as the first comprehensive privacy law in the United States, it is not a direct overlap with the comprehensive issues addressed by GDPR. The CCPA addresses consumer rights, such as the right to prohibit the sale of their information and a prohibition on discrimination for consumers exercising their rights, that the GDPR does not include. But the CCPA also does not distinguish controllers and processors like the GDPR does, opting instead to recognize entities and their service providers. Also unlike the GDPR, it does not prescribe obligations regarding personal information in terms of controllers and processors. Furthermore, the CCPA only applies to businesses that exceed certain revenue and data quantity requirements that are far in excess of the more limited exceptions of the GDPR.
The differences in these two legal requirements, however, do not necessarily require two separate programs for compliance. Similarities between the laws, based on fundamental privacy principles, mean that systems and processes used to identify personal information are useful in a legal compliance program addressing both laws. For example, both laws provide for rights of data subjects to be able to access, correct, delete, and obtain information about disclosures of their personal information. Data management that includes the ability to identify, locate, and act upon such access requests by data subjects will benefit both CCPA and GDPR compliance. Other requirements, such as the ability to respect a consumer’s instructions to refrain from selling personal information and to provide services in a non-discriminatory manner, may require processes in addition to GDPR-designed processes.
NetApp is committed to respecting the privacy rights of all individuals. Headquartered in Silicon Valley, California, NetApp recognizes the importance of the CCPA as the premier law in the United States that addresses consumers’ rights regarding their personal information. We are committed to respecting these rights and operating in manners designed to comply with the CCPA.
NetApp does not sell personal information. This means that many of the CCPA requirements to respect consumers’ rights to avoid the sale of their personal information do not require changes to our current processes for handling personal information. Similarly, since we don’t sell personal information we are in no danger of treating customers in a discriminatory manner, as we are able to provide the same products and services to all of our customers, without concern for whether we will be able to monetize their information.
One of the most challenging aspects of the CCPA is how quickly it is evolving. The California legislature and the Attorney General’s Office continue to release clarifications, changes, and guidance. While keeping up with the evolution of the CCPA will require continuous effort, we have confidence that our underlying values and Privacy Principles provide a solid foundation capable of supporting agile privacy practices.
NetApp also maintains practices for securing personal information and responding to data subject access requests that are designed to meet the requirements of both the GDPR and CCPA.
Many of the requirements of the CCPA share underlying principles with the GDPR, and practices implemented by NetApp for compliance with the GDPR also manage personal information under the CCPA. This includes features and functionality of NetApp products and services that have either built-in functionality or the capability of being configured in a manner that empowers our customers to comply with the CCPA. For example, consumers’ rights to access, delete, and modify the information that NetApp has collected can, in some cases, be exercised through self-service access to NetApp services.
Some rights granted under the CCPA, such as the right to prohibit the sale of personal information, are not applicable because NetApp does not sell this information as part of its business model. Additionally, not only is it against our policy to discriminate against consumers exercising their rights under the CCPA, but there is also no business reason to do so, because our revenue model is not based on the sale of personal information.
However, the GDPR and CCPA do have significant similarities, particularly in the area of individuals’ rights regarding their personal information. Both laws recognize individuals’ rights to access and delete personal information collected from them and require transparent disclosures regarding how that information is collected and used. In this manner, underlying systems to identify, track, and maintain personal information for the purposes of compliance with the GDPR may also be useful in complying with similar obligations under the CCPA.
Every entity is different in its products, services, operations, risk profile, and preferences. So, you will want to work with your legal and business advisors to determine the best strategy for your company to comply with the CCPA.
Once you have that strategy, NetApp provides a variety of products and services with tools that can help implement that strategy and be used in your privacy operations: the Cloud Compliance service to help you identify certain personal information present in your data, NetApp SnapCenter technology to support backup and recovery, Cloud Insights to annotate data to indicate the presence and treatment of personal information, and NetApp FPolicy for privacy operations and policy enforcement.
A comprehensive CCPA compliance program, however, is dependent on the type and nature of personal data that is collected, the purpose and use of such data, and the operational capabilities and risk tolerances of the company. No two entities are alike. NetApp strives to provide all our customers with tools and capabilities to empower them in their efforts, regardless of the scope and nature of their GDPR compliance programs.
How we collect, use, process, store, transfer, and disclose personal information.
Terms, conditions, and other information related to the use of NetApp products and services.
Core values of NetApp that define who we are as a company and what we can expect from each other.
An infrastructure monitoring tool that enables you to monitor, troubleshoot, and optimize all your resources, including public clouds and private datacenters.
Support compliance with the GDPR, California Consumer Privacy Act (CCPA), and other data privacy regulations through personal information discovery and management.
Streamline your backup management with application-consistent backup and clone management.