
How to Meet California Consumer Privacy Act (CCPA) Requirements with AWS

On January 1, 2020, the rules that apply to the way businesses collect, store, and use personal information about consumers will change dramatically. That’s the date on which the California Consumer Privacy Act (CCPA) goes into effect. CCPA fundamentally changes the dynamic between consumers and the businesses they transact with. 

Many companies are scrambling to ensure they will comply with the new law on its effective date, yet much uncertainty remains, particularly about how to ensure CCPA compliance for the data they store on Amazon Web Services. This primer explains the features in AWS that help companies confirm their cloud data will be in full compliance with CCPA at the start of the new year.

CCPA Explained

California’s new privacy regulations add many responsibilities for businesses that collect private information about their customers:

  • Businesses must provide to consumers who request it the private data the business collects from them, the categories of information being collected, the categories of sources of the information, and what purpose the company uses the data for.
  • Businesses must also reveal to consumers upon request the categories and identities of any third parties the company sells their private data to, or with whom the organization shares the information “for a business purpose.”
  • Businesses are required to honor “verified” requests made by consumers to delete the personal information the company has collected about them.
  • Businesses must also allow consumers to opt out of having their private information collected, and firms are prohibited from discriminating against any customers who choose not to share their personal data. This includes a prohibition against charging extra or substituting a different quality of products and services to such customers, unless the charge is “reasonably related to value provided by the consumer’s data.”

CCPA applies to any for-profit business that is based in or does business in California, so long as it meets at least one of three criteria, as Forbes explains:

  • It records gross annual revenue of $25 million or more. 
  • It receives or shares personal information about more than 50,000 consumers.
  • It earns at least half of its annual revenue by selling private information about California consumers.

Much of the uncertainty surrounding a qualifying business’s responsibilities regarding CCPA is due to questions about what constitutes “personal information” subject to the law. The Data Protection Report outlines the categories of data CCPA applies to:

  • Search and browser histories, data relating to a consumer’s interaction with a site’s ads or other content, and any other “electronic network activity.”
  • Any unique personal identifier, including the consumer’s IP address.
  • Any “audio, electronic, visual, thermal, and olfactory information” about consumers.
  • All geolocation data.

More broadly, CCPA’s definition of private information includes all “inferences drawn” from the data that are used to create a profile of the consumer that includes the person’s “characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”

Penalties for violating CCPA include civil fines of $2,500 for each time a company fails to honor a consumer’s request to remove private information within 30 days of receiving the request. Intentional violations of the statute may lead to penalties up to $7,500 per violation as a result of suits filed by the California Attorney General’s office, as Clarity in Privacy explains. Consumers may file suit independently under CCPA and may be awarded from $100 to $750 per consumer per incident, or actual damages if they exceed the per-incident cap.

How AWS Helps Support the Requirements of CCPA

To comply with CCPA, businesses must first identify the personal information they collect from consumers, determine where the data is stored, and establish with whom it is shared. The International Association of Privacy Professionals (IAPP) highlights the challenges of determining whether a company’s data-sharing falls under the CCPA’s definition of a “transfer for a business purpose.”
Any use of personal information “for the operational purpose of the business or its service provider” is subject to CCPA regulations if it is “reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed.” A broad interpretation of this section of the statute makes all data a business stores on Amazon Web Services (AWS) subject to CCPA.

In July 2018, AWS issued a white paper entitled “Preparing for the California Consumer Privacy Act” that outlines the impact of the law on the service’s business customers. In the AWS Shared Responsibility Model, responsibility for security is shared between AWS and its customers: AWS “operates, maintains, and controls the infrastructure,” from the host OS and virtualization layer to the physical security of the facilities the service operates. AWS customers are responsible for managing the guest OS, including patches and updates, as well as “associated application software” and configuration of the security group firewall provided by AWS.


In the AWS Shared Responsibility Model, security “of” the cloud is the responsibility of AWS, while security “in” the cloud is the responsibility of customers. Source: Amazon Web Services

Among the AWS services that help with data collection are Amazon Simple Storage Service (S3), DynamoDB, and Redshift:

  • S3 is used to identify and manage access to personal information via object metadata, object tagging, and lifecycle management, all three of which allow AWS customers to securely collect personally identifiable information (PII) upon request.
  • To support data awareness, several AWS services help notify and inform consumers about their personal information that is subject to CCPA requirements: Config, Simple Email Service (SES), Connect, and Lex, all of which can notify consumers via a hosted application or by telephone.

Work with an AWS Partner to Understand CCPA’s Implications for Your Business

Companies face serious financial penalties should they fail to comply with CCPA requirements for safeguarding the private information of consumers and responding to consumer requests relating to their personal data. Yet the costs of ensuring compliance in time and resources are not trivial. 

As the clock winds down to the new year, companies should work to ensure their IT systems will be in full compliance by the January 1, 2020, deadline. To become compliant, businesses need to work through five key steps, as described in Information Management:

  • Conduct a data and systems inventory.
  • Evaluate and rework external privacy notices and policies.
  • Put a process in place for consumer rights requests.
  • Create a “do not sell my personal information” button.
  • Document the company’s compliance with consumer requests not to sell their private data.

Meeting the requirements of CCPA means much more than simply avoiding potential fines for violations. As so many businesses have learned the hard way, once you’ve lost the trust of your customers, it’s incredibly difficult—and expensive—to win it back. When it comes to maintaining the confidence of consumers, an ounce of prevention is worth much, much more than a pound of cure.

Author Spotlight:

Mark Medina
