December 3, 2019
The Advantages of AWS Control Tower
On January 1, 2020, the rules that apply to the way businesses collect, store, and use personal information about consumers will change dramatically. That’s the date on which the California Consumer Privacy Act (CCPA) goes into effect. CCPA fundamentally changes the dynamic between consumers and the businesses they transact with.
Many companies are scrambling to ensure they will comply with the new law on its effective date, yet much uncertainty remains, particularly about how to ensure CCPA compliance for the data they store on Amazon Web Services. This primer explains the features in AWS that help companies confirm their cloud data will be in full compliance with CCPA at the start of the new year.
California’s new privacy regulations add many responsibilities for businesses that collect private information about their customers:
CCPA applies to any for-profit business that is based in or does business in California, so long as it meets at least one of three criteria, as Forbes explains:
Much of the uncertainty surrounding a qualifying business’s responsibilities regarding CCPA is due to questions about what constitutes “personal information” subject to the law. The Data Protection Report outlines the categories of data CCPA applies to:
More broadly, CCPA’s definition of private information includes all “inferences drawn” from the data that are used to create a profile of the consumer that includes the person’s “characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
Violating CCPA carries civil fines of $2,500 each time a company fails to honor a consumer’s request to remove private information within 30 days of receiving the request. Intentional violations of the statute may lead to penalties of up to $7,500 per violation in suits filed by the California Attorney General’s office, as Clarity in Privacy explains. Consumers may also file suit independently under CCPA and may be awarded $100 to $750 per consumer per incident, or actual damages if those exceed the per-incident cap.
To comply with CCPA, businesses must first identify the personal information they collect from consumers, determine where the data is stored, and with whom it is shared. The International Association of Privacy Professionals (IAPP) highlights the challenges of determining whether a company’s data-sharing falls under the CCPA’s definition of a “transfer for a business purpose.”
Any use of personal information “for the operational purpose of the business or its service provider” is subject to CCPA regulations if it is “reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed.” A broad interpretation of this section of the statute makes all data a business stores on Amazon Web Services (AWS) subject to CCPA.
In July 2018, AWS issued a white paper entitled “Preparing for the California Consumer Privacy Act” that outlines the impact of the law on the service’s business customers. In the AWS Shared Responsibility Model, responsibility for security is shared between AWS and its customers: AWS “operates, maintains, and controls the infrastructure,” from the host OS and virtualization layer to the physical security of the facilities the service operates. AWS customers are responsible for managing the guest OS, including patches and updates, as well as “associated application software” and configuration of the security group firewall provided by AWS.
In the AWS Shared Responsibility Model, security “of” the cloud is the responsibility of AWS, while security “in” the cloud is the responsibility of customers. Source: Amazon Web Services
Companies face serious financial penalties should they fail to comply with CCPA requirements for safeguarding the private information of consumers and responding to consumer requests relating to their personal data. Yet the costs of ensuring compliance in time and resources are not trivial.
As the clock winds down to the new year, companies should work to ensure their IT systems will be in full compliance by the January 1, 2020, deadline. To become compliant, businesses need to work through five key steps, as described in Information Management:
Meeting the requirements of CCPA means much more than simply avoiding potential fines for violations. As so many businesses have learned the hard way, once you’ve lost the trust of your customers, it’s incredibly difficult—and expensive—to win it back. When it comes to maintaining the confidence of consumers, an ounce of prevention is worth much, much more than a pound of cure.