January 2021
The California Consumer Privacy Act (CCPA) is the premier law in the United States that addresses individuals’ rights to control their personal information. With a state-level economy greater than many nations, compliance with the CCPA is a practical necessity for most global businesses, even those that are not headquartered in California.
The California Consumer Privacy Act is a broadly scoped statutory law that provides certain rights and remedies to California residents, called consumers. Some refer to it as the first comprehensive privacy law in the United States, although it does not directly align with the issues addressed by the GDPR. The CCPA addresses some consumer rights that the GDPR does not include, such as the right to prohibit the sale of their information and a prohibition on discrimination for consumers exercising their rights. However, the CCPA does not distinguish controllers and processors like the GDPR does, opting instead to recognize entities and their service providers. Also unlike the GDPR, it does not prescribe obligations for controllers and processors regarding personal information. Furthermore, the CCPA applies only to businesses that exceed certain revenue and data quantity requirements that are far in excess of the more limited exceptions of the GDPR.
The differences in these two legal requirements, however, do not necessarily require two separate programs for compliance. Similarities between the laws, based on fundamental privacy principles, mean that systems and processes used to identify personal information are useful in a legal compliance program that addresses both laws. For example, both laws state that data subjects have a right to access, correct, delete, and obtain information about disclosure of their personal information. Data management that includes the ability to identify, locate, and act upon such access requests by the data subject benefit both CCPA and GDPR compliance. Other CCPA requirements, such as the ability to respect a consumer’s instructions to refrain from selling personal information and to provide services in a nondiscriminatory manner, may require processes in addition to those designed for GDPR compliance.
NetApp is committed to respecting the privacy rights of all individuals. Headquartered in Silicon Valley, California, NetApp recognizes the importance of the CCPA as the premier law in the United States that addresses consumers’ rights regarding their personal information. We are committed to respecting these rights and operating in ways designed to comply with the CCPA.
NetApp does not sell personal information. This means that many of the CCPA requirements to respect consumers’ rights to avoid the sale of their personal information do not require changes to our current processes for handling personal information. Similarly, since we don’t sell personal information, we are in no danger of treating customers in a discriminatory manner, because we are able to provide the same products and services to all of our customers, without concern for whether we are able to monetize their information.
The CCPA also has specific requirements for what we disclose about the personal information we collect and use, and also for how we disclose that information. Our updated Privacy Policy addresses these requirements with new items such as “categories of information collected” and “categories of sources of information.” Because the categories and sources of information can vary depending on the context in which consumers interact with NetApp, our updated Privacy Policy also addresses the different contexts in which we might collect and use personal information.
One of the most challenging aspects of the CCPA is how quickly it is evolving. The California legislature and the state attorney general’s office continue to release clarifications, changes, and guidance. Although keeping up with this evolution requires continual effort, we are confident that our underlying values and the privacy principles that are built on those values provide a solid foundation that support agile privacy practices.
Like most companies, NetApp has access to a variety of categories of personal information from many different sources. The information collected and where it is collected from vary based on the context of the interaction between NetApp and a consumer. Many of the requirements of the CCPA share underlying principles with the GDPR, and practices implemented by NetApp for GDPR compliance are also used to manage personal information under the CCPA. For example, we keep our Privacy Policy up to date to address GDPR and CCPA notification requirements, and we will continue to update it as new laws come into place.
NetApp also maintains practices for securing personal information and responding to data subject access requests that are designed to meet the requirements of both the GDPR and CCPA.
Many of the requirements of the CCPA share underlying principles with the GDPR, and practices implemented by NetApp for GDPR compliance are also used to comply with the CCPA. These practices include features in NetApp products and services that either have built-in functionality or provide the ability to be configured in a manner that empowers our customers to comply with the CCPA. For example, consumers’ rights to access, delete, and modify the information that NetApp has collected can, in some cases, be through self-service access to NetApp services.
Some rights granted under the CCPA, such as the right to prohibit the sale of personal information, are not applicable because NetApp does not sell this information as part of its business model. Additionally, not only is it against our policy to discriminate against consumers exercising their rights under the CCPA, there is also no business reason to do so, because our revenue model is not based on the sale of personal information.
Yes. Our commitments to comply with the CCPA vary based on whether we are collecting your personal information or acting as a service provider to customers who are collecting personal information. When NetApp collects your personal information, our commitments are in our Privacy Policy. When NetApp is a service provider under the CCPA to customers who collect personal information, we make commitments in our customer contracts, including our Customer Data Processing Agreement, about how we process personal information. We back these contractual commitments with processes and policies designed to comply with the CCPA that were developed based on our core values as delineated in our corporate Code of Conduct.
The CCPA is often compared to the GDPR, but the two laws are not the same. In addition to the obvious differences in jurisdiction and rules of legal interpretation that exist between those jurisdictions, they have a number of substantive statutory differences. For example, the definition of consumer in the CCPA is broader than the definition of data subject under the GDPR, because it includes identifiable households as well as individuals. The CCPA also restricts activities that the GDPR does not, such as selling personal information, and it has specific requirements for privacy policy disclosures that a GDPR-compliance privacy policy does not necessarily meet.
However, the GDPR and CCPA do have significant similarities, particularly in the area of individuals’ rights regarding their personal information. Both laws recognize the rights of individuals to access and delete personal information collected from them, and both require transparent disclosures regarding how that information is collected and used. Therefore, underlying systems to identify, track, and maintain personal information for the purposes of compliance with the GDPR may also be useful in complying with similar obligations under the CCPA.
Every entity is different in its products, services, operations, risk profile, and preferences. A comprehensive CCPA compliance program depends on the type and nature of personal data that is collected, the purpose and use of such data, and the operational capabilities and risk tolerances of the company. Therefore, you need to work with your legal and business advisors to determine the best strategy for your company to comply with the CCPA.
Once you have determined your strategy, NetApp offers a variety of products and services with tools that can help implement it and that can be used in your privacy operations and CCPA compliance program. These products and services include the Cloud Data Sense service to help you identify certain personal information present in your data, NetApp SnapCenter technology to support backup and recovery, Cloud Insights to annotate data to indicate the presence and treatment of personal information, and FPolicy for privacy operations and policy enforcement.
Automated, AI-driven data privacy controls support compliance with the GDPR, the California Consumer Privacy Act (CCPA), and other data privacy regulations.
