California Consumer Privacy Act (CCPA) is the new privacy law in California that affects a lot of organizations due to its extraterritorial effect. We have already covered CCPA with a high-level overview, covering what is it about, who is bounded to comply with it, what are the penalties and what technical safeguards need are required. Here we want to give a deeper dive into the regulation and how our products help you be compliant.
Our CEO and Solutions Architect Bozhidar Bozhanov recently published a technical guide to CCPA which we recommend reading. As stated there, CCPA is focused primarily on users’ rights and limitations on the sale of personal data. The law does not have data confidentiality requirements because, as argued in the law itself, this is subject to different legislation. So many of the best practices that we have been recommending to customers are outside the scope of CCPA. Not all, however, is about what text should be present on which page in order to allow users to exercise their rights.
There are still subtle and not-so-subtle technical requirements that either is directly spelled out or immediately follow from the regulation. Below is a table that demonstrates some of these most challenging requirements and how to cover them using our products: SentinelDB – the secure database with per-record encryption, and SentinelTrails – a blockchain-protected, secure audit trail.
|CCPA requirements||How SentinelDB and SentinelTrails cover them|
|Right of access to personal data – consumers must be provided with all personal data that a company has collected about them||SentinelDB lets you connect each Record with a User profile, thus allowing automatic export of all personal data for a given user without additional effort, making it possible to fulfill such requests in a timely manner.|
|Deletion of data – consumers can request their data be deleted||SentinelDB supports “forget user” functionality out of the box. Furthermore, the system leaves tamper-evident digital evidence of this action.|
|Data lineage – a company has to keep track of where it has sent data and where has data come from||SentinelDB allows you to set any metadata on a given Record and User object, allowing you to specify the source and target of each data exchange and then query by this metadata.
SentinelTrails (which is also fully integrated with SentinelDB) makes traceability easy for every action concerning sending/receiving data, giving information like the exact time when it happened, where it happened, and how it happened.
|Tracking all consumer rights requests||SentinelDB has out of the box functionality for logging data protection rights requests as well as their details and results.
SentinelTrails keeps logs of all incoming consumer rights requests, who took care of them and what is their progress.
|Pseudonymization – you are allowed to share pseudonymized data (e.g. for research purposes) where the identifying data is replaced with a pseudonym that can only be revealed if you possess some secret||SentinelDB offers out of the box flexible pseudonymization functionality to allow for exporting pseudonymized data and subsequently importing the result of operations carried out outside the organization on the data.|
|Audit log – because companies need to demonstrate that they have complied with user requests and that they know their data flows, an audit log of all modifications, exports, and user requests has to be kept||SentinelTrails offers full provable traceability of all operations, concerning consumer data. SentinelTrails’ advanced event logging can be used as forensic evidence or just a source of information in terms of auditing.|
We believe that a good privacy-preserving datastore has to not only properly encrypt data and authenticate access to data, but also be regulation-friendly by offering sophisticated compliance features. This has been one of our driving factors when designing our secure database SentinelDB and it’s rather easy to support the requirements of CCPA with that foundation.