CCPA: Salesforce Administrators Must Rethink Backup

The California Consumer Privacy Act (CCPA) went into effect starting January 1, 2020. Salesforce administrators must re-examine the way personally identifiable information (PII) is processed.

The CCPA lists Salesforce as a service provider. A for-profit entity that processes a customer’s personal information on behalf of another business (your business), which uses customer data for commercial purposes.

That said, Salesforce is not responsible for the personal information — it’s you, and only you. According to the new Salesforce Data Processing Addendum (DPA):

Customer shall have sole responsibility for the accuracy, quality, and legality of personal data and the means by which customer acquired personal data. Customer specifically acknowledges that its use of the services will not violate the rights of any data subject that has opted-out from sales or other disclosures of Personal Data, to the extent applicable under the CCPA.

You had 18 months to prepare since the time CCPA was signed into law. Time’s up!

Still unsure about the new compliance regulation? In that case, let’s start with defining CCPA.

CCPA empowers residents of the sunshine state to know exactly what personal information of theirs is collected and used by businesses. It gives people the right to delete personal information gathered by the business.

CCPA considers the following as personal information:

  • Demographic information (i.e. name, address, email)
  • A unique identifier, such as an IP address
  • Account or Social Security Number
  • Driver’s license or passport
  • Personal property records
  • Online activity
  • Biometric, geolocation, employment, and education data

Examples of personally identifiable information as defined by the California Consumer Privacy Act (CCPA).

If any of these is compromised, your business will be slapped with civil penalties up to $7500 for each violation, and the maximum fine for other violations is $2500 per violation. 

Salesforce Administrators Must Rethink Backup

Backed up data is treated somewhat differently under the California Consumer Privacy Act. If a business stores personal information on a backup system, it can delay compliance with the customer’s deletion request, until the next time the backup system is accessed.   

However, backed up data is very much covered by the CCPA law. Businesses subject under CCPA need a strategy on how to handle CCPA deletions of personal information in backup systems. 

Let’s say you have personal information of a customer stored in your Salesforce backup system. The customer wants to delete the data which can be done under the CCPA. Once you remove the data, you’ll need to work with an updated version of backup data. But, if you recover to a point before the deletion, you’d be restoring a backup version that includes the information that was supposed to be deleted. 

You just violated CCPA without even knowing it, and the penalties will apply to your business. 

Spanning Backup allows Salesforce administrators to know the state of the most recent backups that ensure CCPA compliance. Get a granular view of your backups, that includes counts of changes for most important object types, Salesforce API, along with backup and recovery notifications — straight from a single customizable Spanning dashboard. 

DISCLAIMER: This publication has been prepared by Spanning Backup to provide information of interest to our readers regarding the California Consumer Privacy Act. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. Spanning Backup does not provide legal advice. 

Learn More About Spanning Backup for Salesforce

*** This is a Security Bloggers Network syndicated blog from Spanning authored by Dave Wallen. Read the original post at: