Protecting your privacy rights
Personal data protection laws exist to protect your rights, and to give you control over what
others can and can’t do with your personal data. Many countries have, or will soon, enforce
legislation that makes it clear how organizations must deal with personal data.
Since GDPR (General Data Protection Regulation) came into effect in the EU in 2018, other
parts of the world are following with their own personal data protection frameworks. California is
the first US state to roll out a comprehensive data protection regulation, called the California
Consumer Privacy Act (CCPA). CCPA takes effect on January 1, 2020, and will start to be
enforced from mid 2020. Other countries are following suit, such as Brazil, with its General Data
Protection Law (GDPL) in February 2020, and Hong Kong which published its New Ethical
Accountability Framework in May 2019.
Similar to GDPR, CCPA protects the data privacy rights of its residents, and will affect business
globally who deal with California residents. Complying with CCPA not only helps build trust and
cooperation with your customers, it also provides an opportunity to improve your data handling
processes and security. Non-compliance can come with a hefty cost – businesses can be fined
between $100 and $750 per consumer per incidence. CCPA also grants a private right of action
for certain types of data security breaches, which is expected to generate a significant number
of class actions. Even if data privacy regulation fines don’t apply to your organization, GDPR
and CCPA still provide an opportunity to improve your data protection practices.
What is CCPA and who does it affect?
CCPA applies to businesses that collect or use personal information of California residents
(even if the business is not in California), and meet certain thresholds: $25m gross revenue,
deals with records of 50,000 or more individuals, or their main business model is selling (>50%
of revenue) personal information. CCPA defines consumers as all California residents,
regardless of their role to the business. There is still some debate as to whether employees and
B2B contacts fall under this, which is expected to be clarified in the next few months. For
comparison, the UK’s Information Commissioner’s Office (ICO), in charge of enacting GDPR in
the UK, clearly states that B2B contacts do fall under GDPR.
Privacy rights granted by CCPA include: the right to know how a business collects and uses
personal data, the right to access and deletion, right of equal service and price regardless of
whether a person exercise their rights under CCPA, and the right to opt-out of release of
personal data to a third party. You will need to take a number of steps to ensure your
organization complies with CCPA.
What your business needs to do to comply with CCPA
Make an inventory of the personal data you collect and use, including: how you collect it, for
what purpose, where you store it, how long you keep it, who you share it with. Do this across
your entire organization, including human resources, sales and customer service teams.
Review your data inventory against CCPA, to ensure you are using personal information in a
way that is compliant. If you intend to keep data for a limited period of time, make sure your
systems are set up to delete or de-identify personal data (including backups). If you share
personal data with third parties, put data processing agreements in place, and make sure the
third parties delete that personal data when needed.
Include a checkpoint for CCPA compliance in your procurement and change management
processes to ensure you stay compliant while your business develops.
Make sure individuals are informed on how you collect and use their data (e.g., in your privacy
policy), and get their consent where required. Set up processes to deal with the specific rights of
individuals under CCPA, such as data deletion, data access, portability, and opting out, and
train the relevant staff.
CCPA for Salesforce
Salesforce is the trusted platform for many businesses to store the personal data they collect
and use. While Salesforce provides the basic platform tools to comply with CCPA, it is up to
each business to ensure compliance with CCPA for the data they put in Salesforce. There are a
number of things to consider that can help you comply with CCPA on Salesforce.
Identify where personal data is stored in Salesforce
Personal information includes anything that identifies, relates to, describes, is capable of being
associated with, or could be reasonably linked, directly or indirectly, with a particular consumer
or household. In Salesforce, this data can be in a lot of places. Consider standard Salesforce
objects, such as Leads, Cases, Contacts, Accounts, Individuals and Users, custom objects for
your organization, and objects in managed packages. You can also expect to find personal data
in related objects, such as Tasks, Events, Chatter, Notes, Attachments and Content
Documents. Pay attention to custom fields, in particular free-text fields where your users might
write personal data. While there is some ongoing debate whether certain types of information
comprises personal data (e.g., IP addresses), better be on the safe side and include these data
Use the Salesforce Individual object
Use the Salesforce Individual object to track the key properties of an individual’s personal data:
when and where did you collect it, are there any processing restrictions in place (e.g., a sale
opt-out), what is the retention period, and whether consent was obtained. You may well need to
deal differently with different individuals, depending on how and why you got their data, e.g., a
Lead that came from your website contact form may have seen a privacy notice, while a Lead
that came through LinkedIn may not, and likely you will retain your customers’ Contact data
longer than your prospects’ Leads.
CCPA imposes penalties for data leaks due to inadequate security measures. This is not just
about hackers breaking into your systems; data can fall into the wrong hands in many different
ways, e.g., an employee that sends information to the wrong recipient, or a third party that is
granted access to data it shouldn’t have. So it is important to ensure your access settings are up
to date. The least privilege principle is is a good model to follow; only grant read or edit access
for objects to those users who need that access to do their work.
Under CCPA, businesses must only collect the personal data they need, and not keep that data
longer than necessary, except if they fall under other legislations that require longer retention.
Make sure you have a documented data retention policy, and implement a process to deal with
data that reaches the end of its retention period. A Salesforce report with criteria for records that
have reached the end of their retention period would be a good start. You could clear or
de-identify personal data on those records, or simply delete them. If you keep a lot of personal
data on Salesforce, you may consider automating your data retention process.
Access and Deletion Requests
It is not unlikely that individuals exercising their rights under CCPA are well aware of the rules,
and may themselves be CCPA experts in their professional life, so you’ll want to handle access
and deletion requests smoothly.
When a customer asks you to remove their personal data, you (and third parties you shared the
data with) must do so, except if you have other overriding reasons to keep their data. You can
clear, or de-identify data, or delete the records in Salesforce. Clearing or de-identifying data
while leaving the records in place is more effort than simply deleting records, but is also less
intrusive to your operations (e.g., reports will be less affected). Either way, make sure you know
where personal data is stored in Salesforce, and that you handle all the relevant objects.
Typically your customer-facing staff will not have the administrative permissions needed to
de-identify or delete all personal data, so get your Salesforce administrator involved to ensure
all data is handled.
Individuals can ask you for an extract of their personal data. Establish the individual’s identity
before sharing any data with them, and review their information before you send it: don’t include
unnecessary data (e.g., commercially sensitive data that is not personal data) and don’t disclose
another person’s data (doing so could itself be a breach of CCPA). CCPA stipulates that you
should provide the data in a portable format where technically feasible, so you may consider
sending larger volumes of data on the same individual as CSV files, e.g., using Salesforce Data
Staying compliant with privacy legislation is an ongoing process, as the legislations and the
businesses they apply to continue to develop. With a few months left until CCPA comes into
effect, many organizations are reviewing their personal data processing practises to ensure they
will be compliant with CCPA. For organizations that deal with individuals in both California and
the EU, and already comply with GDPR, CCPA is a good opportunity to review and improve
their overall personal data handling processes.
While Salesforce provides their customers with the basic platform tools to comply with data
privacy regulations, businesses using Salesforce will still need a deep dive into their own data
processing practises, as well as significant technical Salesforce expertise to ensure they are
compliant. The main challenges are around identifying where personal data is stored, setting the
right access, and building robust and automated processes that ensure ongoing compliance.
Trivacy is a Salesforce AppExchange App that allows you to easily manage personal data on
Salesforce. Trivacy automates the laborious process of locating, viewing, exporting,
anonymizing and deleting personal data in your Salesforce organisation, and overcomes the
main technical challenges around the Salesforce data and access security model. The Trivacy
App brings together all personal data for an individual in one place, and allows you to handle
access requests, data obfuscation and de-identification in a few easy steps. Trivacy comes
pre-configured with a full personal data inventory for Salesforce, including hard-to-reach and
easy-to-miss objects, such as field tracking history, Chatter, emails and more. With Trivacy, you
can comply with various privacy legislations, such as GDPR and CCPA, in a few clicks.