How will CCPA compliance affect your backup storage?

The new California privacy act creates more rights for consumers and their data. As a result, organizations holding consumer data will need to modify their backup approach.

The California Consumer Privacy Act, or CCPA, is generally focused on ensuring consumers are informed about the data collected on them and how that data is used. It also enables consumers to opt out. In addition, CCPA has specific verbiage around organizations taking measures to ensure data isn't breached or stolen.

CCPA goes into effect Jan. 1, 2020, and affects California residents but, like GDPR, may be a precursor to other data privacy and protection regulations in the country and the world.

At first glance, CCPA compliance doesn't sound like it matters to backups, but it has some specific ramifications for backups and backup storage.

  • Service availability: CCPA empowers consumers to inquire about the consumer data an organization holds. Organizations are given a reasonable amount of time to respond to such requests. All this implies the applications and systems storing that data are up and running. Now, consider that these applications, such as a marketing automation platform, may not be critical to the business. Sure, it's important to marketing, but it's not necessarily mission-critical. The impact on backups is a reduction of both the recovery time objective and recovery point objective for these applications. This will result in greater backup storage requirements.
  • Security availability: Because CCPA puts penalties in place should a data breach happen, an organization must continually maintain security. So, the entirety of your security configuration that affects the systems and applications hosting consumer data must be backed up. This includes directory service accounts and security at the OS, application and file system levels. As with service availability, this work for CCPA compliance may mean more backups are necessary to ensure an organization can bring security back to a known-good state.
  • Forgotten data: Consumers can request removal from an organization's databases under CCPA. Once they are removed, backups of that new state of the data are necessary, as they will be the earliest point the organization can go back to. Think about it: If you were to recover to a point earlier than the deletion, you'd be working with a version of the database that once again includes the forgotten consumer. You can't do that under CCPA, so removals of data may require additional backups.

The question remains: How much will CCPA compliance impact backup storage? It really depends on what your backups look like today. I can see some organizations realigning business processes and backups to ensure adherence to CCPA without needing to materially increase backup storage. However, I also believe that, to be compliant, some new backup data sets and frequencies will need to be established.
