CCPA and Fastly: we've got you covered
The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020, and provides California consumers with new rights over how their personal data is collected and used, as well as mechanisms to limit the sale of their data. The CCPA will mean different things to different businesses depending on what they do with personal data.
The CCPA is intended to protect personal data and empower consumers to control what happens with it. When it comes to disclosing end-user personal information, the CCPA differentiates between sharing data with service providers and all other third parties. Third parties are companies that may use personal information for their own benefit. The CCPA gives consumers the right to opt-out of having their personal information shared with third parties. Service providers, on the other hand, are companies like Fastly that receive personal data from a business like yours and process that data in accordance with the terms of a written contract like Fastly’s Terms of Service. A service provider cannot retain, disclose, or use that personal information for any purpose other than for meeting the terms of that contract.
At Fastly, we work hard to stay ahead of changes in the law so you can stay confident and compliant. We did it for GDPR, and now we’re doing it for CCPA. So what does the CCPA mean for you, and more importantly, what do you need to do to keep your use of Fastly running smoothly? We believe you don’t need to do anything when it comes to CCPA and Fastly. The promises we make to our customers already encompass what they need to be compliant — no need to make amendments, add clauses, or anything like that.
The CCPA seems a lot like the GDPR. Do we need a CCPA-specific data processing agreement?
You don’t need a new data processing agreement with Fastly, but it’s important to understand why.
When the GDPR rolled out, it imposed numerous new contractual requirements (for example, rules around sub-processing, duration of processing, dealing with data subject requests, and supervisory authority inquiries) that needed to be set out between a “controller” and a “processor.” We addressed the GDPR’s requirements in our post about GDPR compliance and our data processing terms. While the CCPA and GDPR share some similarities, the contractual requirements for a “service provider” under the CCPA are much simpler than for a “controller” under the GDPR. The CCPA requires only that your contract with your service provider prohibits the provider from retaining, using, or disclosing personal information other than for performing the services as set forth in the parties’ contract.
Because we’ve always valued your control over your end users’ data, and we’ve worked hard to make our existing contractual terms reflect that, when it comes to CCPA, you don’t need to take action on your Fastly contract.
Fastly is a service provider, and we only process data as outlined in our written agreement with our customers. We don’t sell, rent, or distribute our customers’ data to third parties. Our standard Terms of Service (Section 3.5) expressly limit us from making use of all of your data (not just personal data contained within it) except for the purposes set forth in our contract with you. We’ve recently added a CCPA Compliance Statement to our website to restate this commitment. There are no “gotchas” here. Our terms are intended to reflect our belief that you control your data. That belief, and our commitment to privacy, is also reflected in things like our Code of Business Conduct and Ethics where, in Section IV, we talk about how we use our technology with care and caution, especially as it relates to data governance.
We’re committed to putting customers in control of their data
From day one, we’ve cared about privacy and security. We’ve never been in the business of exploiting your or your end users’ data. Our features were built to empower our customers and facilitate compliance with regulations and standards. Real-time logging, for example, lets you monitor site performance and troubleshoot issues as they arise. We put the power in your hands to capture the information you want. But on our end, we do not store those logs. It’s just one way we’ve built our offerings to give you authority over your data — not us. Or take Instant Purge, which enables you to invalidate content (whether stale or problematic) in 150 milliseconds, on average as of March 31, 2019, across our global network. And rapid configuration deployments let you make changes quickly when business or compliance needs dictate. That’s how our philosophy of customer empowerment actually plays out on the ground.
To sum up, if you’ve got a contract with Fastly (and if you’re using our services, you do), that contract is already compliant with CCPA’s service provider rules. And if you’re thinking about signing up for Fastly, you’ll be covered when you sign up, too.
We know that when new changes roll out, it can cause some uncertainty. As always, we’re here to help should you have questions or concerns. But we hope this helps alleviate some of the confusion about CCPA. We’re in this together with you, and we’ve got you covered.