Salesforce Data Privacy and CCPA

Organizations and businesses that use the Salesforce platform want their customers’ data privacy and security set up in compliance with the various international and global privacy requirements. This compliance journey includes the European Union’s GDPR, the US’s healthcare-focused privacy law (HIPAA), the Brazilian privacy law (LGPD), the APEC privacy framework, and California’s new privacy law (CCPA).

In this article, we will focus on the California Consumer Privacy Act (CCPA). The United States has no comprehensive privacy law that applies across sectors and categories of personal data; instead, separate federal laws address privacy per business, individual, and activity. For example, HIPAA covers the health care industry, the GLBA covers financial data collection, and the CAN-SPAM Act covers email marketing.

Like many businesses and organizations in the United States, Salesforce also wishes for a national privacy law, similar to the GDPR in the EU, that would enable companies to manage personal data across the entire country instead of per state.

  1. CCPA and your Organization
    • CCPA regulates the collection, use, and disclosure of personal information that belongs to a natural person who is a California resident, and it applies to any business or organization (service providers like Salesforce and other third parties) that operates within the state of California. These residents also include those who are temporarily out of state. CCPA does not impose special requirements on any business for the transfer of personal information outside of California or the United States.
  2. CCPA and Businesses
    • A business is defined in the CCPA as any for-profit entity that collects, and determines the purposes and means of processing, California consumers’ personal information while doing business in California and that: (1) has annual gross revenues over $25 million; (2) processes the personal information of 50,000 or more consumers, households, or devices for its own commercial purposes; or (3) earns more than half of its annual revenue from “selling” consumers’ personal information.
  3. CCPA and Service Providers
    • Under CCPA, a service provider is any for-profit entity that processes personal information on behalf of another business, which discloses the personal information for a business purpose. A service provider must have a written contract with its clients to process data according to the purpose it is hired for.
  4. CCPA and Salesforce
    • Salesforce is a perfect example of a service provider under the CCPA. Salesforce offers a Data Processing Addendum containing CCPA-specific terms that Salesforce clients can refer to. This is one of the agreements a client signs when taking the services of Salesforce. You can find it HERE.
    • This addendum contains what is necessary to address the CCPA requirements. However, all Salesforce clients are still advised to have legal counsel determine that all provisions stipulated in the Addendum coincide with their business structure in compliance with CCPA.

As a business, you must cover the CCPA Salesforce requirements that should meet the needs of the various industries you accommodate. To learn more about the CCPA, its provisions, and its requirements, you can access the CCPA HERE.

How to use Salesforce to comply with CCPA?


Data Deletion
  • When a consumer requests that the data you collected about them be deleted, or when it’s no longer necessary for you to keep it, you can do the following:
    • Delete the data not just from the Production Environment but also from your Sandbox Environment. You can easily refresh your sandbox to mirror your production environment or manually delete the data from there.
    • If an employee requests data deletion, you can remove their org access and also expire their passwords, revoke activation status, remove user sessions, and end usage tracking of their connected apps.
    • Make sure to also delete data that is associated with the contact record, e.g. tasks, calendar events, voicemail messages, orders, and invoices.
Data Copy Requests
  • To comply with the CCPA, you may be required to provide a consumer’s personal data and make it available to them when requested. You can do this by exporting the data out of Salesforce with the following options:
    • You can consider exporting some data from the backup files that Salesforce generates for your organization. Salesforce usually does this on a weekly basis.
    • When a consumer requests all data associated with their record, make sure to check your org’s security policy for the size limit you have on exporting data. Temporarily increase the limit of your policy’s Apex code when necessary.
    • You can use the unique identifier that the API returns for instance data to locate and export your customer’s record.
    • Make use of the Data Loader export wizard to extract the data from Salesforce.
Opting Out of Sale
  • Consumers have the right to opt out of the sale of their personal data. Here are some points to consider:
    • Make sure to advise your customers to consult with their legal counsel on the definitions of the terms “sale” and “personal information” because Salesforce will be unable to provide legal advice on these definitions.
    • Connect with your org’s legal counsel to help you define what is considered as a “sale”.
    • Make use of API-based tools to help you comply with the Do Not Sell requests of your consumers.

Note: This article discusses the California Consumer Privacy Act (“CCPA”) as an overview in relation to the available tools that Salesforce offers as a provider and does not constitute legal advice. Kindly contact your own legal counsel, to whom you can disclose your organization’s privacy requirements.