Zscaler and the CCPA
Introduction
The right to privacy is specifically protected by the California Constitution.
The California Consumer Privacy Act (CCPA) is a law that went into effect as of January 1, 2020 and grants new privacy rights to California residents. The CCPA is the most comprehensive privacy law in the US. This landmark piece of legislation signifies a substantial change in how businesses collect, store, and process the personal information of California residents as well as how they share, disclose, or make available this personal information to third parties. California Consumer Privacy Rights Act (CPRA), effective as of January 1, 2023, is substantially amending the CCPA by regulating the use of dark patterns, further expanding consumer rights (i.e. right to correct), and imposing additional compliance obligations and restrictions related to the personal information about California residents, bringing California law closer to the European GDPR. The CPRA also established a new California enforcement agency, which is expected to lead to increased enforcement.
The CCPA’s primary concerns are increasing transparency between businesses and individuals about whether or not a “business” “sells” the “personal information” of California “consumers” (as those terms are defined under the CCPA) and ultimately giving those consumers rights with respect to business or commercial transactions involving their personal information. Under the CCPA, a business does not sell the personal information of California consumers if it discloses, shares, or otherwise transfers that personal information to a “service provider” (as that term is defined under the CCPA).
Zscaler is committed to our customers’ success, including compliance with the CCPA. The CCPA will require a close partnership between Zscaler and our customers in their use of our services and products. Zscaler has closely analyzed the requirements of the CCPA and has made necessary enhancements and/or revisions to our services, products, documentation, and/or contracts (as applicable) to support our own compliance with the CCPA. In addition, Zscaler is dedicated to assisting our customers with their CCPA compliance efforts.
Zscaler Compliance with the CCPA
As a security-as-a-service provider, data protection is at the core of Zscaler’s business and something Zscaler takes very seriously. Zscaler remains committed to protecting personal data in compliance with the highest standards of privacy and security. Below is a high-level summary of Zscaler’s compliance with several of the key areas of the CCPA:
• When acting as a service provider, Zscaler will only retain, disclose, store, or use personal information for the specific business purpose of performing the services specified in the written contract with our customers.
• Zscaler expects that its customers, as the business, will inform their Californian employees and users (i.e., the consumers) about their collection of personal information in accordance with the CCPA including without limitation informing consumers of the categories and specific pieces of information being collected, the business or commercial purpose for which the personal information has been or will be collected, the categories of third parties with whom they share personal information with, and the consumers’ rights under the CCPA.
• Zscaler ensures the confidentiality and security of the personal information it retains, discloses, stores, or uses and that reasonable security procedures and practices have been implemented and will be maintained.
• Except as required by law, Zscaler does not retain, disclose, use, or store any personal information that is not needed for the specific business purpose of performing the services specified in our contract with our customers.
• Zscaler will be responsible and liable for the performance of any of its sub-processors. Zscaler maintains an up-to-date sub-processor list here.
• Zscaler will make available to its customers any information reasonably necessary for our customers to demonstrate their compliance with the CCPA.
CCPA FAQs
We have put together the below FAQs in order to address the most common questions that we receive from customers and partners regarding our platform.
(1) What personal data does Zscaler retain, disclose, use, or store?
Zscaler processes and stores a limited amount of personal information (e.g., IP Addresses, URLs, user IDs, user groups and departments from corporate directory).
Zscaler support personnel will not access any personal information except for the specific purpose of performing the services specified in the contract with our customers. Additionally, customers have the option to obfuscate their user IDs from ever being seen by their own administrators.
For the majority of Zscaler’s services and products, HTTP, HTTPS and non-HTTP transaction content is never stored by Zscaler or written to disk - all inspection takes place in memory.
For customers who order Zscaler’s cloud sandbox product, Zscaler records malicious content to a storage disk; however, customers can decide what files to send to Zscaler’s sandbox (based on file type, URL category, user/group, etc.).
For Zscaler Client Connector software, customers can globally enable or disable the packet capture through policies with Zscaler and delete the packet capture logs from the applicable laptop, desktop, or personal mobile device.
Customer Transaction Logs (Customer Logs) are never stored in clear text and are indexed, compressed, and tokenized at the point of generation – ensuring a single Customer Log is meaningless without a complete string of historic Customer Logs and access to the indexes stored in Zscaler’s Central Authority (CA). Hence, even with access to stored data, personal data cannot be derived without Zscaler’s user interface bringing together information from the Customer Logs and information from the CA.
2) How does Zscaler protect the personal information that it retains, discloses, uses, or stores?
Zscaler implements and maintains reasonable security procedures and practices in accordance with the CCPA. Zscaler is certified under ISO 27001 and System and Organization Controls (SOC) 2, Type II standards and is audited annually by a third party to ensure its ongoing compliance with these certifications. Zscaler regularly tests, assesses and evaluates the effectiveness of its security measures. Upon written request, and subject to appropriate confidentiality protections being in place, Zscaler can provide Customer with a copy of its most recent ISO 27001 certificate and/or SOC 2, Type II report. For more information, please visit https://www.zscaler.com/company/compliance.
(3) What is pseudonymization versus anonymization of data? And can I elect to have my company’s data fully anonymized instead of pseudonymized?
Pseudonymization of data makes it so that the data can be reattributed to a system, individual, or organization. In contrast, anonymization of data makes it so the data can never be reattributed to a system, individual, or organization.
For cyber security, organizations need the ability to reattribute data in the event the organization must conduct an investigation, remediation, or recovery after a security vulnerability or breach (such as isolating a targeted phishing attack). In providing our products to customers, we give customers the option to obfuscate or pseudonymize their personal data so that our customers have the option to report on what devices should be remediated after a security breach or vulnerability. Zscaler uses the “tokenization” methodology to perform pseudonymization of personal data.
(4) Does enabling SSL inspection change the types of personal information that Zscaler retains, discloses, uses, or stores?
No. Enabling SSL inspection does not change the limited amount of data that Zscaler processes or stores. Rather, it provides an added layer of security protection for those threats concealed behind encrypted traffic and provides additional protection for our customers’ employees and other users.
(5) Does Zscaler use sub-processors to provide its services?
Yes. As is the case with every cloud vendor, Zscaler does use a limited number of sub-processors to provide its services. Zscaler will provide customers with advance written notice of any changes to its sub-processor list. Zscaler will be responsible and liable for the performance of its sub-processors. Zscaler maintains a current list of its sub-processors at https://www.zscaler.com/legal/subprocessors.
(6) Can Zscaler assist with a consumer request?
Yes. Zscaler has an internal process for responding to consumer requests. However, it’s important to remember that as the business, our customer is responsible for reviewing and validating the request and submitting a support ticket to Zscaler. A consumer request should only be made if a consumer (usually a customer employee or user) makes such a request to our customer. If Zscaler receives a consumer request directly from a customer employee or user, we will redirect the person to our customer to validate and respond.
NOTE: While this site is designed to help organizations understand the CCPA in connection with Zscaler's services and products, the information contained herein may not be construed as legal advice and organizations should consult with their own legal counsel with respect to interpreting their unique obligations under the CCPA.