Does my organization need to comply with the CCPA?

Companies don't have to be based in California or have a physical presence there to fall under the law. They don't even have to be based in the United States. The CCPA is applicable to your company if:

  • It collects or processes personal data of California residents.
  • Your organization meets any of the following thresholds:
    • a) Has at least $25 million in annual revenue.
    • b) Can be of any size, but collects personal data of at least 50,000 California residents.
    • c) Collects more than half its revenue from the sale of personal data.

Consumer rights under the CCPA

The CCPA focuses on giving power back to the consumers. To achieve this, the regulation guarantees ten basic rights to all California residents. Businesses need to keep these in mind while preparing for their compliance journey. 

Consumers will gain these rights under the CCPA:

  • Right to know all personal data collected.
  • Right to say no to the sale of your information.
  • Right to sue companies in the event of a data breach.
  • Right to delete personal data collected by organizations.
  • Right not to be discriminated against upon exercising any right under the CCPA.
  • Right to be informed of what categories of data will be collected.
  • Mandated opt-in before the sale of data belonging to children under sixteen.
  • Right to know the categories of third parties your data is shared with.
  • Right to know the categories of sources your data was collected from.
  • Right to know the purpose of data collection.

What does this mean for my organization? 

If you haven't already begun preparing for the CCPA, it's high time you started reviewing your systems and processes to become compliant. These are some of the basic steps organizations will need to take to begin their compliance journey: 

  • Provide users with a means to request access to their data, and have information on how you have used their data ready.
  • Update your privacy policy with all the information on what data you collect, where you collect it from, who will have access to the data, and how you plan to use it.
  • Provide users with a "Do Not Sell My Information" option to prevent the sale of their information.
  • Review and update your software, systems, and processes to meet the CCPA's requirements.
  • Implement "reasonable security practices," as mandated by the CCPA, to protect against potential vulnerabilities and attacks.
  • Start training your employees and teams on your updated privacy program.

How can IT help in preparing for the CCPA? 

The CCPA's requirements may seem confusing or daunting at first, but the right solutions and configurations can greatly simplify your organization's compliance journey. Although there is no single solution that can address the entire regulation, there are many stipulations in the CCPA that can be made easier with the right processes and IT tools.  

01 Data discovery and security

  • Get insights into the personal data your company holds, including the type, location, and amount of personal data stored in each file.
  • Keep your inventory of personal data updated with an automated file discovery feature, which scans your entire Windows file system at regular intervals.
  • Keep personal and corporate data separate on mobile devices using containerization, and encrypt corporate data stored on mobile devices.
  • Update and regularly patch servers, endpoints, operating systems, and legacy and third-party applications.
  • Blacklist anonymous or unsecured apps, restrict app downloads from third-party stores, and restrict data sharing between apps to prevent data leaks.
  • Employ security configuration management to detect and remediate any security misconfigurations that pose a data leakage threat.
  • Secure internet-facing devices like web servers that act as a gateway to your organization's network.
  • Enforce browser security policies to circumvent browser-based attacks that can potentially lead to data leaks.
  • Restrict the use of devices with access to critical data to a geographical fence. Enable remote wipe on all corporate devices to remotely erase all data on a device in case it's lost or stolen.

02 Access management

  • Manage, monitor, and audit administrative access to systems and applications that handle personally identifiable information.
  • Monitor who accesses personal data, including when and where that data is used.
  • Prevent unauthorized users from exploiting privileged access to personal data repositories.
  • Detect when users access personal data without proper permissions.
  • Audit permission change events to identify illegal or unauthorized permission changes related to personal data.

03 Change auditing

  • Audit changes to personal data (e.g. modification, deletion, renaming, or even permission changes).

04 File integrity monitoring

  • Monitor the integrity of confidential files and folders, and generate instant notifications whenever critical file changes happen.

05 Log management and analysis

  • Centralize and correlate security data from different sources to identify potential data breaches instantly and avoid data loss.
  • Watch out for unauthorized access attempts and anomalies in user activities on systems and services that store personal data.
  • Perform in-depth analysis of firewall security logs to gain critical network intelligence about attempts to breach security and attacks.

06 Breach detection and prevention

  • Detect any data breach in your network instantly.
  • Detect and contain known attack patterns such as denial-of-service (DoS), distributed denial-of-service (DDoS), SQL injection, and ransomware attacks.
  • Use custom correlation rules and alert profiles for detecting unknown attack patterns, keeping personal data safe.
  • Use an intelligent log search engine to perform forensic analysis and determine when a breach occurred, its source, which data and systems were affected, and the responsible parties.
  • Make your users reset their passwords immediately following phishing or brute-force attacks to avoid data breaches.
  • Block unwanted executables, prohibit unapproved software in your network, and prevent remote code execution.
  • Restrict the use of USB devices to protect data from insider threats.


Disclaimer: Fully complying with the CCPA requires a variety of solutions, processes, people, and technologies. The solutions mentioned above are some of the ways in which IT management tools can help with some of the CCPA's requirements. Coupled with other appropriate solutions, processes, and people, ManageEngine's solutions help achieve and sustain CCPA compliance. This material is provided for informational purposes only and should not be considered legal advice for CCPA compliance. ManageEngine makes no warranties, express, implied, or statutory, as to the information in this material.
