Skip to Main Content

The Step-by-Step Guide to CCPA Compliance

California is just one in a string of many states to enact legislation that puts the responsibility of privacy in the hands of businesses. The CCPA, in particular, impacts for-profit businesses with consumers in California that meet one of three requirements: they must have more than $25 million in annual revenues, possess personal information for more than 50,000 California residents, or get more than half of their annual revenues from the sale of personal information. 

It got everyone’s attention as the next big privacy regulation in the US, and for good reason: initial compliance will cost businesses around $55 billion – and that doesn’t include ongoing compliance. But even if you don’t do business in California at the moment, don’t let this one fool you. Now that California is on the regulatory train, other states are likely to follow and enact similar regulations, so it only benefits you to start thinking about this one now. 

If that wasn’t enough, CCPA enforcement officially began on July 1, 2020, and COVID-19 has added new, unexpected layers to the implementation of the compliance controls organizations must put in place to get and stay compliant.

Below, we cut through the jargon to help you figure out just what steps to take to get up to standard when it comes to CCPA, during the pandemic and beyond.

Step 1: Identify Your Sensitive Data 

You can’t protect what you can’t see, so the first thing you need to do is identify the data you have. It likely spans multiple systems, applications and databases. It could also be living in spreadsheets or PDF files in cloud storage systems like Box or Microsoft OneDrive.  

Step 2: Minimize the Data You Store 

Is the data you are storing actually needed? Data minimization is a best practice in today’s privacy regulation landscape, so you should go ahead and remove any of that data that doesn’t have use or otherwise spark joy. This means less of an attack surface if and when a data breach does happen.  

Step 3: Identify Who Has Access 

There should be a clear understanding of who actually has access to all those systems that hold the data you’re trying to protect. Should the people with the keys to those systems have that access? Know the answer to that question and correct any shortfalls ahead of time. 

Step 4: Strictly Control Access 

Are you practicing least privilege? If not, start now. From here on out, access should only be granted when absolutely necessary and should not simply be given by default just because someone is on your network or looks like they should have the same access as another user. 

Step 5: Maintenance is Your Friend 

Like a good chef, cleaning as you go is the way to avoid chaos, save time in the long run and make sure you’re following the recipe for success. With a strong identity program in place, you’re automating a lot of the processes that help you stay compliant not just with CCPA but a litany of other regulations. From provisioning and deprovisioning accounts to making more intelligent decisions around who gets access to what, identity gets you to compliance and then keeps you going.   

We know this can be quite overwhelming, which is why we are here to help! Get the full guide on CCPA compliance or hear one of our customers share how they are getting compliant with SailPoint.  


Discussion