Originally passed into law in June 2018 and in effect since January 2020, the California Consumer Privacy Act (CCPA) regulates business’ collection and sale of consumer data, aiming to protect California residents’ sensitive personal information and providing consumers with control over how that information is used.
The CCPA was expanded in 2023 with the California Privacy Rights Act (CPRA), adding new compliance obligations that mandate strict third-party agreemets to ensure the secure collection, use and disposal of consumer information. While largely identical to the CCPA, the CPRA:
This post examines key requirements in CCPA, who it applies to, and how organizations can ensure their third parties are protecting their customer data. For simplicity, this post refers to both regulations – CCPA and CPRA – as the CCPA.
Let’s start with how “personal information” is defined. The CCPA defines sensitive personal information as, “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA requires companies to inform California residents about data being collected prior to collecting the data. It allows consumers to access all personal data held by a company and receive information about individuals or organizations with whom that data has been shared. It also allows consumers to opt out and prevent their personal data from being sold or shared with a third party.
While the CCPA is technically California state law, its reach is felt far beyond the borders of the Golden State. CCPA oversight is not limited to businesses headquartered in California, or even to businesses physically operating in California—the CCPA applies to consumer data collected from any resident of California.
Given the fact that California is home to about 40 million people and would be the 5th largest economy in the world if it were its own country, the odds are good that if your business is collecting consumer data, you have collected the data of a California resident. In fact, many businesses opt to treat every consumer as if they were a California resident, and therefore prepare for CCPA compliance across their businesses.
If a business is found to be liable for a civil penalty under the CCPA, the penalty can reach $7,500 per intentional violation and $2,500 per unintentional violation. The court may also order statutory damages for consumers.
Section 1798.100 of the CCPA states that a business that collects a consumer’s personal information and sells or shares it with a third party must enter into an agreement with that third party that “obligates the third party, service provider, or contractor to comply” with the CCPA’s privacy regulations. Organizations should therefore ensure that their third-party partners and service providers are well prepared to protect consumer information. The first step in any security program is to identify and prioritize existing risks via a thorough security assessment. CCPA Section 1798.185 (15) speaks to, “requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security” to conduct annual cybersecurity audits and submit to the California Privacy Protection Agency a risk assessment. Specific provisions in the CCPA that organizations should examine include:
1798.81.5 (b), implementing and maintaining reasonable security procedures and practices |
For any regulatory standard, organizations must ensure that they measure the correct risks and apply the correct controls. In the case of CCPA, that could mean leveraging the Center for Internet Security (CIS) Critical Security Controls as a framework. Look for a solution that assesses not only third-party privacy controls, but also broader third-party risks using a large library of auditor-approved assessments. |
1798.100 (d), enter into an agreement that obligates the third party to comply with applicable obligations |
Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts, including workflow capabilities to automate the contract lifecycle from onboarding to offboarding. With Prevalent, procurement and legal teams have a single solution to enforce vendor contract provisions and KPIs, and simplify management and review. |
1798.140 (c), ongoing manual reviews and automated scans and regular assessments, audits |
To avoid reputational and operational risk and business disruptions, organizations should ensure that their partners and third parties adhere to reasonable security measures. However, attempting to conduct third-party assessments using manual questionnaires and spreadsheets is inconsistent and unscalable. Look for third-party risk management platforms that automate regular assessments with continuous monitoring for a complete view of a vendor’s risk. |
1798.185 (a) perform a cybersecurity audit on an annual basis; and (b) submit a regular risk assessment to the CCPA |
Most risk assessment surveys focus on general controls and policies. Complying with the CCPA requires a technical understanding of data processing – specifically with the CIS Critical Security Controls, which are suggested as a framework to ensure proper security over data. Look for solutions that map third-party assessment answers to the CIS Critical Security Controls to ensure complete coverage for the CCPA and help distinguish properly designed systems from “bolt-on” security and privacy features to ensure full compliance. Look for effective reporting to satisfy CCPA audit and compliance requirements, as well as to present findings to the board and senior management. |
The CCPA Third-Party Compliance Checklist
Read this report to understand third-party considerations in the California Consumer Privacy Act (CCPA) and discover how to assess your vendors for CCPA compliance.
Only once your business has identified the third parties to which you sell consumer data can you begin to take steps to ensure CCPA compliance, such as updating your legal agreements with the third party or opening channels of communication in case of a breach. Then, as part of that process extend your discover out to 4th and Nth parties. Identifying relationships between your organization and third parties and their third parties will discover dependencies and visualize information paths, making the process of reporting much simpler.
Prevalent provides businesses with a comprehensive solution to manage your third-party relationships for CCPA compliance. Our third-party risk management platform makes it easy to:
For more details on how Prevalent can help organizations assess their third-party data security controls to support CCPA requirements, read the white paper, The CCPA Third-Party Compliance Checklist or request a demo today. To learn how third-party risk management applies to other privacy regulations, download The Third-Party Compliance Handbook: Data Privacy Regulations.
Uncover key changes in the Standard Information Gathering (SIG) Questionnaire for 2025 and learn what these...
12/16/2024
Leverage these best practices to address NIS2 third-party risk management requirements.
12/03/2024
Ask your vendors and suppliers about their cybersecurity risk management, governance, and incident disclosure processes to...
10/24/2024