
CCPA and CPRA Compliance

CCPA, CPRA and Third-Party Risk Management

The California Consumer Privacy Act (CCPA) regulates businesses’ collection and sale of consumer data in order to protect California residents’ personal information and give consumers control over how that information is used. The CCPA was amended by the California Privacy Rights Act (CPRA), which took effect on January 1, 2023 and added compliance obligations, including mandatory contract terms with third parties, service providers and contractors that govern the secure collection, use and disposal of consumer information.

The CCPA and CPRA apply to personal information collected from California residents, whether the business is headquartered in California or merely does business there. A business found liable for a civil penalty under the CCPA can be fined up to $2,500 per violation and up to $7,500 per intentional violation. Consumers also have a private right of action for certain data breaches that result from a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater.

Organizations should therefore ensure that their third-party partners and service providers are prepared to protect consumer information. The first step in any security program is to identify and prioritize existing risks through a thorough security assessment, and that assessment must extend to the vendors who receive consumer data.

Relevant Regulations

  • 1798.81.5 (b) “A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

  • 1798.100(d) “A business…shall enter into an agreement with such third party, service provider, or contractor, that: … Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title; Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.”

  • 1798.140(j)(1)(C) (the contractor definition; 1798.140(ag)(1) contains parallel language for service providers) “Permits, subject to agreement with the contractor [or service provider], the business to monitor the contractor’s [or service provider’s] compliance with the contract through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months.”

  • 1798.185(a)(15)(A) “Perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent. The factors to be considered in determining when processing may result in significant risk to the security of personal information shall include the size and complexity of the business and the nature and scope of processing activities.”

  • 1798.185(a)(15)(B) “Submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal information.”

Note that 1798.185(a)(15) directs the California Privacy Protection Agency (CPPA) to issue regulations imposing these audit and risk-assessment requirements on businesses whose processing of personal information presents significant risk to consumers’ privacy or security; the detailed obligations are set out in the CPPA’s regulations rather than in the statute itself.

The CCPA Third-Party Compliance Checklist

Read this report to understand third-party considerations in the California Consumer Privacy Act (CCPA) and discover how to assess your vendors for CCPA compliance.


Meeting CCPA TPRM Requirements

Here's how Prevalent can help you address CCPA third-party risk management best practices. Each heading below names a CCPA best practice and is followed by the Prevalent capability that supports it:

Discovery & Data Mapping

Prevalent supports scheduled assessments that identify data flows between vendor relationships, showing where consumer data exists, where it flows, and with whom it is shared outside the organization, using a relationship mapping capability. It automatically generates a risk register that highlights key risk areas, bringing visibility to where data is held and exchanged.

Self-Assessments

Prevalent conducts a Privacy Impact Assessment (PIA) targeted at the most sensitive business and privacy-related data and the business processes with the highest risk. It evaluates the origin, nature and severity of the potential risk and provides recommendations to mitigate identified risks, supporting future compliance with privacy regulations.

Vendor Risk Assessments

Prevalent assesses vendor data privacy controls against the CCPA using the Prevalent Compliance Framework (PCF). CCPA-specific questionnaire content helps identify risks during the assessment and maps them to controls, giving a clear view of potential hot spots.

Risk Response

Prevalent automates risk identification based on thresholds set in the platform, and accelerates response with pre-built workflow rules that escalate identified risks to the appropriate stakeholder for immediate review and disposition.

Compliance Tracking & Reporting

Prevalent reports against the CCPA using the Prevalent Compliance Framework, which automatically maps risks and responses to controls, provides a percent-compliant rating, and delivers stakeholder-specific reporting to bring visibility to data security.

Breach Event Notification Monitoring

Prevalent provides access to a database containing more than 10 years of data breach history for thousands of companies around the world. It includes the types and quantities of stolen data, compliance and regulatory issues, and real-time vendor data breach notifications.

Subject Access Requests

Prevalent enables vendors and business users to trigger subject access request (SAR) workflows based on requests they receive, using a proactive assessment to capture the relevant data. Using the relationship map, risk and privacy teams can visualize with whom data is shared and who is exposed to that vendor’s data.

Vendor Contract Management

Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts, including workflow capabilities to automate the contract lifecycle from onboarding to offboarding.

With Prevalent, procurement and legal teams have a single solution to enforce vendor contract provisions and KPIs, and simplify management and review.

Align Your TPRM Program with CCPA, GDPR, HIPAA and More

Download this guide to review specific requirements from 6 data privacy authorities, identify TPRM capabilities that map to each requirement, and uncover best practices for ensuring compliance.
