Originally passed into law in June 2018 and in effect since January 2020, the California Consumer Privacy Act (CCPA) regulates businesses’ collection and sale of consumer data, aiming to protect California residents’ personal information and giving consumers control over how that information is used.
In January 2023, the CCPA will be amended by the California Privacy Rights Act (CPRA), which will apply to personal information collected by a covered business on or after January 1, 2022. While largely identical to the CCPA, the CPRA:
This post examines key requirements in CCPA, who it applies to, and how organizations can ensure their third parties are protecting their customer data. For simplicity, this post refers to both regulations – CCPA and CPRA – as the CCPA.
Let’s start with how “personal information” is defined. The CCPA defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Note that this is deliberately broad: it covers identifiers and inferences that can be linked to a household, not only data that names an individual.
The CCPA requires companies to inform California residents about the categories of data being collected at or before the point of collection. It allows consumers to access the personal data a company holds about them and to learn with which individuals or organizations that data has been shared. It also allows consumers to opt out of the sale or sharing of their personal data with third parties.
While the CCPA is technically California state law, its reach is felt far beyond the borders of the Golden State. Its applicability is not limited to businesses headquartered in California, or even to businesses physically operating in California: the CCPA applies to consumer data collected from any resident of California.
Given the fact that California is home to about 40 million people and would be the 5th largest economy in the world if it were its own country, the odds are good that if your business is collecting consumer data, you have collected the data of a California resident. In fact, many businesses opt to treat every consumer as if they were a California resident, and therefore prepare for CCPA compliance across their businesses.
Section 1798.100 of the CCPA states that a business that collects a consumer’s personal information and sells it to, or shares it with, a third party must enter into an agreement that “obligates the third party, service provider, or contractor to comply” with the CCPA’s privacy requirements. Organizations should therefore ensure that their third-party partners and service providers are prepared to protect consumer information. The first step in any security program is to identify and prioritize existing risks through a thorough security assessment. CCPA Section 1798.185(a)(15) directs the regulator to issue rules “requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security” to conduct annual cybersecurity audits and to submit risk assessments to the California Privacy Protection Agency. Specific provisions in the CCPA that organizations should examine include:
| CCPA provision | What to look for in a third-party risk program |
|---|---|
| 1798.81.5(b): implement and maintain reasonable security procedures and practices | For any regulatory standard, organizations must ensure that they measure the correct risks and apply the correct controls. In the case of the CCPA, that could mean using the Center for Internet Security (CIS) Critical Security Controls as the control framework. Look for a solution that assesses not only third-party privacy controls, but also broader third-party risks, using a large library of auditor-approved assessments. |
| 1798.140(c): ongoing manual reviews, automated scans, and regular assessments and audits | To avoid reputational and operational risk and business disruption, organizations should ensure that their partners and third parties adhere to reasonable security measures. Conducting third-party assessments with manual questionnaires and spreadsheets, however, is inconsistent and does not scale. Look for third-party risk management platforms that automate regular assessments and combine them with continuous monitoring for a complete view of a vendor’s risk. |
| 1798.185(a)(15): (A) perform a cybersecurity audit on an annual basis; (B) submit a regular risk assessment to the California Privacy Protection Agency (CPPA) | Most risk assessment surveys focus on general controls and policies. Complying with the CCPA requires a technical understanding of how data is processed, which the CIS Critical Security Controls (cited by the California Attorney General as a baseline for “reasonable security”) can provide structure for. Look for solutions that map third-party assessment answers to the CIS Critical Security Controls, so that coverage gaps are visible and properly designed systems can be distinguished from “bolt-on” security and privacy features. Look for effective reporting that satisfies CCPA audit and compliance requirements and presents findings to the board and senior management. |
Only once your business has identified the third parties to which it sells or with which it shares consumer data can you begin to take steps toward CCPA compliance, such as updating your legal agreements with those third parties or establishing channels of communication in case of a breach. Then, as part of that process, extend your discovery out to fourth and Nth parties. Mapping the relationships between your organization, its third parties, and their third parties reveals dependencies and visualizes the paths consumer data travels, which makes reporting much simpler.
Prevalent provides businesses with a comprehensive solution to manage your third-party relationships for CCPA compliance. Our third-party risk management platform makes it easy to:
For more details on how Prevalent can help organizations assess their third-party data security controls to support CCPA requirements, read the white paper, The CCPA Third-Party Compliance Checklist or request a demo today. To learn how third-party risk management applies to 20+ other regulations, download The Third-Party Risk Management Compliance Handbook.