
CCPA Compliance

CCPA and Third-Party Risk Management

The California Consumer Privacy Act regulates businesses’ collection and sale of consumer data to protect California residents’ sensitive personal information and to give consumers control over how that information is used. The CCPA will be updated in 2023 with greater enforcement penalties through the California Privacy Rights Act.

The CCPA applies to consumer data collected from any resident of California, whether by a company headquartered there or merely doing business there.

Organizations should therefore ensure that their third-party partners and service providers are prepared to protect consumer information. The first step in any security program is to identify and prioritize existing risks through a thorough security assessment.

Relevant Regulations

  • 1798.81.5 (b) “A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

  • 1798.140(c) “Permits, subject to agreement with the contractor [or service provider], the business to monitor the contractor’s [or service provider’s] compliance with the contract through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months.”

  • 1798.185 (a) “Perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent. The factors to be considered in determining when processing may result in significant risk to the security of personal information shall include the size and complexity of the business and the nature and scope of processing activities.”

  • 1798.185 (b) “Submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal information.”

The CCPA Third-Party Compliance Checklist

Read this report to understand third-party considerations in the California Consumer Privacy Act (CCPA) and discover how to assess your vendors for CCPA compliance.


Meeting CCPA TPRM Requirements

Here's how Prevalent can help you address CCPA third-party risk management best practices:

CCPA Best Practices and How Prevalent Helps

Discovery & Data Mapping

Prevalent supports scheduled assessments that identify data flows across third-party relationships: where data exists, where it flows, and who it is shared with outside the organization, using a unique relationship mapping capability. It automatically generates a risk register that highlights key risk areas to bring visibility into data.

Prevalent conducts a Privacy Impact Assessment (PIA) focused on the most sensitive business and privacy-related data and on the business processes with the highest risk. It evaluates the origin, nature and severity of the potential risk, and provides recommendations to mitigate identified risks to ensure future compliance with privacy regulations.

Vendor Risk Assessments

Prevalent assesses vendor data privacy controls against the CCPA using the Prevalent Compliance Framework (PCF). Specific questionnaire content helps to identify risks during the assessment and map them to controls for a clear view of potential hot spots.

Risk Response

Prevalent automates risk identification based on thresholds set in the platform. It accelerates response with pre-built workflow rules that escalate identified risks to the proper stakeholder for immediate review and disposition.

Compliance Tracking & Reporting

Prevalent reports against the CCPA using the Prevalent Compliance Framework, which automatically maps risks and responses to controls, provides a percent-compliant rating, and delivers stakeholder-specific reporting to bring visibility to data security.

Breach Event Notification Monitoring

Prevalent provides access to a database containing 10+ years of data breach history for thousands of companies around the world. It includes the types and quantities of stolen data, compliance and regulatory issues, and real-time vendor data breach notifications.

Subject Access Requests

Prevalent enables vendors and business users to trigger subject access request (SAR) workflows based on the requests they receive, using a proactive assessment to capture the relevant data. Using the relationship map, risk and privacy teams can visualize with whom data is shared and who is exposed to that vendor’s data.

Align Your TPRM Program with CCPA, GDPR, HIPAA and More

Download this guide to review specific requirements from 5 data privacy authorities, identify TPRM capabilities that map to each requirement, and uncover best practices for ensuring compliance.
