
CCPA Compliance

CCPA and Third-Party Risk Management

The California Consumer Privacy Act was signed into law on June 28, 2018. The law aims to enhance privacy rights and consumer protection by regulating businesses’ collection and sale of consumer data. The law establishes the rights of both the California Attorney General and private California residents to take legal action against businesses if they fail to comply.

While the CCPA is technically California state law, its reach will be felt far beyond the borders of that state. This outsized impact is due to the nature of the law itself; CCPA oversight is not limited to businesses headquartered in California, or even to businesses physically operating in California—the CCPA applies to consumer data collected from any resident of California. Given that California is home to about 40 million people and would be the 5th largest economy in the world if it were its own country, the odds are good that any business collecting consumer data has collected the data of a California resident.

Due to the fluid nature of state residency in the United States, and the massive undertaking involved in tracking the residency of each and every consumer from whom data is collected, some firms are choosing to treat every consumer as if they were a California resident, and are therefore preparing for blanket CCPA compliance across their businesses. But while these internal preparations are important, ensuring the business’s own compliance is not enough—organizations must also ensure that their relationships with third parties fall in line with the CCPA.

Relevant Regulations

  • 1798.115(d) – “A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out pursuant to 1798.120.”

  • 1798.120(a) – “A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out.”

  • 1798.120(b) – “A business that sells consumers’ personal information to third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the right to opt out of the sale of their personal information.”

Satisfying Third-Party Risk Management Compliance Requirements

Discover the key third-party risk management requirements in common regulatory and security frameworks, and learn how Prevalent maps to specific mandates so you can achieve compliance while mitigating vendor risk.


Meeting CCPA TPRM Requirements

Here's how Prevalent can help you address CCPA third-party risk management best practices:

CCPA Best Practices / How We Help

Discovery & Data Mapping

Prevalent supports scheduled assessments to identify data flows across third-party relationships, showing where data exists, where it flows, and who it is shared with outside the organization, using a unique relationship mapping capability. It automatically generates a risk register highlighting key risk areas to bring visibility into data.

Prevalent conducts a Privacy Impact Assessment (PIA) targeted at the most sensitive business and privacy-related data and the highest-risk business processes. It evaluates the origin, nature and severity of the potential risk, and provides recommendations to mitigate identified risks, supporting future compliance with privacy regulations.

Vendor Risk Assessments

Prevalent assesses vendor data privacy controls against the CCPA using the Prevalent Compliance Framework (PCF). Targeted questionnaire content helps identify risks during the assessment and map them to controls, giving a clear view of potential hot spots.

Risk Response

Prevalent automates risk identification based on thresholds set in the platform. It accelerates response with pre-built workflow rules that escalate identified risks to the proper stakeholder for immediate review and disposition.

Compliance Tracking & Reporting

Prevalent reports against the CCPA using the Prevalent Compliance Framework, which automatically maps risks and responses to controls, provides a percent-compliant rating, and delivers stakeholder-specific reporting to bring visibility to data security.

Subject Access Requests

Prevalent enables vendors and business users to trigger subject access request (SAR) workflows based on the requests they receive, using a proactive assessment to capture the relevant data. Using the relationship map, risk and privacy teams can visualize who data is shared with and who is exposed to that vendor’s data.
