Often regarded as the Californian version of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) aims to increase consumer rights by giving California residents greater control over the use of their personal data.
The CCPA heavily regulates the use of any data that could potentially link to the identity of a consumer or household, either directly or indirectly. This could include identification by IP address or the collection of cookies on social media websites, such as LinkedIn.
The problem with such a broad definition of sensitive data is that it increases the chances of regulatory noncompliance across all entities processing consumer data, including your third-party vendors.
To learn how to adjust your Third-Party Risk Management Program to comply with the CCPA, read on.
For an in-depth overview of all CCPA requirements, read this post.
Important: The provisions of the CCPA have been amended and expanded in the California Privacy Rights Act (CPRA). To learn about the CPRA, read this post.
CCPA Compliance Requirements for Third-Party Vendors and Service Providers
The following compliance checklist will help you comply with the data privacy laws and privacy regulations of the CCPA.
1. Identify all Third-Parties Involved in Data Collection and Data Processing
The CCPA summarizes a business's obligations when it collects consumer data in Section 1798.100(b):
A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.
The CCPA defines which data processing activities fall into the “business purpose” category in Section 1798.140(4):
“Business purpose” means the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected. Business purposes are:
The first step toward privacy protection compliance is identifying all third-party relationships involved in selling, buying, and processing consumer data. This is most efficiently achieved with third-party risk assessments.
How UpGuard can help
UpGuard’s extensive risk assessment library includes an assessment specifically designed for the CCPA. After all entities involved in consumer data processing have been identified, their specific data security standards can be further scrutinized with custom questionnaires designed for each vendor's unique cybersecurity context.
Don’t Forget about your Fourth Parties
The consumer data processing standards regulated by the CCPA do not end at your third-party network. Thanks to digital transformation, the impact on consumer data security now extends to the entire supply chain, including the fourth-party and even n-th-party network. Identifying the fourth-party entities involved in consumer data transactions is difficult with risk assessments alone.
This is best achieved with the support of an attack surface monitoring solution capable of mapping your ecosystem to its third- and fourth-party vendors.
Once all third and fourth parties have been identified, written contracts should be updated to include the following details:
- Expected data protection responses in the event of a data breach.
- A requirement for vendors to share their data inventory details.
- An agreement to complete due diligence questionnaires promptly.
- An agreement to onsite auditing.
- An agreement to map the consumer data processing lifecycle to all entities involved in the purchase and sale of the data.
- An agreement to comply with consumer requests for data deletion and access.
2. Identify all Vendor Risks and Security Vulnerabilities Threatening Consumer Data Safety
With a solution in place for promptly identifying security risks threatening the safety of consumer data, you’ll establish a strong foundation for complying with all the third-party risk requirements of the CCPA.
Automated attack surface monitoring allows you to scale the assessment of publicly available vendor data to identify potential cyber threats placing consumer data at risk. With a continuous monitoring solution in place, the due diligence requirements of Section 1798.140(4)(2) can be satisfied:
Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity
How UpGuard Can Help
The UpGuard platform includes an attack surface monitoring solution and a third-party data leak detection engine to help shut down critical exposures threatening the integrity of all consumer data.
3. Perform Annual Audits for all Entities Threatening Consumer Data Safety
According to CCPA Section 1798.185(15), once vendors presenting a significant risk to consumer data safety have been identified, an annual cybersecurity audit should be implemented for these vendors.
(15) Issuing regulations requiring businesses whose processing of consumers' personal information presents a significant risk to consumers' privacy or security to:
(A) Perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent. The factors to be considered in determining when processing results in significant risk to the security of personal information shall include the size and complexity of the business and the nature and scope of processing activities.
An independent party should complete these audits. Separately from these audits, a risk assessment evaluating the efficacy of each vendor’s data security controls should be submitted to the California Privacy Protection Agency on a regular basis.
How UpGuard Can Help
UpGuard’s executive summary feature includes a risk matrix to help stakeholders quickly identify the vendors posing the greatest threat to your security posture.
By grouping the vendors involved in consumer data processing into tiers of increasing criticality, this risk matrix can also improve how you communicate the state of your third-party consumer data security to the California Privacy Protection Agency.