A CCPA and CPRA Compliance Checklist for Third-Party Risk Management

Mitratech Staff

Originally passed into law in June 2018 and in effect since January 2020, the California Consumer Privacy Act (CCPA) regulates businesses’ collection and sale of consumer data, aiming to protect California residents’ personal information and giving consumers control over how that information is used.

The CCPA was expanded by the California Privacy Rights Act (CPRA), passed by ballot measure in November 2020 and in effect since January 2023, which added new compliance obligations that mandate strict third-party agreements to ensure the secure collection, use and disposal of consumer information. While largely identical to the CCPA, the CPRA:

This post examines key requirements in CCPA, who it applies to, and how organizations can ensure their third parties are protecting their customer data. For simplicity, this post refers to both regulations – CCPA and CPRA – as the CCPA.

How Does the CCPA Define Personal Information?

Let’s start with how “personal information” is defined. The CCPA defines personal information as, “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CPRA added a narrower subcategory, “sensitive personal information” (for example, government identifiers, account credentials, precise geolocation and health data), that carries additional limits on use.

What Does the CCPA Require Companies (and Their Third Parties) to Do?

The CCPA requires companies to inform California residents, at or before the point of collection, about the categories of personal information being collected and the purposes for which it will be used. It allows consumers to access the personal information a company holds about them and to learn the categories of third parties with whom that information has been shared. It also allows consumers to opt out of the sale or sharing of their personal information with third parties, and to request that it be deleted.

Who Does the CCPA Apply To?

While the CCPA is technically California state law, its reach is felt far beyond the borders of the Golden State. CCPA oversight is not limited to businesses headquartered in California, or even to businesses physically operating in California: the CCPA applies to any business that does business in California, meets one of the statutory thresholds (annual gross revenue above roughly $25 million; buying, selling or sharing the personal information of 100,000 or more consumers or households; or deriving half or more of its revenue from selling or sharing personal information), and collects the personal information of a California resident.

Given that California is home to about 40 million people and would be the fifth largest economy in the world if it were its own country, the odds are good that if your business is collecting consumer data, you have collected the data of a California resident. In fact, many businesses opt to treat every consumer as if they were a California resident, and therefore prepare for CCPA compliance across their businesses.

What Are the Penalties for CCPA Non-Compliance?

If a business is found to be liable for a civil penalty under the CCPA, the penalty can reach $7,500 per intentional violation and $2,500 per unintentional violation, with each affected consumer counting as a separate violation. Separately, consumers have a private right of action when a business’s failure to implement reasonable security leads to a breach of their personal information, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater.

What About 4th and Nth Parties?

Only once your business has identified the third parties to which you sell or share consumer data can you begin to take steps to ensure CCPA compliance, such as updating your legal agreements with the third party (the CCPA requires contracts with service providers, contractors and third parties to contain specific terms limiting how the data may be used) or opening channels of communication in case of a breach. Then, as part of that process, extend your discovery out to 4th and Nth parties. Mapping the relationships between your organization, its third parties, and their third parties will surface dependencies and visualize the paths consumer data travels, making the process of reporting much simpler.
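To make the 4th/Nth-party discovery step concrete, here is an added example (not code from the original post or from Prevalent’s product). It walks a small vendor-to-vendor data-sharing graph, narrows the categories of personal information hop by hop, reports which tier each party sits at, and flags parties whose copy of the data passed through a sale, since a consumer’s opt-out has to propagate to those. All vendor names, categories and sharing records are constructed for illustration.

```python
"""
Added example, not code from the original post or from Prevalent's product:
walk a vendor-to-vendor data-sharing graph to find every 4th/Nth party that
can end up holding a category of personal information, the path it travels,
and whether any hop on that path was a sale (so an opt-out must propagate).
Every vendor name, category and sharing record below is constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sharing records: (sender, recipient, PI categories passed, basis for the transfer)
SHARING_RECORDS = [
    ("acme-corp",      "crm-saas",       {"email", "purchase_history"}, "service_provider"),
    ("acme-corp",      "ad-network",     {"email", "device_id"},        "sale"),
    ("crm-saas",       "email-delivery", {"email"},                     "subcontractor"),
    ("crm-saas",       "analytics-co",   {"purchase_history"},          "subcontractor"),
    ("email-delivery", "cloud-host",     {"email"},                     "subcontractor"),
    ("ad-network",     "data-broker",    {"device_id"},                 "sale"),
    ("data-broker",    "ad-network",     {"device_id"},                 "sale"),  # deliberate cycle
]


@dataclass(frozen=True)
class Flow:
    path: tuple            # origin, ..., recipient
    categories: frozenset  # PI categories that actually reach the recipient along this path
    bases: tuple           # basis of each hop, aligned with path[1:]

    @property
    def tier(self):
        """1 = third party, 2 = 4th party, 3 = 5th party, ..."""
        return len(self.path) - 1

    @property
    def involves_sale(self):
        return "sale" in self.bases


def build_graph(records):
    graph = defaultdict(list)
    for sender, recipient, categories, basis in records:
        graph[sender].append((recipient, frozenset(categories), basis))
    return graph


def downstream_flows(graph, origin):
    """Breadth-first walk from origin. Returns {party: [Flow, ...]} for every
    reachable party. Categories narrow hop by hop: a recipient can only hold
    what every upstream hop passed on. Only simple paths are followed, so the
    data-broker -> ad-network cycle terminates."""
    flows = defaultdict(list)
    queue = deque([Flow((origin,), None, ())])
    while queue:
        cur = queue.popleft()
        for nxt, edge_cats, basis in graph.get(cur.path[-1], ()):
            reaching = edge_cats if cur.categories is None else cur.categories & edge_cats
            if not reaching or nxt in cur.path:
                continue  # no PI survives this hop, or nxt is already on the path
            flow = Flow(cur.path + (nxt,), reaching, cur.bases + (basis,))
            flows[nxt].append(flow)
            queue.append(flow)
    return dict(flows)


def parties_holding(flows, category):
    """Every party, at any tier, that ends up receiving the given PI category."""
    return sorted(p for p, fl in flows.items() if any(category in f.categories for f in fl))


def opt_out_targets(flows):
    """Parties whose copy of the data passed through at least one sale, i.e.
    where a consumer's opt-out of sale/sharing must be propagated."""
    return sorted(p for p, fl in flows.items() if any(f.involves_sale for f in fl))


def nth_parties(flows, min_tier=2):
    """Parties beyond your direct third parties (4th party = tier 2, and so on)."""
    return sorted(p for p, fl in flows.items() if any(f.tier >= min_tier for f in fl))


if __name__ == "__main__":
    flows = downstream_flows(build_graph(SHARING_RECORDS), "acme-corp")
    for party in sorted(flows):
        for f in flows[party]:
            print(f"tier {f.tier}: {' -> '.join(f.path)}  holds={sorted(f.categories)}  sale={f.involves_sale}")
    print("holds email:", parties_holding(flows, "email"))
    print("opt-out must reach:", opt_out_targets(flows))
    print("4th/Nth parties:", nth_parties(flows))
```

Two design points matter for reporting. Categories are intersected at each hop, so a 5th party such as the constructed `cloud-host` is only reported as holding what every intermediary actually forwarded, which is the answer an access request needs. The basis of every hop is kept with the path, so an opt-out can be routed to each party whose copy originated in a sale rather than to everyone downstream.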

How Prevalent Can Help

Prevalent provides businesses with a comprehensive solution for managing their third-party relationships for CCPA compliance. Our third-party risk management platform makes it easy to:

  • Discover and map data between third, 4th and Nth party relationships
  • Perform self-assessments to understand the maturity of internal processes, as well as data owners
  • Assess third parties for data privacy controls
  • Automate risk response when third-party answers don’t line up with expectations
  • Report on CCPA compliance with built-in reporting
  • Receive automated data breach notifications to understand possible risks to your customers’ data
  • Centralize the distribution, discussion, retention, and review of vendor contracts

For more details on how Prevalent can help organizations assess their third-party data security controls to support CCPA requirements, read the white paper, The CCPA Third-Party Compliance Checklist or request a demo today. To learn how third-party risk management applies to other privacy regulations, download The Third-Party Compliance Handbook: Data Privacy Regulations.


Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management provider, Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.