CCPA, CPRA and Third-Party Risk Management

The California Consumer Privacy Act regulates businesses’ collection and sale of consumer data to protect California residents’ sensitive personal information and provide consumers with control over how that information is used. The CCPA was expanded in 2023 with the California Privacy Rights Act (CPRA), adding new compliance obligations that mandate strict third-party agreements to ensure the secure collection, use and disposal of consumer information.

The CCPA and CPRA apply to consumer data collected from any resident of California – whether by a company headquartered there or just doing business there. If a business is found to be liable for a civil penalty under the CCPA, the penalty can reach $7,500 per intentional violation and $2,500 per unintentional violation. The court may also order statutory damages for consumers.

Organizations should therefore ensure that their third-party partners and service providers are well prepared to protect consumer information. The first step in any security program is to identify and prioritize existing risks via a thorough security assessment.

Relevant Regulations

  • 1798.81.5 (b) “A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
  • 1798.140(c) “Permits, subject to agreement with the contractor [or service provider], the business to monitor the contractor’s [or service provider’s] compliance with the contract through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months.”
  • 1798.185 (b) “Submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal information.”
  • 1798.100 (d) “A business…shall enter into an agreement with such third party, service provider, or contractor, that: … Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title; Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.”
  • 1798.185 (a) “Perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent. The factors to be considered in determining when processing may result in significant risk to the security of personal information shall include the size and complexity of the business and the nature and scope of processing activities.”

Meeting CCPA TPRM Requirements

Here’s how Prevalent can help you address CCPA third-party risk management best practices:

CCPA Best Practices and How We Help

Discovery & Data Mapping

Prevalent supports scheduled assessments to identify data flows between relationships, identifying where data exists, where it flows, and who it is shared with outside the organization using a unique relationship mapping capability. The platform automatically generates a risk register highlighting key risk areas to bring visibility into how data is handled.

Vendor Risk Assessment

Prevalent assesses vendor data privacy controls against CCPA using the Prevalent Compliance Framework (PCF). Specific questionnaire content helps identify risks during the assessment and map them to controls, giving a clear view of potential hot spots.

Risk Response

Prevalent automates risk identification based on thresholds set in the platform. It accelerates response with pre-built workflow rules that escalate identified risks to the proper stakeholder for immediate review and disposition.

Compliance Tracking & Reporting

Prevalent reports against CCPA using the Prevalent Compliance Framework that automatically maps risks and responses to controls, provides a percent-compliant rating, and delivers stakeholder-specific reporting to bring visibility to data security.

Breach Event Notification Monitoring

Prevalent provides access to a database containing 10+ years of data breach history for thousands of companies around the world. It includes types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.

Subject Access Requests

Prevalent enables vendors and business users to trigger subject access request (SAR) workflows based on requests they receive, using a proactive assessment to capture the relevant data. Leveraging the relationship map, risk and privacy teams can visualize who data is shared with and who is exposed to that vendor’s data.

Vendor Contract Management

Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts, including workflow capabilities to automate the contract lifecycle from onboarding to offboarding.

With Prevalent, procurement and legal teams have a single solution to enforce vendor contract provisions and KPIs, and simplify management and review.

Schedule a free, personalized solution demo to find out whether Mitratech Prevalent is right for you.

Contact Us
