The California Consumer Privacy Act of 2018 (CCPA) aims to protect the personal information of California residents by ensuring this personal data is responsibly collected and shared. The regulation imposes certain rules on your organization if it uses or transfers personal data collected from residents in the state.

‍

Your approach to third-party risk management (TPRM) is essential for CCPA compliance, especially if you let any of your vendors access California residents’ personal data as part of their services. In this guide, we’ll go over the third-party risk management (TPRM) requirements of the CCPA to make it easier for you to meet them.

‍

Who is affected by the CCPA?

The CCPA doesn’t only affect California-based businesses. Your organization must comply with it regardless of its location if it collects personal information of the state’s residents, is for-profit, and meets any of the following criteria:

‍

• Has over $25 million in gross annual revenue.
• Earns at least 50% of its revenue through the selling of California residents’ personal information.
• Buys, sells, or shares the personal data of at least 50,000 California households or residents.

‍

If a third party you’re working with meets any of the above criteria, they must also comply with the CCPA in full.

‍

{{cta_withimage20="/cta-modules"}}

‍

Who is considered a third party under the CCPA?

The CCPA defines a "third party" as any entity outside your business that receives the personal information of a California resident through its partnership with you. For example, a marketing or advertising partner to whom you disclose customer information becomes a qualified third party.

‍

However, this excludes contractors and service providers that process customers' personal information on behalf of the organization, provided there’s a written contract prohibiting them from selling, retaining, using, or disclosing the data.

‍

The CCPA was amended by the California Privacy Rights Act (CPRA) of 2023 which adds new requirements to ensure you negotiate strict data protection agreements with third parties that secure customer information from you. These amendments also show alignments between  CCPA and the EU's GDPR.

‍

It’s also worth noting that there are many state-level privacy regulations similar to CCPA, so complying with it may help you adhere to similar laws across the U.S. 

TPRM-focused CCPA provisions you should know about

To manage third-party risk in accordance with the CCPA, you need to familiarize yourself with the following provisions:

‍

1. 1798.81.5 (b) and (c): Reasonable security procedures and practices
2. 1798.100 (d): Agreements with third parties
3. 1798.140 (j) (1) (C): Reviews, assessments, and audits
4. 1798.185 (15) (a) and (b): Cybersecurity audits and annual risk assessments

‍

We’ll discuss each provision in more detail below and provide the most effective TPRM tips to meet the necessary requirements.

‍

1798.81.5 (b) and (c): Reasonable security procedures and practices

According to Section 1798.81.5 (b), any business that owns, maintains, or licenses the personal information of a California resident is obligated to implement reasonable security procedures to safeguard it.

‍

Paragraph (c) extends this requirement to third parties. It mandates that an organization disclosing information to a third party must contractually obligate it to implement the necessary security measures.

‍

To meet this requirement, you need to identify all third parties that can access the data governed by the CCPA and then ensure your business contracts or SLAs account for these guidelines. You should ensure your agreement imposes necessary penalties to address compliance gaps.

‍

If you’re new to CCPA compliance, you can create a unified inventory of all third parties and use a standardized security questionnaire to assess each party’s data protection practices. You can consult with your legal team to map out remediation strategies (e.g., updating the contract or ending the partnership) for non-compliant third parties.

‍

{{cta_withimage11="/cta-modules"}} | The US Data Privacy Checklist

‍

1798.100 (d): Agreements with third parties

As per Section 1798.100 (d), a business that sells or shares personal information with a third party, including a contractor or service provider, must enter into an agreement with them that outlines the following:

‍

• A disclosure that the information was shared for a limited, specific purpose.
• Obligation to comply with the relevant CCPA requirements.
• Obligation to notify the business when it can no longer comply with the requirements.
• Rights of the business to ensure that a third party follows the contracted guidelines.
• Rights of the business to remediate unauthorized or improper use of the shared information.

Tracking if all CCPA guidelines in third-party agreements are honored can be challenging due to extensive evidence gathering. The good news is that you can centralize the process with a compliance solution that enables you to gather this information effortlessly.

‍

1798.140 (j) (1) (C): Reviews, assessments, and audits

Section 1798.140 (j) discusses an organization’s relationship with a contractor. The noteworthy paragraph here is (1) (C), which requires a business to monitor a contractor’s compliance with the applicable CCPA regulations through various activities, such as:

‍

• Manual reviews
• Automated scans
• Assessments and audits

The above activities should occur at least once a year, though you’ll want to perform them more frequently. Typically, less-frequent assessments and audits put a greater burden on the business to detect potential non-compliance issues triggered during the gap.

‍

To avoid this, consider setting up continuous monitoring mechanisms through automated risk assessments and security reviews. Continuous monitoring, when formalized with capable software, enables a streamlined overview of your compliance status.

‍

1798.185 (15) (a) and (b): Cybersecurity audits and annual risk assessments

Section 1798.185 (15) requires organizations whose data processing activities pose “significant risk” to a consumer’s security and privacy to take the following two steps:

‍

1. Perform annual cybersecurity audits.
2. Submit a risk assessment to the California Privacy Protection Agency (CPPA) annually, along with compliance certification by a designated auditor. The assessment should outline elements like:some text
   1. Details of personal information processed
   2. Purpose of collecting the information
   3. Risk mitigation strategies

‍

“Significant risk” isn’t precisely defined by the CCPA, so it can be determined on a case-by-case basis.

‍

Conducting cybersecurity audits to assess your third party’s attack surface can take a lot of time and effort. You can expedite the process through risk assessment questionnaires and templates, or leverage a dedicated compliance management solution to increase efficiency.

‍

{{cta_withimage5="/cta-modules"}} | How to minimize third-party risk with vendor management guide

‍

Ensure end-to-end CCPA/CPRA compliance with Vanta

Vanta is a complete compliance management platform that helps you meet regulatory guidelines faster with several products, like the CCPA/CPRA suite.

‍

It offers pre-built workflows to streamline your compliance journey, as well as guidance to fulfill compliance gaps. Features like automated evidence collection and policy builder help you complete internal work before audits faster. Plus, you can access Vanta’s exclusive US Data Privacy framework that keeps you compliant with several major privacy laws including and beyond CCPA/CPRA.

‍

You can also leverage Vanta’s Vendor Risk Management product to enhance your TPRM program through features like:

‍

• Centralized vendor inventory
• Risk auto-scoring based on predetermined or custom parameters
• Comprehensive vendor dashboard
• Shadow IT discovery 
• Security review tracking

‍

These features automate a majority of tasks involved in compliance frameworks — schedule a custom demo and get product insights tailored to your needs. 

‍

{{cta_simple5="/cta-modules"}} | Vendor Risk Management product page 

‍

A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney. 

‍