CCPA/CPRA Vendor Risk Management Checklist
An important milestone in US data protection legislation occurred in 2018, when the California Consumer Privacy Act (CCPA) was enacted. In addition to enhancing consumer rights, it presented a dramatic shift towards more stringent data privacy controls for California residents. With the CCPA, consumers gained unprecedented control over their personal information through novel concepts such as “right to access,” “right to delete,” and “right to opt out.”
The California Privacy Rights Act (CPRA) was approved by ballot initiative in November 2020, two years after the CCPA was enacted. It became operative on January 1, 2023, but enforcement of the CPPA's implementing regulations was delayed by a June 2023 court ruling until March 29, 2024. By introducing several critical amendments that further extend the protection of California residents' personal data, the CPRA expands and refines its predecessor.
Contractors, Service Providers and Third Parties Under The CPRA
Under the CPRA, a service provider and a contractor are treated virtually the same in terms of the requirements that apply, but they are defined differently.
Service Provider
According to the CPRA, a service provider is a party “that processes personal information on behalf of a [covered] business and that receives from or on behalf of [that] business [a] consumer’s personal information for a business purpose pursuant to a written contract.”
Essentially, they are vendors (or data processors) who receive a consumer’s personal information either directly from or on behalf of their customers (covered businesses).
Contractor
A contractor is a party “to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract.”
This definition of a contractor is broader than that of a service provider. Contractors receive consumer information from their customers (covered businesses) while service providers process it on behalf of businesses. Many organizations that you previously treated as service providers under the CCPA may now be classified as contractors under the CPRA. In addition, contractors may only receive personal information directly from covered businesses, i.e., they cannot collect the information on their behalf.
Third Party
In ordinary language, both contractors and service providers might be considered “third parties,” but the CPRA defines “third parties” differently.
A third party is any person that is not the covered business that collected the personal information, a service provider, or a contractor.
Under the CPRA, covered businesses must also put certain contractual terms in place when they sell personal information to, or share it with, a third party. While these requirements are less extensive than those for service providers or contractors, it is the first time a US jurisdiction has required contractual obligations for third parties that are not providing a service to the covered business.
How can a covered business tell if a party with whom it is sharing data is a contractor or service provider?
In general, if the party is collecting the information on your behalf, they are a service provider. If you provide personal information to them, you must examine the situation more closely to determine whether they are service providers or contractors.
Vendor Risk Management & New Requirements Under the CPRA
Several new provisions in the CPRA strengthen consumer privacy rights in comparison to the CCPA. In addition to expanding consumer rights in terms of opt-out requirements and consumer privacy requests, a few key developments in the CPRA indicate a stronger emphasis on enforcing data privacy laws, such as:
The CPRA created the California Privacy Protection Agency (CPPA), the first agency dedicated to enforcing privacy laws in the US
Violations involving the personal information of consumers under 16 now carry a penalty of $7,500 per violation, the rate the CCPA reserved for intentional violations, instead of $2,500
The CPRA requires contractual clauses and other safeguards so that privacy and security risks across the supply chain are addressed
Businesses whose processing of personal information presents a significant risk to consumers' privacy or security must perform a cybersecurity audit on an annual basis
The same businesses must submit regular risk assessments of that processing to the CPPA
It is imperative for organizations to assess and audit their vendors in order to understand their data privacy risks. Because a large share of that risk sits with third parties, it cannot be accurately assessed or mitigated without visibility into them. So how do you do it right?
CPRA Vendor Risk Management Checklist
First, to ensure compliance with the CPRA, you must identify every third party that sells, buys, or processes consumer data. An up-to-date vendor inventory, followed by a risk assessment of each vendor, is the way to accomplish this.
hoggo provides a free vendor directory, called Trust Hub, where you can look up your vendors, view their Privacy Passport and ensure you only engage with trustworthy ones.
Having a vendor risk management solution can help you have a clear overview of your vendors, see who is using them, for what purposes and what personal information they have access to.
It's crucial to keep an updated list of all the vendors you use and the types of data you share with each of them. This can easily be done with vendor management tools such as "My Vendors".
CPRA Vendor Risk Management – Map Your Supply Chain
Second, you need to map your fourth-party vendors and the rest of the supply chain.
CPRA vendor risk management requirements do not stop at your direct (third-party) vendors. Your vendors' own service providers, your fourth parties, may put your customers' data at risk, so you should identify and assess them as part of the initial vendor risk assessment.
CPRA Vendor Risk Management – Contractual Obligations
Section 1798.100(d) of the CCPA, as amended by the CPRA, states that a business that collects a consumer's personal information and sells it to, or shares it with, a third party, or discloses it to a service provider or contractor for a business purpose, must enter into an agreement that "obligates the third party, service provider, or contractor to comply" with the law's privacy requirements.
It is imperative for a covered business to ensure that its third-party partners and service providers are prepared to protect consumer information. Identify and prioritize the existing risks first, and document them.
The contract must include terms that:
- Specifies that the personal information (PI) is sold or disclosed by the business only for limited and specified purposes;
- Obligates the recipient party to comply with applicable obligations under the CCPA/CPRA and to provide the same level of privacy protections to the data as the law requires;
- Grant the covered business the right to take reasonable and appropriate steps to ensure that the other party uses the PI in a manner consistent with the business's obligations under the law;
- Requires the other party to notify the business if it determines that it can no longer meet its obligations under California privacy law;
- Grants the covered business the right to take reasonable and appropriate steps (in compliance with the CCPA/CPRA) to stop and remediate any unauthorized use of personal information.
CPRA Vendor Risk Management – Monitoring & Annual Audit
Section 1798.185(a)(15) of the CCPA directs the CPPA to adopt regulations requiring businesses whose processing presents a significant risk to consumers' privacy or security to perform a cybersecurity audit on an annual basis. Vendors that handle that data fall within the audit's scope, so once you have identified the vendors that present a significant risk to consumer data, include them in the annual audit.
The statute does not define "significant risk"; it points to the size and complexity of the business and the nature and scope of its processing, and the CPPA's draft regulations propose factors such as whether the business: (1) derives 50 percent or more of its annual revenue from selling or sharing consumers' personal information; (2) processes the personal information of a large number of consumers; (3) processes sensitive personal information; or (4) knowingly processes the personal information of consumers under 13 years of age.
Keep in mind that a successful annual audit depends on continuous vendor monitoring. Monitoring alerts you to changes in your vendors' policies, which you can then include in the annual audit documentation.
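The four checklist steps above (inventory, supply-chain mapping, the 1798.100(d) contract terms, and scoping the annual audit) can be modelled as one small program. The following Python is an added example written for this page; it is not code from the page or from hoggo's product. The clause labels, the set of categories treated as sensitive, the 100,000-consumer threshold, the classification rule of thumb, and the sample vendors are all constructed for illustration and are not statutory definitions.

```python
from dataclasses import dataclass, field

# The five contract terms Cal. Civ. Code 1798.100(d) requires when PI is sold,
# shared or disclosed. The labels are this example's own shorthand.
REQUIRED_CLAUSES = frozenset({
    "limited_purposes",       # PI used only for limited, specified purposes
    "same_level_protection",  # recipient complies with CCPA/CPRA obligations
    "audit_right",            # business may verify consistent use of the PI
    "notify_if_unable",       # recipient must say if it can no longer comply
    "remediation_right",      # business may stop and remediate unauthorized use
})

# Assumptions for illustration: which categories count as sensitive PI and
# how many consumers make a vendor's processing "large". Not statutory figures.
SENSITIVE = frozenset({"ssn", "geolocation", "health", "biometric", "financial"})
LARGE_CONSUMER_COUNT = 100_000


@dataclass
class Vendor:
    name: str
    collects_on_our_behalf: bool      # True: collects PI for us (service provider)
    data_categories: frozenset        # categories of PI this party holds
    contract_clauses: frozenset       # REQUIRED_CLAUSES present in the signed contract
    consumers: int = 0                # approx. California consumers whose PI it holds
    minors_under_16: bool = False
    subprocessors: list = field(default_factory=list)  # fourth parties (Vendor objects)


def classify(v: Vendor) -> str:
    """The page's rule of thumb: a party collecting PI on your behalf is a service
    provider; a party you merely hand PI to needs a closer look at the contract."""
    return "service provider" if v.collects_on_our_behalf else "review: contractor or service provider"


def contract_gaps(v: Vendor) -> frozenset:
    """1798.100(d) terms missing from this vendor's contract."""
    return REQUIRED_CLAUSES - v.contract_clauses


def risk_flags(v: Vendor) -> list:
    """Factors that mark this party's processing as significant risk."""
    flags = []
    if v.data_categories & SENSITIVE:
        flags.append("sensitive PI")
    if v.consumers >= LARGE_CONSUMER_COUNT:
        flags.append("large consumer population")
    if v.minors_under_16:
        flags.append("minors' PI")
    return flags


def map_chain(v: Vendor, path: tuple = ()):
    """Yield (vendor, chain) for v and every subprocessor beneath it. `chain` is the
    tuple of names from our direct vendor down to this party: length 1 is a third
    party to us, length 2 or more a fourth party. A vendor already in the chain is
    not descended again, so two vendors that subprocess for each other cannot loop."""
    if v.name in path:
        return
    chain = path + (v.name,)
    yield v, chain
    for sub in v.subprocessors:
        yield from map_chain(sub, chain)


def review(vendors: list) -> dict:
    """One report entry per party anywhere in the supply chain, with its role,
    closest tier, contract gaps, risk flags and every chain it was reached through."""
    report = {}
    for direct in vendors:
        for v, chain in map_chain(direct):
            entry = report.setdefault(v.name, {
                "role": classify(v), "tier": len(chain),
                "gaps": sorted(contract_gaps(v)), "flags": risk_flags(v), "chains": []})
            entry["chains"].append(" -> ".join(chain))
            entry["tier"] = min(entry["tier"], len(chain))
    return report


def audit_scope(report: dict) -> list:
    """Parties at any tier whose processing is flagged as significant risk, i.e. the
    ones the checklist puts inside the annual cybersecurity audit."""
    return sorted(name for name, e in report.items() if e["flags"])


# Constructed sample inventory (fictional vendors, not real companies).
CLOUD = Vendor("cloud-host", False, frozenset({"email", "health"}), REQUIRED_CLAUSES, consumers=250_000)
ANALYTICS = Vendor("analytics-sdk", True, frozenset({"device_id", "geolocation"}),
                   frozenset({"limited_purposes", "same_level_protection"}),
                   consumers=400_000, subprocessors=[CLOUD])
HELPDESK = Vendor("helpdesk", True, frozenset({"email", "name"}), REQUIRED_CLAUSES,
                  consumers=30_000, subprocessors=[CLOUD])
AD_NETWORK = Vendor("ad-network", False, frozenset({"device_id"}),
                    frozenset({"limited_purposes"}), consumers=500_000)
INVENTORY = [ANALYTICS, HELPDESK, AD_NETWORK]

if __name__ == "__main__":
    rep = review(INVENTORY)
    for name, e in rep.items():
        print(f"{name}: tier {e['tier']}, {e['role']}; gaps={e['gaps']}; flags={e['flags']}")
        for c in e["chains"]:
            print("   via", c)
    print("annual audit scope:", audit_scope(rep))
```

Note that cloud-host appears once in the report even though two direct vendors hand it data; the `chains` list records both routes, which is what you need when asking a vendor which of its subprocessors receives which categories.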
How hoggo can help
hoggo provides businesses with a comprehensive solution for managing third-party vendor relationships, which can assist in achieving CCPA/CPRA compliance.
With hoggo you can:
Assess your third-party vendors’ data practices in minutes (and for free)
Spot high-risk vendors and find low-risk alternatives
Assess third parties for data security controls
Manage your third-party vendors’ relationships
Have a clear overview of your vendors, who is using them, for what purposes and what personal data they have access to
Perform self-assessments to understand the maturity of internal processes, as well as data owners
Get automated vendor monitoring and data breach notifications to understand possible risks to your customers’ data
Noa Kahalon
Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, an AI-driven Digital Governance platform that allows legal and compliance teams to connect, monitor, and automate digital governance across all business workflows.