How does CCPA impact Third-Party Risk Management?

Published by Sabrina Pagnotta on February 13, 2020
Categories
  • Blog
Tags
  • Industry Regulation

On January 1, 2020 the California Consumer Privacy Act (CCPA) of 2018 came into effect. Although it impacts thousands of businesses across the country and carries stiff financial penalties, many business leaders are still unsure about what it means. This blog looks at some key points of the law and its impact on third-party risk management.

Reach

The law applies to all businesses that interact with California residents and meet at least one of the following criteria, regardless of where the business is located:

  • Have annual gross revenues above $25 million
  • Handle data of 50k+ consumers, households or devices annually
  • Collect 50% or more of annual revenue from selling personal information

Rights to consumers

CCPA, enacted by Assembly Bill No. 375, allows any California consumer to access the information a company has saved on them, as well as a full list of all the third parties that data is shared with.

In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach. For example, the law specifies that companies must have a clearly visible footer on websites offering consumers the option to opt out of data sharing. If that footer is missing, consumers can sue. They can also sue if they can’t find out how their information has been collected or get copies of that information.


What does CCPA mean to organizations?

It adds a new layer of complexity in terms of data protection, as organizations have to notify all of their third parties when a consumer exercises their rights. Thus, they will need to implement technical measures to ensure they can identify records, and who that data has been shared with, on a continuous basis.

There’s another aspect where things could get tricky and disrupt a lot of data-driven business relationships. Because of the broad definition of “selling” data under CCPA, organizations will really have to review their vendor/partner relationships to determine who they may be “selling” data to and if they will need to add the “Opt Out” feature to their website.

It’s important to understand that “selling” may also include transactions that don’t involve monetary payment. Let’s say you share information about your email subscribers with a third-party analytics organization to get detailed demographic insights. The third party can use that data, or allow other customers to use it, and provides the insights in exchange. Therefore, this would fall under the “selling to third parties” umbrella as defined by the CCPA, despite no money being involved. While a company cannot refuse users equal service, it can offer incentives, such as discounts, to users who provide personal information.

In addition, CCPA implies having a data tracking system in place. If there isn’t one, companies have 30 days to comply with the law once regulators notify them of a violation. If the issue isn’t resolved, there’s a fine of up to $7,500 per record. This might not be set in stone, but it’s definitely worth considering at your next board meeting.

How does CCPA impact Third-Party Risk Management?

Companies must allow consumers to choose not to have their data shared with third parties. This poses a challenge, as companies will have to separate the data they collect according to the users’ privacy choices. Therefore, security teams will need to work closely with database administrators to understand the data tagging process.

In order to comply, it’s necessary to identify third parties, define the relationships within contracts, and implement processes to comply with the new opt-out rules. Although CCPA doesn’t define roles like “controller” or “processor” (unlike GDPR), it may help to identify these roles in contracts so you know who is the decision maker when it comes to the data being shared.

To that end, it might be helpful to ask: Can the third party use the data only for the purposes of providing your organization with designated services, or are they able to act as a controller and determine what can be done with the data?

How does CCPA compare to GDPR and other state laws?

CCPA is quite similar to GDPR in the following aspects:

  • It grants customers much greater access to their data records.
  • Customers have to be able to choose not to have their data shared with third parties.

However, one major difference is that CCPA has no requirement to designate a Data Protection Officer, that is, the person who coordinates and oversees all activities related to the protection of data within a business. Under GDPR this is a mandatory role.

Also, CCPA will impact many businesses that were too small or local to be affected by GDPR.

In order to prevent costly compliance issues later, you should start preparing now. Understanding third-party relationships, mapping data, and implementing process changes for onboarding is a great place to start.

Sabrina Pagnotta, Sr. Content Strategist