Free CCPA Vendor Questionnaire Template (2024 Edition)

Often regarded as the Californian version of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) aims to protect the personal information rights of Californian-based employees, contractors, customers, and vendors. The inclusion of third-party vendors means your Vendor Risk Management program needs to be updated to include CCPA compliance tracking, not only during due diligence but through the entire vendor security posture management process.

While, ideally, a CCPA-specific security questionnaire should be used to evaluate CCPA compliance comprehensively, this free template will help you achieve a high-level understanding of each vendor’s degree of alignment with the CCPA’s standards. Because this security assessment examines how vendors protect their customer data, only the CCPA standards related to third-party risk management are included in this template.

Learn how UpGuard streamlines Vendor Risk Management >

CCPA Third-Party Compliance Checklist Template

1798.100

A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.

1. Can you provide documentation outlining your data collection practices?
2. What is your policy for informing consumers about these collection practices at the point of collection?
3. What categories of personal information do you collect (phone numbers, credit cards, biometrics, etc)?
4. What measures are in place to ensure your consumers are aware of the personal data you are collecting?
5. What information security practices do you follow to ensure collected personal data is protected?
6. Describe the security controls you have in place for preventing illegal access to collected personal data.
7. Describe how you ensure consumers' personal information is protected from unauthorized modification, use, or disclosure.
8. Can you provide evidence that your data collection practices align with the standards in Section 1798.81.5?
9. Can you demonstrate the efficacy of your security measures for preventing data breaches?
10. What steps do you take to ensure your security measures and policies are kept up-to-date with the evolving cyber threat landscape?
11. What is your protocol for notifying impacted consumers in the event of a security breach?
12. How often are your security practices and incident response plans reviewed and updated?
13. Do you have a dedicated data security and CCPA compliance team?
14. What is your protocol for keeping staff aware of their data protection responsibilities for ensuring CCPA compliance?
15. Can you provide evidence of your commitment to ensuring the data security practices of your third-party vendors comply with the CCPA?

Watch this video to learn how UpGuard streamlines risk assessment workflows.

1798.81.5

(b)A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

1. Do you have ownership, license, or store (in apps, etc.) any personal information about California residents?
2. After your business collects personal data, describe your protocol for ensuring its protection through the data storage lifecycle.
3. Explain how these security protocols are tailored to each sensitive data category.
4. What processes and security controls are in place to protect personal data from unauthorized access, destruction, use, modification, and disclosure?
5. Explain how these security measures are maintained to ensure they remain updated.
6. Can you provide examples of how these security measures have prevented or reduced the impact of data breach events?
7. Describe how you ensure your security practices are continuously improving.
8. What is your estimated timeframe for notifying consumers impacted by a breach?
9. How do you ensure your third-party vendors are continuously adhering to CCPA standards?
10. Explain how security procedures supporting CCPA compliance are integrated into your data management and business strategy.
11. How do you adjust your security measures to changes in personal information volume?

UpGuard’s attack surface monitoring solution can help you identify internal and third-party security risks that could impact compliance with the CCPA and other regulations.

Learn about UpGuard’s attack surface monitoring solution >

1798.140

(j) “Contractor” means a person to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract with the business, provided that the contract:

(c) Permits, subject to agreement with the contractor, the business to monitor the contractor’s compliance with the contract through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months.

1. Do your business contracts clearly define how you manage the consumer’s personal information?
2. Do your third-party vendor contracts stipulate how your vendors should manage the consumer’s personal information?
3. How do you monitor and ensure compliance with these contract stipulations?
4. Do you incorporate any review processes of your data security standards as part of contract compliance checks (i,e, risk assessments, audits, automated scans, etc.)?
5. Do these compliance checks occur during every 12-month period?
6. Can you provide evidence of these compliance checks?
7. What are your processes for responding to discovered compliance gaps during these checks?
8. Can you provide examples of when you adjusted your security practices based on feedback from compliance checks?
9. How do you ensure uninterrupted protection of personal data during compliance checks?
10. Do you have a specific person or team responsible for managing compliance checks?
11. Is this responsible party also responsible for implementing changes based on compliance check findings?
12. Can you provide any third-party audit reports confirming vendor compliance with CCPA standards?
13. What proactive steps do you take between compliance checks to ensure ongoing alignment with contract terms?
14. How do you ensure contract requirement changes don’t violate CCPA compliance?
15. How does your contract address potential legal or regulatory changes affecting data privacy and CCPA compliance?
16. How do you communicate the results of these checks with business partners and stakeholders?
17. How do you communicate your plans for addressing issues detected in compliance checks with business partners and stakeholders?

With UpGuard’s reporting feature, you can instantly generate reports outlining compliance efforts and security posture improvement evidence for stakeholders and business partners.

Learn how to choose security questionnaire automation software >

Watch this video to learn about UpGuard’s compliance reporting features.

Learn about UpGuard’s reporting feature >

1798.185

(a) On or before July 1, 2020, the Attorney General shall solicit broad public participation and adopt regulations to further the purposes of this title, including, but not limited to, the following areas:

(15) Issuing regulations requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to:

(A) Perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent. The factors to be considered in determining when processing may result in significant risk to the security of personal information shall include the size and complexity of the business and the nature and scope of processing activities.

1. Are any of your processes involving consumer personal information at risk of violating data privacy laws or the California Privacy Rights Act (CPRA)?
2. What is your process for calculating risk severity levels with your processing activities?
3. Are internal cybersecurity audits performed annually?
4. Can you provide your most recent internal audit findings?
5. How do you determine and define the scope of internal audits?
6. How do you ensure these audits are thorough, given the complexity of your business?
7. How do you ensure these audits are impartial and appeal to objective cybersecurity standards?
8. What is your process for adjusting data security practices based on audit findings?
9. Can you provide an example of when audit findings have changed your data protection practices?
10. What is your process for preparing for annual cybersecurity audits?
11. Do you have a dedicated team responsible for implementing and managing internal audits?
12. How do you manage emerging vulnerabilities during the audit process?
13. What monitoring solutions are in place for tracking compliance between annual audits?

Watch this video to learn how UpGuard can help you reduce your attack surface to reduce the risk of data breaches.

(B) Submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal information, including whether the processing involves sensitive personal information, and identifying and weighing the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, with the goal of restricting or prohibiting the processing if the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public. Nothing in this section shall require a business to divulge trade secrets.

1. Do you regularly submit risk assessments to the California Privacy Protection Agency to keep them informed of your personal data processing practices?
2. How do you assess the degree of risks your data processing activities could pose to consumers' privacy or security?
3. Can you provide a sample of a risk assessment you've submitted (without violating the confidentiality of any trade secrets)?
4. How do you identify and weigh the benefits of processing personal information against the potential risks to consumers' rights?
5. Can you describe a time when risk assessment results led to restrictions or prohibitions on certain data processing activities?
6. How do your risk assessments take into account processes involving personal data?
7. What measures do you take to ensure that risk assessments are thorough, unbiased, and accurately reflect potential privacy risks to consumers?
8. How do you define and assess the benefits of processing personal information for the business, the consumer, other stakeholders, and the public?
9. Do you have a dedicated team or individual responsible for conducting risk assessments and implementing necessary changes based on their findings?
10. How do you communicate with businesses about the results of these risk assessments and your plans for addressing any issues identified?
11. How does your risk assessment process fit into your overall data management strategy, and how is it adapted to suit legal or regulatory requirements changes?

Watch this video to learn how UpGuard automates processes to improve vendor collaboration and streamline Vendor Risk Management.

How UpGuard Can Help with CCPA Compliance

UpGuard’s library of industry-leading vendor risk assessments includes a CCPA-specific security questionnaire within its library of industry-leading risk assessments and questionnaires mapping to popular regulations and frameworks such as ISO 27001, PCI DSS, and the GDPR.

To help you identify areas of non-compliance, all vendor and service provider responses are automatically mapped to CCPA’s security controls standards to highlight compliance deficits requiring attention.

With many advanced features supporting efficient Vendor Risk Management, like the ability to include additional information in risk assessments, UpGuard helps you and your vendors protect sensitive data and sensitive information from being compromised in data breaches.