Meeting the Third-Party Risk Requirements of the CCPA in 2022

Edward Kost
updated Aug 09, 2022

Often regarded as the Californian version of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) aims to increase consumer rights by giving California residents greater control over the use of their personal data.

The CCPA heavily regulates the use of any data that could potentially be linked to the identity of a consumer or household, either directly or indirectly. This could include IP address identification or the collection of cookies on social media websites, such as LinkedIn.

The problem with such a broad definition of sensitive data is that it increases the chances of regulatory noncompliance across all entities processing consumer data, including your third-party vendors.

To learn how to adjust your Third-Party Risk Management Program to comply with the CCPA, read on.

For an in-depth overview of all CCPA requirements, read this post.

CCPA Compliance Requirements for Third-Party Vendors and Service Providers

The following compliance checklist will help you comply with the data privacy laws and privacy regulations of the CCPA.

1. Identify all Third Parties Involved in Data Collection and Data Processing

The CCPA summarizes a business's obligations when it collects consumer data in section 1798.100 (b).

A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.

The CCPA defines which data processing activities fall in the “business purpose” category in Section 1798.140 (4):

“Business purpose” means the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected. Business purposes are:

The first step toward privacy protection compliance is identifying all third-party relationships involved in selling, buying, and processing consumer data. This is most efficiently achieved with third-party risk assessments.

How UpGuard can help

UpGuard’s extensive risk assessment library includes an assessment specifically designed for the CCPA. After all entities involved in consumer data processing are identified, their specific data security standards can be further scrutinized with custom questionnaires designed for each vendor's unique cybersecurity context.

Click here for a free 7-day trial of UpGuard.

Don’t Forget about your Fourth Parties.

The consumer data processing standards regulated by the CCPA do not end at your third-party network. Thanks to digital transformation, the impact on consumer data security now extends to the entire supply chain, including the fourth-party and even n-th-party network. Identifying the fourth-party entities involved in consumer data transactions is difficult with risk assessments alone.

This is best achieved with the support of an attack surface monitoring solution capable of mapping your ecosystem to its third and fourth-party vendors.

Once all third and fourth parties have been identified, written contracts should then be updated to include the following details:

  • Expected data protection responses in the event of a data breach.
  • A requirement for vendors to share their data inventory details.
  • An agreement to complete due diligence questionnaires promptly.
  • An agreement to onsite auditing.
  • An agreement to map the consumer data processing lifecycle to all entities involved in the purchase and sale of the data.
  • An agreement to comply with consumer requests for data deletion and access.

2. Identify all Vendor Risks and Security Vulnerabilities Threatening Consumer Data Safety

With a solution in place for promptly identifying security risks threatening the safety of consumer data, you’ll establish a strong foundation for complying with all the third-party risk requirements of the CCPA.

Automating attack surface monitoring allows you to scale the assessment of publicly available vendor data to identify potential cyber threats placing consumer data at risk. With a continuous monitoring solution in place, the due diligence requirements of section 1798.140 (4)(2) will be satisfied:

Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity

How UpGuard Can Help

The UpGuard platform includes an attack surface monitoring solution and a third-party data leak detection engine to help shut down critical exposure threatening the integrity of all consumer data.

Learn the difference between a data leak and a data breach.

Click here for a free 7-day trial of UpGuard.

3. Perform Annual Audits for all Entities Threatening Consumer Data Safety

According to CCPA section 1798.185 (15), after vendors presenting a significant risk to consumer data safety have been identified, an annual cybersecurity audit should be implemented for these vendors.

(15) Issuing regulations requiring businesses whose processing of consumers' personal information presents a significant risk to consumers' privacy or security to:

(A) Perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent. The factors to be considered in determining when processing results in significant risk to the security of personal information shall include the size and complexity of the business and the nature and scope of processing activities.

An independent party should complete these audits. Separately from these audits, a risk assessment evaluating the efficacy of each vendor’s data security controls should be submitted to the California Privacy Protection Agency regularly.

How UpGuard Can Help

UpGuard’s executive summary feature includes a risk matrix to help stakeholders quickly identify vendors posing the greatest threat to your security posture.

vendor risk overview matrix by UpGuard

By dividing vendors involved with consumer data processing into tiers of increasing criticality, this risk matrix can further improve how you communicate the state of your third-party consumer data security to the California Privacy Protection Agency.

To get a preliminary evaluation of your vulnerability to a data breach, click here to request a free security score.
