On January 1, 2020 the California Consumer Privacy Act (CCPA) of 2018 came into effect. Although it impacts thousands of businesses across the country, with stiff financial penalties, many business leaders are still unsure about what it means. This blog looks at some key points of the law and its impact on third-party risk management.
The law applies to all businesses that interact with California residents and match one of the following criteria – regardless of where the business is located:
- Have annual gross revenues above $25 million
- Handle data of 50k+ consumers, households or devices annually
- Collect 50% or more of annual revenue from selling personal information
Rights granted to consumers
CCPA, enacted by Assembly Bill No. 375, allows any California consumer to access the information a company has saved on them, as well as a full list of all the third parties that data is shared with.
In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach. For example, the law specifies that companies must have a clearly visible footer on websites offering consumers the option to opt out of data sharing. If that footer is missing, consumers can sue. They can also sue if they can’t find out how their information has been collected or get copies of that information.
What does CCPA mean to organizations?
It adds a new layer of complexity in terms of data protection, as organizations have to communicate to all of their third parties when a consumer exercises their rights. Thus, they will need to implement technical measures to ensure they can identify records, and who that data has been shared with, on a continuous basis.
There’s another aspect where things could get tricky and disrupt a lot of data-driven business relationships. Because of the broad definition of “selling” data under CCPA, organizations will really have to review their vendor/partner relationships to determine who they may be “selling” data to and if they will need to add the “Opt Out” feature to their website.
It’s important to understand that “selling” may also include transactions that don’t involve monetary payment. Let’s say you share information about your email subscribers with a third-party analytics organization to get detailed demographic insights. The third party can use that data, or allow other customers to use it, and provides the insights in exchange. Therefore, this would fall under the “selling to third party” umbrella as defined by the CCPA, despite no money being involved. While a company cannot refuse users equal service, it can offer incentives, such as discounts, to users who provide personal information.
In addition, CCPA implies having a data tracking system in place. If there isn’t one, companies have 30 days to comply with the law once regulators notify them of a violation. If the issue isn’t resolved, there’s a fine of up to $7,500 per record. This might not be set in stone, but it’s definitely worth considering at your next board meeting.
How does CCPA impact Third-Party Risk Management?
Companies must allow consumers to choose not to have their data shared with third parties. This poses a challenge, as companies will have to separate the data they collect according to the users’ privacy choices. Therefore, security teams will need to work closely with database administrators to understand the data tagging process.
In order to comply, it’s necessary to identify third parties, define the relationships within contracts, and implement processes to comply with the new opt-out rules. Although CCPA doesn’t define roles like “controller” or “processor” (unlike GDPR), it may help to identify these roles in contracts so you know who the decision maker is when it comes to the data being shared.
To that end, it might be helpful to ask: Can the third party use the data only for the purposes of providing your organization with designated services, or are they able to act as a controller and determine what can be done with the data?
How does CCPA compare to GDPR and other state laws?
CCPA is quite similar to GDPR in the following aspects:
- It grants customers much greater access to their data records.
- Customers have to be able to choose not to have their data shared with third parties.
However, one major difference is the absence in CCPA of a requirement to designate a Data Protection Officer, that is, the person who coordinates and oversees all activities related to the protection of data within a business, a role that is mandatory under GDPR.
Also, CCPA will impact many businesses that were too small or local to be affected by GDPR.
In order to prevent costly compliance issues later, you should start preparing now. Understanding third-party relationships, mapping data, and implementing process changes for onboarding is a great place to start.
For more on how ThirdPartyTrust can help you assess and monitor third-party risk, request your demo now: