NormShield Blog

A CCPA Perspective into Third-Party Risk Management

Living in a data-driven economy has changed consumers’ lives in ways that were hard to imagine, especially now that accessing and sharing data is so much easier.

Many companies use data-driven approaches to offer targeted services to consumers. On the consumer side, it is debatable whether these approaches are beneficial or detrimental in ways consumers might not even expect. One thing that is beyond question is that the prevalence of data-driven technologies has accelerated the adoption of privacy laws.

Here is what you need to know about CCPA.

What is CCPA?

Inspired by the European Union’s GDPR, the California Consumer Privacy Act (CCPA) was signed into California state law in June 2018 and took effect on January 1, 2020. As the first comprehensive privacy law in the U.S., the act aims to enhance the privacy rights of California residents.

Under this act, businesses are obliged to tell consumers what data they are collecting, and consumers gain the right to say no to the sale of their personal information. However, the law came with a catch: consumers have to get in touch with each individual data broker or data holder to exercise their rights.

Who does CCPA affect?

The CCPA applies to any entity that meets at least one of the following criteria:

  • Has a gross annual revenue of $25 million or more,
  • Purchases, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices in the state of California,
  • Or derives 50 percent or more of its annual gross revenue from selling personal information.

Consumer Rights in a Nutshell

Businesses regulated by the CCPA will have a number of liabilities to the consumers, including disclosures, General Data Protection Regulation (GDPR)-like consumer data subject rights (DSRs), an ‘opt-out’ for certain data transfers, and an ‘opt-in’ requirement for minors.

With the CCPA, consumers have the right to:

  • Know what personal data is being collected about them.
  • Know whether their personal data is sold or disclosed, and to whom.
  • Say no to the sale of their personal data.
  • Access their personal data.
  • Request that a business delete the personal information it holds about them.
  • Not be discriminated against for exercising their privacy choices.

“Selling Data” Put into Practice: Third Parties

The CCPA defines selling as:

“selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

This definition covers far more than selling data to another company for money. For example, a business that collects email addresses through its website and makes them available to third parties is selling data within the meaning of the act. This means relationships with third parties need to be reviewed against the above definition, even when no financial transaction is involved.

Where to start?

Most of the CCPA consumer rights are very similar to GDPR’s data subject rights, such as disclosure and data subject requests (e.g., access, deletion, and portability). A business can build on its existing GDPR practices and solutions to kick off its CCPA compliance.

A personal data inventory is another critical tool and starting point for identifying the personal information that falls under the CCPA. The same applies to a third-party vendor inventory. Identifying the third-party service providers with whom personal information is shared, and the purpose of that sharing, are crucial steps toward CCPA compliance.

How to become CCPA-Compliant when sharing data with Third Parties?

For businesses that process California residents’ personal data and share it with third parties, there are several steps to take toward CCPA compliance.

  • Train your employees.
  • Derive a data map.
  • List all your service providers and third parties:
      • Conduct a due diligence process.
      • Identify which parties are the decision-makers in each agreement (e.g., analyze whether a disclosure is a sale).
  • Provide a privacy policy and notice.
  • Do not forget to include the purpose of sharing data.
  • Establish a process for consumers to request access, disclosure, deletion, or opt-out.
  • Post a “Do Not Sell My Personal Information” link on the website.

Final Words

Although the CCPA went into effect on January 1, 2020 and is now law, modifications are still underway, with a final draft of the regulations expected before the anticipated enforcement date of July 1, 2020.

One recent modification concerns IP addresses: an IP address would not always be considered “personal information”, since it does not always link to a particular consumer or household. Another modification added biometric information as an exclusion from right-to-know disclosures.

With both GDPR and CCPA compliance, third-party risk management will likely be challenging for many organizations. Organizations are now responsible for what their third parties do with their data. That means organizations should consider a due-diligence process for the third parties that may be collecting, processing, or retaining personal information on the organization’s behalf, including continuous cyber risk monitoring of those third parties.