What is CCPA and How Do You Know Your Vendor is Compliant?
In an effort to prevent and mitigate the devastating consequences of cybercrime, many states and countries have passed data protection laws. In California, the latest data protection law to come into effect is the California Consumer Privacy Act (CCPA). The CCPA was signed into law in June 2018 and became enforceable on July 1, 2020, affecting businesses of all sizes, including third-party vendors.
Like the General Data Protection Regulation (GDPR) passed by the European Union, the CCPA is far-reaching, although there are differences. Below we review the CCPA to help you understand how you and your third parties can comply.
What is the California Consumer Privacy Act (CCPA)?
Under California’s data privacy law, state residents have the right to know how their data is being monetized and have control over how their data is handled. For example, California residents can demand that a company disclose exactly what personal information has been collected and request that companies delete their personal data.
Why are data privacy laws being passed?
Without data privacy laws, consumers are vulnerable. For instance, when a business isn’t legally required to disclose how a consumer’s data is being used, that consumer has no legal recourse if their personal data is stolen during a breach. Data privacy laws also set standards for businesses to increase cybersecurity measures to actively protect data from attacks.
Cybercrime incidents such as data breaches and ransomware attacks are frequently perpetrated against organizations that aren’t prepared to handle a cyberattack. These attacks can target anyone; nobody is immune to a data breach. According to one source, it takes an organization an average of 197 days to realize a data breach has occurred. By that time, the damage is usually done.
The CCPA is a different kind of data protection law.
Most data security laws in recent years have governed the security of the actual data. The CCPA governs a consumer’s right to access and control the data a business collects about them.
Who is governed by the CCPA?
The CCPA applies to all businesses that collect personal data from California residents and meet one of the following criteria:
- The business has at least $25 million in annual revenue (gross).
- The business buys, receives, shares or sells the personal information of more than 50,000 consumers, households or devices in total.
- The business generates 50% or more of its annual revenue by selling personal information.
Some small businesses are governed by the CCPA.
Under these criteria, most small businesses would not be governed by the CCPA. However, if a business of any size generates half or more of its revenue from selling personal data, the CCPA does in fact apply.
Small business owners beware: Your business is actually more susceptible to cyberattacks than large corporations. Cybercriminals often target small businesses because they recognize that most small business owners don’t have strong cybersecurity strategies in place.
The CCPA can apply to businesses worldwide.
Just like the GDPR, the CCPA applies regardless of a business’ location. Any business that collects personal data from California residents and meets the aforementioned criteria is bound by the CCPA, even if that business operates outside of California or outside of the United States.
Under the CCPA, employees are considered consumers and are covered.
The CCPA defines “consumer” to include California residents who are employees. Under this definition, a business that sells exclusively to New York residents, yet employs a remote California resident, is governed by the CCPA where the employee’s data is concerned.
Data storage companies are covered.
Since the CCPA applies to anyone who processes personal data, it covers web hosts, data centers and even IT support and security teams that create and store backups for organizations in the cloud. Third-party vendors often fall into this category.
What is personal information as defined by the CCPA?
Under the CCPA, personal information includes:
- First and last names
- Email addresses
- Physical mailing addresses
- Home addresses
- Online handles, nicknames or accounts
- IP addresses
- Social Security numbers
- Passport numbers
- Driver’s license numbers
- Professional or employment-related information
- Geolocation data
- Biometric data such as fingerprints
Businesses can make mistakes about CCPA.
A business can violate the CCPA in a variety of ways. Most issues are caused by human error or oversight. However, the CCPA adds legal consequences to an old, yet popular marketing trick: keeping (and sometimes selling) a contact’s data after they request to be unsubscribed or to have their data deleted.
Many businesses already offer an unsubscribe option, and some also allow consumers to request total deletion of their data. Most consumers don’t realize that after unsubscribing from a mailing list, their data still exists in the business’ contact database. Businesses that sell personal data often keep an individual’s data even when they can no longer send them emails. Under the CCPA, retaining that data after a deletion request is now illegal.
When a consumer requests to have their data deleted, it must be deleted. Furthermore, businesses must make it easy for consumers to request data deletion. The easiest way to process data deletion requests is through an automated web form. The deletion process should be automatic.
Third-party vendors need to be vetted.
A third-party vendor that doesn’t comply with your industry’s regulations is the most common source for data protection violations. Not all vendors will uphold your company’s high standards. Many vendors don’t even know what data protection laws they’re required to follow.
If you’re using any third-party vendors to process consumer data, you need to know your vendors are CCPA-compliant with absolute certainty. You need to know how they store and manage your customers’ data. If a customer asks you to delete their data from your database and one of your vendors still has a copy of their data, there may be consequences for violating the CCPA.
The only way to ensure you are CCPA-compliant is to verify that all of your vendors are CCPA-compliant.
Analyze and score your third-party vendors with Panorays.
No matter what third-party vendor you’re using to process data, you need to ensure they are CCPA-compliant. Panorays can tell you whether your third parties are in compliance with the CCPA as well as a host of other regulations. That’s because, with Panorays, you receive a wealth of information about each vendor: a bottom-line cyber risk rating, a cyber posture rating of your third party’s digital perimeter, and your vendor’s answers to a fully customizable, automated questionnaire, all of which give you the ability to better assess cyber gaps and work together on remediation.
Request a free Panorays demo today and see firsthand how we can help.