The California Consumer Privacy Act (CCPA), with its January 2020 deadline, will be just as significant a compliance project as the EU’s General Data Protection Regulation (GDPR) was – particularly when it comes to third parties.
However, the CCPA comes with its own distinct challenges. First, the language is not the same as GDPR, and so it’s important for organizations and third parties who are GDPR-compliant to undertake a gap analysis and not automatically assume they are CCPA-ready.
Second, elements of the CCPA are evolving as lawmakers continue to propose and pass amendments. It’s important to keep on top of these changes and incorporate them into the CCPA program. Thirdly, the CCPA has specific language about class action lawsuits, which are less of a risk within the EU. When it comes to the CCPA, legal risk is just as important as compliance risk.
As a result, it’s critical that organizations be proactive when it comes to hitting the CCPA January 2020 deadline. Below are seven important steps that organizations can take to help themselves get their CCPA third party compliance programs up and running:
- Consider the organization’s own CCPA requirements – As it is often said, the first step is a big one. Before beginning engagement with third parties, it’s important for the organization to identify how it is impacted by the CCPA. The law covers California state resident data that is collected. So, for example, is the entire organization caught up in it or just certain business lines? Are there elements of compliance already in place because of previous GDPR or data privacy projects? Organize the CCPA compliance project in a risk-based way, starting with the data sets and processes that create the most compliance and legal risk first. Undertake a gap analysis. Through this, identify the third-party relationships that need to be a priority.
- Engage with third parties – This second step is as fundamental as the first one. Open up a dialogue with third parties about your organization’s CCPA compliance requirements and how they impact the third-party relationship. Start with the third parties that pose the biggest compliance and legal risk challenges. Ask the third party how it is preparing for CCPA. It is early days for CCPA compliance, and the dialogue will almost certainly be mutually beneficial as the organization and the third party share their thoughts about the CCPA compliance journey.
- Create a third-party CCPA compliance road map – Starting with high-risk third parties, create a compliance plan for each one. Ensure the plan aligns the organization’s own CCPA-impacted internal personal data processes with those of the third party. Collaborate with the third party on this if possible. Put in place a team of responsible stakeholders on both sides to see the project through to completion. Develop a regular communication rhythm with key stakeholders, such as senior management and the board, about the organization’s CCPA preparations and its engagement with third parties.
- Prepare to undertake due diligence – With the January 2020 deadline rapidly approaching, it’s important to set up a program for CCPA due diligence of third parties that can be deployed nearer to the deadline. Existing third parties will need to fill out the assessment to benchmark their readiness, while all new third parties will have to complete it going forward. Either develop a CCPA third party assessment internally or work with scorecard providers to create a strong due diligence questionnaire that will address key CCPA third-party risk concerns. Also consider which third parties, based on risk, could need deeper due diligence, such as meetings with the third party’s management, site visits, or audits of the third party’s processes.
- Consider contract language – For GDPR compliance, many organizations found they needed to review the contract language they had in place with existing third parties. The same holds true here. Contracts should be reviewed to be sure that the language supports CCPA compliance explicitly and minimizes legal risk. Organizations should also add CCPA compliance language to all third-party contracts going forward.
- Plan for ongoing monitoring of CCPA compliance at third parties – Organizations need to be sure that their third parties continue to adhere to CCPA requirements over time through an ongoing monitoring program. Third parties should be reviewed periodically for compliance through an assessment questionnaire, for example. Higher risk third parties should be subject to deeper reviews, such as audits. Ongoing monitoring should also flag changes in circumstances at third parties, such as mergers or acquisitions at third parties, CCPA compliance violations with other clients, or legal actions based on personal data issues.
- Add CCPA elements to your third-party business continuity plans – Embed CCPA compliance in business continuity plans, and work closely with third parties to accomplish this. In particular, when there is a breach at the third party, ensure that data breach notification processes happen smoothly. Work together with third parties to draft data breach template language that is legally robust, given the potential for class action lawsuits in the US.