Vendor Risk Management and the California Consumer Privacy Act (CCPA)

BLOG 5 MINS | November 13, 2019

As the effective date for the California Consumer Privacy Act (CCPA) approaches, businesses are wondering how the CCPA will impact their operations and their vendor risk management program.

In this blog post, we’ll look at the CCPA and discuss what it means for vendor risk management.

Note: The CCPA’s definition of a third party is not what businesses commonly mean by the term. Under the CCPA, third parties are the entities to which a business sells or otherwise discloses personal information. A service provider, by contrast, processes personal information on a business’s behalf under a written contract. Service providers are therefore the entities that matter for vendor risk management. (More on this below.)


What is the CCPA?

On January 1, 2020, the CCPA goes into effect, granting consumers new rights over their personal information and, as a result, obligating businesses to meet new data privacy requirements. Consumers will have the Right to Request Information (i.e., the right to know), the Right to Request Deletion of their personal information, and the Right to Opt-Out of the sale of their personal information. Similar to the EU’s GDPR, the CCPA focuses on proper practices for collecting, processing, and sharing a California consumer’s personal information.

The California Attorney General (AG) is authorized to begin enforcing the CCPA on July 1, 2020. Around that time, businesses should expect the AG to issue the CCPA’s final regulations, which will address consumer rights and businesses’ obligations in more detail.

How Does the CCPA Impact Vendor Risk Management?

To understand how the CCPA affects vendor risk management, businesses first need to know the difference between service providers and third parties under the CCPA.

Service Providers vs. Third Parties: What’s the Difference?

The CCPA defines third parties in the negative. A third party is an entity that does not:

  • Collect personal information directly from consumers.
  • Receive a consumer’s personal information from a business for a business purpose pursuant to a written contract that, among other things, prohibits the third party from selling, retaining, using, or disclosing the personal information.

Instead, third parties are entities to which businesses sell, or otherwise disclose, consumers’ personal information for monetary or other valuable consideration.

In contrast, the CCPA defines a “service provider” as:

  • A legal entity organized for profit,
  • Which processes consumers’ personal information on a business’s behalf,
  • And to which a business discloses consumers’ personal information for a business purpose,
  • Pursuant to a written contract that prohibits the entity from retaining, using, or disclosing the personal information for any purpose other than the specific services stipulated in the contract, or as otherwise permitted by the CCPA.


In short, service providers are the processors, suppliers, vendors, and similar entities that handle personal information on a business’s behalf.

The difference between service providers and third parties has broad implications. Most importantly, service providers must not further disclose, sell, or use consumers’ personal information except as necessary to perform the contractually specified business purposes, and they must fulfill, or help the business fulfill, consumer rights requests.

Third parties, on the other hand, are not bound by such contractual prohibitions. They have no obligation to delete personal information or to stop processing it when a consumer exercises the opt-out-of-sale right. However, under the CCPA’s proposed regulations, a business that receives an opt-out request must instruct the third parties to which it sold that consumer’s personal information not to sell it further.

To qualify as a service provider under the CCPA, a written contract must exist between the business and the service provider. Without such a contract in place, the entity receiving the personal information is a third party.

The contract must state that the service provider will not use, retain, or disclose the personal information for any purpose other than the specific purpose stipulated in the contract.

Consumer Rights

Businesses must be able to respond to consumer requests, which range from disclosing the consumer’s personal information, to deleting it, to directing service providers to delete it.

Furthermore, businesses must keep records of the third parties to which they sell or disclose personal information, both to fulfill a consumer’s right to request information (i.e., the right to know) and to notify those third parties of a consumer’s opt-out request.

What Vendor Risk Management Challenges Does the CCPA Create?

Businesses that use service providers need to make sure those providers protect the privacy of consumers’ personal information and enable the business to fulfill consumer rights requests. Verifying that service providers safeguard personal information can be a daunting task for any business. Moreover, businesses should also oversee their service providers’ own providers, confirming that fourth and even fifth parties keep personal information safe.

How Are Businesses Addressing These Vendor Risk Management Challenges?

More and more businesses are turning to vendor risk management software to help them tackle these CCPA challenges. Because there is often no single owner of vendor risk, businesses are coordinating efforts across their units and departments to identify service providers and to discover and mitigate the associated risks.

How OneTrust Vendorpedia Helps with Vendor Risk Management

OneTrust Vendorpedia is a ready-made solution for businesses seeking to comply with the CCPA’s vendor risk requirements for both service providers and third parties. Request a demo to see the technology you need to streamline, scale, and create an audit-ready vendor risk management program.

If you want to make sure your vendor risk management program is defensible under the CCPA, download the vendor risk management CCPA compliance checklist today.

© OneTrust. All rights reserved.