This blog post is the second in a series of Q&A posts following Dykema’s February 27, 2019 webinar on the California Consumer Privacy Act (“CCPA”). We received questions both before and during the webinar, and over the coming weeks we will be posting our responses. We will answer the most commonly-asked questions first, so please stay tuned if you don’t see your question in our first few posts. And, of course, please feel free to reach out to us if you have a unique question or would like to discuss in detail how the CCPA may apply to you.
You may see our first post here.
Thanks for reading!
What steps should we take with third parties that handle our data?
Some of the most notorious data breaches are caused not by the organization that made the headlines, but by vendors to whom the organization entrusted protected personal information. The new wave of data protection statutes, such as the New York Department of Financial Services Regulation, the European Union General Data Protection Regulation, and now the CCPA, highlights the need for companies to ensure that vendors protect, secure, and handle the personal information shared with them in a manner consistent with applicable law.
In addition to general inquiries about how the CCPA may affect vendor management, we received the following specific questions:
- What specific guidelines do you provide under CCPA for Third Party Risk Assessments?
- What control documents should be gathered as evidence that the Third Party complies with CCPA?
Under the CCPA, organizations should be cognizant of two types of third parties: (1) third-party vendors; and (2) unrelated third parties to whom the organization may sell personal information.
What if we use third-party vendors to handle our data?
A third-party vendor is an entity that processes or stores information on behalf of, and at the instruction of, the organization. Examples include payroll vendors, data storage vendors, and customer-relationship management software vendors. While the CCPA does not prescribe technical guidelines or requirements for these vendors, the onus to protect the personal information collected rests with the organization, which must in turn impose that obligation on its vendors to ensure compliance. In other words, because a principal is responsible for the actions of its agent, organizations must ensure their vendors are complying.
The first step is understanding who the vendors are and whether those vendors process information subject to the CCPA. Once vendors are identified and prioritized, organizations should conduct due diligence on the security measures their vendors have in place and ensure they have contractual language in place requiring the vendor’s cooperation and compliance with the CCPA. This includes, but is not limited to, language that requires cooperation with regard to the business’s response to consumer requests.
Due diligence of prospective vendors should also include:
- Requiring vendors to complete an information security questionnaire where appropriate. Such a questionnaire should be tailored based on the type and risk level of the information that the vendor is handling.
- Collecting and evaluating vendors’ information-security policies, procedures, and protocols.
- Determining which vendors have information that would be implicated by consumer requests and determining the vendors’ ability to comply with these requests.
For existing vendors, in addition to due diligence, companies will also want to update their agreements to include contractual language requiring the vendors’ cooperation and assistance in complying with the CCPA. Vendor agreements should also address the potential liability under CCPA (and other applicable statutes) if a vendor’s representations regarding its information security program prove to be inaccurate or in the event the vendor fails to cooperate and assist the organization. Both circumstances could expose organizations to liability under the CCPA.
What if third parties buy data from us?
The CCPA requires companies to disclose to consumers who submit a verifiable request: (1) the categories of personal information that the business collected; (2) the categories of personal information that the business sold and the categories of third parties to whom the business sold that information; and (3) the categories of personal information that the business disclosed for a business purpose. It also requires that consumers be given the right to opt out of the sale of their information, and that they be notified of that right.
The CCPA’s disclosure obligations and opt-out requirements will require compliance by both selling and buying organizations. Businesses that collect and sell personal information must disclose to consumers “at or before the point of collection” the purposes for which the consumers’ personal information will be used. To ensure that the selling organizations’ disclosures and notices remain accurate, buying organizations must be transparent with selling organizations about how the consumer information will be used. Selling organizations should also complete due diligence regarding representations made by buying organizations (and vice versa) by reviewing website privacy policies and requesting internal documentation reflecting the organization’s policies and procedures on the handling of personal information. On the technical side, the buying and selling parties will need to collaborate to address and ensure that opt-out and deletion requests are appropriately honored, particularly with respect to buyers who may later resell personal information. As such, it is extremely important to review agreements for allocations of liability, to make necessary revisions to indemnification clauses, and to review insurance clauses and coverages so as to properly address the increased exposure as a result of the CCPA.
Whether you are managing a vendor or a third-party buyer of personal information that your organization collects, analyzing the risks posed by these third parties is a necessary and important step in your CCPA compliance. Vendor management has increasingly become the focus of many data protection statutes and should be an issue that is embedded in any organization’s data privacy and information security program. While there is no one-size-fits-all solution, Dykema’s Privacy and Data Security group has experience in helping its clients develop streamlined vendor management programs to respond to evolving data protection risks and exposures.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2019 Dykema Gossett PLLC.