Last Updated on March 16, 2023
The California Consumer Privacy Act (CCPA) went live on January 1st, 2020, and applies to any company (e.g., yours or your vendors’) that collects or provides the personal information of California residents and meets one or more of the following additional criteria:
- Has $25 million or more in annual sales
- Buys, sells, or shares information on 50,000 or more individuals, households, or devices
- Derives more than half of its annual revenue from selling personal information
If you or your vendors are in scope for the CCPA, ask yourself the following questions:
- Which of my vendors are in scope?
- What type of data is transmitted or stored (e.g., personal data (PII), health records (PHI), payment card data (PCI), social security numbers (SSN))?
- Who (including so-called “fourth parties”) has access to the data?
- How is the data being used? Is it being sold by your third-party vendor?
Here are some tips to protect your company from CCPA noncompliance:
- First, ensure you understand which of your vendors are in scope.
- Next, ensure your relevant vendor contracts include language to the effect that if the vendor and its fourth parties plan to sell California resident information, they must include mechanisms to explicitly notify consumers and allow consumers to opt out.
- Third, establish communication channels and agreed-upon data breach procedures with third parties that are in scope for CCPA.
Even if your business does not need to comply with CCPA or another privacy regulation or customer privacy mandate today, it undoubtedly will in the future. Getting a head start on these changes now can make a big difference down the road.
To speak with a privacy expert about your privacy compliance concerns, contact Pivot Point Security.