Getting the proper vendor contracts completed is a top concern for organizations preparing to comply with the California Consumer Privacy Act, says Caitlin Fennessy, research director at the International Association of Privacy Professionals (see: Analysis: Draft CCPA Regulations Fail to Clarify Ambiguities).
“Many of these companies had to put in place new data processing agreements to comply with GDPR [the EU’s General Data Protection Regulation] … and now they realize that they really need to do it again,” Fennessy says in an interview with Information Security Media Group.
“The key component which is causing challenges with regards to CCPA is the notion and delineation between ‘service providers’ and ‘third parties’,” Fennessy says. … “CCPA creates really specific requirements for the business that originally holds the information when they transfer data to a third party who can use it for their own purposes vs. when they transfer data to a service provider which is only using it for the specified purposes pursuant to a contract.”
CCPA is slated to go into effect Jan. 1, 2020, but will be enforced beginning July 2, 2020, and draft regulations are still pending.
In this interview, Fennessy also discusses:
- Sorting through the “Do Not Sell” button requirement for websites under CCPA that enables the opting out of the sale of data;
- The differences between a “service provider” and a “third party” under the law;
- Five key steps to prepare for CCPA compliance.
Fennessy is the research director at the International Association of Privacy Professionals. She also leads the IAPP’s privacy engineering initiative and serves as an in-house privacy expert. Previously, Fennessy was the Privacy Shield director at the U.S. International Trade Administration.