CPRA becomes effective 1/1/23, while CCPA has been effective since 1/1/20. This website has some easier to understand information on CPRA: https://www.caprivacy.org/
For service providers or contractors that store or process (nearly all actions fall under these terms) data on your behalf in scope of CPRA, you need to follow section 1798.100(d), pulled out below:
d) A business that collects a consumer's personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with such third party, service provider, or contractor, that:
(1) Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes;
(2) Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title;
(3) Grants the business rights to take reasonable and appropriate steps to help to ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business's obligations under this title;
(4) Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title;
(5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
The above has multiple requirements around contracts and performing due diligence on your vendors, not only to ensure they protect data, but can support your needs in fulfilling data subject rights. Privacy has been a difficult topic to fully address for many organizations so we're always curious to hear what others are doing in this area as well!
Sent: 06-06-2022 05:45 PM
From: Anonymous Member
Subject: California Consumer Privacy Act (CCPA)
This message was posted by a user wishing to remain anonymous
Just wanted to see what everybody is doing in regards to California Consumer Privacy Act (CCPA).
My understanding is that third party vendors and service providers (contractors) must certify their understanding of the requirements and must comply with them. Is that all we have to do with our vendors?
I believe that CCPA becomes effective on January 1, 2023.