Regulations

  • 1.  California Consumer Privacy Act (CCPA)

    This message was posted by a user wishing to remain anonymous
    Posted 06-07-2022 08:01 AM

    Hello All,

    Just wanted to see what everybody is doing in regard to the California Consumer Privacy Act (CCPA).
    My understanding is that third-party vendors and service providers (contractors) must certify their understanding of the requirements and must comply with them. Is that all we have to do with our vendors?

    I believe that CCPA becomes effective on January 1, 2023.

    Thanks


  • 2.  RE: California Consumer Privacy Act (CCPA)

    Posted 06-29-2022 03:17 PM

    CPRA becomes effective 1/1/23, while CCPA has been effective since 1/1/20. This website has some easier-to-understand information on CPRA: https://www.caprivacy.org/

    For service providers or contractors that store or process (nearly all actions fall under these terms) data on your behalf in scope of CPRA, you need to follow section 1798.100(d), pulled out below:
    d) A business that collects a consumer's personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with such third party, service provider, or contractor, that:

    (1) Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes;

    (2) Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title;

    (3) Grants the business rights to take reasonable and appropriate steps to help to ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business's obligations under this title;

    (4) Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title;

    (5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

    The above has multiple requirements around contracts and performing due diligence on your vendors, not only to ensure they protect data, but also that they can support your needs in fulfilling data subject rights. Privacy has been a difficult topic to fully address for many organizations, so we're always curious to hear what others are doing in this area as well!




  • 3.  RE: California Consumer Privacy Act (CCPA)

    This message was posted by a user wishing to remain anonymous
    Posted 07-19-2022 10:28 AM

    Thank you Aaron. This is very helpful.


  • 4.  RE: California Consumer Privacy Act (CCPA)

    This message was posted by a user wishing to remain anonymous
    Posted 10-21-2022 10:20 AM

    Hello All,

    We are a community bank in CA, and we are trying to address the CPRA requirements. However, we are struggling with which vendors/contractors fall under these requirements. For example, does a vendor who provides us remote access software for troubleshooting clients' online account issues fall under this requirement? How about cloud file transfer providers?

    Your input will be greatly appreciated.