Policy, Program and Procedures

  • 1.  CCPA/CPRA Compliance

    This message was posted by a user wishing to remain anonymous
    Posted 12-02-2024 04:30 PM

    Hello everyone,

    I am looking for guidance and perspective from financial institutions that have branches in California but may not necessarily have their main/home branches in that same state.

    This pertains to programs/policies/processes when it comes to how your organization handles CCPA/CPRA requirements and your vendor/third party partners. 

    Thank you.



  • 2.  RE: CCPA/CPRA Compliance

    Posted 12-11-2024 09:31 AM

    Thanks for posting! Below are recommendations for you to consider when it comes to your Program/Policies/Processes as it relates to CCPA/CPRA requirements.

    1. Vendor Classification and Risk Assessment 

    Classify vendors based on their access to personal information, prioritizing those who process California consumer data. 

    • High-Risk Vendors: Those directly handling personal or sensitive information (e.g., payment processors, marketing firms). 

    • Medium-Risk Vendors: Those with indirect exposure or access (e.g., IT support). 

    • Low-Risk Vendors: Infrastructure providers or those without data access. 

    For each category, conduct a CCPA/CPRA-specific risk assessment to identify compliance gaps. 

    2. Contractual Safeguards 

    All third-party agreements include provisions addressing CCPA/CPRA compliance: 

    • Data Processing Agreements (DPAs): Outline roles, data usage limitations, and obligations for deletion upon request. 

    • Prohibition on Sale of Data: Explicitly prohibit vendors from "selling" consumer data (as defined by CCPA). 

    • Audit and Monitoring Rights: Allow us to verify compliance with privacy obligations. 

    3. Consumer Rights Requests (CRRs) 

    • Ensure third parties can support or comply with consumer requests, such as access, deletion, or correction. 
    • Vendors are required to respond to CRRs within a defined timeframe (typically 15-30 days). 
    • Establish a centralized process to forward verified requests to applicable vendors. 

    4. Training and Awareness 

    Vendors must complete privacy training tailored to CCPA/CPRA compliance, particularly those handling sensitive data. This includes understanding obligations under "service provider" designations. 

    5. Vendor Monitoring and Audits 

    Incorporate CCPA/CPRA compliance checks into our annual vendor reviews, verifying that vendors adhere to obligations such as: 

    • Data minimization practices. 

    • Proper notification of data breaches. 

    • Maintaining records of compliance efforts. 

    6. Incident Response Plans 

    For California data breaches involving vendors, develop incident response protocols aligned with CPRA's notification timelines. Vendors must notify of breaches immediately, and coordinate to notify affected consumers as required. 

    Considerations: 

    • Tailored Policies: California's laws are unique, so one-size-fits-all solutions rarely work. We created state-specific addendums to our vendor management policies. 
    • Ongoing Updates: With CPRA enforcement ramping up, monitor guidance from the California Privacy Protection Agency (CPPA) and update our practices regularly. 
    • Transparency is Key: Clear communication with vendors about their obligations under California laws has been essential to our compliance efforts. 

    I hope you find this helpful and would love to hear thoughts from other members! 

    ------------------------------
    Madelyn Norwood, CTPRP
    ------------------------------