Many organizations have spent substantial resources to ensure internal compliance with GDPR and will spend even more to comply with the CCPA in the coming year. According to an economic impact study commissioned by the California Department of Finance, the initial costs to American businesses could exceed $55 billion, with some organizations spending $2 million or more to ensure their operations follow the new privacy regulations. Many will spend quite a bit more. Organizations with over $1 billion in revenue are estimated to spend between $10 to $100 million to prepare for the CCPA. These estimates include a minimum of ten new full-time hires dedicated to compliance. Much of those resources will be used for addressing customer complaints, a task to which organizations will apply people, process and technology.
But these efforts still leave a gaping hole in compliance: their vendors. Both GDPR and CCPA make it clear that an organization is fully responsible for the vendors within their supply chains, and the onus is on those organizations to ensure compliance. Most companies don’t realize the significance of this mandate and have taken little to no steps to ensure compliance. This creates substantial reputational, regulatory and financial risks.
Ensuring vendor compliance is difficult in today’s environment and will continue to become more complex. The privacy frameworks many organizations relied upon ceased to be useful once California and Nevada passed laws imposing defined standards to which all companies and vendors must adhere. Moreover, those frameworks are not likely to accommodate the patchwork of requirements under debate in state houses across the country.
For organizations to achieve compliance they will need to assess, in clear terms, how each vendor adheres to specific privacy regulations.
The Onus of Vendor Management for CCPA and GDPR
Is an organization liable for the actions of its vendors under GDPR and CCPA? The answer is yes, under both laws.
GDPR Article 24
Under GDPR, the corporation is responsible for its vendors if that corporation determines the “purposes and means” of processing the consumer data. In other words, if a company opts to collect consumer data for marketing purposes they’re responsible for ensuring that all vendors aiding in marketing initiatives are fully compliant with GDPR, as stated in article 24:
“Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”
Recital 74 expressly states that the “controller” is completely responsible and liable for processing done on its behalf by a third party:
“The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.”
This means if you’re the entity that determines purposes and the means with which data is collected, you are responsible for ensuring all the rights described in the previous section are protected. You are also responsible for ensuring and demonstrating the vendors you rely on—data company, media agency, trading desk, benefits administrator, affinity programs, ad exchange, etc.;—process consumer data in compliance with GDPR.
CCPA and Agency Law
The CCPA analysis is…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
