If Managing Your Vendor’s Risk Isn’t a Top Priority, It Should Be

By Richy Glassberg

Gordon Moore, the co-founder of Intel, died this year at 94. In 1965, he predicted that the number of transistors that could be placed on a silicon chip would double at regular intervals for the foreseeable future, increasing the data-processing power of computers exponentially. He also predicted that computers would become more expensive to build yet cheaper for consumers to buy, because so many would be sold.

Today the analogy seems to extend to privacy regulation: the number of states passing laws to protect consumer privacy, children's online privacy, and now all manner of health-related data is growing at something like Moore's pace.

Yet our industry still lacks a standard way to deal with the patchwork of privacy legislation here and abroad. New requirements are already in place, and if you're not ready, you are not only carrying your own risk; you're gambling on your vendors' privacy compliance too.

Recent enforcement activity in California should serve as a warning to the industry: it not only shows where California is going but is a precursor to a national trend. Last August brought the first significant public enforcement action under the California Consumer Privacy Act (CCPA). The headline on Sephora, as we all know now, is that the company didn't disclose that it was "selling" consumers' data to advertisers, business partners, and analytics networks, and that it failed to process consumer opt-outs.

Less headline-grabbing, but also important, Attorney General Rob Bonta stated in the complaint that Sephora "did not have valid service provider contracts in place with each third party." In addition to a fine and mandated measures addressing the headline issues, the settlement requires that:

  • Sephora conform its vendor agreements to the CCPA's requirements.
  • Sephora provide reports to the Attorney General on its sale of personal information and the status of its service provider relationships.

With a good vendor risk management system in place, much of this could have been avoided. Had Sephora had proper visibility into and control over where its data was going, it might have met its CCPA obligations. But because the company was passing data to vendors without contracts in place, "All of these transactions were sales under the law." Doing the work on the front end, and analyzing vendor risk through audits, reduces a business's risk of falling short of compliance.

If Sephora's misstep isn't enough to convince you to kick-start your vendor risk management processes, consider that the California Privacy Protection Agency (CPPA) will now be scrutinizing them too. The CPPA's first regulations took effect on March 30, and they make clear that vendor risk management is a top priority.

CCPA-covered businesses have been required to enter into contracts with their vendors for several years. But the recent amendments to the CCPA, together with the new regulations, go a step further. It is no longer enough merely to have contracts in place: businesses now need to include in those contracts audit rights that let them verify their vendors' privacy compliance.

Businesses also have an obligation to exercise those rights, ensure their vendors are complying with the CCPA, and stop sending data until any non-compliance is remediated. A business that fails to conduct due diligence by exercising its audit rights risks being held liable for its vendors' non-compliance.

The CPPA's enforcement authority begins July 1, and it includes the power to conduct unannounced audits of businesses. Since the Attorney General will share enforcement powers with the CPPA, we can expect privacy sweeps to continue and, in fact, to increase.

It's Not Only California

Virginia's privacy law became effective in January, and Colorado's and Connecticut's come online on July 1. Those three states require controllers to enter into contracts with their processors on terms similar to California's, and they create similar obligations to conduct due diligence on processors.

Many companies have not yet grasped the significance of these new laws, even as the laws continue to proliferate. Some of the new state laws require businesses to conduct risk assessments before undertaking certain activities, including targeted advertising, and all of them impose significant obligations around sharing, selling, or disclosing data to vendors.

You cannot properly assess or mitigate your risk without conducting due diligence on every vendor with whom you share personal information. The era of freely sharing data with vendors is over, and California is far from the only example.

The Federal Trade Commission is using its powers under the FTC Act in a way we haven't seen before, and this is the start of a trend in enforcement across the board. The FTC now takes the position that cookies, pixels, ad IDs, and hashed email addresses can all be personal information, and even health data, whether or not HIPAA applies. The FTC sanctioned two telehealth companies, GoodRx and BetterHelp, neither of which is a covered entity under HIPAA, for unfair and deceptive practices: allegedly sharing user data with vendors without proper vendor risk management measures in place, and misleading consumers about how their sensitive personal information would be used.

Given the new laws, new regulations, and new enforcement efforts, our industry is clearly under scrutiny, and the bar has been raised higher than many businesses are currently prepared for. It's important to get ahead of these changes by prioritizing vendor risk management.

Understand where your data is going. Assess and control the risks posed by the vendors you work with. Make sure you have audit rights in your contracts and processes in place to exercise them. Under these new laws and regulations, if a vendor has your data, you are obligated to be your vendor's keeper.

I believe our industry has an important role to play: leading by demonstrating to consumers and regulators that we are fully compliant, and that we are committed to ensuring our counterparties are compliant, as the law directs.


The views and opinions expressed are solely those of the contributor and do not necessarily reflect the official position of the ANA or imply endorsement from the ANA.



Richy Glassberg is the cofounder and CEO of SafeGuard Privacy.