Keeping up with current privacy laws is a bit like playing "whack-a-mole." As soon as one state law has passed and you understand the basics, another state proposes one of its own. And to make things even more complicated, these laws go by different names. Some use the term "privacy" in the law, while others use "data protection." So, what does all this mean for third-party risk management?
Rather than reviewing each privacy law in detail, we've gathered some best practices to help you stay updated in this rapidly changing environment.
Common Attributes of Current Privacy Laws
California was the first state to enact a comprehensive privacy law, originally titled the California Consumer Privacy Act. This was later amended by the California Privacy Rights Act (CPRA), which went into effect on January 1, 2023. Other states have since followed California by signing their own privacy laws, including Colorado, Connecticut, Indiana, Iowa, Tennessee, Utah, and Virginia. Generally, each law describes the consumer's rights and the organization's obligations when collecting data.
Here are a few common attributes that are found in each of the previously mentioned state privacy laws:
- Right to access – This relates to consumers’ right to access their information or categories of information collected or shared with third parties. It may also mean that consumers have a right to know which third parties or categories of third parties have access to their information.
- Right to delete – Under some conditions, consumers can request that their information be deleted.
- Right to portability – This ensures that consumers can request their information in a commonly used file format to enable easy transfer to another organization.
- Right to opt-out of sales – Consumers can choose whether their information is sold to a third party.
- Notice/transparency requirement – This requires an organization to notify its consumers about how it manages data, and its privacy operations or programs.
- Data and third parties – It's also worth noting that each law includes language around disclosing or selling personal data to third parties. These laws specifically state that an organization that collects and shares or sells personal information to a third party must create an agreement that, per CPRA, for example, "Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title."
4 Best Practices to Implement Within Your Third-Party Risk Management Program
It can be challenging enough to comply with privacy laws when you consider all the variations that exist between different states, to say nothing of the many organizations that also fall under international privacy laws. When you add in requirements about your third parties' compliance, an additional layer of complexity must be addressed.
Here are some tips that can help bridge the gap between new privacy laws and your third-party risk management practices:
- Review a legislation tracker. Some states have laws in effect, some have passed laws with future effective dates, others are still debating bills, and a few have newly introduced them. A simple way to keep up with these laws is to review a tracker, such as the U.S. State Privacy Legislation Tracker by the International Association of Privacy Professionals (IAPP).
- Consider external research. When a new state privacy law is proposed, signed, or amended, it may help to research it using a trusted legal site that explains some of the highlights. Many law firms specializing in privacy law regularly release blogs or other educational content that's easy to digest for the average reader. It's preferable to review a site that publishes content on each law rather than one that only focuses on a single state or region.
- Examine your vendors' policies and notices. Ensure you understand how your vendors' policies and notices compare to applicable laws. Here are some helpful questions to consider:
  - What information is being shared with or accessed by the vendor?
  - How is the vendor protecting that information?
  - Does your vendor's definition of terms such as sensitive data or personally identifiable information (PII) align with the law?
  - Does your vendor's control environment meet the law's expectations?
- Review your exit strategy. An exit strategy should be in place with any vendor accessing your organization's or customers' data. This ensures that data security and privacy are maintained, even if you're transitioning to a new vendor or bringing the outsourced activity in-house. The exit strategy should include details about how the vendor will return or destroy any data they hold after the engagement has ended. It should also require that the vendor provide assurance that they haven't intentionally or unintentionally shared any sensitive data with their third or fourth parties.
Although we've focused on US-based privacy laws, let's not forget about global laws such as the General Data Protection Regulation (GDPR). Regulators often look to each other for best practices when creating guidance, so it's helpful to familiarize yourself with these other global privacy laws, which can potentially influence guidance in the US. Understanding some basic principles of state and international privacy laws will help you create a safer environment for your organization and vendors.