Third-Party Risk Management SOP - California
THIRD-PARTY RISK MANAGEMENT SOP — CALIFORNIA SUPPLEMENT
Organization: [________________________________]
SOP Number: TPRM-CA-[____]
Version: [____]
Effective Date: [__/__/____]
Approved By: [________________________________]
TABLE OF CONTENTS
- Purpose and Scope
- California Regulatory Framework
- Definitions
- Risk Tiering — California Enhancements
- Third-Party Lifecycle — California Requirements
- CPRA Service Provider/Contractor Framework
- Roles and Responsibilities
- Documentation and Systems of Record
- Metrics, KRIs, and Reporting
- Exceptions and Compensating Controls
- Review Cadence
- Annexes
1. PURPOSE AND SCOPE
1.1 Purpose
This SOP supplements the Universal TPRM SOP with California-specific requirements under the CCPA/CPRA (Cal. Civ. Code § 1798.100 et seq.) and CPPA implementing regulations (11 CCR § 7050 et seq.). The CPRA significantly enhanced obligations for businesses working with "service providers" and "contractors," including restrictions on use, retention, and disclosure; audit rights; subcontractor flow-down; and the recognition of Global Privacy Control (GPC) as a valid opt-out signal under § 1798.135 and 11 CCR § 7025.
1.2 Scope
Applies to all third-party relationships involving:
☐ Personal information of California consumers (Cal. Civ. Code § 1798.140(v))
☐ Sensitive personal information (§ 1798.140(ae))
☐ Services delivered to California operations or consumers
☐ Vendors classified as CPRA "service providers" (§ 1798.140(ag)) or "contractors" (§ 1798.140(j))
2. CALIFORNIA REGULATORY FRAMEWORK
| Statute/Regulation | Key Vendor Requirements |
|---|---|
| CPRA, § 1798.100(d) | Service provider/contractor restrictions: no retention, use, or disclosure beyond contracted purposes; no sale/sharing; no combining from multiple businesses; notify if unable to comply; allow audits |
| § 1798.140(ag) | Service provider definition and contract requirements |
| § 1798.140(j) | Contractor definition and additional audit/certification requirements |
| § 1798.105 | Right to Delete — must flow through to service providers/contractors |
| § 1798.120-121 | Opt-out of sale/sharing; right to limit sensitive PI |
| § 1798.135, 11 CCR § 7025 | Recognition of GPC / universal opt-out preference signals |
| 11 CCR § 7030 et seq. | ADMT regulations — transparency, access, opt-out for significant decisions |
| § 1798.82 | Breach notification — "most expedient time possible"; AG notice if >500 CA residents |
| § 1798.185(a)(15) | Risk assessments for processing that presents significant risk to privacy |
3. DEFINITIONS
| Term | Definition |
|---|---|
| Personal Information | Information that identifies, relates to, or is reasonably linkable to a California consumer or household (§ 1798.140(v)) |
| Sensitive Personal Information | SSN/government ID, financial account credentials, precise geolocation, racial/ethnic origin, religious beliefs, union membership, contents of mail/email/text messages (where the business is not the intended recipient), genetic/biometric data, health data, sex life/orientation (§ 1798.140(ae)) |
| Service Provider | Entity that processes personal information on behalf of a business per a written contract meeting CPRA requirements (§ 1798.140(ag)) |
| Contractor | Entity to which a business makes available personal information for a business purpose per a written contract, with additional certification and audit requirements (§ 1798.140(j)) |
| Sale | Disclosing personal information for monetary or other valuable consideration (§ 1798.140(ad)) |
| Sharing | Cross-context behavioral advertising disclosure (§ 1798.140(ah)) |
4. RISK TIERING — CALIFORNIA ENHANCEMENTS
| Factor | Elevated Risk Indicators |
|---|---|
| CPRA Sensitive PI | Vendor processes sensitive personal information (SSN, financial, geolocation, health, biometric, genetic, racial/ethnic, religious, union, sex life/orientation) |
| Sale or Sharing | Vendor relationship involves potential sale or sharing of personal information |
| Automated Decision-Making | Vendor uses ADMT for decisions with legal or similarly significant effects |
| Children's Data | Vendor processes data of consumers under 16 (opt-in consent required under § 1798.120(c)-(d)) |
| GPC/Opt-Out Signal Processing | Vendor must recognize and honor GPC signals |
| Cross-Context Behavioral Advertising | Vendor involved in targeted advertising using personal information from multiple businesses |
Vendors classified as CPRA service providers or contractors shall be classified no lower than Medium tier. Vendors processing sensitive PI shall be classified no lower than High tier.
5. THIRD-PARTY LIFECYCLE — CALIFORNIA REQUIREMENTS
5.1 Due Diligence Enhancements
| # | Requirement | Tier | Evidence |
|---|---|---|---|
| 5.1.1 | Determine vendor classification: service provider (§ 1798.140(ag)) vs. contractor (§ 1798.140(j)) vs. third party | All w/ CA PI | ☐ Classification analysis |
| 5.1.2 | Verify vendor can comply with CPRA use, retention, and disclosure restrictions (§ 1798.100(d)) | All SP/Contractor | ☐ DPA ☐ Policy review |
| 5.1.3 | Assess consumer rights support: Right to Know, Delete, Correct, Portability, Opt-Out of Sale/Sharing, Limit Sensitive PI | Critical/High | ☐ Rights workflow |
| 5.1.4 | Verify GPC/universal opt-out signal recognition (§ 1798.135, 11 CCR § 7025) | All w/ CA consumer-facing | ☐ Technical verification |
| 5.1.5 | Evaluate ADMT transparency, access, and opt-out capabilities (11 CCR § 7030) | If ADMT used | ☐ ADMT documentation |
| 5.1.6 | Assess sensitive PI handling and ability to support "Limit Use" requests (§ 1798.121) | If sensitive PI | ☐ Sensitive data controls |
| 5.1.7 | Verify subcontractor flow-down of CPRA restrictions | Critical/High | ☐ Subcontractor agreements |
| 5.1.8 | Assess breach notification capability | All w/ CA PI | ☐ IRP ☐ SLA |
5.2 Contract Requirements — California Additions
| Clause | Requirement | Citation |
|---|---|---|
| CPRA Service Provider/Contractor Agreement | Must include all elements of § 1798.100(d): purpose limitation, no sale/sharing, no combining, compliance obligations, audit rights, notification if unable to comply | § 1798.100(d) |
| Certification | Vendor certifies understanding and compliance with CPRA restrictions | § 1798.100(d) |
| Use/Retention/Disclosure Restrictions | No retention, use, or disclosure of personal information outside the contracted business purpose | § 1798.140(ag)(1)(A) |
| No Sale/Sharing | Vendor shall not sell or share personal information | § 1798.140(ag)(1)(B) |
| No Unauthorized Combining | Vendor shall not combine PI received from multiple businesses except as permitted | § 1798.140(ag)(1)(D) |
| Subcontractor Flow-Down | Vendor must impose same CPRA restrictions on subcontractors and notify business of subcontractor engagements | § 1798.100(d)(5) |
| Audit/Assessment Rights | Business may take reasonable steps to ensure vendor compliance, including audits | § 1798.100(d)(1) |
| Consumer Rights Cooperation | Vendor must assist with Right to Know, Delete, Correct, Portability, Opt-Out | §§ 1798.100-121 |
| GPC Compliance | Vendor must treat GPC signal as valid opt-out of sale/sharing | § 1798.135, 11 CCR § 7025 |
| Sensitive PI Limitation | Vendor must support "Limit the Use of My Sensitive PI" requests | § 1798.121 |
| Breach Notification | Notify within [____] hours; support AG notification if >500 CA residents | § 1798.82 |
| Data Minimization/Retention | Retention limited to what is reasonably necessary for the disclosed purpose | § 1798.100(a)(3) |
| Deletion Obligation | Delete PI upon request, including instructing subcontractors to delete | § 1798.105(c) |
5.3 Ongoing Monitoring — California Additions
| Activity | Frequency | Responsible |
|---|---|---|
| CPRA compliance verification | Annual | Compliance / Privacy |
| Consumer rights request support review | Semi-Annual (Critical/High) | Privacy |
| GPC/opt-out signal compliance testing | Annual | Security / Privacy |
| ADMT compliance review (if applicable) | Annual | Privacy |
| Sensitive PI handling verification | Annual | Privacy |
| Subcontractor flow-down verification | Annual | Compliance |
| Breach notification readiness | Annual | Security / Compliance |
| Risk assessment review (§ 1798.185(a)(15)) | As processing changes | Privacy |
5.4 Offboarding — California Additions
☐ Confirm deletion of all CA consumer personal information per § 1798.105(c)
☐ Instruct vendor to direct subcontractors to delete CA PI
☐ Obtain written deletion certification
☐ Verify no retained copies except as required by law
☐ Document compliance with CPRA through termination
6. CPRA SERVICE PROVIDER/CONTRACTOR FRAMEWORK
6.1 Classification Decision Tree
| Question | If Yes | If No |
|---|---|---|
| Does the business make PI available to vendor? | Continue | No CPRA classification needed |
| Does the vendor process PI only per business's instructions? | Service Provider or Contractor | May be "Third Party" (sale/sharing analysis needed) |
| Does the contract meet § 1798.100(d) requirements? | Service Provider / Contractor | Must remediate contract |
| Does the vendor certify understanding of restrictions? | Contractor eligible | Service Provider only |
| Does the business conduct audits or require annual certifications? | Full Contractor treatment | Service Provider treatment |
6.2 Service Provider vs. Contractor Key Differences
| Requirement | Service Provider | Contractor |
|---|---|---|
| Written contract with CPRA terms | Required | Required |
| Certification of understanding | Not required | Required |
| Right to audit | Required | Required + annual exercise |
| Use/retention/disclosure restrictions | Same | Same |
| Regulatory treatment | Established category (carried over from CCPA) | Category introduced by CPRA |
7. ROLES AND RESPONSIBILITIES
| Role | CA-Specific Responsibilities |
|---|---|
| Privacy | CPRA classification; consumer rights support; GPC compliance; ADMT; sensitive PI; risk assessments |
| Compliance | CPRA regulatory updates; AG notification coordination; subcontractor flow-down verification |
| Security | Breach notification readiness; GPC technical implementation; security measures verification |
| Legal | CPRA contract terms; service provider/contractor classification; audit rights |
| Business Owner | Ensure SLAs support CA breach notification; consumer rights request coordination |
8. DOCUMENTATION AND SYSTEMS OF RECORD
Additional TPRM platform fields:
☐ CPRA classification (service provider / contractor / third party)
☐ Service provider/contractor agreement status
☐ GPC compliance status
☐ Sensitive PI processing flag
☐ ADMT use flag
☐ Consumer rights support verification
☐ Subcontractor flow-down status
☐ Risk assessment completion status
9. METRICS, KRIs, AND REPORTING
| Metric | Target | Frequency |
|---|---|---|
| CPRA-compliant SP/contractor agreements | 100% of applicable | Quarterly |
| GPC compliance verification | 100% of consumer-facing vendors | Annual |
| Consumer rights support verified | 100% of Critical/High | Annual |
| Subcontractor flow-down verified | 100% of Critical/High | Annual |
| Risk assessments completed | 100% of high-risk processing | Semi-Annual |
| Breach notification SLA compliance | 100% | Per incident |
10. EXCEPTIONS AND COMPENSATING CONTROLS
☐ CPRA-related exceptions require approval by [CPO / General Counsel]
☐ Document compensating controls with statutory reference
☐ Maximum exception duration: [____] days
11. REVIEW CADENCE
| Field | Information |
|---|---|
| SOP Owner | [________________________________] |
| Review Frequency | Annual, or upon CPPA regulatory change |
| Next Review | [__/__/____] |
12. ANNEXES
Annex A: CPRA Service Provider/Contractor Contract Checklist
☐ Purpose limitation — no use beyond contracted services (§ 1798.140(ag)(1)(A))
☐ No sale or sharing (§ 1798.140(ag)(1)(B))
☐ No unauthorized combining (§ 1798.140(ag)(1)(D))
☐ Certification of understanding (Contractor only)
☐ Audit/assessment rights (§ 1798.100(d)(1))
☐ Notification if unable to meet obligations (§ 1798.100(d)(3))
☐ Subcontractor flow-down (§ 1798.100(d)(5))
☐ Consumer rights cooperation (Know, Delete, Correct, Portability, Opt-Out, Limit Sensitive PI)
☐ GPC/universal opt-out signal recognition (§ 1798.135, 11 CCR § 7025)
☐ Data minimization and retention limitation (§ 1798.100(a)(3))
☐ Breach notification SLA
☐ Deletion certification on termination
SOURCES AND REFERENCES
- CCPA/CPRA, Cal. Civ. Code § 1798.100 et seq.
- Cal. Civ. Code § 1798.140(ag) (Service Provider), § 1798.140(j) (Contractor)
- Cal. Civ. Code § 1798.82 (Breach Notification)
- CPPA Final Regulations, 11 CCR § 7050 et seq.
- 11 CCR § 7025 (Opt-Out Preference Signals)
- 11 CCR § 7030 et seq. (ADMT Regulations)
- OCC Bulletin 2023-17
- DOJ Evaluation of Corporate Compliance Programs (2023)
This template is provided for informational purposes only and does not constitute legal advice. Consult qualified legal counsel before use.
Last updated: April 2026