What CCPA Means for Your TPCRM Program
Published May 14, 2026
Introduction
Picture this. A California resident submits a data subject request to your company. You respond on time, check the box, move on. Two weeks later, a regulator comes back with a question you weren’t expecting: what did your CRM vendor do with that same data? Can you prove they handled it correctly? Do you even have the contract language that requires them to cooperate?
If you hesitated on any of those, you have a TPCRM problem dressed up as a compliance problem.
The California Consumer Privacy Act has been law since 2018, effective since January 2020. Most security and compliance teams know it applies to them. Fewer have internalized what it actually demands from their vendor oversight programs. That gap is where enforcement exposure lives.
What CCPA Requires
CCPA gives California residents enforceable rights over their personal data: the right to know what’s collected, the right to opt out of its sale, and the right to request deletion. The CPRA amendments, effective January 2023, extended those rights to include correction and portability. For minors under 16, the law requires affirmative opt-in consent before any sale of their personal information. Children under 13 require parental or guardian authorization. Not 18. Not a general “minor” standard. Under 16.
The law applies to any business that operates in California or processes California residents’ personal data through third parties, and meets at least one of these thresholds:
- $25 million or more in gross annual revenue
- Buys, sells, or shares the personal information of 100,000 or more consumers or households annually (the original CCPA threshold was 50,000; CPRA doubled it and removed “devices” from the definition)
- Generates 50% or more of annual gross revenue from selling or sharing personal information
The 50,000 figure circulating in older compliance guidance is outdated. If your legal team or vendor assessments are still working from that number, update them.
Your Vendors Are Your Responsibility
Once you’re subject to CCPA, compliance doesn’t stop at your perimeter. Every vendor handling personal data on your behalf is part of your obligation. Your CRM. Your cloud infrastructure provider. Your analytics stack. Your marketing automation tools. If they touch personal information, you are responsible for how they handle it.
CCPA doesn’t prescribe a specific program structure. It requires “reasonable and appropriate steps.” That phrase sounds flexible. Regulators do not treat it that way.
Here’s what reasonable and appropriate actually looks like in practice:
Tier your vendors by risk. Evaluate across data sensitivity, data volume, business criticality, and access level. Map to defined tiers: Tier 1 for critical vendors with direct access to sensitive personal information, Tier 2 for elevated risk, Tier 3 for standard. A cloud infrastructure provider processing sensitive PI is a Tier 1 relationship. A vendor with no direct PI access is Tier 3. The category determines the oversight.
Match oversight to risk. Tier 1 vendors warrant continuous monitoring and formal annual audits. Tier 2 gets quarterly automated scanning plus an annual audit. Tier 3 gets an annual assessment. The oversight should scale with what’s at stake. Applying identical controls across every vendor isn’t proportionate risk management. It’s compliance theater.
Govern every contract. Regardless of tier, every contract with a service provider, contractor, or third party receiving personal information needs the right provisions. Work with legal counsel on the specific language. The January 1, 2026 amendments to §7050(h) added explicit cooperation requirements for cybersecurity audits and risk assessments. If your vendor agreements predate that, pull them and review. A contract written in 2023 may have a gap you haven’t closed yet.
Three Places Enforcement Finds You
Contract compliance. The §7050(h) cooperation clauses are active as of January 1, 2026. If a vendor agreement doesn’t address cybersecurity audit cooperation and risk assessment obligations, that’s a finding waiting to happen.
Evidence retention. Monitoring means nothing without documentation. The CPPA requires three years of documented monitoring artifacts, risk decisions, and audit trails. The question isn’t whether you’re doing the work. The question is whether you can prove it. If the answer is “it’s in someone’s head” or “we’d have to reconstruct it,” your evidence posture is broken.
Formal risk assessments. Sections 7150 through 7157 require completed risk assessments for processing activities involving personal information that predated 2026. The deadline is December 31, 2027. That sounds distant. It isn’t. Completing a risk assessment for every qualifying processing activity takes time, especially if you haven’t catalogued them yet. The clock is running.
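To make the tiering and oversight steps above, and the three enforcement checks, concrete as something a TPCRM team could run against a vendor inventory, here is an added Python illustration (not the author's or Black Kite's code). The article names the four tiering factors and two anchor cases but no scoring formula, so the rule in `classify` is an assumption; the clause identifiers, the 100,000-record "high volume" cut-off and the sample vendors are all constructed for the example.

```python
"""Vendor tiering, oversight cadence and contract-gap checks (added illustration)."""
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum


class Tier(IntEnum):
    TIER_1 = 1  # critical vendor with direct access to sensitive PI
    TIER_2 = 2  # elevated risk
    TIER_3 = 3  # standard


# Oversight cadence per tier, as the article states it.
OVERSIGHT = {
    Tier.TIER_1: "continuous monitoring + formal annual audit",
    Tier.TIER_2: "quarterly automated scanning + annual audit",
    Tier.TIER_3: "annual assessment",
}

# Cooperation provisions added to section 7050(h), active from 2026-01-01.
# The clause identifiers are assumed names, not regulatory terms.
COOPERATION_EFFECTIVE = date(2026, 1, 1)
REQUIRED_CLAUSES = {"cybersecurity_audit_cooperation", "risk_assessment_cooperation"}

EVIDENCE_RETENTION_YEARS = 3                   # CPPA retention window cited above
RISK_ASSESSMENT_DEADLINE = date(2027, 12, 31)  # sections 7150-7157 deadline

# Assumed cut-off for "high volume"; the article gives no tiering number.
HIGH_VOLUME_RECORDS = 100_000


@dataclass
class Vendor:
    name: str
    direct_pi_access: bool      # direct access to personal information
    sensitive_pi: bool          # that PI includes sensitive categories
    records: int                # consumer records reachable by the vendor
    business_critical: bool
    contract_signed: date
    clauses: set = field(default_factory=set)  # provisions present in the contract


def classify(v: Vendor) -> Tier:
    """Assumed tiering rule built from the article's two anchor cases:
    no direct PI access -> Tier 3; direct access to sensitive PI -> Tier 1;
    criticality or volume alone lifts a vendor to Tier 2."""
    if not v.direct_pi_access:
        return Tier.TIER_3
    if v.sensitive_pi:
        return Tier.TIER_1
    if v.business_critical or v.records >= HIGH_VOLUME_RECORDS:
        return Tier.TIER_2
    return Tier.TIER_3


def contract_gaps(v: Vendor, today: date) -> list:
    """Clauses the contract must carry once the 7050(h) amendments are live."""
    if today < COOPERATION_EFFECTIVE:
        return []
    return [f"{v.name}: missing {c} (section 7050(h))"
            for c in sorted(REQUIRED_CLAUSES - v.clauses)]


def evidence_retention_cutoff(today: date) -> date:
    """Oldest artifact date that must still be on file (three-year window)."""
    try:
        return today.replace(year=today.year - EVIDENCE_RETENTION_YEARS)
    except ValueError:  # today is 29 February; fall back to the 28th
        return today.replace(year=today.year - EVIDENCE_RETENTION_YEARS, day=28)


def risk_assessment_days_left(today: date) -> int:
    """Days remaining before the pre-2026 processing assessments are due."""
    return (RISK_ASSESSMENT_DEADLINE - today).days


def oversight_plan(vendors, today: date) -> dict:
    """Per-vendor tier, cadence and open contract findings."""
    plan = {}
    for v in vendors:
        tier = classify(v)
        plan[v.name] = {
            "tier": int(tier),
            "cadence": OVERSIGHT[tier],
            "contract_gaps": contract_gaps(v, today),
            "contract_predates_amendment": v.contract_signed < COOPERATION_EFFECTIVE,
        }
    return plan


# Constructed sample inventory (not real vendors).
SAMPLE_VENDORS = [
    Vendor("cloud-infra", True, True, 2_000_000, True, date(2023, 3, 1)),
    Vendor("analytics", True, False, 250_000, False, date(2024, 9, 15),
           {"cybersecurity_audit_cooperation"}),
    Vendor("office-supplies", False, False, 0, False, date(2022, 1, 10)),
]

if __name__ == "__main__":
    today = date(2026, 5, 14)
    for name, entry in oversight_plan(SAMPLE_VENDORS, today).items():
        print(name, entry)
    print("retain evidence back to", evidence_retention_cutoff(today))
    print("days to risk-assessment deadline", risk_assessment_days_left(today))
```

Running it on the sample inventory places the cloud provider in Tier 1 with two missing cooperation clauses on a 2023 contract, the analytics vendor in Tier 2 with one clause still missing, and the supplies vendor in Tier 3 with nothing to fix. The retention cutoff and deadline counter are the two numbers an evidence review should be able to produce on demand.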
What This Actually Costs
Non-compliance under CCPA carries fines of $2,500 per unintentional violation and $7,500 per intentional violation. The math scales fast. And CPPA enforcement actions are public record, which means the reputational impact compounds the financial one.
But here’s the real cost. Most organizations that end up in regulatory scrutiny aren’t there because they ignored the law. They’re there because they assumed their vendors were handling it. They outsourced accountability without building the oversight structure to back it up.
That assumption is not a defense.
Your TPCRM program is the mechanism that turns CCPA’s “reasonable and appropriate steps” language into documented, auditable reality. If the program isn’t built to that standard, the risk isn’t theoretical. It’s scheduled.
Bob Maley is the Chief Security Officer of Black Kite® (NormShield, Inc.) and the author of Unleashing the Power of the OODA Loop in Cybersecurity and The Book of Five Keys. He serves on the Shared Assessments Advisory Board and co-chairs the AI and Emerging Technology Working Group.