CCPA requires companies to allow consumers to choose not to have their data shared with third parties. That means that companies will now have to ensure that their third-party vendors cannot access sensitive data.
Furthermore, organizations are responsible not only for upholding the consumer rights themselves, but also for whether their third-party vendors comply. Such vendors often provide JavaScript code snippets, including social media pixels, chatbots, tracking scripts and payment iframes.
If consumer data is exposed on your site because of an attack on a third-party vendor, you are no longer compliant with CCPA and are liable for any damages that result. Even if third-party code accesses sensitive data on a site non-maliciously, the website owner could still be in violation of CCPA.
Third-party code vendors often state in their legal agreements that they aren’t responsible for what data gets grabbed by their systems. If they do get access to sensitive data, they are free from liability because the onus was on the website to not grant access in the first place. It is critical to continuously audit third-party code and always verify that it is collecting expected data.