This year, International Data Privacy Day follows one of the biggest data privacy events since EU’s General Data Protection Regulation (GDPR) - on January 1, 2020, the California Consumer Privacy Act (CCPA) went into effect. CCPA is the strongest consumer privacy legislation mandated at the state level, and it gives significantly more power to consumers to demand accountability and transparency for how their private data is handled. The CCPA also puts in place costly penalties against organizations that collect data and fail to protect it. CCPA is, in effect, a national and global law. It covers any security and data problems that happen in the state of California and impact companies conducting business in California. So, for example, a German company that does business in California could find itself liable for costly fines if its website is breached and California customers are affected. The good news? If your organization already complies with GDPR, you are 95% of the way toward reaching CCPA compliance. A less-known but critically important piece of the CCPA is that liability for breaches extends to third-party services that web application publishers and operators use. This includes information security companies, payment processors, chatbot operators and any other provider of third-party services. Your organization may be responsible not only for security problems and breaches affecting your own code, but also for code that is not even operating on your site. This is true as long as that third-party code is included in your user experience or exposed to your users in the web application. Nearly all web applications (including web, mobile web and hybrid mobile applications) use third-party JavaScript libraries and services to add functionality and improve performance. Now is a good time, to protect yourself from liability, to ask all third-party service providers for detailed answers to the following questions. Do you capture any of our user data? How, where and when? Please explain the mechanism. If you do capture our user data, what is your own CCPA policy and database access structure? Can you provide an easy mechanism for us to access any user data you collect and provide it to our end users as part of a comprehensive CCPA report? What are you doing to monitor data privacy laws that other states are likely to enact? In addition, demand certification information and make it a condition of ongoing business. For SaaS companies, SOC 2 Compliance and/or ISO 270001 is the gold standard. Next, ask them to run a simulated CCPA request process with you. This will help you assess their readiness. And, make sure your security stance for all your public-facing applications is audited and up to date with proper configurations. This will mean not only internal firewalls on databases and malware protection on every user’s device, but also technology specific to guarding web applications. Web application firewalls are table stakes. Make sure they are tuned appropriately. CCPA adherence enforces good basic security hygiene and best practices — and that will result in better protection for your users, your infrastructure and your bottom line.  Read Less