Regulatory Compliance

CCPA Meets Software Supply Chain

CCPA and CPRA are mostly about data rights, but the reasonable-security provisions and service-provider obligations reach deep into software supply chain practice. Here's how the two connect.

Nayan Dey
Senior Security Engineer
7 min read

The Supply Chain Language Hidden in a Privacy Law

The California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100 et seq.), as amended by the California Privacy Rights Act of 2020, is primarily a consumer-rights statute. It creates rights to access, deletion, correction, and opt-out, and it defines duties for businesses that process California residents' personal information.

Most discussion of CCPA focuses on the privacy notices and rights processes. But the law contains two provisions with direct implications for software supply chain. The first is § 1798.150, which creates a private right of action for "breach of the duty to implement and maintain reasonable security procedures and practices." The second is § 1798.100(d), which requires specific contractual provisions for service providers and contractors — provisions that reach into a vendor's software supply chain.

Software supply chain teams ignore these at their peril. When a breach happens and the question of "reasonable security" lands in front of a California Superior Court, whether you had a sensible SBOM and vulnerability management program is likely to be weighed. This post walks through where the statutes meet software supply chain practice.

What "Reasonable Security" Means

CCPA doesn't define "reasonable security procedures and practices." It incorporates the duty by reference to § 1798.81.5, which imposes a similar duty on all California businesses. Neither statute specifies controls.

Case law and Attorney General guidance have filled the gap. The most commonly cited reference is the 2016 California Data Breach Report from Attorney General Kamala Harris, which identified the CIS Critical Security Controls (then called the CIS Top 20) as a minimum bar for reasonable security. The report stated explicitly that failure to implement all relevant CIS Controls "constitutes a lack of reasonable security." That language has been quoted in subsequent AG enforcement actions.

For software supply chain, the relevant CIS Controls are:

  • Control 2 (Inventory and Control of Software Assets) — maintain an inventory of authorized software. This is an SBOM requirement by another name.
  • Control 7 (Continuous Vulnerability Management) — regularly scan, prioritize, and remediate vulnerabilities.
  • Control 16 (Application Software Security) — secure the application layer through secure development practices.
  • Control 15 (Service Provider Management) — assess and monitor third-party providers.

If a business gets breached through an unpatched component and doesn't have an SBOM, Continuous Vulnerability Management, or Service Provider Management in place, the AG's 2016 position is that reasonable security is absent.

The Private Right of Action

Section 1798.150 allows consumers to sue following breaches of non-encrypted, non-redacted personal information if the breach resulted from a failure to maintain reasonable security. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater.

For a breach affecting one million California residents, that's $100 million to $750 million in statutory exposure. The threshold question in litigation is whether reasonable security was in place. Plaintiffs' counsel increasingly frame this question in specific terms: did the business have a software inventory? Were components tracked for vulnerabilities? Were patches applied within industry-typical timelines?

Software supply chain documentation becomes litigation evidence. An SBOM with a clear vulnerability remediation history is a defense artifact. Its absence is a cross-examination opportunity.

Service Provider Provisions Under § 1798.100(d)

The 2020 CPRA amendments to CCPA tightened service provider obligations significantly. Section 1798.100(d) requires a written contract between a business and each service provider, contractor, or third party to whom personal information is disclosed. The contract must, among other things:

  • Specify that the personal information is sold or disclosed by the business to the service provider only for limited and specified purposes.
  • Obligate the service provider to comply with applicable obligations under CCPA.
  • Grant the business audit rights.
  • Require the service provider to notify the business if it determines it can no longer meet its CCPA obligations.

For software vendors — particularly SaaS products handling California data — "applicable obligations" pull in the reasonable security standard. The audit-rights provision is where software supply chain evidence gets requested. California businesses increasingly ask vendors for SBOMs, penetration test summaries, vulnerability SLAs, and SOC 2 reports as part of service provider diligence.

The Mapping in Practice

For a software vendor selling into California, the practical stance is:

Build and maintain SBOMs for every deployed application. These satisfy CIS Control 2 and support the reasonable security argument.

Run continuous vulnerability management with SLA tracking. This is CIS Control 7. Typical industry SLAs are 30 days for critical, 90 days for high, and 180 days for medium findings. Document every deviation.

Offer SBOMs and vulnerability posture to business customers. This supports their § 1798.100(d)(3) diligence obligations and reduces contract friction.

Track your own sub-processors at component depth. If you use a third-party library that transmits data to a third party, that relationship lives in the SBOM. It may trigger your customers' service-provider obligations.

Document breach response process and timeline. § 1798.150 references the California Data Breach Reporting statute; notification timelines matter even though CCPA itself doesn't set one.
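The SLA-tracking and component-depth sub-processor steps above both come down to walking the SBOM with a date in hand. The following is an added example, not code from the post or from any product it mentions; it assumes a simplified in-memory SBOM (component name, version, supplier, a flag for components that send data to a third party, and a list of findings with first-seen and fixed dates) and uses the 30/90/180-day SLAs quoted above as the vendor's policy. The component names, supplier names and VULN-000x identifiers are constructed placeholders, not real packages or advisories. It produces the evidence set the post describes: a per-finding remediation timeline, SLA adherence counts, the misses that have no documented deviation, and the components whose data egress makes them candidate sub-processors.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Remediation SLAs in days by severity: the industry-typical figures quoted in the
# post (30 critical / 90 high / 180 medium). Assumed here to be the vendor's own policy.
SLA_DAYS = {"critical": 30, "high": 90, "medium": 180}

# Date the audit is run against; a fixed value so the sample report is reproducible.
AUDIT_DATE = date(2024, 10, 1)


@dataclass
class Vulnerability:
    vuln_id: str                          # placeholder ids (VULN-000x), not real CVEs
    severity: str
    first_seen: date                      # date the scanner first reported the finding
    fixed_on: Optional[date] = None       # None while the finding is still open
    deviation_note: Optional[str] = None  # documented reason when the SLA was missed


@dataclass
class Component:
    name: str
    version: str
    supplier: str
    sends_data_to_third_party: bool = False  # sub-processor flag at component depth
    vulns: list = field(default_factory=list)

    @property
    def ref(self) -> str:
        return f"{self.name}@{self.version}"


def sla_deadline(v: Vulnerability) -> Optional[date]:
    """Date by which the finding had to be remediated, or None if the severity is unrated."""
    limit = SLA_DAYS.get(v.severity)
    return None if limit is None else v.first_seen + timedelta(days=limit)


def sla_status(v: Vulnerability, today: date) -> str:
    """Classify one finding against its SLA. A miss with no deviation note is the
    gap that turns an SBOM from a defense artifact into a cross-examination exhibit."""
    deadline = sla_deadline(v)
    if deadline is None:
        return "unrated"
    if v.fixed_on is not None:
        if v.fixed_on <= deadline:
            return "fixed_within_sla"
        return "fixed_late_documented" if v.deviation_note else "fixed_late_undocumented"
    if today <= deadline:
        return "open_within_sla"
    return "overdue_documented" if v.deviation_note else "overdue_undocumented"


def audit_sbom(components: list, today: date) -> dict:
    """Walk the SBOM and build the evidence set: remediation timeline, SLA adherence
    counts, undocumented misses, and components that ship data to a third party."""
    counts: dict = {}
    timeline = []
    undocumented = []
    for c in components:
        for v in c.vulns:
            status = sla_status(v, today)
            counts[status] = counts.get(status, 0) + 1
            end = v.fixed_on or today
            timeline.append({
                "vuln_id": v.vuln_id, "component": c.ref, "supplier": c.supplier,
                "severity": v.severity, "status": status,
                "days_open": (end - v.first_seen).days, "deadline": sla_deadline(v),
            })
            if status.endswith("undocumented"):
                undocumented.append(v.vuln_id)
    timeline.sort(key=lambda e: (e["component"], e["vuln_id"]))
    return {
        "counts": counts,
        "remediation_timeline": timeline,
        "undocumented_sla_misses": sorted(undocumented),
        "third_party_egress": sorted(c.ref for c in components if c.sends_data_to_third_party),
    }


# Constructed sample SBOM with findings; none of these are real components or advisories.
SAMPLE_SBOM = [
    Component("libparse", "1.2.3", "Example Libs", vulns=[
        Vulnerability("VULN-0001", "critical", date(2024, 1, 10), fixed_on=date(2024, 1, 30)),
        Vulnerability("VULN-0002", "high", date(2024, 2, 1), fixed_on=date(2024, 6, 1)),
    ]),
    Component("analytics-sdk", "4.0.0", "Example Analytics Inc", sends_data_to_third_party=True, vulns=[
        Vulnerability("VULN-0003", "medium", date(2024, 3, 1),
                      deviation_note="upstream fix pending; outbound egress blocked at proxy"),
    ]),
    Component("webfw", "2.5.0", "Example Framework Project", vulns=[
        Vulnerability("VULN-0004", "critical", date(2024, 9, 15)),
        Vulnerability("VULN-0005", "low", date(2024, 9, 20)),
    ]),
]

if __name__ == "__main__":
    report = audit_sbom(SAMPLE_SBOM, AUDIT_DATE)
    for entry in report["remediation_timeline"]:
        print(entry)
    print("SLA adherence:", report["counts"])
    print("undocumented misses:", report["undocumented_sla_misses"])
    print("components with third-party egress:", report["third_party_egress"])
```

On the sample data, VULN-0002 (a high fixed after 121 days with no note) is the finding that would be flagged, and analytics-sdk is the component that belongs on the sub-processor list. In a real pipeline the input would be a CycloneDX or SPDX document joined with scanner output, and the deviation notes would come from the ticketing system, but the classification logic is the same.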

Intersection With Other California Laws

Two adjacent statutes compound the exposure.

The California Age-Appropriate Design Code (SB 190, signed 2022, enjoined in part) imposed specific security obligations for products likely to be accessed by children. While enforcement is in flux, businesses covered by the law need stronger vulnerability management because the statute's risk assessments must consider data-security risks.

The California AI Transparency Act (SB 942, 2024) adds labeling and provenance requirements for AI-generated content. For software supply chain, this reaches into ML model provenance — model SBOMs and attestation around training data become relevant under CCPA's reasonable-security analysis when AI systems process personal information.

The Attorney General's Enforcement Posture

The California AG and, since 2023, the California Privacy Protection Agency (CPPA) have been active. Enforcement actions have most prominently focused on notice and opt-out issues, but several enforcement sweeps specifically called out "failures to implement reasonable security."

The Sephora settlement in 2022 ($1.2 million) focused on sale-of-personal-information notices but called out the absence of a sale opt-out as a failure. The DoorDash advisory (2020) cited inadequate vendor management. The pattern shows that service-provider diligence gets scrutiny alongside consumer-facing practices.

Common Mistakes

Assuming privacy-and-security is one function. CCPA compliance often sits with Legal or Privacy; software supply chain sits with Engineering Security. They need to share evidence. The SBOM is the bridge.

Treating service-provider audit rights as a nuisance. When a business customer exercises audit rights, give them the SBOM, the pen-test summary, and the SOC 2. If you don't have these, you have a real problem under § 1798.150 too.

Ignoring transitive vendors. A service provider's service providers may process the same personal information. § 1798.140(ag) (definition of service provider) reaches far.

Overweighting opt-out and underweighting security. Privacy compliance that passes notice-and-opt-out review but fails at reasonable security creates the biggest-dollar exposure.

How Safeguard Helps

Safeguard maintains the SBOM and vulnerability inventory that the California AG's "reasonable security" standard expects — CIS Control 2 and Control 7 evidence in one view. When business customers invoke audit rights under § 1798.100(d), vendors can export SBOM and vulnerability posture reports scoped to each product, with SLA adherence attached. For businesses managing service providers, Safeguard's supplier risk assessments pull real component-level data rather than self-attestations, strengthening the § 1798.100(d) diligence story. If a breach leads to § 1798.150 litigation, the vulnerability remediation timeline is documented and defensible.
