Just as the CCPA granted consumers new rights over their personal data, it places new obligations on businesses for handling that data. Some of these obligations enable data subject rights, while others pertain to general data protection and the transfer of data.
There are several requirements that businesses need to comply with in terms of notices for consumers. Businesses need to provide notice to end-users of their data rights under CCPA. In addition, they need to provide clear means to exercise those rights. Companies that sell personal data need a link on their homepage that consumers can use to opt out of the sale of their personal information.
CCPA requires that businesses provide consumers with two methods of submitting data access requests and data deletion requests. In the case of online-only companies, only one method is required for access requests; two methods are still necessary for deletion requests.
Businesses cannot discriminate against consumers who exercise their data rights. Businesses cannot charge different amounts or offer different services to consumers based on how they use their data rights.
There are two categories of third parties under CCPA: service providers and non-service providers. Service providers are companies that provide services for other companies. A typical service provider for technology companies is their cloud provider.
Companies need to have agreements in place with their service providers to ensure the protection of personal information.
For non-service providers, companies must disclose to consumers that personal data will be shared with the third party before the data is actually shared.
While CCPA does not mandate training of all employees, it does mandate training of all employees who may need to administer or respond to users’ inquiries about data rights and the company’s compliance with CCPA. It should be best practice to train employees on at least the basics of CCPA, as there are many avenues for consumer questions and requests.