CCPA Primer

Lesson 5 | Your responsibilities under CCPA


Your Responsibilities

Just as the CCPA granted consumers new rights over their personal data, it places new obligations on businesses for handling that data. Some of these obligations enable data subject rights, while others pertain to general data protection and the transfer of data.

Notice to Consumers

Businesses must comply with several requirements for notices to consumers. They need to notify end-users of their data rights under CCPA and provide clear means to exercise those rights. Companies that sell personal data need a link on their homepage that consumers can use to opt out of the sale of their personal information.

Methods of Exercising Consumer Rights

CCPA requires that businesses provide consumers with two methods of submitting data access requests and data deletion requests. In the case of online-only companies, only one method is required for access requests; two methods are still necessary for deletion requests.

Do Not Discriminate

Businesses cannot discriminate against consumers who exercise their data rights. Businesses cannot charge different amounts or offer different services to consumers based on how they use their data rights.

Transferring Data to Third Parties

There are two categories of third parties under CCPA: service providers and non-service providers. Service providers are companies that provide services for other companies. A typical service provider for technology companies is their cloud provider.

For service providers, companies need to have agreements in place with them to ensure the protection of personal information.

For non-service providers, companies must disclose to consumers that personal data will be shared with the third party before the data is actually shared.

Training Employees

While CCPA does not mandate training of all employees, it does mandate training of all employees who may need to administer or respond to users’ inquiries about data rights and the company’s compliance with CCPA. As a best practice, companies should train employees on at least the basics of CCPA, as there are many avenues for consumer questions and requests.