“To effectively address the CCPA rules regarding disclosure of personal information, an organization must take the time to understand how and why personal information is moving out of the organization. This effort requires input from multiple stakeholders in the company to understand from a technical standpoint where personal information might be housed (e.g., identifying external systems and third parties that maintain company information) and understand from a business standpoint why the information is disclosed (e.g., hosting of a website or customer relationship management system or provision of marketing services).”

“Because the CCPA does not specifically exempt data flows between affiliated companies, disclosures by and among different legal entities of the same company must be factored in.”

“Companies not only have to undertake careful review of disclosures to identify those that meet the definition of ‘sale,’ but they will also have to coordinate across technical and business teams to make sure that once a consumer exercises this right, the organization can shut down all flows of that consumer’s data that fall into the category of sale.”

Details from the International Association of Privacy Professionals.