Providers of services that involve the personal information of California residents: What do the proposed CCPA Regs mean for your compliance?
You may want to:
- Reassess whether CCPA applies to you – this is now possible if you otherwise meet the requirements for “service provider” under CCPA, and:
- are a “service provider” to an entity which is not a business (e.g. education systems, hospitals etc.)
- direct a person or entity to collect personal information directly from a consumer on behalf of a business.
- If you are also a business under CCPA – devise processes to comply with the CCPA and the regs with regard to any personal information that you collect, maintain, or sell outside of your role as a service provider.
- Ensure that you do not use consumer personal information received in connection with the services provided to one business client for another unless necessary to detect data security incidents/ fraudulent or illegal activity.
- Address who answers consumer requests in your agreement with the business-client
- If you do not respond to a consumer request explain why and direct the consumer to the business.