Providers of services that involve the personal information of California residents: What do the proposed CCPA Regs mean for your compliance?

You may want to:

  • Reassess whether CCPA applies to you – this is now possible if you otherwise meet the requirements for “service provider” under CCPA, and:
    • are a “service provider” to an entity which is not a business (e.g. education systems, hospitals etc.)
    • direct a person or entity to collect personal information directly from a consumer on behalf of a business.
  •  If you are also a business under CCPA – devise processes to comply with the CCPA and the regs with regard to any personal information that you collect, maintain, or sell outside of your role as a service provider.
  • Ensure that you do not use consumer personal information received in connection with the services provided to one business client for another unless necessary to detect data security incidents/ fraudulent or illegal activity.
  • Address who answers consumer requests in your agreement with the business-client
  • If you do not respond to a consumer request explain why and direct the consumer to the business.

Read the full text of the proposed regulations.