The answer largely depends on whether your organization would be a “business,” a “service provider,” or a “third party” under the CCPA.
For businesses, the main obligations include:
- Notifying consumers of the types of personal information collected and how that information will be used. This notice must be provided at or before the point where personal information is collected.
- Providing consumers with ways to submit requests to access or delete their personal information or to know more about how it is processed and shared, and responding to those requests.
- Providing a clear and conspicuous link on the business’s website entitled “Do Not Sell My Personal Information” so that consumers may exercise their right to opt-out of “sales” of their personal information, if the business sells personal information.
- Not discriminating against consumers who exercise their rights under the CCPA.
- Providing reasonable security to protect personal information from unauthorized access or acquisition.
For service providers, the main obligations include:
- Processing personal information only for the purposes specified in the written contract with the business customer, and not for the service provider’s own commercial purposes.
- Deleting personal information about a consumer when instructed to do so by the business customer.
For third parties that receive personal information in a “sale,” but that are not service providers, the CCPA prohibits the third party from further “selling” that personal information unless the consumer received “explicit notice” and an opportunity to opt out of “sales.” “Explicit notice” is not defined by the CCPA, and third parties may wish to consult their own legal counsel to assess their obligations.