Chances are you’re considering the California Consumer Privacy Act and its impact on not only your organization but also on policies and processes of your business partners. Rest assured—as you’ll read below—A-Check (as a consumer reporting agency) is committed to data protection and already complies with the majority of California resident rights under CCPA legislation.
Here’s a very quick, high-level summary. The CCPA provides:
- Rights to California Residents when it comes to the buying and selling of their personal information, including notices, right to delete, right to access, etc.
- Requirements for businesses that meet the definition of a “Business” in civil code 1798.140 (exceeding $25M in revenue and/or collecting personal information of more than 50,000 people) – requirements include Data Security, Breach Notification, and administration of the rights of residents of CA (explained above).
However, the CCPA also includes exceptions for both employers and consumer reporting agencies, reducing the responsibilities of each entity:
1798.145 – Interaction with other statutes, rights, and obligations
(d) This title shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
The exceptions for employers and CRAs exclude these two entities from administering an applicant’s rights, e.g., deletion of data. However, both are still required to comply with the Data Security and Breach Notification requirements.
However, as a CRA, A-Check Global already complies with the majority of California Resident Rights under the CCPA legislation:
- A-Check staffs a dedicated Compliance Team that handles all consumer requests for corrections, copies, full file disclosures, and requests for deletion of personal information*
- A-Check’s Data Security Strategy includes a robust Information Security Policy based on the NIST Framework and a Data Security Team comprised of members of A-Check’s Staff (Executive Management, Compliance, Marketing, Development, and Infrastructure) that meets bimonthly
- A-Check requires a contract and data security assessment with all vendors with which A-Check shares PII
- The new CCPA calls for an opt-out button for consumers to opt out of having their information sold; however, A-Check does not sell personal data for any reason, so the button is not necessary to our process
- A-Check’s systems do not discriminate between applicants utilizing the system – no preferential treatment whatsoever
- A-Check can only process a background check on a person under the age of 18 with consent from a guardian
*A-Check is required by the ICRAA to archive all information utilized to produce a consumer report for a period of 2 years, therefore we will not be able to immediately honor requests for deletion from consumers.
What is required of clients:
- Compliance with Notice requirement 1798.100 of the legislation and Disclosure requirement 1798.110 of the legislation; and
- Compliance with all Data Security and Breach Notification requirements of the law
We’re here to help!
877.345.2021 | firstname.lastname@example.org