Disclaimer
This topic is meant to provide general guidelines and should not be construed as legal advice. You bear the risk of using these FAQs, so always consult your counsel on matters of legal compliance. Information and views expressed in this FAQs, including URLs, may change without notice. This content is provided to you “as is” and does not provide you with any legal rights to any intellectual property in any Sabre product. You may only copy and use this content for your internal purposes.
What is the CCPA?
The California Consumer Privacy Act of 2018 (CCPA) is a data protection law in the United States which applies to any for-profit entity that does business in California, collects personal information about California consumers (defined to be natural persons who are residents of California), determines the purposes and means of processing consumers’ personal information and that meets one of the following criteria:
- (1) has an annual gross revenue of more than $25 million,
- (2) derives 50% or more of its annual revenue from the sale of consumer personal information, or
- (3) buys, sells or shares the personal information of more than 50,000 California consumers.
Businesses subject to the CCPA will have a number of obligations to their consumers, including by way of example, making appropriate disclosures about the business’ use of personal information and responding to a consumer’s requests to know, delete or “opt-out” of data transfers considered a “sale” of personal information. Also, businesses will have to comply with an “opt-in” requirement for minors.
What is “personal information” under the CCPA?
Personal information is any information that identifies, is related to, describes, is capable of being associated with or reasonably linkable, directly or indirectly, to an individual California consumer or household. Public, aggregate and de-identified information is excluded from this definition.
To whom does the CCPA apply?
The CCPA applies to any company that meets the definition of a business under the act and impacts service providers who have personal information about California residents, regardless of their location.
As it relates to the CCPA, is Sabre a business, a service provider or a third party?
Generally, Sabre is a Service Provider to its customers, suppliers and participating carriers. Sabre’s customers and travel suppliers who meet the definition of a “Business” must meet their obligations under the CCPA – including providing adequate notices to consumers and being prepared to respond to consumers’ requests to access, know, delete or opt-out.
What actions must a business take in order to comply with the CCPA?
Because the CCPA is a complex law, we encourage our customers to review their requirements under the CCPA with their legal counsel and determine the applicability and implications of the CCPA to their business.
What support can I expect from Sabre with respect to my Sabre solutions?
Sabre evaluates its solutions with data protection and applicable data protection laws in mind. To the extent that any changes are made to a solution that processes personal information, you may be prompted to take action. For example, regarding any Sabre systems that you operate from your data center, you will need to ensure you install any updates that may be made to the system code and ensure your local computing environment meets CCPA requirements. Your account team will communicate any actions needed on your part to the extent Sabre makes a change to a solution you are using.
Is personal data from my employees included in CCPA?
One amendment to the CCPA clarified that many CCPA obligations do not apply to personal information of employees until January 1st, 2021. For the most part, CCPA provisions related to consumer requests do not apply to employee information, but a business should consult its counsel and consider appropriate disclosures to its employees in an appropriate employee-facing privacy policy.
Are there any geographic data transfer restrictions under the CCPA?
There is no requirement under the CCPA that limits data transfers geographically. CCPA does enforce the requirement that any data transfer must be accomplished with reasonable data security. When Sabre is acting as a service provider, the transfer of personal information to Sabre is not considered a “sale” under CCPA.
What is Sabre’s policy regarding de-identifying or aggregating personal information?
Sabre addresses the technical aspects of data de-identification and aggregation by aligning its processes and policies to follow applicable laws.
Is it better to communicate our concerns with our account manager or directly with Sabre’s Data Privacy team?
The privacy@sabre.com email address is monitored by Sabre’s Data Privacy team, who will be glad to respond to any questions related to privacy issues. You may also continue to work directly with your Sabre account manager.
How does the CCPA affect my relationship with Sabre?
Sabre made available service provider terms to our customers and suppliers as applicable. These service provider terms do not alter any commercial terms.
Do we need to include notices to California consumers to meet the CCPA requirement that we inform the traveler why certain data is being collected?
We cannot provide legal advice or advise what actions are required on your part. Because CCPA is complex, we recommend that companies speak with their legal counsel to determine the applicability and implications of CCPA to their business.