CCPA-CPRA
California Consumer Privacy Act of 2018 (as amended by CPRA)
- I. California Consumer Privacy Act of 2018 (CCPA/CPRA)
- Ch. I — California Consumer Privacy Act (Cal. Civ. Code 1798.100-1798.199.100)
- Art. 1798.100. General Duties of Businesses that Collect Personal Information (15)
- Art. 1798.105. Consumers’ Right to Delete Personal Information (9)
- Art. 1798.106. Consumers’ Right to Correct Inaccurate Personal Information (3)
- Art. 1798.110. Consumers’ Right to Know What Personal Information is Being Collected. Right to Access Personal Information (10)
- Art. 1798.115. Consumers’ Right to Know What Personal Information is Sold or Shared and to Whom (6)
- Art. 1798.120. Consumers’ Right to Opt Out of Sale or Sharing of Personal Information (6)
- Art. 1798.121. Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information (4)
- Art. 1798.125. Consumers’ Right of No Retaliation Following Opt Out or Exercise of Other Rights (11)
- Art. 1798.130. Notice, Disclosure, Correction, and Deletion Requirements (28)
- Art. 1798.135. Methods of Limiting Sale, Sharing, and Use of Personal Information and Use of Sensitive Personal Information (20)
- Art. 1798.136. Untitled (3)
- Art. 1798.140. Definitions (21)
- Art. 1798.145. Exemptions (12)
- Art. 1798.146. Untitled (6)
- Art. 1798.148. Untitled (6)
- Art. 1798.150. Personal Information Security Breaches (4)
- Art. 1798.155. Administrative Enforcement (3)
- Art. 1798.160. Consumer Privacy Fund (14)
- Art. 1798.175. Conflicting Provisions (3)
- Art. 1798.180. Preemption (1)
- Art. 1798.185. Regulations (31)
- Art. 1798.190. Anti-Avoidance (2)
- Art. 1798.192. Waiver (5)
- Art. 1798.194. This title shall be liberally construed to effectuate its purposes. ref
- Art. 1798.196. This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the United States or California Constitution. ref
- Art. 1798.198. Untitled (2)
- Art. 1798.199. Notwithstanding Section 1798.198, Section 1798.180 shall be operative on the effective date of the act adding this section. ref
- Art. 1798.199.10. Untitled (8)
- Art. 1798.199.15. Members of the agency board shall: (7)
- Art. 1798.199.20. Members of the agency board, including the chairperson, shall serve at the pleasure of their appointing authority but shall serve for no longer than eight consecutive years. ref
- Art. 1798.199.25. For each day on which they engage in official duties, members of the agency board shall be compensated at the rate of one hundred dollars ($100), adjusted pursuant to subdivision (d) of Section 1798.199.95, and shall be reimbursed for expenses incurred in performance of their official duties. ref
- Art. 1798.199.30. The agency board shall appoint an executive director who shall act in accordance with agency policies and regulations and with applicable law. The agency shall appoint and discharge officers, counsel, and employees, consistent with applicable civil service laws, and shall fix the compensation of employees and prescribe their duties. The agency may contract for services that cannot be provided by its employees. ref
- Art. 1798.199.35. The agency board may delegate authority to the chairperson or the executive director to act in the name of the agency between meetings of the agency, except with respect to resolution of enforcement actions and rulemaking authority. ref
- Art. 1798.199.40. The agency shall perform the following functions: (15)
- Art. 1798.199.45. Untitled (4)
- Art. 1798.199.50. No finding of probable cause to believe this title has been violated shall be made by the agency unless, at least 30 days prior to the agency’s consideration of the alleged violation, the business, service provider, contractor, or person alleged to have violated this title is notified of the violation by service of process or registered mail with return receipt requested, provided with a summary of the evidence, and informed of their right to be present in person and represented by counsel at any proceeding of the agency held for the purpose of considering whether probable cause exists for believing the person violated this title. Notice to the alleged violator shall be deemed made on the date of service, the date the registered mail receipt is signed, or if the registered mail receipt is not signed, the date returned by the post office. A proceeding held for the purpose of considering probable cause shall be private unless the alleged violator files with the agency a written request that the proceeding be public. ref
- Art. 1798.199.55. Untitled (8)
- Art. 1798.199.60. Whenever the agency rejects the decision of an administrative law judge made pursuant to Section 11517 of the Government Code, the agency shall state the reasons in writing for rejecting the decision. ref
- Art. 1798.199.65. The agency may subpoena witnesses, compel their attendance and testimony, administer oaths and affirmations, take evidence and require by subpoena the production of any books, papers, records, or other items material to the performance of the agency’s duties or exercise of its powers, including, but not limited to, its power to audit a business’ compliance with this title. ref
- Art. 1798.199.70. No administrative action brought pursuant to this title alleging a violation of any of the provisions of this title shall be commenced more than five years after the date on which the violation occurred. (3)
- Art. 1798.199.75. Untitled (5)
- Art. 1798.199.80. Untitled (5)
- Art. 1798.199.85. Any decision of the agency with respect to a complaint or administrative fine shall be subject to judicial review in an action brought by an interested party to the complaint or administrative fine and shall be subject to an abuse of discretion standard. ref
- Art. 1798.199.90. Untitled (6)
- Art. 1798.199.95. Untitled (6)
- Art. 1798.199.100. The agency and any court, as applicable, shall consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of any administrative fine or civil penalty for a violation of this title. A business shall not be required by the agency, a court, or otherwise to pay both an administrative fine and a civil penalty for the same violation. ref
Title I — California Consumer Privacy Act of 2018 (CCPA/CPRA)
Chapter I — California Consumer Privacy Act (Cal. Civ. Code 1798.100-1798.199.100)
Article 1798.100. General Duties of Businesses that Collect Personal Information
15 obligations
CCPA-1798.100-01
Transparency
Inform consumers of personal information categories and purposes at collection
At or before the point of collection, inform consumers of the categories of personal information to be collected, the pu
CCPA-1798.100-02
Prohibition
Prohibition on collecting additional PI categories without notice
Do not collect additional categories of personal information or use personal information for additional purposes incompa
CCPA-1798.100-03
Transparency
Inform consumers of sensitive personal information categories and purposes
If collecting sensitive personal information, inform consumers at or before collection of the categories of sensitive pe
CCPA-1798.100-04
Prohibition
Prohibition on collecting additional sensitive PI categories without notice
Do not collect additional categories of sensitive personal information or use sensitive personal information for additio
CCPA-1798.100-05
Transparency
Disclose intended retention period or criteria
Inform consumers of the length of time the business intends to retain each category of personal information (including s
CCPA-1798.100-06
Requirement
Limit retention to reasonably necessary period
Do not retain consumer's personal information or sensitive personal information for each disclosed purpose longer than i
CCPA-1798.100-07
Transparency
Third-party website homepage disclosure option
A business acting as a third party controlling collection may satisfy disclosure obligations by providing required infor
CCPA-1798.100-08
Transparency
Physical location disclosure for third-party collection
If a business acting as third party controls collection on its premises (including vehicles), inform consumers at or bef
CCPA-1798.100-09
Data Governance
Proportionality requirement for collection, use, retention, and sharing
Ensure collection, use, retention, and sharing of consumer's personal information is reasonably necessary and proportion
CCPA-1798.100-10
Documentation
Specify limited purposes in third-party agreements
When selling, sharing, or disclosing personal information to third parties, service providers, or contractors, enter agr
CCPA-1798.100-11
Documentation
Obligate third parties to comply with CCPA requirements
In agreements with third parties, service providers, or contractors, obligate them to comply with applicable CCPA obliga
CCPA-1798.100-12
Documentation
Grant rights to ensure compliant use by third parties
In third-party agreements, grant the business rights to take reasonable and appropriate steps to help ensure third parti
CCPA-1798.100-13
Documentation
Require notification of inability to meet CCPA obligations
In third-party agreements, require the third party, service provider, or contractor to notify the business if it determi
CCPA-1798.100-14
Documentation
Grant rights to stop unauthorized use
In third-party agreements, grant the business the right, upon notice, to take reasonable and appropriate steps to stop a
CCPA-1798.100-15
Risk Management
Implement reasonable security procedures and practices
Implement reasonable security procedures and practices appropriate to the nature of personal information to protect from
Article 1798.105. Consumers’ Right to Delete Personal Information
9 obligations
CCPA-1798.105-01
Transparency
Disclose consumer's right to delete personal information
Business must disclose to consumers their rights to request deletion of personal information, pursuant to Section 1798.1
CCPA-1798.105-02
Requirement
Delete personal information from business records upon verifiable request
Business must delete consumer's personal information from its own records when receiving a verifiable consumer deletion
CCPA-1798.105-03
Requirement
Notify service providers and contractors to delete personal information
Business must notify any service providers or contractors to delete the consumer's personal information from their recor
CCPA-1798.105-04
Requirement
Notify third parties to delete sold or shared personal information
Business must notify all third parties to whom it has sold or shared personal information to delete consumer's personal
CCPA-1798.105-05
Requirement
Cooperate with business on deletion requests
Service provider or contractor must cooperate with business in responding to verifiable consumer deletion requests
CCPA-1798.105-06
Requirement
Delete personal information at business direction
Service provider or contractor must delete, or enable business to delete, personal information about consumer collected,
CCPA-1798.105-07
Requirement
Notify downstream parties to delete personal information
Service provider or contractor must notify its own service providers, contractors, or third parties who accessed persona
CCPA-1798.105-08
Prohibition
Limit compliance with direct consumer deletion requests
Service provider or contractor is not required to comply with deletion requests submitted directly by consumer when acti
CCPA-1798.105-09
Data Governance
Maintain confidential record of deletion requests for permitted purposes
Business may maintain confidential record of deletion requests solely to prevent sale of deleted personal information, f
Article 1798.106. Consumers’ Right to Correct Inaccurate Personal Information
1 obligation