CCPA-CPRA
California Consumer Privacy Act of 2018 (as amended by CPRA)
- I. California Consumer Privacy Act of 2018 (CCPA/CPRA)
- Ch. I — California Consumer Privacy Act (Cal. Civ. Code 1798.100-1798.199.100)
- Art. 1798.100. General Duties of Businesses that Collect Personal Information (15)
- Art. 1798.105. Consumers’ Right to Delete Personal Information (9)
- Art. 1798.106. Consumers’ Right to Correct Inaccurate Personal Information (3)
- Art. 1798.110. Consumers’ Right to Know What Personal Information is Being Collected. Right to Access Personal Information (10)
- Art. 1798.115. Consumers’ Right to Know What Personal Information is Sold or Shared and to Whom (6)
- Art. 1798.120. Consumers’ Right to Opt Out of Sale or Sharing of Personal Information (6)
- Art. 1798.121. Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information (4)
- Art. 1798.125. Consumers’ Right of No Retaliation Following Opt Out or Exercise of Other Rights (11)
- Art. 1798.130. Notice, Disclosure, Correction, and Deletion Requirements (28)
- Art. 1798.135. Methods of Limiting Sale, Sharing, and Use of Personal Information and Use of Sensitive Personal Information (20)
- Art. 1798.136. Untitled (3)
- Art. 1798.140. Definitions (21)
- Art. 1798.145. Exemptions (12)
- Art. 1798.146. Untitled (6)
- Art. 1798.148. Untitled (6)
- Art. 1798.150. Personal Information Security Breaches (4)
- Art. 1798.155. Administrative Enforcement (3)
- Art. 1798.160. Consumer Privacy Fund (14)
- Art. 1798.175. Conflicting Provisions (3)
- Art. 1798.180. Preemption (1)
- Art. 1798.185. Regulations (31)
- Art. 1798.190. Anti-Avoidance (2)
- Art. 1798.192. Waiver (5)
- Art. 1798.194. This title shall be liberally construed to effectuate its purposes. ref
- Art. 1798.196. This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the United States or California Constitution. ref
- Art. 1798.198. Untitled (2)
- Art. 1798.199. Notwithstanding Section 1798.198, Section 1798.180 shall be operative on the effective date of the act adding this section. ref
- Art. 1798.199.10. Untitled (8)
- Art. 1798.199.15. Members of the agency board shall: (7)
- Art. 1798.199.20. Members of the agency board, including the chairperson, shall serve at the pleasure of their appointing authority but shall serve for no longer than eight consecutive years. ref
- Art. 1798.199.25. For each day on which they engage in official duties, members of the agency board shall be compensated at the rate of one hundred dollars ($100), adjusted pursuant to subdivision (d) of Section 1798.199.95, and shall be reimbursed for expenses incurred in performance of their official duties. ref
- Art. 1798.199.30. The agency board shall appoint an executive director who shall act in accordance with agency policies and regulations and with applicable law. The agency shall appoint and discharge officers, counsel, and employees, consistent with applicable civil service laws, and shall fix the compensation of employees and prescribe their duties. The agency may contract for services that cannot be provided by its employees. ref
- Art. 1798.199.35. The agency board may delegate authority to the chairperson or the executive director to act in the name of the agency between meetings of the agency, except with respect to resolution of enforcement actions and rulemaking authority. ref
- Art. 1798.199.40. The agency shall perform the following functions: (15)
- Art. 1798.199.45. Untitled (4)
- Art. 1798.199.50. No finding of probable cause to believe this title has been violated shall be made by the agency unless, at least 30 days prior to the agency’s consideration of the alleged violation, the business, service provider, contractor, or person alleged to have violated this title is notified of the violation by service of process or registered mail with return receipt requested, provided with a summary of the evidence, and informed of their right to be present in person and represented by counsel at any proceeding of the agency held for the purpose of considering whether probable cause exists for believing the person violated this title. Notice to the alleged violator shall be deemed made on the date of service, the date the registered mail receipt is signed, or if the registered mail receipt is not signed, the date returned by the post office. A proceeding held for the purpose of considering probable cause shall be private unless the alleged violator files with the agency a written request that the proceeding be public. ref
- Art. 1798.199.55. Untitled (8)
- Art. 1798.199.60. Whenever the agency rejects the decision of an administrative law judge made pursuant to Section 11517 of the Government Code, the agency shall state the reasons in writing for rejecting the decision. ref
- Art. 1798.199.65. The agency may subpoena witnesses, compel their attendance and testimony, administer oaths and affirmations, take evidence and require by subpoena the production of any books, papers, records, or other items material to the performance of the agency’s duties or exercise of its powers, including, but not limited to, its power to audit a business’ compliance with this title. ref
- Art. 1798.199.70. No administrative action brought pursuant to this title alleging a violation of any of the provisions of this title shall be commenced more than five years after the date on which the violation occurred. (3)
- Art. 1798.199.75. Untitled (5)
- Art. 1798.199.80. Untitled (5)
- Art. 1798.199.85. Any decision of the agency with respect to a complaint or administrative fine shall be subject to judicial review in an action brought by an interested party to the complaint or administrative fine and shall be subject to an abuse of discretion standard. ref
- Art. 1798.199.90. Untitled (6)
- Art. 1798.199.95. Untitled (6)
- Art. 1798.199.100. The agency and any court, as applicable, shall consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of any administrative fine or civil penalty for a violation of this title. A business shall not be required by the agency, a court, or otherwise to pay both an administrative fine and a civil penalty for the same violation. ref
Title I — California Consumer Privacy Act of 2018 (CCPA/CPRA)
Chapter I — California Consumer Privacy Act (Cal. Civ. Code 1798.100-1798.199.100)
Article 1798.199.10. Untitled
8 obligations
CCPA-1798.199.10-01
Requirement
Establish California Privacy Protection Agency
The state of California must establish the California Privacy Protection Agency with full administrative power, authorit
CCPA-1798.199.10-02
Requirement
Structure Agency with Five-Member Board
The California Privacy Protection Agency must be governed by a five-member board, including the chairperson.
CCPA-1798.199.10-03
Requirement
Governor Must Appoint Chairperson and One Board Member
The Governor of California must appoint the chairperson and one member of the California Privacy Protection Agency board
CCPA-1798.199.10-04
Requirement
Attorney General Must Appoint One Board Member
The Attorney General of California must appoint one member of the California Privacy Protection Agency board.
CCPA-1798.199.10-05
Requirement
Senate Rules Committee Must Appoint One Board Member
The Senate Rules Committee of California must appoint one member of the California Privacy Protection Agency board.
CCPA-1798.199.10-06
Requirement
Speaker of Assembly Must Appoint One Board Member
The Speaker of the Assembly of California must appoint one member of the California Privacy Protection Agency board.
CCPA-1798.199.10-07
Requirement
Appoint Members with Relevant Expertise
All appointing authorities should make appointments from among Californians with expertise in the areas of privacy, tech
CCPA-1798.199.10-08
Requirement
Complete Initial Appointments Within 90 Days
All initial appointments to the California Privacy Protection Agency must be made within 90 days of the effective date o
Article 1798.199.15. Members of the agency board shall:
7 obligations
CCPA-1798.199.15-01
Requirement
Agency board members must have required qualifications and skills
Agency board members must possess qualifications, experience, and skills, particularly in privacy and technology areas,
CCPA-1798.199.15-02
Requirement
Agency board members must maintain confidentiality
Agency board members must maintain the confidentiality of information obtained during performance of their tasks or exer
CCPA-1798.199.15-03
Requirement
Agency board members must remain free from external influence
Agency board members must remain independent from external influence, whether direct or indirect, and cannot seek or tak
CCPA-1798.199.15-04
Prohibition
Agency board members prohibited from incompatible actions and occupations
Agency board members must refrain from any action incompatible with their duties and cannot engage in any incompatible o
CCPA-1798.199.15-05
Requirement
Agency board members have right of access to agency information
Agency board members have the right to access all information that the agency makes available to the chairperson.
CCPA-1798.199.15-06
Prohibition
One-year post-office employment restriction for agency board members
Agency board members are prohibited from accepting employment with any business that was subject to enforcement action o
CCPA-1798.199.15-07
Prohibition
Two-year post-office representation restriction for agency board members
Agency board members are prohibited from acting for compensation as an agent or attorney for, or otherwise representing,
Article 1798.199.40. The agency shall perform the following functions:
10 obligations
CCPA-1798.199.40-01
Requirement
Administer, implement, and enforce CCPA through administrative actions
The agency must administer, implement, and enforce the California Consumer Privacy Act through administrative actions.
CCPA-1798.199.40-02
Requirement
Adopt, amend, and rescind CCPA regulations
The agency must adopt, amend, and rescind regulations pursuant to Section 1798.185 to carry out the purposes and provisi
CCPA-1798.199.40-03
Requirement
Protect fundamental privacy rights through CCPA implementation
The agency must protect the fundamental privacy rights of natural persons with respect to the use of their personal info
CCPA-1798.199.40-04
Transparency
Promote public awareness of privacy rights and risks
The agency must promote public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights
CCPA-1798.199.40-05
Reporting
Provide public report on risk assessments
The agency must provide a public report summarizing the risk assessments filed with the agency pursuant to paragraph (14
CCPA-1798.199.40-06
Transparency
Provide guidance to consumers on their CCPA rights
The agency must provide guidance to consumers regarding their rights under the CCPA.
CCPA-1798.199.40-07
Transparency
Provide guidance to businesses on CCPA duties and responsibilities
The agency must provide guidance to businesses regarding their duties and responsibilities under the CCPA.
CCPA-1798.199.40-08
Monitoring
Appoint Chief Privacy Auditor and conduct business audits
The agency must appoint a Chief Privacy Auditor to conduct audits of businesses to ensure compliance with the CCPA pursu
CCPA-1798.199.40-09
Requirement
Provide technical assistance to Legislature on privacy legislation
The agency must provide technical assistance and advice to the Legislature, upon request, with respect to privacy-relate
CCPA-1798.199.40-10
Monitoring
Monitor developments in personal information protection
The agency must monitor relevant developments relating to the protection of personal information and, in particular, the