CCPA-CPRA
California Consumer Privacy Act of 2018 (as amended by CPRA)
- I. California Consumer Privacy Act of 2018 (CCPA/CPRA)
- Ch. I — California Consumer Privacy Act (Cal. Civ. Code 1798.100-1798.199.100)
- Art. 1798.100. General Duties of Businesses that Collect Personal Information (15)
- Art. 1798.105. Consumers’ Right to Delete Personal Information (9)
- Art. 1798.106. Consumers’ Right to Correct Inaccurate Personal Information (3)
- Art. 1798.110. Consumers’ Right to Know What Personal Information is Being Collected. Right to Access Personal Information (10)
- Art. 1798.115. Consumers’ Right to Know What Personal Information is Sold or Shared and to Whom (6)
- Art. 1798.120. Consumers’ Right to Opt Out of Sale or Sharing of Personal Information (6)
- Art. 1798.121. Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information (4)
- Art. 1798.125. Consumers’ Right of No Retaliation Following Opt Out or Exercise of Other Rights (11)
- Art. 1798.130. Notice, Disclosure, Correction, and Deletion Requirements (28)
- Art. 1798.135. Methods of Limiting Sale, Sharing, and Use of Personal Information and Use of Sensitive Personal Information (20)
- Art. 1798.136. Untitled (3)
- Art. 1798.140. Definitions (21)
- Art. 1798.145. Exemptions (12)
- Art. 1798.146. Untitled (6)
- Art. 1798.148. Untitled (6)
- Art. 1798.150. Personal Information Security Breaches (4)
- Art. 1798.155. Administrative Enforcement (3)
- Art. 1798.160. Consumer Privacy Fund (14)
- Art. 1798.175. Conflicting Provisions (3)
- Art. 1798.180. Preemption (1)
- Art. 1798.185. Regulations (31)
- Art. 1798.190. Anti-Avoidance (2)
- Art. 1798.192. Waiver (5)
- Art. 1798.194. This title shall be liberally construed to effectuate its purposes. ref
- Art. 1798.196. This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the United States or California Constitution. ref
- Art. 1798.198. Untitled (2)
- Art. 1798.199. Notwithstanding Section 1798.198, Section 1798.180 shall be operative on the effective date of the act adding this section. ref
- Art. 1798.199.10. Untitled (8)
- Art. 1798.199.15. Members of the agency board shall: (7)
- Art. 1798.199.20. Members of the agency board, including the chairperson, shall serve at the pleasure of their appointing authority but shall serve for no longer than eight consecutive years. ref
- Art. 1798.199.25. For each day on which they engage in official duties, members of the agency board shall be compensated at the rate of one hundred dollars ($100), adjusted pursuant to subdivision (d) of Section 1798.199.95, and shall be reimbursed for expenses incurred in performance of their official duties. ref
- Art. 1798.199.30. The agency board shall appoint an executive director who shall act in accordance with agency policies and regulations and with applicable law. The agency shall appoint and discharge officers, counsel, and employees, consistent with applicable civil service laws, and shall fix the compensation of employees and prescribe their duties. The agency may contract for services that cannot be provided by its employees. ref
- Art. 1798.199.35. The agency board may delegate authority to the chairperson or the executive director to act in the name of the agency between meetings of the agency, except with respect to resolution of enforcement actions and rulemaking authority. ref
- Art. 1798.199.40. The agency shall perform the following functions: (15)
- Art. 1798.199.45. Untitled (4)
- Art. 1798.199.50. No finding of probable cause to believe this title has been violated shall be made by the agency unless, at least 30 days prior to the agency’s consideration of the alleged violation, the business, service provider, contractor, or person alleged to have violated this title is notified of the violation by service of process or registered mail with return receipt requested, provided with a summary of the evidence, and informed of their right to be present in person and represented by counsel at any proceeding of the agency held for the purpose of considering whether probable cause exists for believing the person violated this title. Notice to the alleged violator shall be deemed made on the date of service, the date the registered mail receipt is signed, or if the registered mail receipt is not signed, the date returned by the post office. A proceeding held for the purpose of considering probable cause shall be private unless the alleged violator files with the agency a written request that the proceeding be public. ref
- Art. 1798.199.55. Untitled (8)
- Art. 1798.199.60. Whenever the agency rejects the decision of an administrative law judge made pursuant to Section 11517 of the Government Code, the agency shall state the reasons in writing for rejecting the decision. ref
- Art. 1798.199.65. The agency may subpoena witnesses, compel their attendance and testimony, administer oaths and affirmations, take evidence and require by subpoena the production of any books, papers, records, or other items material to the performance of the agency’s duties or exercise of its powers, including, but not limited to, its power to audit a business’ compliance with this title. ref
- Art. 1798.199.70. No administrative action brought pursuant to this title alleging a violation of any of the provisions of this title shall be commenced more than five years after the date on which the violation occurred. (3)
- Art. 1798.199.75. Untitled (5)
- Art. 1798.199.80. Untitled (5)
- Art. 1798.199.85. Any decision of the agency with respect to a complaint or administrative fine shall be subject to judicial review in an action brought by an interested party to the complaint or administrative fine and shall be subject to an abuse of discretion standard. ref
- Art. 1798.199.90. Untitled (6)
- Art. 1798.199.95. Untitled (6)
- Art. 1798.199.100. The agency and any court, as applicable, shall consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of any administrative fine or civil penalty for a violation of this title. A business shall not be required by the agency, a court, or otherwise to pay both an administrative fine and a civil penalty for the same violation. ref
Title I — California Consumer Privacy Act of 2018 (CCPA/CPRA)
Chapter I — California Consumer Privacy Act (Cal. Civ. Code 1798.100-1798.199.100)
Article 1798.130. Notice, Disclosure, Correction, and Deletion Requirements
17 obligations
CCPA-1798.130-12
Requirement
Categorize Personal Information Collection Details for Section 1798.110
Identify by category the personal information collected about consumer, sources of collection, business/commercial purpo
CCPA-1798.130-13
Requirement
Provide Specific Personal Information in Structured Format
Provide specific pieces of personal information obtained from consumer in easily understandable format, and where techni
CCPA-1798.130-14
Requirement
Identify and Associate Consumer Information for Section 1798.115 Requests
For Section 1798.115(b) purposes, identify the consumer and associate information provided in verifiable consumer reques
CCPA-1798.130-15
Requirement
Categorize Personal Information Sales and Sharing for Section 1798.115
Identify by category personal information sold or shared during applicable period and provide categories of third partie
CCPA-1798.130-16
Requirement
Categorize Personal Information Business Purpose Disclosures for Section 1798.115
Identify by category personal information disclosed for business purposes during applicable period and provide categorie
CCPA-1798.130-17
Transparency
Publish Consumer Rights Description and Request Methods
Disclose in online privacy policy or California-specific privacy rights description, or on website if no policies exist,
CCPA-1798.130-18
Transparency
Publish Categories of Personal Information Collected
For Section 1798.110(c) purposes, publish list of categories of personal information collected about consumers in preced
CCPA-1798.130-19
Transparency
Publish Categories of Personal Information Sources
For Section 1798.110(c) purposes, publish the categories of sources from which consumers' personal information is collec
CCPA-1798.130-20
Transparency
Publish Business/Commercial Purposes for Collection/Sale/Sharing
For Section 1798.110(c) purposes, publish the business or commercial purpose for collecting, selling, or sharing consume
CCPA-1798.130-21
Transparency
Publish Categories of Third Party Personal Information Recipients
For Section 1798.110(c) purposes, publish the categories of third parties to whom the business discloses consumers' pers
CCPA-1798.130-22
Transparency
Publish Personal Information Sale/Sharing Categories or No-Sale Statement
For Section 1798.115(c) purposes, publish list of personal information categories sold or shared about consumers in prec
CCPA-1798.130-23
Transparency
Publish Business Purpose Disclosure Categories or No-Disclosure Statement
For Section 1798.115(c) purposes, publish list of personal information categories disclosed for business purposes about
CCPA-1798.130-24
Human Oversight
Train Staff on Privacy Requirements and Consumer Rights
Ensure all individuals handling consumer privacy inquiries or compliance matters are informed of all requirements in spe
CCPA-1798.130-25
Data Governance
Limit Use of Verification Information
Use personal information collected from consumer for request verification solely for verification purposes; cannot furth
CCPA-1798.130-26
Requirement
Limit Information Provision Frequency
Business is not obligated to provide information required by Sections 1798.110 and 1798.115 to the same consumer more th
CCPA-1798.130-27
Requirement
Use Specified Personal Information Categories in Disclosures
Categories of personal information required to be disclosed must follow Section 1798.140 definitions, using specific ter
CCPA-1798.130-28
Requirement
Service Provider Direct Request Exemption
Service providers or contractors are not required to comply with verifiable consumer requests received directly from con
Article 1798.135. Methods of Limiting Sale, Sharing, and Use of Personal Information and Use of Sensitive Personal Information
8 obligations
CCPA-1798.135-01
Requirement
Provide 'Do Not Sell or Share' Link on Homepage
Provide a clear and conspicuous link on the business' internet homepages, titled 'Do Not Sell or Share My Personal Infor
CCPA-1798.135-02
Requirement
Provide 'Limit Sensitive Information Use' Link on Homepage
Provide a clear and conspicuous link on the business' internet homepages, titled 'Limit the Use of My Sensitive Personal
CCPA-1798.135-03
Requirement
Option to Provide Single Combined Link
At the business' discretion, utilize a single, clearly labeled link on the business' internet homepages instead of separ
CCPA-1798.135-04
Transparency
Present Financial Incentive Terms When Charging for Opt-Out
When responding to opt-out requests by informing consumers of charges for product/service use, present the terms of any
CCPA-1798.135-05
Requirement
Honor Opt-Out Preference Signals
Allow consumers to opt out of sale/sharing and limit sensitive information use through opt-out preference signals sent v
CCPA-1798.135-06
Requirement
Provide Easy Consent Revocation for Opt-Out Override
If providing a link to consent to ignoring opt-out preference signals, the consent web page must allow consumers or auth
CCPA-1798.135-07
Requirement
Ensure Non-Degraded User Experience for Override Link
The link to the consent web page for ignoring opt-out signals must not degrade the consumer's experience and must have s
CCPA-1798.135-08
Conformity
Comply with Technical Specifications for Consent Page
The consent web page for ignoring opt-out preference signals must comply with technical specifications set forth in regu