CCPA-CPRA
California Consumer Privacy Act of 2018 (as amended by CPRA)
- I. California Consumer Privacy Act of 2018 (CCPA/CPRA)
- Ch. I — California Consumer Privacy Act (Cal. Civ. Code 1798.100-1798.199.100)
- Art. 1798.100. General Duties of Businesses that Collect Personal Information (15)
- Art. 1798.105. Consumers’ Right to Delete Personal Information (9)
- Art. 1798.106. Consumers’ Right to Correct Inaccurate Personal Information (3)
- Art. 1798.110. Consumers’ Right to Know What Personal Information is Being Collected. Right to Access Personal Information (10)
- Art. 1798.115. Consumers’ Right to Know What Personal Information is Sold or Shared and to Whom (6)
- Art. 1798.120. Consumers’ Right to Opt Out of Sale or Sharing of Personal Information (6)
- Art. 1798.121. Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information (4)
- Art. 1798.125. Consumers’ Right of No Retaliation Following Opt Out or Exercise of Other Rights (11)
- Art. 1798.130. Notice, Disclosure, Correction, and Deletion Requirements (28)
- Art. 1798.135. Methods of Limiting Sale, Sharing, and Use of Personal Information and Use of Sensitive Personal Information (20)
- Art. 1798.136. Untitled (3)
- Art. 1798.140. Definitions (21)
- Art. 1798.145. Exemptions (12)
- Art. 1798.146. Untitled (6)
- Art. 1798.148. Untitled (6)
- Art. 1798.150. Personal Information Security Breaches (4)
- Art. 1798.155. Administrative Enforcement (3)
- Art. 1798.160. Consumer Privacy Fund (14)
- Art. 1798.175. Conflicting Provisions (3)
- Art. 1798.180. Preemption (1)
- Art. 1798.185. Regulations (31)
- Art. 1798.190. Anti-Avoidance (2)
- Art. 1798.192. Waiver (5)
- Art. 1798.194. This title shall be liberally construed to effectuate its purposes. ref
- Art. 1798.196. This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the United States or California Constitution. ref
- Art. 1798.198. Untitled (2)
- Art. 1798.199. Notwithstanding Section 1798.198, Section 1798.180 shall be operative on the effective date of the act adding this section. ref
- Art. 1798.199.10. Untitled (8)
- Art. 1798.199.15. Members of the agency board shall: (7)
- Art. 1798.199.20. Members of the agency board, including the chairperson, shall serve at the pleasure of their appointing authority but shall serve for no longer than eight consecutive years. ref
- Art. 1798.199.25. For each day on which they engage in official duties, members of the agency board shall be compensated at the rate of one hundred dollars ($100), adjusted pursuant to subdivision (d) of Section 1798.199.95, and shall be reimbursed for expenses incurred in performance of their official duties. ref
- Art. 1798.199.30. The agency board shall appoint an executive director who shall act in accordance with agency policies and regulations and with applicable law. The agency shall appoint and discharge officers, counsel, and employees, consistent with applicable civil service laws, and shall fix the compensation of employees and prescribe their duties. The agency may contract for services that cannot be provided by its employees. ref
- Art. 1798.199.35. The agency board may delegate authority to the chairperson or the executive director to act in the name of the agency between meetings of the agency, except with respect to resolution of enforcement actions and rulemaking authority. ref
- Art. 1798.199.40. The agency shall perform the following functions: (15)
- Art. 1798.199.45. Untitled (4)
- Art. 1798.199.50. No finding of probable cause to believe this title has been violated shall be made by the agency unless, at least 30 days prior to the agency’s consideration of the alleged violation, the business, service provider, contractor, or person alleged to have violated this title is notified of the violation by service of process or registered mail with return receipt requested, provided with a summary of the evidence, and informed of their right to be present in person and represented by counsel at any proceeding of the agency held for the purpose of considering whether probable cause exists for believing the person violated this title. Notice to the alleged violator shall be deemed made on the date of service, the date the registered mail receipt is signed, or if the registered mail receipt is not signed, the date returned by the post office. A proceeding held for the purpose of considering probable cause shall be private unless the alleged violator files with the agency a written request that the proceeding be public. ref
- Art. 1798.199.55. Untitled (8)
- Art. 1798.199.60. Whenever the agency rejects the decision of an administrative law judge made pursuant to Section 11517 of the Government Code, the agency shall state the reasons in writing for rejecting the decision. ref
- Art. 1798.199.65. The agency may subpoena witnesses, compel their attendance and testimony, administer oaths and affirmations, take evidence and require by subpoena the production of any books, papers, records, or other items material to the performance of the agency’s duties or exercise of its powers, including, but not limited to, its power to audit a business’ compliance with this title. ref
- Art. 1798.199.70. No administrative action brought pursuant to this title alleging a violation of any of the provisions of this title shall be commenced more than five years after the date on which the violation occurred. (3)
- Art. 1798.199.75. Untitled (5)
- Art. 1798.199.80. Untitled (5)
- Art. 1798.199.85. Any decision of the agency with respect to a complaint or administrative fine shall be subject to judicial review in an action brought by an interested party to the complaint or administrative fine and shall be subject to an abuse of discretion standard. ref
- Art. 1798.199.90. Untitled (6)
- Art. 1798.199.95. Untitled (6)
- Art. 1798.199.100. The agency and any court, as applicable, shall consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of any administrative fine or civil penalty for a violation of this title. A business shall not be required by the agency, a court, or otherwise to pay both an administrative fine and a civil penalty for the same violation. ref
Title I — California Consumer Privacy Act of 2018 (CCPA/CPRA)
Chapter I — California Consumer Privacy Act (Cal. Civ. Code 1798.100-1798.199.100)
Article 1798.135. Methods of Limiting Sale, Sharing, and Use of Personal Information and Use of Sensitive Personal Information
12 obligations
CCPA-1798.135-09
Prohibition
No Account Creation Requirement for Opt-Out
Not require consumers to create an account or provide additional information beyond what is necessary to direct the busi
CCPA-1798.135-10
Transparency
Include Consumer Rights Description in Privacy Policy
Include a description of consumer rights under Sections 1798.120 and 1798.121, along with separate links to opt-out page
CCPA-1798.135-11
Human Oversight
Train Staff on Privacy Requirements
Ensure all individuals responsible for handling consumer privacy inquiries are informed of all requirements in Sections
CCPA-1798.135-12
Requirement
Honor Opt-Out and Wait 12 Months Before Re-Solicitation
For consumers who exercise opt-out rights, refrain from selling/sharing personal information or using/disclosing sensiti
CCPA-1798.135-13
Requirement
Honor Minor Non-Consent and Wait 12 Months
For consumers under 16 who do not consent to sale/sharing, refrain from selling/sharing their personal information and w
CCPA-1798.135-14
Data Governance
Use Opt-Out Request Data Only for Compliance
Use any personal information collected from consumers in connection with opt-out request submissions solely for the purp
CCPA-1798.135-15
Requirement
Direct California Consumers to Dedicated Homepage
If maintaining separate homepages, take reasonable steps to ensure California consumers are directed to the California-s
CCPA-1798.135-16
Requirement
Honor Authorized Person Opt-Out Requests
Comply with opt-out requests received from persons authorized by consumers to act on their behalf, including through opt
CCPA-1798.135-17
Requirement
Communicate Opt-Out to Authorized Data Collectors
If communicating a consumer's opt-out request to any person authorized by the business to collect personal information,
CCPA-1798.135-18
Prohibition
Prohibit Sale/Sharing by Authorized Data Collectors Post Opt-Out
Authorized data collectors who receive opt-out communications must be prohibited from selling or sharing the personal in
CCPA-1798.135-19
Prohibition
Restrict Data Use by Authorized Collectors to Service Provision
Authorized data collectors who receive opt-out communications must be prohibited from retaining, using, or disclosing co
CCPA-1798.135-20
Risk Management
Limited Liability for Third-Party Violations
A business that communicates opt-out requests to third parties shall not be liable if the receiving person violates rest
Article 1798.136. Untitled
3 obligations
CCPA-1798.136-01
Requirement
Browser Must Include Opt-Out Preference Signal Functionality
Businesses that develop or maintain browsers must include functionality that can be configured by consumers to send opt-
CCPA-1798.136-02
Requirement
Opt-Out Functionality Must Be Easy to Locate and Configure
The opt-out preference signal functionality must be designed to be easily located and configured by a reasonable person.
CCPA-1798.136-03
Transparency
Public Disclosure of Opt-Out Signal Functionality Required
Businesses that develop or maintain browsers must clearly explain in public disclosures how the opt-out preference signa
Article 1798.140. Definitions
10 obligations
CCPA-1798.140-01
Requirement
Contractor Contract Prohibition Requirements
Businesses must ensure written contracts with contractors prohibit: (1) selling or sharing personal information, (2) ret
CCPA-1798.140-02
Requirement
Contractor Certification Requirement
Businesses must include in contractor contracts a certification that the contractor understands the restrictions and wil
CCPA-1798.140-03
Requirement
Contractor Monitoring Provision Requirement
Businesses must include contract provisions permitting monitoring of contractor compliance through manual reviews, autom
CCPA-1798.140-04
Requirement
Contractor Sub-engagement Notification Requirement
Contractors must notify the business when engaging other persons to assist in processing personal information for busine
CCPA-1798.140-05
Requirement
Contractor Sub-engagement Contract Requirement
Contractors must ensure sub-engagements are pursuant to written contracts binding the other person to observe all contra
CCPA-1798.140-06
Requirement
Deidentified Information Security Measures Requirement
Businesses possessing deidentified information must take reasonable measures to ensure the information cannot be associa
CCPA-1798.140-07
Requirement
Deidentified Information Public Commitment Requirement
Businesses must publicly commit to maintain and use deidentified information in deidentified form and not attempt to rei
CCPA-1798.140-08
Requirement
Deidentified Information Recipient Contractual Obligations
Businesses must contractually obligate any recipients of deidentified information to comply with all deidentification pr
CCPA-1798.140-09
Requirement
Research Data Pseudonymization/Deidentification Requirement
Businesses conducting research with personal information must subsequently pseudonymize and deidentify, or deidentify an
CCPA-1798.140-10
Requirement
Research Technical Safeguards Requirement
Businesses must implement technical safeguards that prohibit reidentification of consumers in research data (except as n