CCPA-CPRA
California Consumer Privacy Act of 2018 (as amended by CPRA)
- I. California Consumer Privacy Act of 2018 (CCPA/CPRA)
- Ch. I — California Consumer Privacy Act (Cal. Civ. Code 1798.100-1798.199.100)
- Art. 1798.100. General Duties of Businesses that Collect Personal Information (15)
- Art. 1798.105. Consumers’ Right to Delete Personal Information (9)
- Art. 1798.106. Consumers’ Right to Correct Inaccurate Personal Information (3)
- Art. 1798.110. Consumers’ Right to Know What Personal Information is Being Collected. Right to Access Personal Information (10)
- Art. 1798.115. Consumers’ Right to Know What Personal Information is Sold or Shared and to Whom (6)
- Art. 1798.120. Consumers’ Right to Opt Out of Sale or Sharing of Personal Information (6)
- Art. 1798.121. Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information (4)
- Art. 1798.125. Consumers’ Right of No Retaliation Following Opt Out or Exercise of Other Rights (11)
- Art. 1798.130. Notice, Disclosure, Correction, and Deletion Requirements (28)
- Art. 1798.135. Methods of Limiting Sale, Sharing, and Use of Personal Information and Use of Sensitive Personal Information (20)
- Art. 1798.136. Untitled (3)
- Art. 1798.140. Definitions (21)
- Art. 1798.145. Exemptions (12)
- Art. 1798.146. Untitled (6)
- Art. 1798.148. Untitled (6)
- Art. 1798.150. Personal Information Security Breaches (4)
- Art. 1798.155. Administrative Enforcement (3)
- Art. 1798.160. Consumer Privacy Fund (14)
- Art. 1798.175. Conflicting Provisions (3)
- Art. 1798.180. Preemption (1)
- Art. 1798.185. Regulations (31)
- Art. 1798.190. Anti-Avoidance (2)
- Art. 1798.192. Waiver (5)
- Art. 1798.194. This title shall be liberally construed to effectuate its purposes. ref
- Art. 1798.196. This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the United States or California Constitution. ref
- Art. 1798.198. Untitled (2)
- Art. 1798.199. Notwithstanding Section 1798.198, Section 1798.180 shall be operative on the effective date of the act adding this section. ref
- Art. 1798.199.10. Untitled (8)
- Art. 1798.199.15. Members of the agency board shall: (7)
- Art. 1798.199.20. Members of the agency board, including the chairperson, shall serve at the pleasure of their appointing authority but shall serve for no longer than eight consecutive years. ref
- Art. 1798.199.25. For each day on which they engage in official duties, members of the agency board shall be compensated at the rate of one hundred dollars ($100), adjusted pursuant to subdivision (d) of Section 1798.199.95, and shall be reimbursed for expenses incurred in performance of their official duties. ref
- Art. 1798.199.30. The agency board shall appoint an executive director who shall act in accordance with agency policies and regulations and with applicable law. The agency shall appoint and discharge officers, counsel, and employees, consistent with applicable civil service laws, and shall fix the compensation of employees and prescribe their duties. The agency may contract for services that cannot be provided by its employees. ref
- Art. 1798.199.35. The agency board may delegate authority to the chairperson or the executive director to act in the name of the agency between meetings of the agency, except with respect to resolution of enforcement actions and rulemaking authority. ref
- Art. 1798.199.40. The agency shall perform the following functions: (15)
- Art. 1798.199.45. Untitled (4)
- Art. 1798.199.50. No finding of probable cause to believe this title has been violated shall be made by the agency unless, at least 30 days prior to the agency’s consideration of the alleged violation, the business, service provider, contractor, or person alleged to have violated this title is notified of the violation by service of process or registered mail with return receipt requested, provided with a summary of the evidence, and informed of their right to be present in person and represented by counsel at any proceeding of the agency held for the purpose of considering whether probable cause exists for believing the person violated this title. Notice to the alleged violator shall be deemed made on the date of service, the date the registered mail receipt is signed, or if the registered mail receipt is not signed, the date returned by the post office. A proceeding held for the purpose of considering probable cause shall be private unless the alleged violator files with the agency a written request that the proceeding be public. ref
- Art. 1798.199.55. Untitled (8)
- Art. 1798.199.60. Whenever the agency rejects the decision of an administrative law judge made pursuant to Section 11517 of the Government Code, the agency shall state the reasons in writing for rejecting the decision. ref
- Art. 1798.199.65. The agency may subpoena witnesses, compel their attendance and testimony, administer oaths and affirmations, take evidence and require by subpoena the production of any books, papers, records, or other items material to the performance of the agency’s duties or exercise of its powers, including, but not limited to, its power to audit a business’ compliance with this title. ref
- Art. 1798.199.70. No administrative action brought pursuant to this title alleging a violation of any of the provisions of this title shall be commenced more than five years after the date on which the violation occurred. (3)
- Art. 1798.199.75. Untitled (5)
- Art. 1798.199.80. Untitled (5)
- Art. 1798.199.85. Any decision of the agency with respect to a complaint or administrative fine shall be subject to judicial review in an action brought by an interested party to the complaint or administrative fine and shall be subject to an abuse of discretion standard. ref
- Art. 1798.199.90. Untitled (6)
- Art. 1798.199.95. Untitled (6)
- Art. 1798.199.100. The agency and any court, as applicable, shall consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of any administrative fine or civil penalty for a violation of this title. A business shall not be required by the agency, a court, or otherwise to pay both an administrative fine and a civil penalty for the same violation. ref
Title I — California Consumer Privacy Act of 2018 (CCPA/CPRA)
Chapter I — California Consumer Privacy Act (Cal. Civ. Code 1798.100-1798.199.100)
Article 1798.140. Definitions
11 obligations
CCPA-1798.140-11
Requirement
Research Business Process Anti-Reidentification Requirement
Businesses must establish business processes that specifically prohibit reidentification of research information (except
CCPA-1798.140-12
Requirement
Research Inadvertent Release Prevention Requirement
Businesses must implement business processes to prevent inadvertent release of deidentified research information
CCPA-1798.140-13
Requirement
Research Reidentification Protection Requirement
Businesses must protect research information from any reidentification attempts
CCPA-1798.140-14
Requirement
Research Purpose Limitation Requirement
Businesses must use research information solely for research purposes that are compatible with the context in which the
CCPA-1798.140-15
Requirement
Research Access Control Security Requirement
Businesses must implement additional security controls that limit access to research data to only those individuals nece
CCPA-1798.140-16
Requirement
Service Provider Contract Prohibition Requirements
Businesses must ensure written contracts with service providers prohibit: (1) selling or sharing personal information, (
CCPA-1798.140-17
Requirement
Service Provider Sub-engagement Notification Requirement
Service providers must notify the business when engaging other persons to assist in processing personal information for
CCPA-1798.140-18
Requirement
Service Provider Sub-engagement Contract Requirement
Service providers must ensure sub-engagements are pursuant to written contracts binding the other person to observe all
CCPA-1798.140-19
Transparency
Material Practice Change Notice Requirement (Sale Context)
Third parties assuming control through mergers/acquisitions must provide prior notice to consumers if they materially al
CCPA-1798.140-20
Transparency
Material Practice Change Notice Requirement (Sharing Context)
Third parties assuming control through mergers/acquisitions must provide prior notice to consumers if they materially al
CCPA-1798.140-21
Prohibition
Cross-Context Behavioral Advertising Service Provider Restriction
Service providers and contractors providing advertising and marketing services must not combine personal information of
Article 1798.145. Exemptions
12 obligations
CCPA-1798.145-01
Data Governance
Retain data when law enforcement requests preservation with active case
Upon receipt of direction from law enforcement agencies with an active case number, businesses must not delete consumer
CCPA-1798.145-02
Data Governance
Extend data retention for additional 90-day periods when law enforcement shows good cause
For good cause and only to the extent necessary for investigatory purposes, businesses must comply with law enforcement
CCPA-1798.145-03
Prohibition
Limit use of retained data to law enforcement production only
Businesses that receive law enforcement direction not to delete consumer personal information must not use that informat
CCPA-1798.145-04
Requirement
Extend consumer request response time when necessary with proper notice
Businesses may extend response time for consumer requests by up to 90 days total when necessary due to complexity and nu
CCPA-1798.145-05
Transparency
Inform consumer when not taking action on their request
If a business does not take action on a consumer request, it must inform the consumer without delay and within the permi
CCPA-1798.145-06
Transparency
Notify consumer when charging fee or refusing manifestly unfounded requests
When consumer requests are manifestly unfounded or excessive, businesses may charge reasonable fees or refuse to act but
CCPA-1798.145-07
Requirement
Bear burden of proving consumer requests are manifestly unfounded or excessive
Businesses must bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessi
CCPA-1798.145-08
Requirement
Require written contracts with third parties for consumer data protection
Businesses disclosing personal information to third parties (except for opted-out consumers, sensitive data limited cons
CCPA-1798.145-09
Prohibition
Limit vehicle/vessel information sharing to warranty and recall purposes only
New motor vehicle dealers and vessel dealers sharing vehicle/vessel information with manufacturers must ensure the infor
CCPA-1798.145-10
Requirement
Comply with physical item production consent despite consumer opt-out when commercially reasonable
When consumers have consented to use of personal information for physical item production (like yearbooks), businesses m
CCPA-1798.145-11
Transparency
Notify consumers when acting under student grades deletion exception
If a business does not comply with a deletion request for student grades, educational scores, or test results held on be
CCPA-1798.145-12
Transparency
Notify consumers when withholding educational assessment information to protect validity
If a business does not disclose educational standardized assessment information or specific responses because disclosure
Article 1798.146. Untitled
2 obligations
CCPA-1798.146-01
Conformity
Comply with deidentification requirements for patient information exemption
Information must be deidentified in accordance with Section 164.514 of Part 164 of Title 45 of the Code of Federal Regul
CCPA-1798.146-02
Conformity
Ensure deidentified information derives from regulated entity patient data
Deidentified information must be derived from patient information that was originally collected, created, transmitted, o