CCPA-CPRA
California Consumer Privacy Act of 2018 (as amended by CPRA)
- I. California Consumer Privacy Act of 2018 (CCPA/CPRA)
- Ch. I — California Consumer Privacy Act (Cal. Civ. Code 1798.100-1798.199.100)
- Art. 1798.100. General Duties of Businesses that Collect Personal Information (15)
- Art. 1798.105. Consumers’ Right to Delete Personal Information (9)
- Art. 1798.106. Consumers’ Right to Correct Inaccurate Personal Information (3)
- Art. 1798.110. Consumers’ Right to Know What Personal Information is Being Collected. Right to Access Personal Information (10)
- Art. 1798.115. Consumers’ Right to Know What Personal Information is Sold or Shared and to Whom (6)
- Art. 1798.120. Consumers’ Right to Opt Out of Sale or Sharing of Personal Information (6)
- Art. 1798.121. Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information (4)
- Art. 1798.125. Consumers’ Right of No Retaliation Following Opt Out or Exercise of Other Rights (11)
- Art. 1798.130. Notice, Disclosure, Correction, and Deletion Requirements (28)
- Art. 1798.135. Methods of Limiting Sale, Sharing, and Use of Personal Information and Use of Sensitive Personal Information (20)
- Art. 1798.136. Untitled (3)
- Art. 1798.140. Definitions (21)
- Art. 1798.145. Exemptions (12)
- Art. 1798.146. Untitled (6)
- Art. 1798.148. Untitled (6)
- Art. 1798.150. Personal Information Security Breaches (4)
- Art. 1798.155. Administrative Enforcement (3)
- Art. 1798.160. Consumer Privacy Fund (14)
- Art. 1798.175. Conflicting Provisions (3)
- Art. 1798.180. Preemption (1)
- Art. 1798.185. Regulations (31)
- Art. 1798.190. Anti-Avoidance (2)
- Art. 1798.192. Waiver (5)
- Art. 1798.194. This title shall be liberally construed to effectuate its purposes. ref
- Art. 1798.196. This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the United States or California Constitution. ref
- Art. 1798.198. Untitled (2)
- Art. 1798.199. Notwithstanding Section 1798.198, Section 1798.180 shall be operative on the effective date of the act adding this section. ref
- Art. 1798.199.10. Untitled (8)
- Art. 1798.199.15. Members of the agency board shall: (7)
- Art. 1798.199.20. Members of the agency board, including the chairperson, shall serve at the pleasure of their appointing authority but shall serve for no longer than eight consecutive years. ref
- Art. 1798.199.25. For each day on which they engage in official duties, members of the agency board shall be compensated at the rate of one hundred dollars ($100), adjusted pursuant to subdivision (d) of Section 1798.199.95, and shall be reimbursed for expenses incurred in performance of their official duties. ref
- Art. 1798.199.30. The agency board shall appoint an executive director who shall act in accordance with agency policies and regulations and with applicable law. The agency shall appoint and discharge officers, counsel, and employees, consistent with applicable civil service laws, and shall fix the compensation of employees and prescribe their duties. The agency may contract for services that cannot be provided by its employees. ref
- Art. 1798.199.35. The agency board may delegate authority to the chairperson or the executive director to act in the name of the agency between meetings of the agency, except with respect to resolution of enforcement actions and rulemaking authority. ref
- Art. 1798.199.40. The agency shall perform the following functions: (15)
- Art. 1798.199.45. Untitled (4)
- Art. 1798.199.50. No finding of probable cause to believe this title has been violated shall be made by the agency unless, at least 30 days prior to the agency’s consideration of the alleged violation, the business, service provider, contractor, or person alleged to have violated this title is notified of the violation by service of process or registered mail with return receipt requested, provided with a summary of the evidence, and informed of their right to be present in person and represented by counsel at any proceeding of the agency held for the purpose of considering whether probable cause exists for believing the person violated this title. Notice to the alleged violator shall be deemed made on the date of service, the date the registered mail receipt is signed, or if the registered mail receipt is not signed, the date returned by the post office. A proceeding held for the purpose of considering probable cause shall be private unless the alleged violator files with the agency a written request that the proceeding be public. ref
- Art. 1798.199.55. Untitled (8)
- Art. 1798.199.60. Whenever the agency rejects the decision of an administrative law judge made pursuant to Section 11517 of the Government Code, the agency shall state the reasons in writing for rejecting the decision. ref
- Art. 1798.199.65. The agency may subpoena witnesses, compel their attendance and testimony, administer oaths and affirmations, take evidence and require by subpoena the production of any books, papers, records, or other items material to the performance of the agency’s duties or exercise of its powers, including, but not limited to, its power to audit a business’ compliance with this title. ref
- Art. 1798.199.70. No administrative action brought pursuant to this title alleging a violation of any of the provisions of this title shall be commenced more than five years after the date on which the violation occurred. (3)
- Art. 1798.199.75. Untitled (5)
- Art. 1798.199.80. Untitled (5)
- Art. 1798.199.85. Any decision of the agency with respect to a complaint or administrative fine shall be subject to judicial review in an action brought by an interested party to the complaint or administrative fine and shall be subject to an abuse of discretion standard. ref
- Art. 1798.199.90. Untitled (6)
- Art. 1798.199.95. Untitled (6)
- Art. 1798.199.100. The agency and any court, as applicable, shall consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of any administrative fine or civil penalty for a violation of this title. A business shall not be required by the agency, a court, or otherwise to pay both an administrative fine and a civil penalty for the same violation. ref
Title I — California Consumer Privacy Act of 2018 (CCPA/CPRA)
Chapter I — California Consumer Privacy Act (Cal. Civ. Code 1798.100-1798.199.100)
Article 1798.146. Untitled
4 obligations
CCPA-1798.146-03
Requirement
Apply data privacy laws to reidentified information
Information that was previously deidentified but is subsequently reidentified must be subject to applicable federal and
CCPA-1798.146-04
Conformity
Conduct research in accordance with applicable ethics and privacy rules
Research involving information collection, use, or disclosure must be conducted in accordance with Part 164 of Title 45
CCPA-1798.146-05
Data Governance
Maintain patient information consistent with medical/PHI standards for exemption
Healthcare providers and covered entities must maintain, use, and disclose patient information in the same manner as med
CCPA-1798.146-06
Data Governance
Business associates must handle patient information like medical/PHI for exemption
Business associates of covered entities must maintain, use, and disclose patient information in the same manner as medic
Article 1798.148. Untitled
6 obligations
CCPA-1798.148-01
Prohibition
Prohibition on reidentifying deidentified information except for specified purposes
Must not reidentify or attempt to reidentify information that has met the deidentification requirements of Section 1798.
CCPA-1798.148-02
Requirement
Compliance with federal and state privacy laws for reidentified information
Must ensure that any information reidentified pursuant to this section complies with applicable federal and state data p
CCPA-1798.148-03
Transparency
Inclusion of deidentified patient information disclosure in contracts
Must include a statement in contracts for sale or license of deidentified information disclosing that the deidentified i
CCPA-1798.148-04
Transparency
Inclusion of reidentification prohibition clause in contracts
Must include a statement in contracts for sale or license of deidentified information that reidentification and attempte
CCPA-1798.148-05
Requirement
Inclusion of third-party disclosure restrictions in contracts
Must include a requirement in contracts for sale or license of deidentified information that, unless otherwise required
CCPA-1798.148-06
Requirement
Contract compliance for testing/validation of deidentification
When engaging a person or entity to attempt reidentification for testing, analysis, or validation of deidentification te
Article 1798.150. Personal Information Security Breaches
4 obligations
CCPA-1798.150-01
Risk Management
Implement and maintain reasonable security procedures and practices
Businesses must implement and maintain reasonable security procedures and practices appropriate to the nature of the per
CCPA-1798.150-02
Requirement
Respond to 30-day written notice of violations
When a business receives 30 days' written notice from a consumer identifying specific violations, the business must cure
CCPA-1798.150-03
Prohibition
Prohibition on treating post-breach security measures as cure
Businesses are prohibited from treating the implementation and maintenance of reasonable security procedures and practic
CCPA-1798.150-04
Requirement
Comply with express written statements to avoid continued violations
Businesses must not continue to violate the CCPA in breach of any express written statement provided to consumers under
Article 1798.155. Administrative Enforcement
3 obligations
CCPA-1798.155-01
Prohibition
Avoid violations to prevent administrative fines
Must not violate any provision of the CCPA/CPRA to avoid administrative fines of up to $2,500 per violation or $7,500 pe
CCPA-1798.155-02
Requirement
Deposit 95% of administrative fines into Consumer Privacy Subfund
Must deposit ninety-five percent of any administrative fine assessed and settlement proceeds into the Consumer Privacy S
CCPA-1798.155-03
Requirement
Deposit 5% of administrative fines into Consumer Privacy Grant Subfund
Must deposit five percent of any administrative fine assessed and settlement proceeds into the Consumer Privacy Grant Su
Article 1798.160. Consumer Privacy Fund
8 obligations
CCPA-1798.160-01
Requirement
Deposit 95% of CPPA Administrative Fines to Consumer Privacy Subfund
Ninety-five percent of any administrative fine recovered in an action brought by the California Privacy Protection Agenc
CCPA-1798.160-02
Requirement
Use Consumer Privacy Subfund Exclusively for CPPA Duties
Funds in the Consumer Privacy Subfund must be used exclusively by the California Privacy Protection Agency in carrying o
CCPA-1798.160-03
Requirement
Deposit 95% of Attorney General Civil Penalties to AG Enforcement Subfund
Ninety-five percent of any civil penalty recovered in an action brought by the Attorney General for a violation of this
CCPA-1798.160-04
Requirement
Use AG Enforcement Subfund Exclusively for Attorney General Duties
Funds in the Attorney General Consumer Privacy Enforcement Subfund must be used exclusively by the Attorney General in c
CCPA-1798.160-05
Requirement
Deposit 5% of CPPA Administrative Fines to Consumer Privacy Grant Subfund
Five percent of any administrative fine recovered in an action brought by the California Privacy Protection Agency for a
CCPA-1798.160-06
Requirement
Deposit 5% of Attorney General Civil Penalties to Consumer Privacy Grant Subfund
Five percent of any civil penalty recovered in an action brought by the Attorney General for a violation of this title m
CCPA-1798.160-07
Requirement
Use Grant Subfund Exclusively for Specified Privacy Programs
Funds deposited into the Consumer Privacy Grant Subfund must be used exclusively by the California Privacy Protection Ag
CCPA-1798.160-08
Requirement
Distribute Grant Funds in Equal Thirds to Specified Recipients
The California Privacy Protection Agency must make grants from the Consumer Privacy Grant Subfund by distributing one-th