CCPA-CPRA
California Consumer Privacy Act of 2018 (as amended by CPRA)
- I. California Consumer Privacy Act of 2018 (CCPA/CPRA)
- Ch. I — California Consumer Privacy Act (Cal. Civ. Code 1798.100-1798.199.100)
- Art. 1798.100. General Duties of Businesses that Collect Personal Information (15)
- Art. 1798.105. Consumers’ Right to Delete Personal Information (9)
- Art. 1798.106. Consumers’ Right to Correct Inaccurate Personal Information (3)
- Art. 1798.110. Consumers’ Right to Know What Personal Information is Being Collected. Right to Access Personal Information (10)
- Art. 1798.115. Consumers’ Right to Know What Personal Information is Sold or Shared and to Whom (6)
- Art. 1798.120. Consumers’ Right to Opt Out of Sale or Sharing of Personal Information (6)
- Art. 1798.121. Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information (4)
- Art. 1798.125. Consumers’ Right of No Retaliation Following Opt Out or Exercise of Other Rights (11)
- Art. 1798.130. Notice, Disclosure, Correction, and Deletion Requirements (28)
- Art. 1798.135. Methods of Limiting Sale, Sharing, and Use of Personal Information and Use of Sensitive Personal Information (20)
- Art. 1798.136. Untitled (3)
- Art. 1798.140. Definitions (21)
- Art. 1798.145. Exemptions (12)
- Art. 1798.146. Untitled (6)
- Art. 1798.148. Untitled (6)
- Art. 1798.150. Personal Information Security Breaches (4)
- Art. 1798.155. Administrative Enforcement (3)
- Art. 1798.160. Consumer Privacy Fund (14)
- Art. 1798.175. Conflicting Provisions (3)
- Art. 1798.180. Preemption (1)
- Art. 1798.185. Regulations (31)
- Art. 1798.190. Anti-Avoidance (2)
- Art. 1798.192. Waiver (5)
- Art. 1798.194. This title shall be liberally construed to effectuate its purposes. ref
- Art. 1798.196. This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the United States or California Constitution. ref
- Art. 1798.198. Untitled (2)
- Art. 1798.199. Notwithstanding Section 1798.198, Section 1798.180 shall be operative on the effective date of the act adding this section. ref
- Art. 1798.199.10. Untitled (8)
- Art. 1798.199.15. Members of the agency board shall: (7)
- Art. 1798.199.20. Members of the agency board, including the chairperson, shall serve at the pleasure of their appointing authority but shall serve for no longer than eight consecutive years. ref
- Art. 1798.199.25. For each day on which they engage in official duties, members of the agency board shall be compensated at the rate of one hundred dollars ($100), adjusted pursuant to subdivision (d) of Section 1798.199.95, and shall be reimbursed for expenses incurred in performance of their official duties. ref
- Art. 1798.199.30. The agency board shall appoint an executive director who shall act in accordance with agency policies and regulations and with applicable law. The agency shall appoint and discharge officers, counsel, and employees, consistent with applicable civil service laws, and shall fix the compensation of employees and prescribe their duties. The agency may contract for services that cannot be provided by its employees. ref
- Art. 1798.199.35. The agency board may delegate authority to the chairperson or the executive director to act in the name of the agency between meetings of the agency, except with respect to resolution of enforcement actions and rulemaking authority. ref
- Art. 1798.199.40. The agency shall perform the following functions: (15)
- Art. 1798.199.45. Untitled (4)
- Art. 1798.199.50. No finding of probable cause to believe this title has been violated shall be made by the agency unless, at least 30 days prior to the agency’s consideration of the alleged violation, the business, service provider, contractor, or person alleged to have violated this title is notified of the violation by service of process or registered mail with return receipt requested, provided with a summary of the evidence, and informed of their right to be present in person and represented by counsel at any proceeding of the agency held for the purpose of considering whether probable cause exists for believing the person violated this title. Notice to the alleged violator shall be deemed made on the date of service, the date the registered mail receipt is signed, or if the registered mail receipt is not signed, the date returned by the post office. A proceeding held for the purpose of considering probable cause shall be private unless the alleged violator files with the agency a written request that the proceeding be public. ref
- Art. 1798.199.55. Untitled (8)
- Art. 1798.199.60. Whenever the agency rejects the decision of an administrative law judge made pursuant to Section 11517 of the Government Code, the agency shall state the reasons in writing for rejecting the decision. ref
- Art. 1798.199.65. The agency may subpoena witnesses, compel their attendance and testimony, administer oaths and affirmations, take evidence and require by subpoena the production of any books, papers, records, or other items material to the performance of the agency’s duties or exercise of its powers, including, but not limited to, its power to audit a business’ compliance with this title. ref
- Art. 1798.199.70. No administrative action brought pursuant to this title alleging a violation of any of the provisions of this title shall be commenced more than five years after the date on which the violation occurred. (3)
- Art. 1798.199.75. Untitled (5)
- Art. 1798.199.80. Untitled (5)
- Art. 1798.199.85. Any decision of the agency with respect to a complaint or administrative fine shall be subject to judicial review in an action brought by an interested party to the complaint or administrative fine and shall be subject to an abuse of discretion standard. ref
- Art. 1798.199.90. Untitled (6)
- Art. 1798.199.95. Untitled (6)
- Art. 1798.199.100. The agency and any court, as applicable, shall consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of any administrative fine or civil penalty for a violation of this title. A business shall not be required by the agency, a court, or otherwise to pay both an administrative fine and a civil penalty for the same violation. ref
Title I — California Consumer Privacy Act of 2018 (CCPA/CPRA)
Chapter I — California Consumer Privacy Act (Cal. Civ. Code 1798.100-1798.199.100)
Article 1798.185. Regulations
16 obligations
CCPA-1798.185-16
Requirement
Define 'Specific Pieces of Information'
The Attorney General must define 'specific pieces of information obtained from the consumer' to maximize consumer access
CCPA-1798.185-17
Requirement
Require Cybersecurity Audits for High-Risk Processing
The Attorney General must issue regulations requiring businesses whose processing presents significant risk to perform a
CCPA-1798.185-18
Requirement
Require Risk Assessments for High-Risk Processing
The Attorney General must require businesses with significant risk processing to submit regular risk assessments to the
CCPA-1798.185-19
Requirement
Govern Automated Decisionmaking Access Rights
The Attorney General must issue regulations governing access and opt-out rights for automated decisionmaking technology
CCPA-1798.185-20
Requirement
Define Law Enforcement Investigation Exception
The Attorney General must issue regulations to further define 'law enforcement agency-approved investigation' for purpos
CCPA-1798.185-21
Requirement
Define Agency Audit Authority Scope
The Attorney General must issue regulations defining the scope and process for the agency's audit authority, establishin
CCPA-1798.185-22
Requirement
Define Opt-Out Preference Signal Technical Requirements
The Attorney General must issue regulations defining requirements and technical specifications for opt-out preference si
CCPA-1798.185-23
Requirement
Define Minor Age Verification for Opt-Out Signals
The Attorney General must issue regulations establishing technical specifications for opt-out preference signals that al
CCPA-1798.185-24
Requirement
Govern Sensitive Information Use Despite Consumer Direction
The Attorney General must issue regulations governing use/disclosure of sensitive personal information despite consumer
CCPA-1798.185-25
Requirement
Govern Opt-Out Signal Response and Consent Opportunity
The Attorney General must issue regulations governing how businesses responding to opt-out preference signals provide su
CCPA-1798.185-26
Requirement
Review Insurance Code for Consumer Privacy Protections
The Attorney General must review existing Insurance Code provisions and regulations relating to consumer privacy (except
CCPA-1798.185-27
Requirement
Harmonize Operational Mechanisms
The Attorney General must harmonize regulations governing opt-out mechanisms, consumer notices, and other operational me
CCPA-1798.185-28
Prohibition
Enforcement Moratorium Until Final Regulations
The Attorney General shall not bring enforcement actions under this title until six months after final regulation public
CCPA-1798.185-29
Requirement
Transfer Authority to California Privacy Protection Agency
Beginning the later of July 1, 2021, or six months after the agency provides notice of readiness, the California Privacy
CCPA-1798.185-30
Requirement
Final Regulation Adoption Timeline for CPRA Amendments
Final regulations required by the act adding subdivision (d) must be adopted by July 1, 2022.
CCPA-1798.185-31
Prohibition
Enforcement Moratorium Until July 1, 2023
Civil and administrative enforcement of provisions added or amended by this act shall not commence until July 1, 2023, a
Article 1798.190. Anti-Avoidance
2 obligations
CCPA-1798.190-01
Prohibition
Prohibition on Circumventing CCPA Through Multi-Step Transactions
Businesses must not engage in a series of steps or transactions that are component parts of a single transaction intende
CCPA-1798.190-02
Prohibition
Prohibition on Avoiding 'Sell' or 'Share' Definitions Through Value Exchange Schemes
Businesses must not engage in steps or transactions purposely designed to avoid the definitions of 'sell' or 'share' by
Article 1798.192. Waiver
5 obligations
CCPA-1798.192-01
Prohibition
Prohibition on Waiver Contract Provisions
Businesses must not include any provision in contracts or agreements that purports to waive or limit rights under the CC
CCPA-1798.192-02
Prohibition
Prohibition on Representative Action Waivers
Businesses must not include representative action waivers in contracts or agreements that would limit consumers' rights
CCPA-1798.192-03
Requirement
Respect Consumer Choice Regarding Information Requests
Businesses must respect and allow consumers to decline to request information without this being considered a waiver of
CCPA-1798.192-04
Requirement
Respect Consumer Choice Regarding Opt-Out Decisions
Businesses must respect and allow consumers to decline to opt out of the sale of their personal information without this
CCPA-1798.192-05
Requirement
Allow Consumer Authorization for Data Sale/Share After Previous Opt-Out
Businesses must allow consumers to authorize the sale or sharing of their personal information even after they have prev
Article 1798.198. Untitled
2 obligations
CCPA-1798.198-01
Requirement
Comply with CCPA operative date requirement
Ensure compliance with CCPA provisions as they become operative on January 1, 2020, subject to the limitations in subdiv
CCPA-1798.198-02
Monitoring
Monitor initiative measure withdrawal condition
Monitor and verify that initiative measure No. 17-0039, The Consumer Right to Privacy Act of 2018, has been withdrawn fr