CCPA-CPRA
California Consumer Privacy Act of 2018 (as amended by CPRA)
- I. California Consumer Privacy Act of 2018 (CCPA/CPRA)
- Ch. I — California Consumer Privacy Act (Cal. Civ. Code 1798.100-1798.199.100)
- Art. 1798.100. General Duties of Businesses that Collect Personal Information (15)
- Art. 1798.105. Consumers’ Right to Delete Personal Information (9)
- Art. 1798.106. Consumers’ Right to Correct Inaccurate Personal Information (3)
- Art. 1798.110. Consumers’ Right to Know What Personal Information is Being Collected. Right to Access Personal Information (10)
- Art. 1798.115. Consumers’ Right to Know What Personal Information is Sold or Shared and to Whom (6)
- Art. 1798.120. Consumers’ Right to Opt Out of Sale or Sharing of Personal Information (6)
- Art. 1798.121. Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information (4)
- Art. 1798.125. Consumers’ Right of No Retaliation Following Opt Out or Exercise of Other Rights (11)
- Art. 1798.130. Notice, Disclosure, Correction, and Deletion Requirements (28)
- Art. 1798.135. Methods of Limiting Sale, Sharing, and Use of Personal Information and Use of Sensitive Personal Information (20)
- Art. 1798.136. Untitled (3)
- Art. 1798.140. Definitions (21)
- Art. 1798.145. Exemptions (12)
- Art. 1798.146. Untitled (6)
- Art. 1798.148. Untitled (6)
- Art. 1798.150. Personal Information Security Breaches (4)
- Art. 1798.155. Administrative Enforcement (3)
- Art. 1798.160. Consumer Privacy Fund (14)
- Art. 1798.175. Conflicting Provisions (3)
- Art. 1798.180. Preemption (1)
- Art. 1798.185. Regulations (31)
- Art. 1798.190. Anti-Avoidance (2)
- Art. 1798.192. Waiver (5)
- Art. 1798.194. This title shall be liberally construed to effectuate its purposes.
- Art. 1798.196. This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the United States or California Constitution.
- Art. 1798.198. Untitled (2)
- Art. 1798.199. Notwithstanding Section 1798.198, Section 1798.180 shall be operative on the effective date of the act adding this section.
- Art. 1798.199.10. Untitled (8)
- Art. 1798.199.15. Members of the agency board shall: (7)
- Art. 1798.199.20. Members of the agency board, including the chairperson, shall serve at the pleasure of their appointing authority but shall serve for no longer than eight consecutive years.
- Art. 1798.199.25. For each day on which they engage in official duties, members of the agency board shall be compensated at the rate of one hundred dollars ($100), adjusted pursuant to subdivision (d) of Section 1798.199.95, and shall be reimbursed for expenses incurred in performance of their official duties.
- Art. 1798.199.30. The agency board shall appoint an executive director who shall act in accordance with agency policies and regulations and with applicable law. The agency shall appoint and discharge officers, counsel, and employees, consistent with applicable civil service laws, and shall fix the compensation of employees and prescribe their duties. The agency may contract for services that cannot be provided by its employees.
- Art. 1798.199.35. The agency board may delegate authority to the chairperson or the executive director to act in the name of the agency between meetings of the agency, except with respect to resolution of enforcement actions and rulemaking authority.
- Art. 1798.199.40. The agency shall perform the following functions: (15)
- Art. 1798.199.45. Untitled (4)
- Art. 1798.199.50. No finding of probable cause to believe this title has been violated shall be made by the agency unless, at least 30 days prior to the agency’s consideration of the alleged violation, the business, service provider, contractor, or person alleged to have violated this title is notified of the violation by service of process or registered mail with return receipt requested, provided with a summary of the evidence, and informed of their right to be present in person and represented by counsel at any proceeding of the agency held for the purpose of considering whether probable cause exists for believing the person violated this title. Notice to the alleged violator shall be deemed made on the date of service, the date the registered mail receipt is signed, or if the registered mail receipt is not signed, the date returned by the post office. A proceeding held for the purpose of considering probable cause shall be private unless the alleged violator files with the agency a written request that the proceeding be public.
- Art. 1798.199.55. Untitled (8)
- Art. 1798.199.60. Whenever the agency rejects the decision of an administrative law judge made pursuant to Section 11517 of the Government Code, the agency shall state the reasons in writing for rejecting the decision.
- Art. 1798.199.65. The agency may subpoena witnesses, compel their attendance and testimony, administer oaths and affirmations, take evidence and require by subpoena the production of any books, papers, records, or other items material to the performance of the agency’s duties or exercise of its powers, including, but not limited to, its power to audit a business’ compliance with this title.
- Art. 1798.199.70. No administrative action brought pursuant to this title alleging a violation of any of the provisions of this title shall be commenced more than five years after the date on which the violation occurred. (3)
- Art. 1798.199.75. Untitled (5)
- Art. 1798.199.80. Untitled (5)
- Art. 1798.199.85. Any decision of the agency with respect to a complaint or administrative fine shall be subject to judicial review in an action brought by an interested party to the complaint or administrative fine and shall be subject to an abuse of discretion standard.
- Art. 1798.199.90. Untitled (6)
- Art. 1798.199.95. Untitled (6)
- Art. 1798.199.100. The agency and any court, as applicable, shall consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of any administrative fine or civil penalty for a violation of this title. A business shall not be required by the agency, a court, or otherwise to pay both an administrative fine and a civil penalty for the same violation.
Requirement Obligations: 175
Title I — California Consumer Privacy Act of 2018 (CCPA/CPRA)
Chapter I — California Consumer Privacy Act (Cal. Civ. Code 1798.100-1798.199.100)
Article 1798.100. General Duties of Businesses that Collect Personal Information
1 obligation
Article 1798.105. Consumers’ Right to Delete Personal Information
6 obligations
CCPA-1798.105-02
Requirement
Delete personal information from business records upon verifiable request
Business must delete consumer's personal information from its own records when receiving a verifiable consumer deletion
CCPA-1798.105-03
Requirement
Notify service providers and contractors to delete personal information
Business must notify any service providers or contractors to delete the consumer's personal information from their recor
CCPA-1798.105-04
Requirement
Notify third parties to delete sold or shared personal information
Business must notify all third parties to whom it has sold or shared personal information to delete consumer's personal
CCPA-1798.105-05
Requirement
Cooperate with business on deletion requests
Service provider or contractor must cooperate with business in responding to verifiable consumer deletion requests
CCPA-1798.105-06
Requirement
Delete personal information at business direction
Service provider or contractor must delete, or enable business to delete, personal information about consumer collected,
CCPA-1798.105-07
Requirement
Notify downstream parties to delete personal information
Service provider or contractor must notify its own service providers, contractors, or third parties who accessed persona
Article 1798.106. Consumers’ Right to Correct Inaccurate Personal Information
2 obligations
CCPA-1798.106-02
Requirement
Correct Inaccurate Personal Information Upon Verifiable Request
Businesses that receive a verifiable consumer request to correct inaccurate personal information must use commercially r
CCPA-1798.106-03
Requirement
Consider Nature and Purpose When Correcting Information
When processing requests to correct inaccurate personal information, businesses must take into account the nature of the
Article 1798.120. Consumers’ Right to Opt Out of Sale or Sharing of Personal Information
3 obligations
CCPA-1798.120-01
Requirement
Comply with Consumer Opt-Out Direction (Sale/Sharing)
Businesses must comply with consumer directions not to sell or share their personal information to third parties when su
CCPA-1798.120-02
Requirement
Honor Previous Opt-Out Directions in Asset Transfers
Businesses that acquire personal information as part of mergers, acquisitions, bankruptcy, or other transactions must co
CCPA-1798.120-05
Requirement
Willful Disregard of Consumer Age Deemed Actual Knowledge
Businesses that willfully disregard a consumer's age shall be deemed to have had actual knowledge of the consumer's age
Article 1798.121. Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information
1 obligation
Article 1798.125. Consumers’ Right of No Retaliation Following Opt Out or Exercise of Other Rights
4 obligations
CCPA-1798.125-06
Requirement
Requirement for Data Value-Based Pricing Justification
When charging different prices or providing different service levels based on consumer data value, a business must ensur
CCPA-1798.125-07
Requirement
Requirement for Financial Incentive Data Value Justification
A business offering different prices or service levels in financial incentive programs must ensure such differences are
CCPA-1798.125-09
Requirement
Requirement for Prior Opt-In Consent for Financial Incentives
A business may only enter a consumer into a financial incentive program after obtaining the consumer's prior opt-in cons
CCPA-1798.125-10
Requirement
Requirement for 12-Month Wait After Consent Refusal
If a consumer refuses to provide opt-in consent for a financial incentive program, the business must wait at least 12 mo
Article 1798.130. Notice, Disclosure, Correction, and Deletion Requirements
19 obligations
CCPA-1798.130-01
Requirement
Provide Multiple Consumer Request Submission Methods
Make available to consumers two or more designated methods for submitting requests for information disclosure, deletion,
CCPA-1798.130-02
Requirement
Provide Website-Based Request Submission Method
If the business maintains an internet website, make the website available to consumers to submit requests for informatio
CCPA-1798.130-03
Requirement
Respond to Consumer Requests Within 45 Days
Disclose and deliver required information, correct inaccurate personal information, or delete consumer personal informat
CCPA-1798.130-04
Requirement
Promptly Determine Request Verifiability
Promptly take steps to determine whether a consumer request is a verifiable consumer request, without extending the 45-d
CCPA-1798.130-05
Requirement
Deliver Information in Specified Format and Method
Deliver disclosed information in writing through consumer's account if maintained, or by mail/electronically at consumer
CCPA-1798.130-06
Requirement
Implement Reasonable Authentication Without Requiring New Accounts
Require authentication that is reasonable given the nature of personal information requested, but cannot require consume
CCPA-1798.130-07
Requirement
Provide 12-Month Historical Data Coverage
Disclosure of required information must cover the 12-month period preceding receipt of the verifiable consumer request.
CCPA-1798.130-08
Requirement
Disclose All Personal Information Collected About Consumer
Upon receiving verifiable consumer request under Sections 1798.110 or 1798.115, disclose any personal information collec
CCPA-1798.130-09
Requirement
Service Provider Assistance with Business Requests
Service providers and contractors must assist businesses with verifiable consumer request responses, including providing
CCPA-1798.130-10
Requirement
Service Provider Technical and Organizational Compliance Assistance
Service providers and contractors collecting personal information under written contract must assist businesses through
CCPA-1798.130-11
Requirement
Identify and Associate Consumer Information for Section 1798.110 Requests
For Section 1798.110(b) purposes, identify the consumer and associate information provided in verifiable consumer reques
CCPA-1798.130-12
Requirement
Categorize Personal Information Collection Details for Section 1798.110
Identify by category the personal information collected about consumer, sources of collection, business/commercial purpo
CCPA-1798.130-13
Requirement
Provide Specific Personal Information in Structured Format
Provide specific pieces of personal information obtained from consumer in easily understandable format, and where techni
CCPA-1798.130-14
Requirement
Identify and Associate Consumer Information for Section 1798.115 Requests
For Section 1798.115(b) purposes, identify the consumer and associate information provided in verifiable consumer reques
CCPA-1798.130-15
Requirement
Categorize Personal Information Sales and Sharing for Section 1798.115
Identify by category personal information sold or shared during applicable period and provide categories of third partie
CCPA-1798.130-16
Requirement
Categorize Personal Information Business Purpose Disclosures for Section 1798.115
Identify by category personal information disclosed for business purposes during applicable period and provide categorie
CCPA-1798.130-26
Requirement
Limit Information Provision Frequency
Business is not obligated to provide information required by Sections 1798.110 and 1798.115 to the same consumer more th
CCPA-1798.130-27
Requirement
Use Specified Personal Information Categories in Disclosures
Categories of personal information required to be disclosed must follow Section 1798.140 definitions, using specific ter
CCPA-1798.130-28
Requirement
Service Provider Direct Request Exemption
Service providers or contractors are not required to comply with verifiable consumer requests received directly from con
Article 1798.135. Methods of Limiting Sale, Sharing, and Use of Personal Information and Use of Sensitive Personal Information
11 obligations
CCPA-1798.135-01
Requirement
Provide 'Do Not Sell or Share' Link on Homepage
Provide a clear and conspicuous link on the business' internet homepages, titled 'Do Not Sell or Share My Personal Infor
CCPA-1798.135-02
Requirement
Provide 'Limit Sensitive Information Use' Link on Homepage
Provide a clear and conspicuous link on the business' internet homepages, titled 'Limit the Use of My Sensitive Personal
CCPA-1798.135-03
Requirement
Option to Provide Single Combined Link
At the business' discretion, utilize a single, clearly labeled link on the business' internet homepages instead of separ
CCPA-1798.135-05
Requirement
Honor Opt-Out Preference Signals
Allow consumers to opt out of sale/sharing and limit sensitive information use through opt-out preference signals sent v
CCPA-1798.135-06
Requirement
Provide Easy Consent Revocation for Opt-Out Override
If providing a link to consent to ignoring opt-out preference signals, the consent web page must allow consumers or auth
CCPA-1798.135-07
Requirement
Ensure Non-Degraded User Experience for Override Link
The link to the consent web page for ignoring opt-out signals must not degrade the consumer's experience and must have s
CCPA-1798.135-12
Requirement
Honor Opt-Out and Wait 12 Months Before Re-Solicitation
For consumers who exercise opt-out rights, refrain from selling/sharing personal information or using/disclosing sensiti
CCPA-1798.135-13
Requirement
Honor Minor Non-Consent and Wait 12 Months
For consumers under 16 who do not consent to sale/sharing, refrain from selling/sharing their personal information and w
CCPA-1798.135-15
Requirement
Direct California Consumers to Dedicated Homepage
If maintaining separate homepages, take reasonable steps to ensure California consumers are directed to the California-s
CCPA-1798.135-16
Requirement
Honor Authorized Person Opt-Out Requests
Comply with opt-out requests received from persons authorized by consumers to act on their behalf, including through opt
CCPA-1798.135-17
Requirement
Communicate Opt-Out to Authorized Data Collectors
If communicating a consumer's opt-out request to any person authorized by the business to collect personal information,
Article 1798.136. Untitled
2 obligations
CCPA-1798.136-01
Requirement
Browser Must Include Opt-Out Preference Signal Functionality
Businesses that develop or maintain browsers must include functionality that can be configured by consumers to send opt-
CCPA-1798.136-02
Requirement
Opt-Out Functionality Must Be Easy to Locate and Configure
The opt-out preference signal functionality must be designed to be easily located and configured by a reasonable person.
Article 1798.140. Definitions
18 obligations
CCPA-1798.140-01
Requirement
Contractor Contract Prohibition Requirements
Businesses must ensure written contracts with contractors prohibit: (1) selling or sharing personal information, (2) ret
CCPA-1798.140-02
Requirement
Contractor Certification Requirement
Businesses must include in contractor contracts a certification that the contractor understands the restrictions and wil
CCPA-1798.140-03
Requirement
Contractor Monitoring Provision Requirement
Businesses must include contract provisions permitting monitoring of contractor compliance through manual reviews, autom
CCPA-1798.140-04
Requirement
Contractor Sub-engagement Notification Requirement
Contractors must notify the business when engaging other persons to assist in processing personal information for busine
CCPA-1798.140-05
Requirement
Contractor Sub-engagement Contract Requirement
Contractors must ensure sub-engagements are pursuant to written contracts binding the other person to observe all contra
CCPA-1798.140-06
Requirement
Deidentified Information Security Measures Requirement
Businesses possessing deidentified information must take reasonable measures to ensure the information cannot be associa
CCPA-1798.140-07
Requirement
Deidentified Information Public Commitment Requirement
Businesses must publicly commit to maintain and use deidentified information in deidentified form and not attempt to rei
CCPA-1798.140-08
Requirement
Deidentified Information Recipient Contractual Obligations
Businesses must contractually obligate any recipients of deidentified information to comply with all deidentification pr
CCPA-1798.140-09
Requirement
Research Data Pseudonymization/Deidentification Requirement
Businesses conducting research with personal information must subsequently pseudonymize and deidentify, or deidentify an
CCPA-1798.140-10
Requirement
Research Technical Safeguards Requirement
Businesses must implement technical safeguards that prohibit reidentification of consumers in research data (except as n
CCPA-1798.140-11
Requirement
Research Business Process Anti-Reidentification Requirement
Businesses must establish business processes that specifically prohibit reidentification of research information (except
CCPA-1798.140-12
Requirement
Research Inadvertent Release Prevention Requirement
Businesses must implement business processes to prevent inadvertent release of deidentified research information
CCPA-1798.140-13
Requirement
Research Reidentification Protection Requirement
Businesses must protect research information from any reidentification attempts
CCPA-1798.140-14
Requirement
Research Purpose Limitation Requirement
Businesses must use research information solely for research purposes that are compatible with the context in which the
CCPA-1798.140-15
Requirement
Research Access Control Security Requirement
Businesses must implement additional security controls that limit access to research data to only those individuals nece
CCPA-1798.140-16
Requirement
Service Provider Contract Prohibition Requirements
Businesses must ensure written contracts with service providers prohibit: (1) selling or sharing personal information, (
CCPA-1798.140-17
Requirement
Service Provider Sub-engagement Notification Requirement
Service providers must notify the business when engaging other persons to assist in processing personal information for
CCPA-1798.140-18
Requirement
Service Provider Sub-engagement Contract Requirement
Service providers must ensure sub-engagements are pursuant to written contracts binding the other person to observe all
Article 1798.145. Exemptions
4 obligations
CCPA-1798.145-04
Requirement
Extend consumer request response time when necessary with proper notice
Businesses may extend response time for consumer requests by up to 90 days total when necessary due to complexity and nu
CCPA-1798.145-07
Requirement
Bear burden of proving consumer requests are manifestly unfounded or excessive
Businesses must bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessi
CCPA-1798.145-08
Requirement
Require written contracts with third parties for consumer data protection
Businesses disclosing personal information to third parties (except for opted-out consumers, sensitive data limited cons
CCPA-1798.145-10
Requirement
Comply with physical item production consent despite consumer opt-out when commercially reasonable
When consumers have consented to use of personal information for physical item production (like yearbooks), businesses m
Article 1798.146. Untitled
1 obligation
Article 1798.148. Untitled
3 obligations
CCPA-1798.148-02
Requirement
Compliance with federal and state privacy laws for reidentified information
Must ensure that any information reidentified pursuant to this section complies with applicable federal and state data p
CCPA-1798.148-05
Requirement
Inclusion of third-party disclosure restrictions in contracts
Must include a requirement in contracts for sale or license of deidentified information that, unless otherwise required
CCPA-1798.148-06
Requirement
Contract compliance for testing/validation of deidentification
When engaging a person or entity to attempt reidentification for testing, analysis, or validation of deidentification te
Article 1798.150. Personal Information Security Breaches
2 obligations
CCPA-1798.150-02
Requirement
Respond to 30-day written notice of violations
When a business receives 30 days' written notice from a consumer identifying specific violations, the business must cure
CCPA-1798.150-04
Requirement
Comply with express written statements to avoid continued violations
Businesses must not continue to violate the CCPA in breach of any express written statement provided to consumers under
Article 1798.155. Administrative Enforcement
2 obligations
CCPA-1798.155-02
Requirement
Deposit 95% of administrative fines into Consumer Privacy Subfund
Must deposit ninety-five percent of any administrative fine assessed and settlement proceeds into the Consumer Privacy S
CCPA-1798.155-03
Requirement
Deposit 5% of administrative fines into Consumer Privacy Grant Subfund
Must deposit five percent of any administrative fine assessed and settlement proceeds into the Consumer Privacy Grant Su
Article 1798.160. Consumer Privacy Fund
14 obligations
CCPA-1798.160-01
Requirement
Deposit 95% of CPPA Administrative Fines to Consumer Privacy Subfund
Ninety-five percent of any administrative fine recovered in an action brought by the California Privacy Protection Agenc
CCPA-1798.160-02
Requirement
Use Consumer Privacy Subfund Exclusively for CPPA Duties
Funds in the Consumer Privacy Subfund must be used exclusively by the California Privacy Protection Agency in carrying o
CCPA-1798.160-03
Requirement
Deposit 95% of Attorney General Civil Penalties to AG Enforcement Subfund
Ninety-five percent of any civil penalty recovered in an action brought by the Attorney General for a violation of this
CCPA-1798.160-04
Requirement
Use AG Enforcement Subfund Exclusively for Attorney General Duties
Funds in the Attorney General Consumer Privacy Enforcement Subfund must be used exclusively by the Attorney General in c
CCPA-1798.160-05
Requirement
Deposit 5% of CPPA Administrative Fines to Consumer Privacy Grant Subfund
Five percent of any administrative fine recovered in an action brought by the California Privacy Protection Agency for a
CCPA-1798.160-06
Requirement
Deposit 5% of Attorney General Civil Penalties to Consumer Privacy Grant Subfund
Five percent of any civil penalty recovered in an action brought by the Attorney General for a violation of this title m
CCPA-1798.160-07
Requirement
Use Grant Subfund Exclusively for Specified Privacy Programs
Funds deposited into the Consumer Privacy Grant Subfund must be used exclusively by the California Privacy Protection Ag
CCPA-1798.160-08
Requirement
Distribute Grant Funds in Equal Thirds to Specified Recipients
The California Privacy Protection Agency must make grants from the Consumer Privacy Grant Subfund by distributing one-th
CCPA-1798.160-09
Requirement
Begin Grant Program Administration When Funds Exceed $300,000
The California Privacy Protection Agency must begin administering the grant program when the amount of funds in the Cons
CCPA-1798.160-10
Requirement
Retain Funds in Grant Subfund When Balance is $300,000 or Less
In a fiscal year in which the amount of funds in the Consumer Privacy Grant Subfund is equal to or less than three hundr
CCPA-1798.160-11
Requirement
Transfer Interest and Earnings to General Fund Annually
Any interest and earnings from the Consumer Privacy Fund and all subfunds within the fund must be transferred on an annu
CCPA-1798.160-12
Requirement
One-Time Transfer of Remaining 2025 Budget Funds - 45% to Consumer Privacy Subfund
Any remaining funds in the Consumer Privacy Fund and subfunds that were not appropriated as part of the 2025 Budget Act
CCPA-1798.160-13
Requirement
One-Time Transfer of Remaining 2025 Budget Funds - 45% to AG Enforcement Subfund
Any remaining funds in the Consumer Privacy Fund and subfunds that were not appropriated as part of the 2025 Budget Act
CCPA-1798.160-14
Requirement
One-Time Transfer of Remaining 2025 Budget Funds - 10% to Grant Subfund
Any remaining funds in the Consumer Privacy Fund and subfunds that were not appropriated as part of the 2025 Budget Act
Article 1798.175. Conflicting Provisions
2 obligations
CCPA-1798.175-01
Requirement
Apply CCPA to all personal information collection regardless of method
Businesses must apply CCPA provisions to all personal information collected from consumers, not just information collect
CCPA-1798.175-03
Requirement
Apply most protective privacy law when conflicts cannot be harmonized
When conflicts between CCPA and other consumer personal information laws cannot be harmonized, businesses and legal inte
Article 1798.185. Regulations
29 obligations
CCPA-1798.185-01
Requirement
Attorney General Must Adopt Initial Regulations by July 1, 2020
The Attorney General shall solicit broad public participation and adopt regulations to further the purposes of this titl
CCPA-1798.185-02
Requirement
Update Personal Information Categories
The Attorney General must adopt regulations updating or adding categories of personal information enumerated in Section
CCPA-1798.185-03
Requirement
Update Deidentified and Unique Identifier Definitions
The Attorney General must adopt regulations updating definitions of 'deidentified' and 'unique identifier' to address te
CCPA-1798.185-04
Requirement
Establish Trade Secret and Intellectual Property Exceptions
The Attorney General must establish exceptions necessary to comply with state or federal law, including those relating t
CCPA-1798.185-05
Requirement
Establish Opt-Out Request Rules and Procedures
The Attorney General must establish rules and procedures to facilitate consumer opt-out requests for sale/sharing of per
CCPA-1798.185-06
Requirement
Govern Business Compliance with Opt-Out Requests
The Attorney General must establish rules and procedures to govern how businesses must comply with consumer opt-out requ
CCPA-1798.185-07
Requirement
Develop Uniform Opt-Out Logo/Button Standards
The Attorney General must establish rules for the development and use of a recognizable and uniform opt-out logo or butt
CCPA-1798.185-08
Requirement
Establish Notice and Information Accessibility Rules
The Attorney General must establish rules ensuring business notices and information are easily understood by average con
CCPA-1798.185-09
Requirement
Establish Verifiable Consumer Request Standards
The Attorney General must establish rules to facilitate consumer rights under Sections 1798.105, 1798.106, 1798.110, and
CCPA-1798.185-10
Requirement
Establish Correction Request Standards
The Attorney General must establish regulations governing how often and under what circumstances consumers may request c
CCPA-1798.185-11
Requirement
Establish 12-Month Information Provision Standards
The Attorney General must establish standards governing when providing information beyond the 12-month period in respons
CCPA-1798.185-12
Requirement
Define Business Purposes for Personal Information Use
The Attorney General must issue regulations further defining and adding to the business purposes for which businesses, s
CCPA-1798.185-13
Requirement
Define Service Provider Own Business Purpose Uses
The Attorney General must issue regulations identifying business purposes for which service providers and contractors ma
CCPA-1798.185-14
Requirement
Define 'Intentionally Interacts'
The Attorney General must issue regulations to further define 'intentionally interacts' with the goal of maximizing cons
CCPA-1798.185-15
Requirement
Define 'Precise Geolocation'
The Attorney General must issue regulations to further define 'precise geolocation,' including considerations for sparse
CCPA-1798.185-16
Requirement
Define 'Specific Pieces of Information'
The Attorney General must define 'specific pieces of information obtained from the consumer' to maximize consumer access
CCPA-1798.185-17
Requirement
Require Cybersecurity Audits for High-Risk Processing
The Attorney General must issue regulations requiring businesses whose processing presents significant risk to perform a
CCPA-1798.185-18
Requirement
Require Risk Assessments for High-Risk Processing
The Attorney General must require businesses with significant risk processing to submit regular risk assessments to the
CCPA-1798.185-19
Requirement
Govern Automated Decisionmaking Access Rights
The Attorney General must issue regulations governing access and opt-out rights for automated decisionmaking technology
CCPA-1798.185-20
Requirement
Define Law Enforcement Investigation Exception
The Attorney General must issue regulations to further define 'law enforcement agency-approved investigation' for purpos
CCPA-1798.185-21
Requirement
Define Agency Audit Authority Scope
The Attorney General must issue regulations defining the scope and process for the agency's audit authority, establishin
CCPA-1798.185-22
Requirement
Define Opt-Out Preference Signal Technical Requirements
The Attorney General must issue regulations defining requirements and technical specifications for opt-out preference si
CCPA-1798.185-23
Requirement
Define Minor Age Verification for Opt-Out Signals
The Attorney General must issue regulations establishing technical specifications for opt-out preference signals that al
CCPA-1798.185-24
Requirement
Govern Sensitive Information Use Despite Consumer Direction
The Attorney General must issue regulations governing use/disclosure of sensitive personal information despite consumer
CCPA-1798.185-25
Requirement
Govern Opt-Out Signal Response and Consent Opportunity
The Attorney General must issue regulations governing how businesses responding to opt-out preference signals provide su
CCPA-1798.185-26
Requirement
Review Insurance Code for Consumer Privacy Protections
The Attorney General must review existing Insurance Code provisions and regulations relating to consumer privacy (except
CCPA-1798.185-27
Requirement
Harmonize Operational Mechanisms
The Attorney General must harmonize regulations governing opt-out mechanisms, consumer notices, and other operational me
CCPA-1798.185-29
Requirement
Transfer Authority to California Privacy Protection Agency
Beginning the later of July 1, 2021, or six months after the agency provides notice of readiness, the California Privacy
CCPA-1798.185-30
Requirement
Final Regulation Adoption Timeline for CPRA Amendments
Final regulations required by the act adding subdivision (d) must be adopted by July 1, 2022.
Article 1798.192. Waiver
3 obligations
CCPA-1798.192-03
Requirement
Respect Consumer Choice Regarding Information Requests
Businesses must respect and allow consumers to decline to request information without this being considered a waiver of
CCPA-1798.192-04
Requirement
Respect Consumer Choice Regarding Opt-Out Decisions
Businesses must respect and allow consumers to decline to opt out of the sale of their personal information without this
CCPA-1798.192-05
Requirement
Allow Consumer Authorization for Data Sale/Share After Previous Opt-Out
Businesses must allow consumers to authorize the sale or sharing of their personal information even after they have prev
Article 1798.198. Untitled
1 obligation
Article 1798.199.10. Untitled
8 obligations
CCPA-1798.199.10-01
Requirement
Establish California Privacy Protection Agency
The state of California must establish the California Privacy Protection Agency with full administrative power, authorit
CCPA-1798.199.10-02
Requirement
Structure Agency with Five-Member Board
The California Privacy Protection Agency must be governed by a five-member board, including the chairperson.
CCPA-1798.199.10-03
Requirement
Governor Must Appoint Chairperson and One Board Member
The Governor of California must appoint the chairperson and one member of the California Privacy Protection Agency board
CCPA-1798.199.10-04
Requirement
Attorney General Must Appoint One Board Member
The Attorney General of California must appoint one member of the California Privacy Protection Agency board.
CCPA-1798.199.10-05
Requirement
Senate Rules Committee Must Appoint One Board Member
The Senate Rules Committee of California must appoint one member of the California Privacy Protection Agency board.
CCPA-1798.199.10-06
Requirement
Speaker of Assembly Must Appoint One Board Member
The Speaker of the Assembly of California must appoint one member of the California Privacy Protection Agency board.
CCPA-1798.199.10-07
Requirement
Appoint Members with Relevant Expertise
All appointing authorities should make appointments from among Californians with expertise in the areas of privacy, tech
CCPA-1798.199.10-08
Requirement
Complete Initial Appointments Within 90 Days
All initial appointments to the California Privacy Protection Agency must be made within 90 days of the effective date o
Article 1798.199.15. Members of the agency board shall:
4 obligations
CCPA-1798.199.15-01
Requirement
Agency board members must have required qualifications and skills
Agency board members must possess qualifications, experience, and skills, particularly in privacy and technology areas,
CCPA-1798.199.15-02
Requirement
Agency board members must maintain confidentiality
Agency board members must maintain the confidentiality of information obtained during performance of their tasks or exer
CCPA-1798.199.15-03
Requirement
Agency board members must remain free from external influence
Agency board members must remain independent from external influence, whether direct or indirect, and cannot seek or tak
CCPA-1798.199.15-05
Requirement
Agency board members have right of access to agency information
Agency board members have the right to access all information that the agency makes available to the chairperson.
Article 1798.199.40. The agency shall perform the following functions:
7 obligations
CCPA-1798.199.40-01
Requirement
Administer, implement, and enforce CCPA through administrative actions
The agency must administer, implement, and enforce the California Consumer Privacy Act through administrative actions.
CCPA-1798.199.40-02
Requirement
Adopt, amend, and rescind CCPA regulations
The agency must adopt, amend, and rescind regulations pursuant to Section 1798.185 to carry out the purposes and provisi
CCPA-1798.199.40-03
Requirement
Protect fundamental privacy rights through CCPA implementation
The agency must protect the fundamental privacy rights of natural persons with respect to the use of their personal info
CCPA-1798.199.40-09
Requirement
Provide technical assistance to Legislature on privacy legislation
The agency must provide technical assistance and advice to the Legislature, upon request, with respect to privacy-relate
CCPA-1798.199.40-11
Requirement
Cooperate with other privacy authorities for consistent application
The agency must cooperate with other agencies with jurisdiction over privacy laws and with data processing authorities i
CCPA-1798.199.40-14
Requirement
Solicit, review, and approve grant applications
The agency must solicit, review, and approve applications for grants to the extent funds are available pursuant to parag
CCPA-1798.199.40-15
Requirement
Perform necessary acts and balance consumer privacy with business impact
The agency must perform all other acts necessary or appropriate in the exercise of its power, authority, and jurisdictio
Article 1798.199.45. Untitled
1 obligation
Article 1798.199.55. Untitled
6 obligations
CCPA-1798.199.55-01
Requirement
Conduct hearing when probable cause of violation exists
The agency must hold a hearing to determine if violations have occurred when it determines there is probable cause for b
CCPA-1798.199.55-02
Requirement
Issue cease and desist order for violations
The agency may require violators to cease and desist violation of this title if violations are determined to have occurr
CCPA-1798.199.55-03
Requirement
Assess administrative fines for violations
The agency may impose administrative fines up to $2,500 per violation, or up to $7,500 for each intentional violation an
CCPA-1798.199.55-04
Requirement
Deposit 95% of fines into Consumer Privacy Subfund
The agency must deposit ninety-five percent of any administrative fine into the Consumer Privacy Subfund created within
CCPA-1798.199.55-05
Requirement
Deposit 5% of fines into Consumer Privacy Grant Subfund
The agency must deposit five percent of any administrative fine into the Consumer Privacy Grant Subfund created within t
CCPA-1798.199.55-08
Requirement
Pay assessed administrative fines
Violators must pay administrative fines when assessed by the agency, which may be up to $2,500 per violation or up to $7
Article 1798.199.70. No administrative action brought pursuant to this title alleging a violation of any of the provisions of this title shall be commenced more than five years after the date on which the violation occurred.
2 obligations
CCPA-1798.199.70-01
Requirement
Five-Year Statute of Limitations for Administrative Actions
Administrative enforcement agencies must commence any administrative action alleging a violation of CCPA provisions with
CCPA-1798.199.70-03
Requirement
Compliance with Court Orders for Document Production
Entities subject to administrative proceedings under CCPA must produce documents by the date ordered when a superior cou
Article 1798.199.75. Untitled
5 obligations
CCPA-1798.199.75-01
Requirement
Follow Proper Procedures When Filing Civil Action for Unpaid Administrative Fines
When bringing a civil action to collect unpaid administrative fines after exhaustion of judicial review, the agency must
CCPA-1798.199.75-02
Requirement
Prove Administrative Fines Were Imposed Following Proper Procedures
In civil proceedings to collect unpaid administrative fines, the agency must demonstrate that the administrative fines w
CCPA-1798.199.75-03
Requirement
Prove Proper Notice Was Given of Administrative Fines
In civil proceedings to collect unpaid administrative fines, the agency must demonstrate that the defendant(s) were noti
CCPA-1798.199.75-04
Requirement
Prove Demand for Payment Was Made and Not Satisfied
In civil proceedings to collect unpaid administrative fines, the agency must demonstrate that a demand for payment has b
CCPA-1798.199.75-05
Requirement
Commence Civil Action Within Four-Year Limitation Period
Any civil action brought to collect unpaid administrative fines must be commenced within four years after the date on wh
Article 1798.199.80. Untitled
5 obligations
CCPA-1798.199.80-01
Requirement
Apply to court clerk for judgment to collect administrative fines after judicial review period
The agency may apply to the clerk of the court for a judgment to collect administrative fines imposed by a final order o
CCPA-1798.199.80-02
Requirement
Include certified copy and proof of service in court application
The application to the court clerk must include a certified copy of the order or decision (or the order as modified in a
CCPA-1798.199.80-03
Requirement
Enter judgment immediately upon proper application
The clerk of the court shall enter the judgment immediately in conformity with the application when the application incl
CCPA-1798.199.80-04
Requirement
Apply to superior court clerk in county where fines were imposed
An application for judgment to collect administrative fines must be made to the clerk of the superior court in the count
CCPA-1798.199.80-05
Requirement
File application within four years of exhausted judicial review
The agency may bring an application for judgment to collect administrative fines only within four years after the date o
Article 1798.199.90. Untitled
4 obligations
CCPA-1798.199.90-01
Requirement
Deposit 95% of civil penalties into Attorney General Consumer Privacy Enforcement Subfund
The Attorney General must deposit 95% of any civil penalty recovered by an action for a violation of this title, and of
CCPA-1798.199.90-02
Requirement
Deposit portion of penalties for joint investigation reimbursement
The Attorney General may, if an action or settlement is the result of a joint investigation with the agency, deposit a p
CCPA-1798.199.90-03
Requirement
Deposit 5% of civil penalties into Consumer Privacy Grant Subfund
The Attorney General must deposit 5% of any civil penalty recovered by an action for a violation of this title, and of t
CCPA-1798.199.90-04
Requirement
Stay administrative action upon Attorney General request
The agency must, upon request by the Attorney General, stay an administrative action or investigation under this title t
Article 1798.199.95. Untitled
5 obligations
CCPA-1798.199.95-01
Requirement
Department of Finance Budget Inclusion Requirements
The Department of Finance must include specific items in the state budget and Budget Act bill when submitted to the Legi
CCPA-1798.199.95-02
Requirement
Attorney General Staff Support Provision
The Attorney General must provide staff support to the California Privacy Protection Agency until the agency has hired i
CCPA-1798.199.95-03
Requirement
California Privacy Protection Agency Reimbursement Obligation
The California Privacy Protection Agency must reimburse the Attorney General for staff support services provided.
CCPA-1798.199.95-04
Requirement
Biennial Monetary Threshold Adjustment Requirement
The California Privacy Protection Agency must adjust monetary thresholds in specified CCPA sections on January 1, 2025,
CCPA-1798.199.95-05
Requirement
Consumer Price Index Calculation Method Requirement
The California Privacy Protection Agency must use the specific Consumer Price Index (CPI) - California, All Items, All U