State Privacy Laws
Advertising and Privacy Law
Your hub for advertising, privacy, and consumer protection legal information

State Privacy Laws

Insights
Insights
State Privacy Laws
Welcome to Kelley Drye’s State Privacy Law portal, providing the full, searchable text of recently enacted state privacy laws and regulations in California, Virginia, and Colorado. The laws regulate how companies collect, use, and share personal information through required disclosures and contractual terms, and by offering consumers a broad range of rights with respect to their data.

To learn more, we encourage you to visit our blog, Ad Law Access, where we regularly cover developments and proposed changes to state privacy laws.
  • California
    • California Consumer Privacy Act (CCPA)
      The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. This regulation brings significant change to the U.S. privacy and data protection law landscape, and serves as a harbinger of a potential wave of additional consumer data privacy regulations at the state and even federal level.
      • Right to Know
        • 1798.100: Consumers' Right to Know About Privacy Practices and Access Information
          1. A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.

          2. A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.

          3. A business shall provide the information specified in subdivision (a) to a consumer only upon receipt of a verifiable consumer request.

          4. A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.

          5. This section shall not require a business to retain any personal information collected for a single, one-time transaction, if such information is not sold or retained by the business or to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.

          (Amended by Stats. 2019, Ch. 757, Sec. 1. (AB 1355) Effective January 1, 2020. Superseded on January 1, 2023; see amendment by Proposition 24.)
      • Deletion
        • 1798.105: Consumers' Right to Request Deletion
          1. A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.

          2. A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumer’s rights to request the deletion of the consumer’s personal information.

          3. A business that receives a verifiable consumer request from a consumer to delete the consumer’s personal information pursuant to subdivision (a) of this section shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.

          4. A business or a service provider shall not be required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to:

            1. Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’ ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.

            2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.

            3. Debug to identify and repair errors that impair existing intended functionality.

            4. Exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law.

            5. Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.

            6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.

            7. To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.

            8. Comply with a legal obligation.

            9. Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

          (Amended by Stats. 2019, Ch. 751, Sec. 1. (AB 1146) Effective January 1, 2020. Superseded on January 1, 2023; see amendment by Proposition 24.)
           
      • Access Rights
        • 1798.110: Information to be Provided as Part of an Access Request
          1. A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:
             
            1. The categories of personal information it has collected about that consumer.

            2. The categories of sources from which the personal information is collected.

            3. The business or commercial purpose for collecting or selling personal information.

            4. The categories of third parties with whom the business shares personal information.

            5. The specific pieces of personal information it has collected about that consumer.

          2. A business that collects personal information about a consumer shall disclose to the consumer, pursuant to paragraph (3) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) upon receipt of a verifiable consumer request from the consumer.

          3. A business that collects personal information about consumers shall disclose, pursuant to subparagraph (B) of paragraph (5) of subdivision (a) of Section 1798.130:

            1. The categories of personal information it has collected about consumers.

            2. The categories of sources from which the personal information is collected.

            3. The business or commercial purpose for collecting or selling personal information.

            4. The categories of third parties with whom the business shares personal information.

            5. That a consumer has the right to request the specific pieces of personal information the business has collected about that consumer.

          4. This section does not require a business to do the following:

            1. Retain any personal information about a consumer collected for a single one-time transaction if, in the ordinary course of business, that information about the consumer is not retained.

            2. Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.

          (Amended by Stats. 2019, Ch. 757, Sec. 2. (AB 1355) Effective January 1, 2020. Superseded on January 1, 2023; see amendment by Proposition 24.)
           
      • Sale/Discrimination
        • 1798.115: Consumers' Right to Information About Sale and Disclosures
          1. A consumer shall have the right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer:
             
            1. The categories of personal information that the business collected about the consumer.

            2. The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each category of third parties to whom the personal information was sold.

            3. The categories of personal information that the business disclosed about the consumer for a business purpose.

          2. A business that sells personal information about a consumer, or that discloses a consumer’s personal information for a business purpose, shall disclose, pursuant to paragraph (4) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) to the consumer upon receipt of a verifiable consumer request from the consumer.

          3. A business that sells consumers’ personal information, or that discloses consumers’ personal information for a business purpose, shall disclose, pursuant to subparagraph (C) of paragraph (5) of subdivision (a) of Section 1798.130:

            1. The category or categories of consumers’ personal information it has sold, or if the business has not sold consumers’ personal information, it shall disclose that fact.

            2. The category or categories of consumers’ personal information it has disclosed for a business purpose, or if the business has not disclosed the consumers’ personal information for a business purpose, it shall disclose that fact.

          4. A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out pursuant to Section 1798.120.

          (Amended by Stats. 2019, Ch. 757, Sec. 3. (AB 1355) Effective January 1, 2020. Superseded on January 1, 2023; see amendment by Proposition 24.)
           
        • 1798.120: Consumers' Right to Prohibit the Sale of Personal Information
          1. A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out.

          2. A business that sells consumers’ personal information to third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the “right to opt-out” of the sale of their personal information.

          3. Notwithstanding subdivision (a), a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. This right may be referred to as the “right to opt-in.”

          4. A business that has received direction from a consumer not to sell the consumer’s personal information or, in the case of a minor consumer’s personal information has not received consent to sell the minor consumer’s personal information shall be prohibited, pursuant to paragraph (4) of subdivision (a) of Section 1798.135, from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information.

          (Amended by Stats. 2019, Ch. 757, Sec. 4. (AB 1355) Effective January 1, 2020. Superseded on January 1, 2023; see amendment by Proposition 24.)
           
        • 1798.125: Prohibition on Discrimination Based upon Exercise of Rights
          1. 1.    A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by:

            1. Denying goods or services to the consumer.

            2. Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.

            3. Providing a different level or quality of goods or services to the consumer.

            4. Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

          2. 2.     Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the business by the consumer’s data.

          3. 1.    A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data.

            1. A business that offers any financial incentives pursuant to this subdivision shall notify consumers of the financial incentives pursuant to Section 1798.130.

            2. A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.130 that clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.

            3. A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

          (Amended by Stats. 2019, Ch. 757, Sec. 5. (AB 1355) Effective January 1, 2020. Superseded on January 1, 2023; see amendment by Proposition 24.)
           
      • Rights Methods
        • 1798.130: Methods for Exercising Consumer Rights
          1. In order to comply with Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, a business shall, in a form that is reasonably accessible to consumers:

            1. (A) Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number. A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115.

              1. If the business maintains an internet website, make the internet website available to consumers to submit requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115.

            2. Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable consumer request, but this shall not extend the business’ duty to disclose and deliver the information within 45 days of receipt of the consumer’s request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period. The disclosure shall cover the 12-month period preceding the business’ receipt of the verifiable consumer request and shall be made in writing and delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance. The business may require authentication of the consumer that is reasonable in light of the nature of the personal information requested, but shall not require the consumer to create an account with the business in order to make a verifiable consumer request. If the consumer maintains an account with the business, the business may require the consumer to submit the request through that account.

            3. For purposes of subdivision (b) of Section 1798.110:

              1. To identify the consumer, associate the information provided by the consumer in the verifiable consumer request to any personal information previously collected by the business about the consumer.

              2. Identify by category or categories the personal information collected about the consumer in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information collected.

            4. For purposes of subdivision (b) of Section 1798.115:

              1. Identify the consumer and associate the information provided by the consumer in the verifiable consumer request to any personal information previously collected by the business about the consumer.

              2. Identify by category or categories the personal information of the consumer that the business sold in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely describes the personal information, and provide the categories of third parties to whom the consumer’s personal information was sold in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information sold. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (C).

              3. Identify by category or categories the personal information of the consumer that the business disclosed for a business purpose in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information, and provide the categories of third parties to whom the consumer’s personal information was disclosed for a business purpose in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information disclosed. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (B).

            5. Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers’ privacy rights, or if the business does not maintain those policies, on its internet website and update that information at least once every 12 months:

              1. A description of a consumer’s rights pursuant to Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125 and one or more designated methods for submitting requests.

              2. For purposes of subdivision (c) of Section 1798.110, a list of the categories of personal information it has collected about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information collected.

              3. For purposes of paragraphs (1) and (2) of subdivision (c) of Section 1798.115, two separate lists:

                1. A list of the categories of personal information it has sold about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information sold, or if the business has not sold consumers’ personal information in the preceding 12 months, the business shall disclose that fact.

                2. A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely describe the personal information disclosed, or if the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business shall disclose that fact.

              4. In the case of a business that sells or discloses deidentified patient information not subject to this title pursuant to clause (i) of subparagraph (A) of paragraph (4) of subdivision (a) of Section 1798.146, whether the business sells or discloses deidentified patient information derived from patient information and if so, whether that patient information was deidentified pursuant to one or more of the following:

                1. The deidentification methodology described in Section 164.514(b)(1) of Title 45 of the Code of Federal Regulations, commonly known as the HIPAA expert determination method.

                2. The deidentification methodology described in Section 164.514(b)(2) of Title 45 of the Code of Federal Regulations, commonly known as the HIPAA safe harbor method.

            6. Ensure that all individuals responsible for handling consumer inquiries about the business’ privacy practices or the business’ compliance with this title are informed of all requirements in Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, and this section, and how to direct consumers to exercise their rights under those sections.

            7. Use any personal information collected from the consumer in connection with the business’ verification of the consumer’s request solely for the purposes of verification.

          2. A business is not obligated to provide the information required by Sections 1798.110 and 1798.115 to the same consumer more than twice in a 12-month period.

          3. The categories of personal information required to be disclosed pursuant to Sections 1798.110 and 1798.115 shall follow the definition of personal information in Section 1798.140.

          (Amended by Stats. 2020, Ch. 172, Sec. 1. (AB 713) Effective September 25, 2020. Superseded on January 1, 2023; see amendment by Proposition 24.)
           
        • 1798.135: Do Not Sell Link
          1. A business that is required to comply with Section 1798.120 shall, in a form that is reasonably accessible to consumers:

            1. Provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.

            2. Include a description of a consumer’s rights pursuant to Section 1798.120, along with a separate link to the “Do Not Sell My Personal Information” Internet Web page in:

              1. Its online privacy policy or policies if the business has an online privacy policy or policies.

              2. Any California-specific description of consumers’ privacy rights.

            3. Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Section 1798.120 and this section and how to direct consumers to exercise their rights under those sections.

            4. For consumers who exercise their right to opt-out of the sale of their personal information, refrain from selling personal information collected by the business about the consumer.

            5. For a consumer who has opted-out of the sale of the consumer’s personal information, respect the consumer’s decision to opt-out for at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.

            6. Use any personal information collected from the consumer in connection with the submission of the consumer’s opt-out request solely for the purposes of complying with the opt-out request.

          2. Nothing in this title shall be construed to require a business to comply with the title by including the required links and text on the homepage that the business makes available to the public generally, if the business maintains a separate and additional homepage that is dedicated to California consumers and that includes the required links and text, and the business takes reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally.

          3. A consumer may authorize another person solely to opt-out of the sale of the consumer’s personal information on the consumer’s behalf, and a business shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer’s behalf, pursuant to regulations adopted by the Attorney General.

          (Amended (as added by Stats. 2018, Ch. 55, Sec. 3) by Stats. 2018, Ch. 735, Sec. 8. (SB 1121) Effective September 23, 2018. Section operative January 1, 2020, pursuant to Section 1798.198. Superseded on January 1, 2023; see amendment by Proposition 24.)
           
      • Definitions
        • 1798.140: Definitions
          For purposes of this title:
           
          1. “Aggregate consumer information” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. “Aggregate consumer information” does not mean one or more individual consumer records that have been de­identified.

          2. “Biometric information” means an individual’s physiological, biological, or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

          3. “Business” means:

            1. A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers’ personal information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

              1. Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.

              2. Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

              3. Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

            2. Any entity that controls or is controlled by a business as defined in paragraph (1) and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark.

          4. “Business purpose” means the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected. Business purposes are:

            1. Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.

            2. Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.

            3. Debugging to identify and repair errors that impair existing intended functionality.

            4. Short-term, transient use, provided that the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.

            5. Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.

            6. Undertaking internal research for technological development and demonstration.

            7. Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.

          5. “Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.

          6. “Commercial purposes” means to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction. “Commercial purposes” do not include for the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.

          7. “Consumer” means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.

          8. “Deidentified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:

            1. Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.

            2. Has implemented business processes that specifically prohibit reidentification of the information.

            3. Has implemented business processes to prevent inadvertent release of deidentified information.

            4. Makes no attempt to reidentify the information.

          9. “Designated methods for submitting requests” means a mailing address, email address, internet web page, internet web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under this title, and any new, consumer-friendly means of contacting a business, as approved by the Attorney General pursuant to Section 1798.185.

          10. “Device” means any physical object that is capable of connecting to the internet, directly or indirectly, or to another device.

          11. “Health insurance information” means a consumer’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the consumer, or any information in the consumer’s application and claims history, including any appeals records, if the information is linked or reasonably linkable to a consumer or household, including via a device, by a business or service provider.

          12. “Homepage” means the introductory page of an internet website and any internet web page where personal information is collected. In the case of an online service, such as a mobile application, homepage means the application’s platform page or download page, a link within the application, such as from the application configuration, “About,” “Information,” or settings page, and any other location that allows consumers to review the notice required by subdivision (a) of Section 1798.135, including, but not limited to, before downloading the application.

          13. “Infer” or “inference” means the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.

          14. “Person” means an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert.

          15. (1)            “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

            1. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

            2. Any categories of personal information described in subdivision (e) of Section 1798.80.

            3. Characteristics of protected classifications under California or federal law.

            4. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

            5. Biometric information.

            6. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.

            7. Geolocation data.

            8. Audio, electronic, visual, thermal, olfactory, or similar information.

            9. Professional or employment-related information.

            10. Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).

            11. Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

          16. “Personal information” does not include publicly available information. For purposes of this paragraph, “publicly available” means information that is lawfully made available from federal, state, or local government records. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.

          17. “Personal information” does not include consumer information that is deidentified or aggregate consumer information.

          18. “Probabilistic identifier” means the identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.

          19. “Processing” means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.

          20. “Pseudonymize” or “Pseudonymization” means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.

          21. “Research” means scientific, systematic study and observation, including basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws or studies conducted in the public interest in the area of public health. Research with personal information that may have been collected from a consumer in the course of the consumer’s interactions with a business’s service or device for other purposes shall be:

            1. Compatible with the business purpose for which the personal information was collected.

            2. Subsequently pseudonymized and deidentified, or deidentified and in the aggregate, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.

            3. Made subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.

            4. Subject to business processes that specifically prohibit reidentification of the information.

            5. Made subject to business processes to prevent inadvertent release of deidentified information.

            6. Protected from any reidentification attempts.

            7. Used solely for research purposes that are compatible with the context in which the personal information was collected.

            8. Not be used for any commercial purpose.

            9. Subjected by the business conducting the research to additional security controls that limit access to the research data to only those individuals in a business as are necessary to carry out the research purpose.

          22. (1)            “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

            1. For purposes of this title, a business does not sell personal information when:

              1. A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.

              2. The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer’s personal information.

              3. The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if both of the following conditions are met:

                1. The business has provided notice of that information being used or shared in its terms and conditions consistent with Section 1798.135.

                2. The service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.

              4. The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with Sections 1798.110 and 1798.115. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with Section 1798.120. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).

          23. “Service” or “services” means work, labor, and services, including services furnished in connection with the sale or repair of goods.

          24. “Service provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.

          25. “Third party” means a person who is not any of the following:

            1. The business that collects personal information from consumers under this title.

            2. (A) A person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract:

              1. Prohibits the person receiving the personal information from:

                1. Selling the personal information.

                2. Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.

                3. Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.

              2. Includes a certification made by the person receiving the personal information that the person understands the restrictions in subparagraph (A) and will comply with them.

            3. A person covered by this paragraph that violates any of the restrictions set forth in this title shall be liable for the violations. A business that discloses personal information to a person covered by this paragraph in compliance with this paragraph shall not be liable under this title if the person receiving the personal information uses it in violation of the restrictions set forth in this title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the person intends to commit such a violation.

          26. “Unique identifier” or “Unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device. For purposes of this subdivision, “family” means a custodial parent or guardian and any minor children over which the parent or guardian has custody.

          27. “Verifiable consumer request” means a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer pursuant to Sections 1798.100, 1798.105, 1798.110, and 1798.115 if the business cannot verify, pursuant to this subdivision and regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185, that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.

          (Amended by Stats. 2019, Ch. 757, Sec. 7.5. (AB 1355) Effective January 1, 2020. Superseded on January 1, 2023; see amendment by Proposition 24.)
           
      • Exceptions/Other
        • 1798.145: Exceptions
          1. The obligations imposed on businesses by this title shall not restrict a business’ ability to:

            1. Comply with federal, state, or local laws.

            2. Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.

            3. Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.

            4. Exercise or defend legal claims.

            5. Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.

            6. Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.

          2. The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.

          3. (1)    This title shall not apply to any of the following:

            1. Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).

            2. A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.

            3. Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.

          4. For purposes of this subdivision, the definitions of “medical information” and “provider of health care” in Section 56.05 shall apply and the definitions of “business associate,” “covered entity,” and “protected health information” in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.

          5. (1)    This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.

            1. Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, section 1681 et seq., Title 15 of the United States Code and the information is not used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.

            2. This subdivision shall not apply to Section 1798.150.

          6. This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.

          7. This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.

          8. (1)        Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicle’s manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.

            1. For purposes of this subdivision:

              1. “Vehicle information” means the vehicle information number, make, model, year, and odometer reading.

              2. “Ownership information” means the name or names of the registered owner or owners and the contact information for the owner or owners.

          9. (1)    This title shall not apply to any of the following:

            1. Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.

            2. Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.

            3. Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits.

          10. For purposes of this subdivision:

            1. “Contractor” means a natural person who provides any service to a business pursuant to a written contract.

            2. “Director” means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.

            3. “Medical staff member” means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.

            4. “Officer” means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.

            5. “Owner” means a natural person who meets one of the following:

              1. Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.

              2. Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.

              3. Has the power to exercise a controlling influence over the management of a company.

          11. This subdivision shall not apply to subdivision (b) of Section 1798.100 or Section 1798.150.

          12. This subdivision shall become inoperative on January 1, 2021.

          13. Notwithstanding a business’ obligations to respond to and honor consumer rights requests pursuant to this title:

            1. A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.

            2. If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.

            3. If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.

          14. A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.

          15. This title shall not be construed to require a business to collect personal information that it would not otherwise collect in the ordinary course of its business, retain personal information for longer than it would otherwise retain such information in the ordinary course of its business, or reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.

          16. The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.

          17. The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.

          18. (1)    The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, non-profit, or government agency.

            1. For purposes of this subdivision:

              1. “Contractor” means a natural person who provides any service to a business pursuant to a written contract.

              2. “Director” means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.

              3. “Officer” means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.

              4. “Owner” means a natural person who meets one of the following:

                1. Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.

                2. Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.

                3. Has the power to exercise a controlling influence over the management of a company.

            2. This subdivision shall become inoperative on January 1, 2021.

          (Amended by Stats. 2019, Ch. 763, Sec. 2.3. (AB 25) Effective January 1, 2020. Superseded on January 1, 2023; see amendment by Proposition 24. But see now the immediately operative subdivisions (m) and (n) in Prop. 24’s amendment. Note: In Prop. 24’s amendment, on December 16, 2020, its new subd. (m) becomes operative, and its subd. (n) supsersedes the subd. (n) in this version.)
           
        • 1798.146: Medical Information
          1. This title shall not apply to any of the following:

            1. Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5).

            2. A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains, uses, and discloses patient information in the same manner as medical information or protected health information as described in paragraph (1).

            3. A business associate of a covered entity governed by the privacy, security, and data breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the business associate maintains, uses, and discloses patient information in the same manner as medical information or protected health information as described in paragraph (1).

            4. Information that

              1. meets both of the following conditions:

                1. It is deidentified in accordance with the requirements for deidentification set forth in Section 164.514 of Part 164 of Title 45 of the Code of Federal Regulations.

                2. It is derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by the Health Insurance Portability and Accountability Act, the Confidentiality Of Medical Information Act, or the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.

              2. Information that met the requirements of subparagraph (A) but is subsequently reidentified shall no longer be eligible for the exemption in this paragraph, and shall be subject to applicable federal and state data privacy and security laws, including, but not limited to, the Health Insurance Portability and Accountability Act, the Confidentiality Of Medical Information Act, and this title.

            5. Information that is collected, used, or disclosed in research, as defined in Section 164.501 of Title 45 of the Code of Federal Regulations, including, but not limited to, a clinical trial, and that is conducted in accordance with applicable ethics, confidentiality, privacy, and security rules of Part 164 of Title 45 of the Code of Federal Regulations, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the United States Food and Drug Administration.

          2. For purposes of this section, all of the following shall apply:

            1. “Business associate” has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations.

            2. “Covered entity” has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations.

            3. “Identifiable private information” has the same meaning as defined in Section 46.102 of Title 45 of the Code of Federal Regulations.

            4. “Individually identifiable health information” has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations.

            5. “Medical information” has the same meaning as defined in Section 56.05.

            6. “Patient information” shall mean identifiable private information, protected health information, individually identifiable health information, or medical information.

            7. “Protected health information” has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations.

            8. “Provider of health care” has the same meaning as defined in Section 56.05.

          (Added by Stats. 2020, Ch. 172, Sec. 2. (AB 713) Effective September 25, 2020.)
        • 1798.148: Reidentification of Medical Information
          1. A business or other person shall not reidentify, or attempt to reidentify, information that has met the requirements of paragraph (4) of subdivision (a) of Section 1798.146, except for one or more of the following purposes:

            1. Treatment, payment, or health care operations conducted by a covered entity or business associate acting on behalf of, and at the written direction of, the covered entity. For purposes of this paragraph, “treatment,” “payment,” “health care operations,” “covered entity,” and “business associate” have the same meaning as defined in Section 164.501 of Title 45 of the Code of Federal Regulations.

            2. Public health activities or purposes as described in Section 164.512 of Title 45 of the Code of Federal Regulations.

            3. Research, as defined in Section 164.501 of Title 45 of the Code of Federal Regulations, that is conducted in accordance with Part 46 of Title 45 of the Code of Federal Regulations, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.

            4. Pursuant to a contract where the lawful holder of the deidentified information that met the requirements of paragraph (4) of subdivision (a) of Section 1798.146 expressly engages a person or entity to attempt to reidentify the deidentified information in order to conduct testing, analysis, or validation of deidentification, or related statistical techniques, if the contract bans any other use or disclosure of the reidentified information and requires the return or destruction of the information that was reidentified upon completion of the contract.

            5. If otherwise required by law.

          2. In accordance with paragraph (4) of subdivision (a) of Section 1798.146, information reidentified pursuant this section shall be subject to applicable federal and state data privacy and security laws including, but not limited to, the Health Insurance Portability and Accountability Act, the Confidentiality of Medical Information Act, and this title.

          3. Beginning January 1, 2021, any contract for the sale or license of deidentified information that has met the requirements of paragraph (4) of subdivision (a) of Section 1798.146, where one of the parties is a person residing or doing business in the state, shall include the following, or substantially similar, provisions:

            1. A statement that the deidentified information being sold or licensed includes deidentified patient information.

            2. A statement that reidentification, and attempted reidentification, of the deidentified information by the purchaser or licensee of the information is prohibited pursuant to this section.

            3. A requirement that, unless otherwise required by law, the purchaser or licensee of the deidentified information may not further disclose the deidentified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.

          4. For purposes of this section, “reidentify” means the process of reversal of deidentification techniques, including, but not limited to, the addition of specific pieces of information or data elements that can, individually or in combination, be used to uniquely identify an individual or usage of any statistical method, contrivance, computer software, or other means that have the effect of associating deidentified information with a specific identifiable individual.

          (Added by Stats. 2020, Ch. 172, Sec. 3. (AB 713) Effective September 25, 2020.)
           
        • 1798.150: Private Right of Action
          1. (1)    Any consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

            1. To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.

            2. Injunctive or declaratory relief.

            3. Any other relief the court deems proper.

            (2)    In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.

          2. Actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer provides a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated. In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business. No notice shall be required prior to an individual consumer initiating an action solely for actual pecuniary damages suffered as a result of the alleged violations of this title. If a business continues to violate this title in breach of the express written statement provided to the consumer under this section, the consumer may initiate an action against the business to enforce the written statement and may pursue statutory damages for each breach of the express written statement, as well as any other violation of the title that postdates the written statement.

          3. The cause of action established by this section shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title. Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law. This shall not be construed to relieve any party from any duties or obligations imposed under other law or the United States or California Constitution.

          (Amended by Stats. 2019, Ch. 757, Sec. 9. (AB 1355) Effective January 1, 2020. Superseded on January 1, 2023; see amendment by Proposition 24.)
           
        • 1798.155: Attorney General Guidance and Enforcement
          1. Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with the provisions of this title.

          2. A business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.

          3. Any civil penalty assessed for a violation of this title, and the proceeds of any settlement of an action brought pursuant to subdivision (b), shall be deposited in the Consumer Privacy Fund, created within the General Fund pursuant to subdivision (a) of Section 1798.160 with the intent to fully offset any costs incurred by the state courts and the Attorney General in connection with this title.

          (Amended (as added by Stats. 2018, Ch. 55, Sec. 3) by Stats. 2018, Ch. 735, Sec. 12. (SB 1121) Effective September 23, 2018. Section operative January 1, 2020, pursuant to Section 1798.198. Superseded on January 1, 2023; see amendment by Proposition 24.)
        • 1798.160: Consumer Privacy Fund
          1. A special fund to be known as the “Consumer Privacy Fund” is hereby created within the General Fund in the State Treasury, and is available upon appropriation by the Legislature first to offset any costs incurred by the state courts in connection with actions brought to enforce this title, the costs incurred by the Attorney General in carrying out the Attorney General’s duties under this title, and then for the purposes of establishing an investment fund in the State Treasury, with any earnings or interest from the fund to be deposited in the General Fund, and making grants to promote and protect consumer privacy, educate children in the area of online privacy, and fund cooperative programs with international law enforcement organizations to combat fraudulent activities with respect to consumer data breaches.

          2. Funds transferred to the Consumer Privacy Fund shall be used exclusively as follows:

            1. To offset any costs incurred by the state courts and the Attorney General in connection with this title.

            2. After satisfying the obligations under paragraph (1), the remaining funds shall be allocated each fiscal year as follows:

              1. Ninety-one percent shall be invested by the Treasurer in financial assets with the goal of maximizing long term yields consistent with a prudent level of risk. The principal shall not be subject to transfer or appropriation, provided that any interest and earnings shall be transferred on an annual basis to the General Fund for appropriation by the Legislature for General Fund purposes.

              2. Nine percent shall be made available to the California Privacy Protection Agency for the purposes of making grants in California, with 3 percent allocated to each of the following grant recipients:

                1. Nonprofit organizations to promote and protect consumer privacy.

                2. Nonprofit organizations and public agencies, including school districts, to educate children in the area of online privacy.

                3. State and local law enforcement agencies to fund cooperative programs with international law enforcement organizations to combat fraudulent activities with respect to consumer data breaches.

          3. Funds in the Consumer Privacy Fund shall not be subject to appropriation or transfer by the Legislature for any other purpose.

          (Amended November 3, 2020, by initiative Proposition 24, Sec. 18. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.175: Intent and Construction with Existing Privacy Laws
          This title is intended to further the constitutional right of privacy and to supplement existing laws relating to consumers’ personal information, including, but not limited to, Chapter 22 (commencing with Section 22575) of Division 8 of the Business and Professions Code and Title 1.81 (commencing with Section 1798.80). The provisions of this title are not limited to information collected electronically or over the Internet, but apply to the collection and sale of all personal information collected by a business from consumers. Wherever possible, law relating to consumers’ personal information should be construed to harmonize with the provisions of this title, but in the event of a conflict between other laws and the provisions of this title, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.

          (Added by Stats. 2018, Ch. 55, Sec. 3. (AB 375) Effective January 1, 2019. Section operative January 1, 2020, pursuant to Section 1798.198. Superseded on January 1, 2023; see amendment by Proposition 24.)
           
        • 1798.180: Preemption
          This title is a matter of statewide concern and supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection and sale of consumers’ personal information by a business.

          (Added by Stats. 2018, Ch. 55, Sec. 3. (AB 375) Effective January 1, 2019. Section operative September 23, 2018, pursuant to Section 1798.199. Superseded on January 1, 2023; see amendment by Proposition 24.)
           
        • 1798.185: Regulations
          1. On or before July 1, 2020, the Attorney General shall solicit broad public participation and adopt regulations to further the purposes of this title, including, but not limited to, the following areas:

            1. Updating or adding categories of personal information to those enumerated in subdivision (c) of Section 1798.130 and subdivision (v) of Section 1798.140, and updating or adding categories of sensitive personal information to those enumerated in subdivision (ae) of Section 1798.140 in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.

            2. Updating as needed the definitions of “deidentified” and “unique identifier” to address changes in technology, data collection, obstacles to implementation, and privacy concerns, and adding, modifying, or deleting categories to the definition of designated methods for submitting requests to facilitate a consumer’s ability to obtain information from a business pursuant to Section 1798.130. The authority to update the definition of “deidentified” shall not apply to deidentification standards set forth in Section 164.514 of Title 45 of the Code of Federal Regulations, where such information previously was “protected health information” as defined in Section 160.103 of Title 45 of the Code of Federal Regulations.

            3. Establishing any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights, within one year of passage of this title and as needed thereafter, with the intention that trade secrets should not be disclosed in response to a verifiable consumer request.

            4. Establishing rules and procedures for the following:

              1. To facilitate and govern the submission of a request by a consumer to opt-out of the sale or sharing of personal information pursuant to Section 1798.120 and to limit the use of a consumer’s sensitive personal information pursuant to Section 1798.121 to ensure that consumers have the ability to exercise their choices without undue burden and to prevent business from engaging in deceptive or harassing conduct, including in retaliation against consumers for exercising their rights, while allowing businesses to inform consumers of the consequences of their decision to opt out of the sale or sharing of their personal information or to limit the use of their sensitive personal information.

              2. To govern business compliance with a consumer’s opt-out request.

              3. For the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information.

            5. Adjusting the monetary thresholds, in January of every odd-numbered year to reflect any increase in the Consumer Price Index, in: subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.140; subparagraph (A) of paragraph (1) of subdivision (a) of Section 1798.150; subdivision (a) of Section 1798.155; Section 1798.199.25; and subdivision (a) of Section 1798.199.90.

            6. Establishing rules, procedures, and any exceptions necessary to ensure that the notices and information that businesses are required to provide pursuant to this title are provided in a manner that may be easily understood by the average consumer, are accessible to consumers with disabilities, and are available in the language primarily used to interact with the consumer, including establishing rules and guidelines regarding financial incentives within one year of passage of this title and as needed thereafter.

            7. Establishing rules and procedures to further the purposes of Sections 1798.105, 1798.106, 1798.110, and 1798.115 and to facilitate a consumer’s or the consumer’s authorized agent’s ability to delete personal information, correct inaccurate personal information pursuant to Section 1798.106, or obtain information pursuant to Section 1798.130, with the goal of minimizing the administrative burden on consumers, taking into account available technology, security concerns, and the burden on the business, to govern a business’s determination that a request for information received from a consumer is a verifiable consumer request, including treating a request submitted through a password-protected account maintained by the consumer with the business while the consumer is logged into the account as a verifiable consumer request and providing a mechanism for a consumer who does not maintain an account with the business to request information through the business’s authentication of the consumer’s identity, within one year of passage of this title and as needed thereafter.

            8. Establishing how often, and under what circumstances, a consumer may request a correction pursuant to Section 1798.106, including standards governing the following:

              1. How a business responds to a request for correction, including exceptions for requests to which a response is impossible or would involve disproportionate effort, and requests for correction of accurate information.

              2. How concerns regarding the accuracy of the information may be resolved.

              3. The steps a business may take to prevent fraud.

              4. If a business rejects a request to correct personal information collected and analyzed concerning a consumer’s health, the right of a consumer to provide a written addendum to the business with respect to any item or statement regarding any such personal information that the consumer believes to be incomplete or incorrect. The addendum shall be limited to 250 words per alleged incomplete or incorrect item and shall clearly indicate in writing that the consumer requests the addendum to be made a part of the consumer’s record.

            9. Establishing the standard to govern a business’ determination, pursuant to subparagraph (B) of paragraph (2) of subdivision (a) of Section 1798.130, that providing information beyond the 12-month period in a response to a verifiable consumer request is impossible or would involve a disproportionate effort.

            10. Issuing regulations further defining and adding to the business purposes, including other notified purposes, for which businesses, service providers, and contractors may use consumers’ personal information consistent with consumers’ expectations, and further defining the business purposes for which service providers and contractors may combine consumers’ personal information obtained from different sources, except as provided for in paragraph (6) of subdivision (e) of Section 1798.140.

            11. Issuing regulations identifying those business purposes, including other notified purposes, for which service providers and contractors may use consumers’ personal information received pursuant to a written contract with a business, for the service provider or contractor’s own business purposes, with the goal of maximizing consumer privacy.

            12. Issuing regulations to further define “intentionally interacts,” with the goal of maximizing consumer privacy.

            13. Issuing regulations to further define “precise geolocation,” including if the size defined is not sufficient to protect consumer privacy in sparsely populated areas or when the personal information is used for normal operational purposes, including billing.

            14. Issuing regulations to define the term “specific pieces of information obtained from the consumer” with the goal of maximizing a consumer’s right to access relevant personal information while minimizing the delivery of information to a consumer that would not be useful to the consumer, including system log information and other technical data. For delivery of the most sensitive personal information, the regulations may require a higher standard of authentication provided that the agency shall monitor the impact of the higher standard on the right of consumers to obtain their personal information to ensure that the requirements of verification do not result in the unreasonable denial of verifiable consumer requests.

            15. Issuing regulations requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to:

              1. Perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent. The factors to be considered in determining when processing may result in significant risk to the security of personal information shall include the size and complexity of the business and the nature and scope of processing activities.

              2. Submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal information, including whether the processing involves sensitive personal information, and identifying and weighing the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, with the goal of restricting or prohibiting the processing if the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public. Nothing in this section shall require a business to divulge trade secrets.

            16. Issuing regulations governing access and opt-out rights with respect to businesses’ use of automated decisionmaking technology, including profiling and requiring businesses’ response to access requests to include meaningful information about the logic involved in those decisionmaking processes, as well as a description of the likely outcome of the process with respect to the consumer.

            17. Issuing regulations to further define a “law enforcement agency-approved investigation” for purposes of the exception in paragraph (2) of subdivision (a) of Section 1798.145.

            18. Issuing regulations to define the scope and process for the exercise of the agency’s audit authority, to establish criteria for selection of persons to audit, and to protect consumers’ personal information from disclosure to an auditor in the absence of a court order, warrant, or subpoena.

            19. Issuing regulations to define

              1. the requirements and technical specifications for an opt-out preference signal sent by a platform, technology, or mechanism, to indicate a consumer’s intent to opt out of the sale or sharing of the consumer’s personal information and to limit the use or disclosure of the consumer’s sensitive personal information. The requirements and specifications for the opt-out preference signal should be updated from time to time to reflect the means by which consumers interact with businesses, and should:

                1. Ensure that the manufacturer of a platform or browser or device that sends the opt-out preference signal cannot unfairly disadvantage another business.

                2. Ensure that the opt-out preference signal is consumer-friendly, clearly described, and easy to use by an average consumer and does not require that the consumer provide additional information beyond what is necessary.

                3. Clearly represent a consumer’s intent and be free of defaults constraining or presupposing that intent.

                4. Ensure that the opt-out preference signal does not conflict with other commonly used privacy settings or tools that consumers may employ.

                5. Provide a mechanism for the consumer to selectively consent to a business’ sale of the consumer’s personal information, or the use or disclosure of the consumer’s sensitive personal information, without affecting the consumer’s preferences with respect to other businesses or disabling the opt-out preference signal globally.

                6. State that in the case of a page or setting view that the consumer accesses to set the opt-out preference signal, the consumer should see up to three choices, including:

                  1. Global opt out from sale and sharing of personal information, including a direction to limit the use of sensitive personal information.

                  2. Choice to “Limit the Use of My Sensitive Personal Information.”

                  3. Choice titled “Do Not Sell/Do Not Share My Personal Information for Cross-Context Behavioral Advertising.”

              2. Issuing regulations to establish technical specifications for an opt-out preference signal that allows the consumer, or the consumer’s parent or guardian, to specify that the consumer is less than 13 years of age or at least 13 years of age and less than 16 years of age.

              3. Issuing regulations, with the goal of strengthening consumer privacy while considering the legitimate operational interests of businesses, to govern the use or disclosure of a consumer’s sensitive personal information, notwithstanding the consumer’s direction to limit the use or disclosure of the consumer’s sensitive personal information, including:

                1. Determining any additional purposes for which a business may use or disclose a consumer’s sensitive personal information.

                2. Determining the scope of activities permitted under paragraph (8) of subdivision (e) of Section 1798.140, as authorized by subdivision (a) of Section 1798.121, to ensure that the activities do not involve health-related research.

                3. Ensuring the functionality of the business’ operations.

                4. Ensuring that the exemption in subdivision (d) of Section 1798.121 for sensitive personal information applies to information that is collected or processed incidentally, or without the purpose of inferring characteristics about a consumer, while ensuring that businesses do not use the exemption for the purpose of evading consumers’ rights to limit the use and disclosure of their sensitive personal information under Section 1798.121.

            20. Issuing regulations to govern how a business that has elected to comply with subdivision (b) of Section 1798.135 responds to the opt-out preference signal and provides consumers with the opportunity subsequently to consent to the sale or sharing of their personal information or the use and disclosure of their sensitive personal information for purposes in addition to those authorized by subdivision (a) of Section 1798.121. The regulations should:

              1. Strive to promote competition and consumer choice and be technology neutral.

              2. Ensure that the business does not respond to an opt-out preference signal by:

                1. Intentionally degrading the functionality of the consumer experience.

                2. Charging the consumer a fee in response to the consumer’s opt-out preferences.

                3. Making any products or services not function properly or fully for the consumer, as compared to consumers who do not use the opt-out preference signal.

                4. Attempting to coerce the consumer to opt in to the sale or sharing of the consumer’s personal information, or the use or disclosure of the consumer’s sensitive personal information, by stating or implying that the use of the opt-out preference signal will adversely affect the consumer as compared to consumers who do not use the opt-out preference signal, including stating or implying that the consumer will not be able to use the business’ products or services or that those products or services may not function properly or fully.

                5. Displaying any notification or pop-up in response to the consumer’s opt-out preference signal.

              3. Ensure that any link to a web page or its supporting content that allows the consumer to consent to opt in:

                1. Is not part of a popup, notice, banner, or other intrusive design that obscures any part of the web page the consumer intended to visit from full view or that interferes with or impedes in any way the consumer’s experience visiting or browsing the web page or website the consumer intended to visit.

                2. Does not require or imply that the consumer must click the link to receive full functionality of any products or services, including the website.

                3. Does not make use of any dark patterns.

                4. Applies only to the business with which the consumer intends to interact.

              4. Strive to curb coercive or deceptive practices in response to an opt-out preference signal but should not unduly restrict businesses that are trying in good faith to comply with Section 1798.135.

            21. Review existing Insurance Code provisions and regulations relating to consumer privacy, except those relating to insurance rates or pricing, to determine whether any provisions of the Insurance Code provide greater protection to consumers than the provisions of this title. Upon completing its review, the agency shall adopt a regulation that applies only the more protective provisions of this title to insurance companies. For the purpose of clarity, the Insurance Commissioner shall have jurisdiction over insurance rates and pricing.

            22. Harmonizing the regulations governing opt-out mechanisms, notices to consumers, and other operational mechanisms in this title to promote clarity and the functionality of this title for consumers.
          2. The Attorney General may adopt additional regulations as necessary to further the purposes of this title.

          3. The Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.

          4. Notwithstanding subdivision (a), the timeline for adopting final regulations required by the act adding this subdivision shall be July 1, 2022. Beginning the later of July 1, 2021, or six months after the agency provides notice to the Attorney General that it is prepared to begin rulemaking under this title, the authority assigned to the Attorney General to adopt regulations under this section shall be exercised by the California Privacy Protection Agency. Notwithstanding any other law, civil and administrative enforcement of the provisions of law added or amended by this act shall not commence until July 1, 2023, and shall only apply to violations occurring on or after that date. Enforcement of provisions of law contained in the California Consumer Privacy Act of 2018 amended by this act shall remain in effect and shall be enforceable until the same provisions of this act become enforceable.

          (Amended November 3, 2020, by initiative Proposition 24, Sec. 21. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
        • 1798.190: Intermediate Steps or Transactions to Be Disregarded
          If a series of steps or transactions were component parts of a single transaction intended from the beginning to be taken with the intention of avoiding the reach of this title, including the disclosure of information by a business to a third party in order to avoid the definition of sell, a court shall disregard the intermediate steps or transactions for purposes of effectuating the purposes of this title.

          (Added by Stats. 2018, Ch. 55, Sec. 3. (AB 375) Effective January 1, 2019. Section operative January 1, 2020, pursuant to Section 1798.198. Superseded on January 1, 2023; see amendment by Proposition 24.)
           
        • 1798.192: Waivers and Limitations Unenforceable
          Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable. This section shall not prevent a consumer from declining to request information from a business, declining to opt-out of a business’s sale of the consumer’s personal information, or authorizing a business to sell the consumer’s personal information after previously opting out.

          (Amended (as added by Stats. 2018, Ch. 55, Sec. 3) by Stats. 2018, Ch. 735, Sec. 14. (SB 1121) Effective September 23, 2018. Section operative January 1, 2020, pursuant to Section 1798.198. Superseded on January 1, 2023; see amendment by Proposition 24.)
           
        • 1798.194: Construction
          This title shall be liberally construed to effectuate its purposes.

          (Added by Stats. 2018, Ch. 55, Sec. 3. (AB 375) Effective January 1, 2019. Section operative January 1, 2020, pursuant to Section 1798.198.)
           
        • 1798.196: Federal Preemption
          This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the United States or California Constitution.

          (Amended (as added by Stats. 2018, Ch. 55, Sec. 3) by Stats. 2018, Ch. 735, Sec. 15. (SB 1121) Effective September 23, 2018. Section operative January 1, 2020, pursuant to Section 1798.198.)
           
        • 1798.198: Operative Date
          1. Subject to limitation provided in subdivision (b), and in Section 1798.199, this title shall be operative January 1, 2020.

          2. This title shall become operative only if initiative measure No. 17-0039, The Consumer Right to Privacy Act of 2018, is withdrawn from the ballot pursuant to Section 9604 of the Elections Code.

          (Amended (as added by Stats. 2018, Ch. 55, Sec. 3) by Stats. 2018, Ch. 735, Sec. 16. (SB 1121) Effective September 23, 2018.)
           
        • 1798.199
          Notwithstanding Section 1798.198, Section 1798.180 shall be operative on the effective date of the act adding this section.

          (Added by Stats. 2018, Ch. 735, Sec. 17. (SB 1121) Effective September 23, 2018. Operative September 23, 2018.)
           
        • 1798.199.10
          1. There is hereby established in state government the California Privacy Protection Agency, which is vested with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act of 2018. The agency shall be governed by a five-member board, including the chairperson. The chairperson and one member of the board shall be appointed by the Governor. The Attorney General, Senate Rules Committee, and Speaker of the Assembly shall each appoint one member. These appointments should be made from among Californians with expertise in the areas of privacy, technology, and consumer rights.

          2. The initial appointments to the agency shall be made within 90 days of the effective date of the act adding this section.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.1. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.100
          The agency and any court, as applicable, shall consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of any administrative fine or civil penalty for a violation of this title. A business shall not be required by the agency, a court, or otherwise to pay both an administrative fine and a civil penalty for the same violation.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.19. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.15
          Members of the agency board shall:

          1. Have qualifications, experience, and skills, in particular in the areas of privacy and technology, required to perform the duties of the agency and exercise its powers.

          2. Maintain the confidentiality of information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers, except to the extent that disclosure is required by the Public Records Act.

          3. Remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from another.

          4. Refrain from any action incompatible with their duties and engaging in any incompatible occupation, whether gainful or not, during their term.

          5. Have the right of access to all information made available by the agency to the chairperson.

          6. Be precluded, for a period of one year after leaving office, from accepting employment with a business that was subject to an enforcement action or civil action under this title during the member’s tenure or during the five-year period preceding the member’s appointment.

          7. Be precluded for a period of two years after leaving office from acting, for compensation, as an agent or attorney for, or otherwise representing, any other person in a matter pending before the agency if the purpose is to influence an action of the agency.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.2. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.20
          Members of the agency board, including the chairperson, shall serve at the pleasure of their appointing authority but shall serve for no longer than eight consecutive years.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.3. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.25
          For each day on which they engage in official duties, members of the agency board shall be compensated at the rate of one hundred dollars ($100), adjusted biennially to reflect changes in the cost of living, and shall be reimbursed for expenses incurred in performance of their official duties.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.4. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.30
          The agency board shall appoint an executive director who shall act in accordance with agency policies and regulations and with applicable law. The agency shall appoint and discharge officers, counsel, and employees, consistent with applicable civil service laws, and shall fix the compensation of employees and prescribe their duties. The agency may contract for services that cannot be provided by its employees.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.5. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.35
          The agency board may delegate authority to the chairperson or the executive director to act in the name of the agency between meetings of the agency, except with respect to resolution of enforcement actions and rulemaking authority.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.6. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.40
          The agency shall perform the following functions:

          1. Administer, implement, and enforce through administrative actions this title.

          2. On and after the earlier of July 1, 2021, or within six months of the agency providing the Attorney General with notice that it is prepared to assume rulemaking responsibilities under this title, adopt, amend, and rescind regulations pursuant to Section 1798.185 to carry out the purposes and provisions of the California Consumer Privacy Act of 2018, including regulations specifying record keeping requirements for businesses to ensure compliance with this title.

          3. Through the implementation of this title, protect the fundamental privacy rights of natural persons with respect to the use of their personal information.

          4. Promote public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale, and disclosure of personal information, including the rights of minors with respect to their own information, and provide a public report summarizing the risk assessments filed with the agency pursuant to paragraph (15) of subdivision (a) of Section 1798.185 while ensuring that data security is not compromised.

          5. Provide guidance to consumers regarding their rights under this title.

          6. Provide guidance to businesses regarding their duties and responsibilities under this title and appoint a Chief Privacy Auditor to conduct audits of businesses to ensure compliance with this title pursuant to regulations adopted pursuant to paragraph (18) of subdivision (a) of Section 1798.185.

          7. Provide technical assistance and advice to the Legislature, upon request, with respect to privacy-related legislation.

          8. Monitor relevant developments relating to the protection of personal information and in particular, the development of information and communication technologies and commercial practices.

          9. Cooperate with other agencies with jurisdiction over privacy laws and with data processing authorities in California, other states, territories, and countries to ensure consistent application of privacy protections.

          10. Establish a mechanism pursuant to which persons doing business in California that do not meet the definition of business set forth in paragraph (1), (2), or (3) of subdivision (d) of Section 1798.140 may voluntarily certify that they are in compliance with this title, as set forth in paragraph (4) of subdivision (d) of Section 1798.140, and make a list of those entities available to the public.

          11. Solicit, review, and approve applications for grants to the extent funds are available pursuant to paragraph (2) of subdivision (b) of Section 1798.160.

          12. Perform all other acts necessary or appropriate in the exercise of its power, authority, and jurisdiction and seek to balance the goals of strengthening consumer privacy while giving attention to the impact on businesses.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.7. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.45
          1. Upon the sworn complaint of any person or on its own initiative, the agency may investigate possible violations of this title relating to any business, service provider, contractor, or person. The agency may decide not to investigate a complaint or decide to provide a business with a time period to cure the alleged violation. In making a decision not to investigate or provide more time to cure, the agency may consider the following:

            1. Lack of intent to violate this title.

            2. Voluntary efforts undertaken by the business, service provider, contractor, or person to cure the alleged violation prior to being notified by the agency of the complaint.

          2. The agency shall notify in writing the person who made the complaint of the action, if any, the agency has taken or plans to take on the complaint, together with the reasons for that action or nonaction.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.8. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.50
          No finding of probable cause to believe this title has been violated shall be made by the agency unless, at least 30 days prior to the agency’s consideration of the alleged violation, the business, service provider, contractor, or person alleged to have violated this title is notified of the violation by service of process or registered mail with return receipt requested, provided with a summary of the evidence, and informed of their right to be present in person and represented by counsel at any proceeding of the agency held for the purpose of considering whether probable cause exists for believing the person violated this title. Notice to the alleged violator shall be deemed made on the date of service, the date the registered mail receipt is signed, or if the registered mail receipt is not signed, the date returned by the post office. A proceeding held for the purpose of considering probable cause shall be private unless the alleged violator files with the agency a written request that the proceeding be public.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.9. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.55
          1. When the agency determines there is probable cause for believing this title has been violated, it shall hold a hearing to determine if a violation has or violations have occurred. Notice shall be given and the hearing conducted in accordance with the Administrative Procedure Act (Chapter 5 (commencing with Section 11500), Part 1, Division 3, Title 2, Government Code). The agency shall have all the powers granted by that chapter. If the agency determines on the basis of the hearing conducted pursuant to this subdivision that a violation or violations have occurred, it shall issue an order that may require the violator to do all or any of the following:

            1. Cease and desist violation of this title.

            2. Subject to Section 1798.155, pay an administrative fine of up to two thousand five hundred dollars ($2,500) for each violation, or up to seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers to the Consumer Privacy Fund within the General Fund of the state. When the agency determines that no violation has occurred, it shall publish a declaration so stating.

          2. If two or more persons are responsible for any violation or violations, they shall be jointly and severally liable.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.10. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.60
          Whenever the agency rejects the decision of an administrative law judge made pursuant to Section 11517 of the Government Code, the agency shall state the reasons in writing for rejecting the decision.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.11. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.65
          The agency may subpoena witnesses, compel their attendance and testimony, administer oaths and affirmations, take evidence and require by subpoena the production of any books, papers, records, or other items material to the performance of the agency’s duties or exercise of its powers, including, but not limited to, its power to audit a business’ compliance with this title.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.12. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.70
          No administrative action brought pursuant to this title alleging a violation of any of the provisions of this title shall be commenced more than five years after the date on which the violation occurred.

          1. The service of the probable cause hearing notice, as required by Section 1798.199.50, upon the person alleged to have violated this title shall constitute the commencement of the administrative action.

          2. If the person alleged to have violated this title engages in the fraudulent concealment of the person’s acts or identity, the five-year period shall be tolled for the period of the concealment. For purposes of this subdivision, “fraudulent concealment” means the person knows of material facts related to the person’s duties under this title and knowingly conceals them in performing or omitting to perform those duties for the purpose of defrauding the public of information to which it is entitled under this title.

          3. If, upon being ordered by a superior court to produce any documents sought by a subpoena in any administrative proceeding under this title, the person alleged to have violated this title fails to produce documents in response to the order by the date ordered to comply therewith, the five-year period shall be tolled for the period of the delay from the date of filing of the motion to compel until the date the documents are produced.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.13. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.75
          1. In addition to any other available remedies, the agency may bring a civil action and obtain a judgment in superior court for the purpose of collecting any unpaid administrative fines imposed pursuant to this title after exhaustion of judicial review of the agency’s action. The action may be filed as a small claims, limited civil, or unlimited civil case depending on the jurisdictional amount. The venue for this action shall be in the county where the administrative fines were imposed by the agency. In order to obtain a judgment in a proceeding under this section, the agency shall show, following the procedures and rules of evidence as applied in ordinary civil actions, all of the following:

            1. That the administrative fines were imposed following the procedures set forth in this title and implementing regulations.

            2. That the defendant or defendants in the action were notified, by actual or constructive notice, of the imposition of the administrative fines.

            3. That a demand for payment has been made by the agency and full payment has not been received.

          2. A civil action brought pursuant to subdivision (a) shall be commenced within four years after the date on which the administrative fines were imposed.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.14. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.80
          1. If the time for judicial review of a final agency order or decision has lapsed, or if all means of judicial review of the order or decision have been exhausted, the agency may apply to the clerk of the court for a judgment to collect the administrative fines imposed by the order or decision, or the order as modified in accordance with a decision on judicial review.

          2. The application, which shall include a certified copy of the order or decision, or the order as modified in accordance with a decision on judicial review, and proof of service of the order or decision, constitutes a sufficient showing to warrant issuance of the judgment to collect the administrative fines. The clerk of the court shall enter the judgment immediately in conformity with the application.

          3. An application made pursuant to this section shall be made to the clerk of the superior court in the county where the administrative fines were imposed by the agency.

          4. A judgment entered in accordance with this section has the same force and effect as, and is subject to all the provisions of law relating to, a judgment in a civil action and may be enforced in the same manner as any other judgment of the court in which it is entered.

          5. The agency may bring an application pursuant to this section only within four years after the date on which all means of judicial review of the order or decision have been exhausted.

          6. The remedy available under this section is in addition to those available under any other law.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.15. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.85
          Any decision of the agency with respect to a complaint or administrative fine shall be subject to judicial review in an action brought by an interested party to the complaint or administrative fine and shall be subject to an abuse of discretion standard.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.16. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.90
          1. Any business, service provider, contractor, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. The court may consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of the civil penalty.

          2. Any civil penalty recovered by an action brought by the Attorney General for a violation of this title, and the proceeds of any settlement of any said action, shall be deposited in the Consumer Privacy Fund.

          3. The agency shall, upon request by the Attorney General, stay an administrative action or investigation under this title to permit the Attorney General to proceed with an investigation or civil action and shall not pursue an administrative action or investigation, unless the Attorney General subsequently determines not to pursue an investigation or civil action. The agency may not limit the authority of the Attorney General to enforce this title.

          4. No civil action may be filed by the Attorney General under this section for any violation of this title after the agency has issued a decision pursuant to Section 1798.199.85 or an order pursuant to Section 1798.199.55 against that person for the same violation.

          5. This section shall not affect the private right of action provided for in Section 1798.150.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.17. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.95
          1. There is hereby appropriated from the General Fund of the state to the agency the sum of five million dollars ($5,000,000) during the fiscal year 2020–2021, and the sum of ten million dollars ($10,000,000) adjusted for cost-of-living changes, during each fiscal year thereafter, for expenditure to support the operations of the agency pursuant to this title. The expenditure of funds under this appropriation shall be subject to the normal administrative review given to other state appropriations. The Legislature shall appropriate those additional amounts to the commission and other agencies as may be necessary to carry out the provisions of this title.

          2. The Department of Finance, in preparing the state budget and the Budget Act bill submitted to the Legislature, shall include an item for the support of this title that shall indicate all of the following:

            1. The amounts to be appropriated to other agencies to carry out their duties under this title, which amounts shall be in augmentation of the support items of those agencies.

            2. The additional amounts required to be appropriated by the Legislature to the agency to carry out the purposes of this title, as provided for in this section.

            3. In parentheses, for informational purposes, the continuing appropriation during each fiscal year of ten million dollars ($10,000,000), adjusted for cost-of-living changes made pursuant to this section.

          3. The Attorney General shall provide staff support to the agency until the agency has hired its own staff. The Attorney General shall be reimbursed by the agency for these services.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.18. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
    • California Privacy Rights Act (CPRA)
      • Right to Know
        • 1798.100: General Duties of Businesses that Collect Personal Information
          1. A business that controls the collection of a consumer’s personal information shall, at or before the point of collection, inform consumers of the following:

            1. The categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether that information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.

            2. If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section.

            3. The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.

          2. A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the homepage of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location.

          3. A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.

          4. A business that collects a consumer’s personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor, that:

            1. Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.

            2. Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title.

            3. Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business’ obligations under this title.

            4. Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.

            5. Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

          5. A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.

          6. Nothing in this section shall require a business to disclose trade secrets, as specified in regulations adopted pursuant to paragraph (3) of subdivision (a) of Section 1798.185.

          (Amended November 3, 2020, by initiative Proposition 24, Sec. 4. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
        • 1798.105: Consumers’ Right to Delete Personal Information
          1. A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.

          2. A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumer’s rights to request the deletion of the consumer’s personal information.

          3. A business that receives

            1. a verifiable consumer request from a consumer to delete the consumer’s personal information pursuant to subdivision (a) of this section shall delete the consumer’s personal information from its records, notify any service providers or contractors to delete the consumer’s personal information from their records, and notify all third parties to whom the business has sold or shared the personal information to delete the consumer’s personal information unless this proves impossible or involves disproportionate effort.

            2. The business may maintain a confidential record of deletion requests solely for the purpose of preventing the personal information of a consumer who has submitted a deletion request from being sold, for compliance with laws or for other purposes, solely to the extent permissible under this title.

            3. A service provider or contractor shall cooperate with the business in responding to a verifiable consumer request, and at the direction of the business, shall delete, or enable the business to delete and shall notify any of its own service providers or contractors to delete personal information about the consumer collected, used, processed, or retained by the service provider or the contractor. The service provider or contractor shall notify any service providers, contractors, or third parties who may have accessed personal information from or through the service provider or contractor, unless the information was accessed at the direction of the business, to delete the consumer’s personal information unless this proves impossible or involves disproportionate effort. A service provider or contractor shall not be required to comply with a deletion request submitted by the consumer directly to the service provider or contractor to the extent that the service provider or contractor has collected, used, processed, or retained the consumer’s personal information in its role as a service provider or contractor to the business.

          4. A business, or a service provider or contractor acting pursuant to its contract with the business, another service provider, or another contractor, shall not be required to comply with a consumer’s request to delete the consumer’s personal information if it is reasonably necessary for the business, service provider, or contractor to maintain the consumer’s personal information in order to:

            1. Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated by the consumer within the context of a business’ ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.

            2. Help to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for those purposes.

            3. Debug to identify and repair errors that impair existing intended functionality.

            4. Exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law.

            5. Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.

            6. Engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when the business’ deletion of the information is likely to render impossible or seriously impair the ability to complete such research, if the consumer has provided informed consent.

            7. To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business and compatible with the context in which the consumer provided the information.

            8. Comply with a legal obligation.

          (Amended November 3, 2020, by initiative Proposition 24, Sec. 5. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.106: Consumers’ Right to Correct Inaccurate Personal Information
          1. A consumer shall have the right to request a business that maintains inaccurate personal information about the consumer to correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.

          2. A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumer’s right to request correction of inaccurate personal information.

          3. A business that receives a verifiable consumer request to correct inaccurate personal information shall use commercially reasonable efforts to correct the inaccurate personal information as directed by the consumer, pursuant to Section 1798.130 and regulations adopted pursuant to paragraph (8) of subdivision (a) of Section 1798.185.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 6. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.110: Consumers’ Right to Know What Personal Information is Being Collected. Right to Access
          1. A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:

            1. The categories of personal information it has collected about that consumer.

            2. The categories of sources from which the personal information is collected.

            3. The business or commercial purpose for collecting, selling, or sharing personal information.

            4. The categories of third parties to whom the business discloses personal information.

            5. The specific pieces of personal information it has collected about that consumer.

          2. A business that collects personal information about a consumer shall disclose to the consumer, pursuant to subparagraph (B) of paragraph (3) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) upon receipt of a verifiable consumer request from the consumer, provided that a business shall be deemed to be in compliance with paragraphs (1) to (4), inclusive, of subdivision (a) to the extent that the categories of information and the business or commercial purpose for collecting, selling, or sharing personal information it would be required to disclose to the consumer pursuant to paragraphs (1) to (4), inclusive, of subdivision (a) is the same as the information it has disclosed pursuant to paragraphs (1) to (4), inclusive, of subdivision (c).

          3. A business that collects personal information about consumers shall disclose, pursuant to subparagraph (B) of paragraph (5) of subdivision (a) of Section 1798.130:

            1. The categories of personal information it has collected about consumers.

            2. The categories of sources from which the personal information is collected.

            3. The business or commercial purpose for collecting, selling, or sharing personal information.

            4. The categories of third parties to whom the business discloses personal information.

            5. That a consumer has the right to request the specific pieces of personal information the business has collected about that consumer.

          (Amended November 3, 2020, by initiative Proposition 24, Sec. 7. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
           
      • Sale
        • 1798.115: Consumers’ Right to Know What Personal Information Is Sold or Shared and to Whom
          1. A consumer shall have the right to request that a business that sells or shares the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer:

            1. The categories of personal information that the business collected about the consumer.

            2. The categories of personal information that the business sold or shared about the consumer and the categories of third parties to whom the personal information was sold or shared, by category or categories of personal information for each category of third parties to whom the personal information was sold or shared.

            3. The categories of personal information that the business disclosed about the consumer for a business purpose and the categories of persons to whom it was disclosed for a business purpose.

          2. A business that sells or shares personal information about a consumer, or that discloses a consumer’s personal information for a business purpose, shall disclose, pursuant to paragraph (4) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) to the consumer upon receipt of a verifiable consumer request from the consumer.

          3. A business that sells or shares consumers’ personal information, or that discloses consumers’ personal information for a business purpose, shall disclose, pursuant to subparagraph (C) of paragraph (5) of subdivision (a) of Section 1798.130:

            1. The category or categories of consumers’ personal information it has sold or shared, or if the business has not sold or shared consumers’ personal information, it shall disclose that fact.

            2. The category or categories of consumers’ personal information it has disclosed for a business purpose, or if the business has not disclosed consumers’ personal information for a business purpose, it shall disclose that fact.

          4. A third party shall not sell or share personal information about a consumer that has been sold to, or shared with, the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out pursuant to Section 1798.120.

          (Amended November 3, 2020, by initiative Proposition 24, Sec. 8. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.120: Consumers’ Right to Opt Out of Sale or Sharing of Personal Information
          1. A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information. This right may be referred to as the right to opt-out of sale or sharing.

          2. A business that sells consumers’ personal information to, or shares it with, third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold or shared and that consumers have the “right to opt-out” of the sale or sharing of their personal information.

          3. Notwithstanding subdivision (a), a business shall not sell or share the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.

          4. A business that has received direction from a consumer not to sell or share the consumer’s personal information or, in the case of a minor consumer’s personal information has not received consent to sell or share the minor consumer’s personal information, shall be prohibited, pursuant to paragraph (4) of subdivision (c) of Section 1798.135, from selling or sharing the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides consent, for the sale or sharing of the consumer’s personal information.

          (Amended November 3, 2020, by initiative Proposition 24, Sec. 9. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
           
      • Sensitive Information
        • 1798.121: Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information
          1. A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, to perform the services set forth in paragraphs (2), (4), (5), and (8) of subdivision (e) of Section 1798.140, and as authorized by regulations adopted pursuant to subparagraph (C) of paragraph (19) of subdivision (a) of Section 1798.185. A business that uses or discloses a consumer’s sensitive personal information for purposes other than those specified in this subdivision shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be used, or disclosed to a service provider or contractor, for additional, specified purposes and that consumers have the right to limit the use or disclosure of their sensitive personal information.

          2. A business that has received direction from a consumer not to use or disclose the consumer’s sensitive personal information, except as authorized by subdivision (a), shall be prohibited, pursuant to paragraph (4) of subdivision (c) of Section 1798.135, from using or disclosing the consumer’s sensitive personal information for any other purpose after its receipt of the consumer’s direction unless the consumer subsequently provides consent for the use or disclosure of the consumer’s sensitive personal information for additional purposes.

          3. A service provider or contractor that assists a business in performing the purposes authorized by subdivision (a) may not use the sensitive personal information after it has received instructions from the business and to the extent it has actual knowledge that the personal information is sensitive personal information for any other purpose. A service provider or contractor is only required to limit its use of sensitive personal information received pursuant to a written contract with the business in response to instructions from the business and only with respect to its relationship with that business.

          4. Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to this section, as further defined in regulations adopted pursuant to subparagraph (C) of paragraph (19) of subdivision (a) of Section 1798.185, and shall be treated as personal information for purposes of all other sections of this act, including Section 1798.100.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 10. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
           
      • Non-Discrimination
        • 1798.125: Consumers’ Right of No Retaliation Following Opt Out or Exercise of Other Rights
          1. A business shall not:

            1. Discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by:

              1. Denying goods or services to the consumer.

              2. Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.

              3. Providing a different level or quality of goods or services to the consumer.

              4. Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

              5. Retaliating against an employee, applicant for employment, or independent contractor, as defined in subparagraph (A) of paragraph (2) of subdivision (m) of Section 1798.145, for exercising their rights under this title.

            2. Nothing in this subdivision prohibits a business, pursuant to subdivision (b), from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the business by the consumer’s data.

            3. This subdivision does not prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs consistent with this title.

          2. 1.    A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale or sharing of personal information, or the retention of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is reasonably related to the value provided to the business by the consumer’s data.

            1. A business that offers any financial incentives pursuant to this subdivision, shall notify consumers of the financial incentives pursuant to Section 1798.130.

            2. A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.130 that clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time. If a consumer refuses to provide opt-in consent, then the business shall wait for at least 12 months before next requesting that the consumer provide opt-in consent, or as prescribed by regulations adopted pursuant to Section 1798.185.

            3. A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.
          Amended November 3, 2020, by initiative Proposition 24, Sec. 11. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
      • Rights Methods
        • 1798.130: Notice, Disclosure, Correction, and Deletion Requirements
          1. In order to comply with Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, and 1798.125, a business shall, in a form that is reasonably accessible to consumers:

            1. A.   Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, or requests for deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively, including, at a minimum, a toll-free telephone number. A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, or for requests for deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively.

              1. If the business maintains an internet website, make the internet website available to consumers to submit requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, or requests for deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively.

            2. A.   Disclose and deliver the required information to a consumer free of charge, correct inaccurate personal information, or delete a consumer’s personal information, based on the consumer’s request, within 45 days of receiving a verifiable consumer request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable consumer request, but this shall not extend the business’s duty to disclose and deliver the information, to correct inaccurate personal information, or to delete personal information within 45 days of receipt of the consumer’s request. The time period to provide the required information, to correct inaccurate personal information, or to delete personal information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period. The disclosure of the required information shall be made in writing and delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance. The business may require authentication of the consumer that is reasonable in light of the nature of the personal information requested, but shall not require the consumer to create an account with the business in order to make a verifiable consumer request provided that if the consumer, has an account with the business, the business may require the consumer to use that account to submit a verifiable consumer request.

              1. The disclosure of the required information shall cover the 12-month period preceding the business’ receipt of the verifiable consumer request provided that, upon the adoption of a regulation pursuant to paragraph (9) of subdivision (a) of Section 1798.185, a consumer may request that the business disclose the required information beyond the 12-month period, and the business shall be required to provide that information unless doing so proves impossible or would involve a disproportionate effort. A consumer’s right to request required information beyond the 12-month period, and a business’s obligation to provide that information, shall only apply to personal information collected on or after January 1, 2022. Nothing in this subparagraph shall require a business to keep personal information for any length of time.

            3. A.   A business that receives a verifiable consumer request pursuant to Section 1798.110 or 1798.115 shall disclose any personal information it has collected about a consumer, directly or indirectly, including through or by a service provider or contractor, to the consumer. A service provider or contractor shall not be required to comply with a verifiable consumer request received directly from a consumer or a consumer’s authorized agent, pursuant to Section 1798.110 or 1798.115, to the extent that the service provider or contractor has collected personal information about the consumer in its role as a service provider or contractor. A service provider or contractor shall provide assistance to a business with which it has a contractual relationship with respect to the business’ response to a verifiable consumer request, including, but not limited to, by providing to the business the consumer’s personal information in the service provider or contractor’s possession, which the service provider or contractor obtained as a result of providing services to the business, and by correcting inaccurate information or by enabling the business to do the same. A service provider or contractor that collects personal information pursuant to a written contract with a business shall be required to assist the business through appropriate technical and organizational measures in complying with the requirements of subdivisions (d) to (f), inclusive, of Section 1798.100, taking into account the nature of the processing.

              1. For purposes of subdivision (b) of Section 1798.110:

                1. To identify the consumer, associate the information provided by the consumer in the verifiable consumer request to any personal information previously collected by the business about the consumer.

                2. Identify by category or categories the personal information collected about the consumer for the applicable period of time by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information collected; the categories of sources from which the consumer’s personal information was collected; the business or commercial purpose for collecting, selling, or sharing the consumer’s personal information; and the categories of third parties to whom the business discloses the consumer’s personal information.

                3. Provide the specific pieces of personal information obtained from the consumer in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format that may also be transmitted to another entity at the consumer’s request without hindrance. “Specific pieces of information” do not include data generated to help ensure security and integrity or as prescribed by regulation. Personal information is not considered to have been disclosed by a business when a consumer instructs a business to transfer the consumer’s personal information from one business to another in the context of switching services.

            4. For purposes of subdivision (b) of Section 1798.115:

              1. Identify the consumer and associate the information provided by the consumer in the verifiable consumer request to any personal information previously collected by the business about the consumer.

              2. Identify by category or categories the personal information of the consumer that the business sold or shared during the applicable period of time by reference to the enumerated category in subdivision (c) that most closely describes the personal information, and provide the categories of third parties to whom the consumer’s personal information was sold or shared during the applicable period of time by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information sold or shared. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (C).

              3. Identify by category or categories the personal information of the consumer that the business disclosed for a business purpose during the applicable period of time by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information, and provide the categories of persons to whom the consumer’s personal information was disclosed for a business purpose during the applicable period of time by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information disclosed. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (B).

            5. Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers’ privacy rights, or if the business does not maintain those policies, on its internet website, and update that information at least once every 12 months:

              1. A description of a consumer’s rights pursuant to Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, and 1798.125 and two or more designated methods for submitting requests, except as provided in subparagraph (A) of paragraph (1) of subdivision (a).

              2. For purposes of subdivision (c) of Section 1798.110:

                1. A list of the categories of personal information it has collected about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information collected.

                2. The categories of sources from which consumers’ personal information is collected.

                3. The business or commercial purpose for collecting, selling, or sharing consumers’ personal information.

                4. The categories of third parties to whom the business discloses consumers’ personal information.

              3. For purposes of paragraphs (1) and (2) of subdivision (c) of Section 1798.115, two separate lists:

                1. A list of the categories of personal information it has sold or shared about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information sold or shared, or if the business has not sold or shared consumers’ personal information in the preceding 12 months, the business shall prominently disclose that fact in its privacy policy.

                2. A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely describes the personal information disclosed, or if the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business shall disclose that fact.

            6. Ensure that all individuals responsible for handling consumer inquiries about the business’ privacy practices or the business’ compliance with this title are informed of all requirements in Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.125, and this section, and how to direct consumers to exercise their rights under those sections.

            7. Use any personal information collected from the consumer in connection with the business’ verification of the consumer’s request solely for the purposes of verification and shall not further disclose the personal information, retain it longer than necessary for purposes of verification, or use it for unrelated purposes.

          2. A business is not obligated to provide the information required by Sections 1798.110 and 1798.115 to the same consumer more than twice in a 12-month period.

          3. The categories of personal information required to be disclosed pursuant to Sections 1798.100, 1798.110, and 1798.115 shall follow the definitions of personal information and sensitive personal information in Section 1798.140 by describing the categories of personal information using the specific terms set forth in subparagraphs (A) to (K), inclusive, of paragraph (1) of subdivision (v) of Section 1798.140 and by describing the categories of sensitive personal information using the specific terms set forth in paragraphs (1) to (9), inclusive, of subdivision (ae) of Section 1798.140.

          (Amended November 3, 2020, by initiative Proposition 24, Sec. 12. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.135: Methods of Limiting Sale, Sharing, and Use of Personal and Sensitive Information
          1. A business that sells or shares consumers’ personal information or uses or discloses consumers’ sensitive personal information for purposes other than those authorized by subdivision (a) of Section 1798.121 shall, in a form that is reasonably accessible to consumers:

            1. Provide a clear and conspicuous link on the business’s internet homepages, titled “Do Not Sell or Share My Personal Information,” to an internet web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale or sharing of the consumer’s personal information.

            2. Provide a clear and conspicuous link on the business’ internet homepages, titled “Limit the Use of My Sensitive Personal Information,” that enables a consumer, or a person authorized by the consumer, to limit the use or disclosure of the consumer’s sensitive personal information to those uses authorized by subdivision (a) of Section 1798.121.

            3. At the business’ discretion, utilize a single, clearly labeled link on the business’ internet homepages, in lieu of complying with paragraphs (1) and (2), if that link easily allows a consumer to opt out of the sale or sharing of the consumer’s personal information and to limit the use or disclosure of the consumer’s sensitive personal information.

            4. In the event that a business responds to opt-out requests received pursuant to paragraph (1), (2), or (3) by informing the consumer of a charge for the use of any product or service, present the terms of any financial incentive offered pursuant to subdivision (b) of Section 1798.125 for the retention, use, sale, or sharing of the consumer’s personal information.

          2. 1.    A business shall not be required to comply with subdivision (a) if the business allows consumers to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information through an opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism, based on technical specifications set forth in regulations adopted pursuant to paragraph (20) of subdivision (a) of Section 1798.185, to the business indicating the consumer’s intent to opt out of the business’ sale or sharing of the consumer’s personal information or to limit the use or disclosure of the consumer’s sensitive personal information, or both.

            1. A business that allows consumers to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information pursuant to paragraph (1) may provide a link to a web page that enables the consumer to consent to the business ignoring the opt-out preference signal with respect to that business’ sale or sharing of the consumer’s personal information or the use of the consumer’s sensitive personal information for additional purposes provided that:

              1. The consent web page also allows the consumer or a person authorized by the consumer to revoke the consent as easily as it is affirmatively provided.
              2. The link to the web page does not degrade the consumer’s experience on the web page the consumer intends to visit and has a similar look, feel, and size relative to other links on the same web page.
              3. The consent web page complies with technical specifications set forth in regulations adopted pursuant to paragraph (20) of subdivision (a) of Section 1798.185.

            2. A business that complies with subdivision (a) is not required to comply with subdivision (b). For the purposes of clarity, a business may elect whether to comply with subdivision (a) or subdivision (b).

          3. A business that is subject to this section shall:

            1. Not require a consumer to create an account or provide additional information beyond what is necessary in order to direct the business not to sell or share the consumer’s personal information or to limit use or disclosure of the consumer’s sensitive personal information.

            2. Include a description of a consumer’s rights pursuant to Sections 1798.120 and 1798.121, along with a separate link to the “Do Not Sell or Share My Personal Information” internet web page and a separate link to the “Limit the Use of My Sensitive Personal Information” internet web page, if applicable, or a single link to both choices, or a statement that the business responds to and abides by opt-out preference signals sent by a platform, technology, or mechanism in accordance with subdivision (b), in:

              1. Its online privacy policy or policies if the business has an online privacy policy or policies.

              2. Any California-specific description of consumers’ privacy rights.

            3. Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Sections 1798.120, 1798.121, and this section and how to direct consumers to exercise their rights under those sections.

            4. For consumers who exercise their right to opt-out of the sale or sharing of their personal information or limit the use or disclosure of their sensitive personal information, refrain from selling or sharing the consumer’s personal information or using or disclosing the consumer’s sensitive personal information and wait for at least 12 months before requesting that the consumer authorize the sale or sharing of the consumer’s personal information or the use and disclosure of the consumer’s sensitive personal information for additional purposes, or as authorized by regulations.

            5. For consumers under 16 years of age who do not consent to the sale or sharing of their personal information, refrain from selling or sharing the personal information of the consumer under 16 years of age and wait for at least 12 months before requesting the consumer’s consent again, or as authorized by regulations or until the consumer attains 16 years of age.

            6. Use any personal information collected from the consumer in connection with the submission of the consumer’s opt-out request solely for the purposes of complying with the opt-out request.

          4. Nothing in this title shall be construed to require a business to comply with the title by including the required links and text on the homepage that the business makes available to the public generally, if the business maintains a separate and additional homepage that is dedicated to California consumers and that includes the required links and text, and the business takes reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally.

          5. A consumer may authorize another person to opt-out of the sale or sharing of the consumer’s personal information and to limit the use of the consumer’s sensitive personal information on the consumer’s behalf, including through an opt-out preference signal, as defined in paragraph (1) of subdivision (b), indicating the consumer’s intent to opt out, and a business shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer’s behalf, pursuant to regulations adopted by the Attorney General regardless of whether the business has elected to comply with subdivision (a) or (b). For purposes of clarity, a business that elects to comply with subdivision (a) may respond to the consumer’s opt-out consistent with Section 1798.125.

          6. If a business communicates a consumer’s opt-out request to any person authorized by the business to collect personal information, the person shall thereafter only use that consumer’s personal information for a business purpose specified by the business, or as otherwise permitted by this title, and shall be prohibited from:

            1. Selling or sharing the personal information.

            2. Retaining, using, or disclosing that consumer’s personal information.

              1. For any purpose other than for the specific purpose of performing the services offered to the business.

              2. Outside of the direct business relationship between the person and the business.

              3. For a commercial purpose other than providing the services to the business.

          7. A business that communicates a consumer’s opt-out request to a person pursuant to subdivision (f) shall not be liable under this title if the person receiving the opt-out request violates the restrictions set forth in the title provided that, at the time of communicating the opt-out request, the business does not have actual knowledge, or reason to believe, that the person intends to commit such a violation. Any provision of a contract or agreement of any kind that purports to waive or limit in any way this subdivision shall be void and unenforceable.

          (Amended November 3, 2020, by initiative Proposition 24, Sec. 13. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
           
      • Definitions
        • 1798.140: Definitions
          For purposes of this title:

          1. “Advertising and marketing” means a communication by a business or a person acting on the business’ behalf in any medium intended to induce a consumer to obtain goods, services, or employment.

          2. “Aggregate consumer information” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. “Aggregate consumer information” does not mean one or more individual consumer records that have been deidentified.

          3. “Biometric information” means an individual’s physiological, biological or behavioral characteristics, including information pertaining to an individual’s deoxyribonucleic acid (DNA), that is used or is intended to be used singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

          4. “Business” means:

            1. A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

              1. As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.

              2. Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households.

              3. Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

            2. Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business and with whom the business shares consumers’ personal information. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark that the average consumer would understand that two or more entities are commonly owned.

            3. A joint venture or partnership composed of businesses in which each business has at least a 40 percent interest. For purposes of this title, the joint venture or partnership and each business that composes the joint venture or partnership shall separately be considered a single business, except that personal information in the possession of each business and disclosed to the joint venture or partnership shall not be shared with the other business.

            4. A person that does business in California, that is not covered by paragraph (1), (2), or (3) and that voluntarily certifies to the California Privacy Protection Agency that it is in compliance with, and agrees to be bound by, this title.

          5. “Business purpose” means the use of personal information for the business’s operational purposes, or other notified purposes, or for the service provider or contractor’s operational purposes, as defined by regulations adopted pursuant to paragraph (11) of subdivision (a) of Section 1798.185, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the purpose for which the personal information was collected or processed or for another purpose that is compatible with the context in which the personal information was collected. Business purposes are:

            1. Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.

            2. Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes.

            3. Debugging to identify and repair errors that impair existing intended functionality.

            4. Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business.

            5. Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.

            6. Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.

            7. Undertaking internal research for technological development and demonstration.

            8. Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.

          6. “Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.

          7. “Commercial purposes” means to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.

          8. “Consent” means any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer, or the consumer’s legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer, including by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose. Acceptance of a general or broad terms of use, or similar document, that contains descriptions of personal information processing along with other, unrelated information, does not constitute consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute consent. Likewise, agreement obtained through use of dark patterns does not constitute consent.

          9. “Consumer” means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.

          10. “Contractor” means

            1. A person to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract with the business, provided that the contract:

              1. Prohibits the contractor from:

                1. Selling or sharing the personal information.

                2. Retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the contract, or as otherwise permitted by this title.

                3. Retaining, using, or disclosing the information outside of the direct business relationship between the contractor and the business.

                4. Combining the personal information that the contractor receives pursuant to a written contract with the business with personal information that it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, provided that the contractor may combine personal information to perform any business purpose as defined in regulations adopted pursuant to paragraph (10) of subdivision (a) of Section 1798.185, except as provided for in paragraph (6) of subdivision (e) and in regulations adopted by the California Privacy Protection Agency.

              2. Includes a certification made by the contractor that the contractor understands the restrictions in subparagraph (A) and will comply with them.

              3. Permits, subject to agreement with the contractor, the business to monitor the contractor’s compliance with the contract through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months.

            2. If a contractor engages any other person to assist it in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the contractor engages another person to assist in processing personal information for that business purpose, it shall notify the business of that engagement, and the engagement shall be pursuant to a written contract binding the other person to observe all the requirements set forth in paragraph (1).

          11. “Cross-context behavioral advertising” means the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.

          12. “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice, as further defined by regulation.

          13. “Deidentified” means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer provided that the business that possesses the information:

            1. Takes reasonable measures to ensure that the information cannot be associated with a consumer or household.

            2. Publicly commits to maintain and use the information in deidentified form and not to attempt to reidentify the information, except that the business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this subdivision.

            3. Contractually obligates any recipients of the information to comply with all provisions of this subdivision.

          14. “Designated methods for submitting requests” means a mailing address, email address, internet web page, internet web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under this title, and any new, consumer-friendly means of contacting a business, as approved by the Attorney General pursuant to Section 1798.185.

          15. “Device” means any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.

          16. “Homepage” means the introductory page of an internet website and any internet web page where personal information is collected. In the case of an online service, such as a mobile application, homepage means the application’s platform page or download page, a link within the application, such as from the application configuration, “About,” “Information,’’ or settings page, and any other location that allows consumers to review the notices required by this title, including, but not limited to, before downloading the application.

          17. “Household” means a group, however identified, of consumers who cohabitate with one another at the same residential address and share use of common devices or services.

          18. “Infer” or “inference” means the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.

          19. “Intentionally interacts” means when the consumer intends to interact with a person, or disclose personal information to a person, via one or more deliberate interactions, including visiting the person’s website or purchasing a good or service from the person. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a person.

          20. “Nonpersonalized advertising” means advertising and marketing that is based solely on a consumer’s personal information derived from the consumer’s current interaction with the business with the exception of the consumer’s precise geolocation.

          21. “Person” means an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert.

          22. “Personal information” means

            1. Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

              1. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

              2. Any personal information described in subdivision (e) of Section 1798.80.

              3. Characteristics of protected classifications under California or federal law.

              4. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

              5. Biometric information.

              6. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement.

              7. Geolocation data.

              8. Audio, electronic, visual, thermal, olfactory, or similar information.

              9. Professional or employment-related information.

              10. Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).

              11. Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

              12. Sensitive personal information.

            2. “Personal information” does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern. For purposes of this paragraph, “publicly available” means: information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or by the consumer; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.

            3. “Personal information” does not include consumer information that is deidentified or aggregate consumer information.

          23. “Precise geolocation” means any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet, except as prescribed by regulations.

          24. “Probabilistic identifier” means the identification of a consumer or a consumer’s device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.

          25. “Processing” means any operation or set of operations that are performed on personal information or on sets of personal information, whether or not by automated means.

          26. “Profiling” means any form of automated processing of personal information, as further defined by regulations pursuant to paragraph (16) of subdivision (a) of Section 1798.185, to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

          27. “Pseudonymize” or “Pseudonymization” means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.

          28. “Research” means scientific analysis, systematic study and observation, including basic research or applied research that is designed to develop or contribute to public or scientific knowledge and that adheres or otherwise conforms to all other applicable ethics and privacy laws, including, but not limited to, studies conducted in the public interest in the area of public health. Research with personal information that may have been collected from a consumer in the course of the consumer’s interactions with a business’s service or device for other purposes shall be:

            1. Compatible with the business purpose for which the personal information was collected.

            2. Subsequently pseudonymized and deidentified, or deidentified and in the aggregate, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, by a business.

            3. Made subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain, other than as needed to support the research.

            4. Subject to business processes that specifically prohibit reidentification of the information, other than as needed to support the research.

            5. Made subject to business processes to prevent inadvertent release of deidentified information.

            6. Protected from any reidentification attempts.

            7. Used solely for research purposes that are compatible with the context in which the personal information was collected.

            8. Subjected by the business conducting the research to additional security controls that limit access to the research data to only those individuals as are necessary to carry out the research purpose.
          29. “Security and integrity” means the ability of:

            1. Networks or information systems to detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information.

            2. Businesses to detect security incidents, resist malicious, deceptive, fraudulent, or illegal actions and to help prosecute those responsible for those actions.

            3. Businesses to ensure the physical safety of natural persons.

          30. “Sell,” “selling,” “sale,” or “sold,’’ means

            1. Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.

            2. For purposes of this title, a business does not sell personal information when:

              1. A consumer uses or directs the business to intentionally:

                1. Disclose personal information.

                2. Interact with one or more third parties.

              2. The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information or limited the use of the consumer’s sensitive personal information for the purposes of alerting persons that the consumer has opted out of the sale of the consumer’s personal information or limited the use of the consumer’s sensitive personal information.

              3. The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with this title. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with this title. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).

          31. “Sensitive personal information” means:

            1. Personal information that reveals:

              1. A consumer’s social security, driver’s license, state identification card, or passport number.

              2. A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.

              3. A consumer’s precise geolocation.

              4. A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership.

              5. The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication.

              6. A consumer’s genetic data.

            2. The processing of

              1. Biometric information for the purpose of uniquely identifying a consumer.

              2. Personal information collected and analyzed concerning a consumer’s health.

              3. Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

            3. Sensitive personal information that is “publicly available” pursuant to paragraph (2) of subdivision (v) shall not be considered sensitive personal information or personal information.

          32. “Service” or “services” means work, labor, and services, including services furnished in connection with the sale or repair of goods.

          33. “Service provider” means

            1. A person that processes personal information on behalf of a business and that receives from or on behalf of the business consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the person from:

              1. Selling or sharing the personal information.

              2. Retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract for the business, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the contract with the business, or as otherwise permitted by this title.

              3. Retaining, using, or disclosing the information outside of the direct business relationship between the service provider and the business.

              4. Combining the personal information that the service provider receives from, or on behalf of, the business with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, provided that the service provider may combine personal information to perform any business purpose as defined in regulations adopted pursuant to paragraph (10) of subdivision (a) of Section 1798.185, except as provided for in paragraph (6) of subdivision (e) of this section and in regulations adopted by the California Privacy Protection Agency. The contract may, subject to agreement with the service provider, permit the business to monitor the service provider’s compliance with the contract through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months.

            2. If a service provider engages any other person to assist it in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the service provider engages another person to assist in processing personal information for that business purpose, it shall notify the business of that engagement, and the engagement shall be pursuant to a written contract binding the other person to observe all the requirements set forth in paragraph (1).

          34. “Share,” “shared,” or “sharing” means

            1. Sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.

            2. For purposes of this title, a business does not share personal information when:

              1. A consumer uses or directs the business to intentionally disclose personal information or intentionally interact with one or more third parties.

              2. The business uses or shares an identifier for a consumer who has opted out of the sharing of the consumer’s personal information or limited the use of the consumer’s sensitive personal information for the purposes of alerting persons that the consumer has opted out of the sharing of the consumer’s personal information or limited the use of the consumer’s sensitive personal information.

              3. The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with this title. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with this title. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).

          35. “Third party” means a person who is not any of the following:

            1. The business with whom the consumer intentionally interacts and that collects personal information from the consumer as part of the consumer’s current interaction with the business under this title.

            2. A service provider to the business.

            3. A contractor.

          36. “Unique identifier” or “Unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device that is linked to a consumer or family. For purposes of this subdivision, “family” means a custodial parent or guardian and any children under 18 years of age over which the parent or guardian has custody.

          37. “Verifiable consumer request” means a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, or by a person who has power of attorney or is acting as a conservator for the consumer, and that the business can verify, using commercially reasonable methods, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer pursuant to Sections 1798.110 and 1798.115, to delete personal information pursuant to Section 1798.105, or to correct inaccurate personal information pursuant to Section 1798.106, if the business cannot verify, pursuant to this subdivision and regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185, that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.

          (Amended November 3, 2020, by initiative Proposition 24, Sec. 14. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
      • Exemptions
        • 1798.145: Exemptions
          1. The obligations imposed on businesses by this title shall not restrict a business’s ability to:

            1. Comply with federal, state, or local laws or comply with a court order or subpoena to provide information.

            2. Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Law enforcement agencies, including police and sheriff’s departments, may direct a business pursuant to a law enforcement agency-approved investigation with an active case number not to delete a consumer’s personal information, and upon receipt of that direction, a business shall not delete the personal information for 90 days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumer’s personal information. For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct a business not to delete the consumer’s personal information for additional 90-day periods. A business that has received direction from a law enforcement agency not to delete the personal information of a consumer who has requested deletion of the consumer’s personal information shall not use the consumer’s personal information for any purpose other than retaining it to produce to law enforcement in response to a court-issued subpoena, order, or warrant unless the consumer’s deletion request is subject to an exemption from deletion under this title.

            3. Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.

            4. Cooperate with a government agency request for emergency access to a consumer’s personal information if a natural person is at risk or danger of death or serious physical injury provided that:

              1. The request is approved by a high-ranking agency officer for emergency access to a consumer’s personal information.

              2. The request is based on the agency’s good faith determination that it has a lawful basis to access the information on a nonemergency basis.

              3. The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.

            5. Exercise or defend legal claims.

            6. Collect, use, retain, sell, share, or disclose consumers’ personal information that is deidentified or aggregate consumer information.

            7. Collect, sell, or share a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.

          2. The obligations imposed on businesses by Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135 shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.

          3. This title shall

            1. Not apply to any of the following:

              1. Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).

              2. A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.

              3. Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by this subparagraph, and if it is inconsistent, that participants be informed of that use and provide consent.

            2. For purposes of this subdivision, the definitions of “medical information” and “provider of health care” in Section 56.05 shall apply and the definitions of “business associate,” “covered entity,” and “protected health information” in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.

          4. This title shall not

            1. Apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.

            2. Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.

            3. This subdivision shall not apply to Section 1798.150.

          5. This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.). This subdivision shall not apply to Section 1798.150.

          6. This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.

          7. Section 1798.120 shall not

            1. Apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicle’s manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.

            2. For purposes of this subdivision:

              1. “Vehicle information” means the vehicle information number, make, model, year, and odometer reading.

              2. “Ownership information” means the name or names of the registered owner or owners and the contact information for the owner or owners.

          8. Notwithstanding a business’s obligations to respond to and honor consumer rights requests pursuant to this title:

            1. A time period for a business to respond to a consumer for any verifiable consumer request may be extended by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.

            2. If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.

            3. If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessive.

          9. A business that discloses personal information to a service provider or contractor in compliance with this title shall not

            1. Be liable under this title if the service provider or contractor receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor intends to commit such a violation. A service provider or contractor shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title provided that the service provider or contractor shall be liable for its own violations of this title.

            2. A business that discloses personal information of a consumer, with the exception of consumers who have exercised their right to opt out of the sale or sharing of their personal information, consumers who have limited the use or disclosure of their sensitive personal information, and minor consumers who have not opted in to the collection or sale of their personal information, to a third party pursuant to a written contract that requires the third party to provide the same level of protection of the consumer’s rights under this title as provided by the business shall not be liable under this title if the third party receiving the personal information uses it in violation of the restrictions set forth in this title provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the third party intends to commit such a violation.

          10. This title shall not be construed to require a business, service provider, or contractor to:

            1. Reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.

            2. Retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained.

            3. Maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable consumer request with personal information.

          11. The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request for specific pieces of personal information, pursuant to Section 1798.110 to delete a consumer’s personal information, pursuant to Section 1798.105, or to correct inaccurate personal information, pursuant to Section 1798.106, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business’ possession.

          12. The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.

          13. This title shall not

            1. Apply to any of the following:

              1. Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of, that business.

              2. Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.

              3. Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of administering those benefits.

            2. For purposes of this subdivision:

              1. “Independent contractor” means a natural person who provides any service to a business pursuant to a written contract.

              2. “Director” means a natural person designated in the articles of incorporation as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.

              3. “Medical staff member” means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.

              4. “Officer” means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.

              5. “Owner” means a natural person who meets one of the following criteria:

                1. Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.

                2. Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.

                3. Has the power to exercise a controlling influence over the management of a company.

            3. This subdivision shall not apply to subdivision (a) of Section 1798.100 or Section 1798.150.

            4. This subdivision shall become inoperative on January 1, 2023.

          14. The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not

            1. Apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, non-profit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, non-profit, or government agency.

            2. For purposes of this subdivision:

              1. “Independent contractor” means a natural person who provides any service to a business pursuant to a written contract.

              2. “Director” means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.

              3. “Officer” means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.

              4. “Owner” means a natural person who meets one of the following:

                1. Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.

                2. Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.

                3. Has the power to exercise a controlling influence over the management of a company.

            3. This subdivision shall become inoperative on January 1, 2023.

          15. Sections 1798.105 and 1798.120 shall not

            1. Apply to a commercial credit reporting agency’s collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumer’s role as the owner, director, officer, or management employee of the business.

            2. For the purposes of this subdivision:

              1. “Business controller information” means the name or names of the owner or owners, director, officer, or management employee of a business and the contact information, including a business title, for the owner or owners, director, officer, or management employee.

              2. “Commercial credit reporting agency” has the meaning set forth in subdivision (b) of Section 1785.42.

              3. “Owner” means a natural person that meets one of the following:

                1. Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.

                2. Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.

                3. Has the power to exercise a controlling influence over the management of a company.

              4. “Director” means a natural person designated in the articles of incorporation of a business as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.

              5. “Officer” means a natural person elected or appointed by the board of directors of a business to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.

              6. “Management employee” means a natural person whose name and contact information is reported to or collected by a commercial credit reporting agency as the primary manager of a business and used solely within the context of the natural person’s role as the primary manager of the business.

          16. The obligations imposed on businesses in Sections 1798.105, 1798.106, 1798.110, and 1798.115 shall not apply to household data.

          17. This title does not

            1. Require a business to comply with a verifiable consumer request to delete a consumer’s personal information under Section 1798.105 to the extent the verifiable consumer request applies to a student’s grades, educational scores, or educational test results that the business holds on behalf of a local educational agency, as defined in subdivision (d) of Section 49073.1 of the Education Code, at which the student is currently enrolled. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.

            2. This title does not require, in response to a request pursuant to Section 1798.110, that a business disclose on educational standardized assessment or educational assessment or a consumer’s specific responses to the educational standardized assessment or educational assessment if consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.

            3. For purposes of this subdivision:

              1. “Educational standardized assessment or educational assessment” means a standardized or nonstandardized quiz, test, or other assessment used to evaluate students in or for entry to kindergarten and grades 1 to 12, inclusive, schools, postsecondary institutions, vocational programs, and postgraduate programs that are accredited by an accrediting agency or organization recognized by the State of California or the United States Department of Education, as well as certification and licensure examinations used to determine competency and eligibility to receive certification or licensure from a government agency or government certification body.

              2. “Jeopardize the validity and reliability of that educational standardized assessment or educational assessment” means releasing information that would provide an advantage to the consumer who has submitted a verifiable consumer request or to another natural person.

          18. Sections 1798.105 and 1798.120 shall not apply to a business’ use, disclosure, or sale of particular pieces of a consumer’s personal information if the consumer has consented to the business’ use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumer’s photograph if:

            1. The business has incurred significant expense in reliance on the consumer’s consent.

            2. Compliance with the consumer’s request to opt out of the sale of the consumer’s personal information or to delete the consumer’s personal information would not be commercially reasonable.

            3. The business complies with the consumer’s request as soon as it is commercially reasonable to do so.

          (Amended November 3, 2020, by initiative Proposition 24, Sec. 15. Effective December 16, 2020. Operative January 1, 2023, by Sec. 31 of Prop. 24, but subdivisions (m) and (n) are operative immediately. Subdivisions (m) and (n) inoperative January 1, 2023, by their own provisions.)
        • 1798.146: Medical Information Exemption
          1. This title shall not apply to any of the following:

            1. Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5).

            2. A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains, uses, and discloses patient information in the same manner as medical information or protected health information as described in paragraph (1).

            3. A business associate of a covered entity governed by the privacy, security, and data breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the business associate maintains, uses, and discloses patient information in the same manner as medical information or protected health information as described in paragraph (1).

            4. Information that

              1. Meets both of the following conditions:

                1. It is deidentified in accordance with the requirements for deidentification set forth in Section 164.514 of Part 164 of Title 45 of the Code of Federal Regulations.

                2. It is derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by the Health Insurance Portability and Accountability Act, the Confidentiality Of Medical Information Act, or the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.

              2. Information that met the requirements of subparagraph (A) but is subsequently reidentified shall no longer be eligible for the exemption in this paragraph, and shall be subject to applicable federal and state data privacy and security laws, including, but not limited to, the Health Insurance Portability and Accountability Act, the Confidentiality Of Medical Information Act, and this title.

            5. Information that is collected, used, or disclosed in research, as defined in Section 164.501 of Title 45 of the Code of Federal Regulations, including, but not limited to, a clinical trial, and that is conducted in accordance with applicable ethics, confidentiality, privacy, and security rules of Part 164 of Title 45 of the Code of Federal Regulations, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the United States Food and Drug Administration.

          2. For purposes of this section, all of the following shall apply:

            1. “Business associate” has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations.

            2. “Covered entity” has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations.

            3. “Identifiable private information” has the same meaning as defined in Section 46.102 of Title 45 of the Code of Federal Regulations.

            4. “Individually identifiable health information” has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations.

            5. “Medical information” has the same meaning as defined in Section 56.05.

            6. “Patient information” shall mean identifiable private information, protected health information, individually identifiable health information, or medical information.

            7. “Protected health information” has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations.

            8. “Provider of health care” has the same meaning as defined in Section 56.05.

          (Added by Stats. 2020, Ch. 172, Sec. 2. (AB 713) Effective September 25, 2020.)
           
        • 1798.148: Reidentification of Medical Information
          1. A business or other person shall not reidentify, or attempt to reidentify, information that has met the requirements of paragraph (4) of subdivision (a) of Section 1798.146, except for one or more of the following purposes:

            1. Treatment, payment, or health care operations conducted by a covered entity or business associate acting on behalf of, and at the written direction of, the covered entity. For purposes of this paragraph, “treatment,” “payment,” “health care operations,” “covered entity,” and “business associate” have the same meaning as defined in Section 164.501 of Title 45 of the Code of Federal Regulations.

            2. Public health activities or purposes as described in Section 164.512 of Title 45 of the Code of Federal Regulations.

            3. Research, as defined in Section 164.501 of Title 45 of the Code of Federal Regulations, that is conducted in accordance with Part 46 of Title 45 of the Code of Federal Regulations, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.

            4. Pursuant to a contract where the lawful holder of the deidentified information that met the requirements of paragraph (4) of subdivision (a) of Section 1798.146 expressly engages a person or entity to attempt to reidentify the deidentified information in order to conduct testing, analysis, or validation of deidentification, or related statistical techniques, if the contract bans any other use or disclosure of the reidentified information and requires the return or destruction of the information that was reidentified upon completion of the contract.

            5. If otherwise required by law.

          2. In accordance with paragraph (4) of subdivision (a) of Section 1798.146, information reidentified pursuant this section shall be subject to applicable federal and state data privacy and security laws including, but not limited to, the Health Insurance Portability and Accountability Act, the Confidentiality of Medical Information Act, and this title.

          3. Beginning January 1, 2021, any contract for the sale or license of deidentified information that has met the requirements of paragraph (4) of subdivision (a) of Section 1798.146, where one of the parties is a person residing or doing business in the state, shall include the following, or substantially similar, provisions:

            1. A statement that the deidentified information being sold or licensed includes deidentified patient information.

            2. A statement that reidentification, and attempted reidentification, of the deidentified information by the purchaser or licensee of the information is prohibited pursuant to this section.

            3. A requirement that, unless otherwise required by law, the purchaser or licensee of the deidentified information may not further disclose the deidentified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.

          4. For purposes of this section, “reidentify” means the process of reversal of deidentification techniques, including, but not limited to, the addition of specific pieces of information or data elements that can, individually or in combination, be used to uniquely identify an individual or usage of any statistical method, contrivance, computer software, or other means that have the effect of associating deidentified information with a specific identifiable individual.

          (Added by Stats. 2020, Ch. 172, Sec. 3. (AB 713) Effective September 25, 2020.)
           
        • 1798.150: Personal Information Security Breaches
          1. Any consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, or whose email address in combination with a password or security question and answer that would permit access to the account is

            1. Subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

              1. To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.

              2. Injunctive or declaratory relief.

              3. Any other relief the court deems proper.

            2. In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.

          2. Actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer provides a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated. In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business. The implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach. No notice shall be required prior to an individual consumer initiating an action solely for actual pecuniary damages suffered as a result of the alleged violations of this title. If a business continues to violate this title in breach of the express written statement provided to the consumer under this section, the consumer may initiate an action against the business to enforce the written statement and may pursue statutory damages for each breach of the express written statement, as well as any other violation of the title that postdates the written statement.

          3. The cause of action established by this section shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title. Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law. This shall not be construed to relieve any party from any duties or obligations imposed under other law or the United States or California Constitution.

          (Amended November 3, 2020, by initiative Proposition 24, Sec. 16. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
        • 1798.155: Administrative Enforcement
          1. Any business, service provider, contractor, or other person that violates this title shall be liable for an administrative fine of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation or violations involving the personal information of consumers whom the business, service provider, contractor, or other person has actual knowledge are under 16 years of age, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185, in an administrative enforcement action brought by the California Privacy Protection Agency.

          2. Any administrative fine assessed for a violation of this title, and the proceeds of any settlement of an action brought pursuant to subdivision (a), shall be deposited in the Consumer Privacy Fund, created within the General Fund pursuant to subdivision (a) of Section 1798.160 with the intent to fully offset any costs incurred by the state courts, the Attorney General, and the California Privacy Protection Agency in connection with this title.

          (Amended November 3, 2020, by initiative Proposition 24, Sec. 17. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.160: Consumer Privacy Fund
          1. A special fund to be known as the “Consumer Privacy Fund” is hereby created within the General Fund in the State Treasury, and is available upon appropriation by the Legislature first to offset any costs incurred by the state courts in connection with actions brought to enforce this title, the costs incurred by the Attorney General in carrying out the Attorney General’s duties under this title, and then for the purposes of establishing an investment fund in the State Treasury, with any earnings or interest from the fund to be deposited in the General Fund, and making grants to promote and protect consumer privacy, educate children in the area of online privacy, and fund cooperative programs with international law enforcement organizations to combat fraudulent activities with respect to consumer data breaches.

          2. Funds transferred to the Consumer Privacy Fund shall be used exclusively as follows:

            1. To offset any costs incurred by the state courts and the Attorney General in connection with this title.

            2. After satisfying the obligations under paragraph (1), the remaining funds shall be allocated each fiscal year as follows:

              1. Ninety-one percent shall be invested by the Treasurer in financial assets with the goal of maximizing long term yields consistent with a prudent level of risk. The principal shall not be subject to transfer or appropriation, provided that any interest and earnings shall be transferred on an annual basis to the General Fund for appropriation by the Legislature for General Fund purposes.

              2. Nine percent shall be made available to the California Privacy Protection Agency for the purposes of making grants in California, with 3 percent allocated to each of the following grant recipients:

                1. Nonprofit organizations to promote and protect consumer privacy.

                2. Nonprofit organizations and public agencies, including school districts, to educate children in the area of online privacy.

                3. State and local law enforcement agencies to fund cooperative programs with international law enforcement organizations to combat fraudulent activities with respect to consumer data breaches.

          3. Funds in the Consumer Privacy Fund shall not be subject to appropriation or transfer by the Legislature for any other purpose.

          (Amended November 3, 2020, by initiative Proposition 24, Sec. 18. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.175: Conflicting Provisions
          This title is intended to further the constitutional right of privacy and to supplement existing laws relating to consumers’ personal information, including, but not limited to, Chapter 22 (commencing with Section 22575) of Division 8 of the Business and Professions Code and Title 1.81 (commencing with Section 1798.80). The provisions of this title are not limited to information collected electronically or over the Internet, but apply to the collection and sale of all personal information collected by a business from consumers. Wherever possible, law relating to consumers’ personal information should be construed to harmonize with the provisions of this title, but in the event of a conflict between other laws and the provisions of this title, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.

          (Amended November 3, 2020, by initiative Proposition 24, Sec. 19. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
        • 1798.180: Preemption
          This title is a matter of statewide concern and supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection and sale of consumers’ personal information by a business.

          (Amended November 3, 2020, by initiative Proposition 24, Sec. 20. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
        • 1798.185: Regulations
          1. On or before July 1, 2020, the Attorney General shall solicit broad public participation and adopt regulations to further the purposes of this title, including, but not limited to, the following areas:

            1. Updating or adding categories of personal information to those enumerated in subdivision (c) of Section 1798.130 and subdivision (v) of Section 1798.140, and updating or adding categories of sensitive personal information to those enumerated in subdivision (ae) of Section 1798.140 in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.

            2. Updating as needed the definitions of “deidentified” and “unique identifier” to address changes in technology, data collection, obstacles to implementation, and privacy concerns, and adding, modifying, or deleting categories to the definition of designated methods for submitting requests to facilitate a consumer’s ability to obtain information from a business pursuant to Section 1798.130. The authority to update the definition of “deidentified” shall not apply to deidentification standards set forth in Section 164.514 of Title 45 of the Code of Federal Regulations, where such information previously was “protected health information” as defined in Section 160.103 of Title 45 of the Code of Federal Regulations.

            3. Establishing any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights, within one year of passage of this title and as needed thereafter, with the intention that trade secrets should not be disclosed in response to a verifiable consumer request.

            4. Establishing rules and procedures for the following:

              1. To facilitate and govern the submission of a request by a consumer to opt-out of the sale or sharing of personal information pursuant to Section 1798.120 and to limit the use of a consumer’s sensitive personal information pursuant to Section 1798.121 to ensure that consumers have the ability to exercise their choices without undue burden and to prevent business from engaging in deceptive or harassing conduct, including in retaliation against consumers for exercising their rights, while allowing businesses to inform consumers of the consequences of their decision to opt out of the sale or sharing of their personal information or to limit the use of their sensitive personal information.

              2. To govern business compliance with a consumer’s opt-out request.

              3. For the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information.

            5. Adjusting the monetary thresholds, in January of every odd-numbered year to reflect any increase in the Consumer Price Index, in: subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.140; subparagraph (A) of paragraph (1) of subdivision (a) of Section 1798.150; subdivision (a) of Section 1798.155; Section 1798.199.25; and subdivision (a) of Section 1798.199.90.

            6. Establishing rules, procedures, and any exceptions necessary to ensure that the notices and information that businesses are required to provide pursuant to this title are provided in a manner that may be easily understood by the average consumer, are accessible to consumers with disabilities, and are available in the language primarily used to interact with the consumer, including establishing rules and guidelines regarding financial incentives within one year of passage of this title and as needed thereafter.

            7. Establishing rules and procedures to further the purposes of Sections 1798.105, 1798.106, 1798.110, and 1798.115 and to facilitate a consumer’s or the consumer’s authorized agent’s ability to delete personal information, correct inaccurate personal information pursuant to Section 1798.106, or obtain information pursuant to Section 1798.130, with the goal of minimizing the administrative burden on consumers, taking into account available technology, security concerns, and the burden on the business, to govern a business’s determination that a request for information received from a consumer is a verifiable consumer request, including treating a request submitted through a password-protected account maintained by the consumer with the business while the consumer is logged into the account as a verifiable consumer request and providing a mechanism for a consumer who does not maintain an account with the business to request information through the business’s authentication of the consumer’s identity, within one year of passage of this title and as needed thereafter.

            8. Establishing how often, and under what circumstances, a consumer may request a correction pursuant to Section 1798.106, including standards governing the following:

              1. How a business responds to a request for correction, including exceptions for requests to which a response is impossible or would involve disproportionate effort, and requests for correction of accurate information.

              2. How concerns regarding the accuracy of the information may be resolved.

              3. The steps a business may take to prevent fraud.

              4. If a business rejects a request to correct personal information collected and analyzed concerning a consumer’s health, the right of a consumer to provide a written addendum to the business with respect to any item or statement regarding any such personal information that the consumer believes to be incomplete or incorrect. The addendum shall be limited to 250 words per alleged incomplete or incorrect item and shall clearly indicate in writing that the consumer requests the addendum to be made a part of the consumer’s record.

            9. Establishing the standard to govern a business’ determination, pursuant to subparagraph (B) of paragraph (2) of subdivision (a) of Section 1798.130, that providing information beyond the 12-month period in a response to a verifiable consumer request is impossible or would involve a disproportionate effort.

            10. Issuing regulations further defining and adding to the business purposes, including other notified purposes, for which businesses, service providers, and contractors may use consumers’ personal information consistent with consumers’ expectations, and further defining the business purposes for which service providers and contractors may combine consumers’ personal information obtained from different sources, except as provided for in paragraph (6) of subdivision (e) of Section 1798.140.

            11. Issuing regulations identifying those business purposes, including other notified purposes, for which service providers and contractors may use consumers’ personal information received pursuant to a written contract with a business, for the service provider or contractor’s own business purposes, with the goal of maximizing consumer privacy.

            12. Issuing regulations to further define “intentionally interacts,” with the goal of maximizing consumer privacy.

            13. Issuing regulations to further define “precise geolocation,” including if the size defined is not sufficient to protect consumer privacy in sparsely populated areas or when the personal information is used for normal operational purposes, including billing.

            14. Issuing regulations to define the term “specific pieces of information obtained from the consumer” with the goal of maximizing a consumer’s right to access relevant personal information while minimizing the delivery of information to a consumer that would not be useful to the consumer, including system log information and other technical data. For delivery of the most sensitive personal information, the regulations may require a higher standard of authentication provided that the agency shall monitor the impact of the higher standard on the right of consumers to obtain their personal information to ensure that the requirements of verification do not result in the unreasonable denial of verifiable consumer requests.

            15. Issuing regulations requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to:

              1. Perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent. The factors to be considered in determining when processing may result in significant risk to the security of personal information shall include the size and complexity of the business and the nature and scope of processing activities.

              2. Submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal information, including whether the processing involves sensitive personal information, and identifying and weighing the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, with the goal of restricting or prohibiting the processing if the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public. Nothing in this section shall require a business to divulge trade secrets.

            16. Issuing regulations governing access and opt-out rights with respect to businesses’ use of automated decisionmaking technology, including profiling and requiring businesses’ response to access requests to include meaningful information about the logic involved in those decisionmaking processes, as well as a description of the likely outcome of the process with respect to the consumer.

            17. Issuing regulations to further define a “law enforcement agency-approved investigation” for purposes of the exception in paragraph (2) of subdivision (a) of Section 1798.145.

            18. Issuing regulations to define the scope and process for the exercise of the agency’s audit authority, to establish criteria for selection of persons to audit, and to protect consumers’ personal information from disclosure to an auditor in the absence of a court order, warrant, or subpoena.

            19. Issuing regulations to define the requirements and technical specifications for an opt-out preference signal sent by a platform, technology, or mechanism, to indicate

              1. A consumer’s intent to opt out of the sale or sharing of the consumer’s personal information and to limit the use or disclosure of the consumer’s sensitive personal information. The requirements and specifications for the opt-out preference signal should be updated from time to time to reflect the means by which consumers interact with businesses, and should:

                1. Ensure that the manufacturer of a platform or browser or device that sends the opt-out preference signal cannot unfairly disadvantage another business.

                2. Ensure that the opt-out preference signal is consumer-friendly, clearly described, and easy to use by an average consumer and does not require that the consumer provide additional information beyond what is necessary.

                3. Clearly represent a consumer’s intent and be free of defaults constraining or presupposing that intent.

                4. Ensure that the opt-out preference signal does not conflict with other commonly used privacy settings or tools that consumers may employ.

                5. Provide a mechanism for the consumer to selectively consent to a business’ sale of the consumer’s personal information, or the use or disclosure of the consumer’s sensitive personal information, without affecting the consumer’s preferences with respect to other businesses or disabling the opt-out preference signal globally.

                6. State that in the case of a page or setting view that the consumer accesses to set the opt-out preference signal, the consumer should see up to three choices, including:

                  1. Global opt out from sale and sharing of personal information, including a direction to limit the use of sensitive personal information.

                  2. Choice to “Limit the Use of My Sensitive Personal Information.”

                  3. Choice titled “Do Not Sell/Do Not Share My Personal Information for Cross-Context Behavioral Advertising.”

              2. Issuing regulations to establish technical specifications for an opt-out preference signal that allows the consumer, or the consumer’s parent or guardian, to specify that the consumer is less than 13 years of age or at least 13 years of age and less than 16 years of age.

              3. Issuing regulations, with the goal of strengthening consumer privacy while considering the legitimate operational interests of businesses, to govern the use or disclosure of a consumer’s sensitive personal information, notwithstanding the consumer’s direction to limit the use or disclosure of the consumer’s sensitive personal information, including:

                1. Determining any additional purposes for which a business may use or disclose a consumer’s sensitive personal information.

                2. Determining the scope of activities permitted under paragraph (8) of subdivision (e) of Section 1798.140, as authorized by subdivision (a) of Section 1798.121, to ensure that the activities do not involve health-related research.

                3. Ensuring the functionality of the business’ operations.

                4. Ensuring that the exemption in subdivision (d) of Section 1798.121 for sensitive personal information applies to information that is collected or processed incidentally, or without the purpose of inferring characteristics about a consumer, while ensuring that businesses do not use the exemption for the purpose of evading consumers’ rights to limit the use and disclosure of their sensitive personal information under Section 1798.121.

            20. Issuing regulations to govern how a business that has elected to comply with subdivision (b) of Section 1798.135 responds to the opt-out preference signal and provides consumers with the opportunity subsequently to consent to the sale or sharing of their personal information or the use and disclosure of their sensitive personal information for purposes in addition to those authorized by subdivision (a) of Section 1798.121. The regulations should:

              1. Strive to promote competition and consumer choice and be technology neutral.

              2. Ensure that the business does not respond to an opt-out preference signal by:

                1. Intentionally degrading the functionality of the consumer experience.

                2. Charging the consumer a fee in response to the consumer’s opt-out preferences.

                3. Making any products or services not function properly or fully for the consumer, as compared to consumers who do not use the opt-out preference signal.

                4. Attempting to coerce the consumer to opt in to the sale or sharing of the consumer’s personal information, or the use or disclosure of the consumer’s sensitive personal information, by stating or implying that the use of the opt-out preference signal will adversely affect the consumer as compared to consumers who do not use the opt-out preference signal, including stating or implying that the consumer will not be able to use the business’ products or services or that those products or services may not function properly or fully.

                5. Displaying any notification or pop-up in response to the consumer’s opt-out preference signal.

              3. Ensure that any link to a web page or its supporting content that allows the consumer to consent to opt in:

                1. Is not part of a popup, notice, banner, or other intrusive design that obscures any part of the web page the consumer intended to visit from full view or that interferes with or impedes in any way the consumer’s experience visiting or browsing the web page or website the consumer intended to visit.

                2. Does not require or imply that the consumer must click the link to receive full functionality of any products or services, including the website.

                3. Does not make use of any dark patterns.

                4. Applies only to the business with which the consumer intends to interact.

              4. Strive to curb coercive or deceptive practices in response to an opt-out preference signal but should not unduly restrict businesses that are trying in good faith to comply with Section 1798.135.

            21. Review existing Insurance Code provisions and regulations relating to consumer privacy, except those relating to insurance rates or pricing, to determine whether any provisions of the Insurance Code provide greater protection to consumers than the provisions of this title. Upon completing its review, the agency shall adopt a regulation that applies only the more protective provisions of this title to insurance companies. For the purpose of clarity, the Insurance Commissioner shall have jurisdiction over insurance rates and pricing.

            22. Harmonizing the regulations governing opt-out mechanisms, notices to consumers, and other operational mechanisms in this title to promote clarity and the functionality of this title for consumers.

          2. The Attorney General may adopt additional regulations as necessary to further the purposes of this title.

          3. The Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.

          4. Notwithstanding subdivision (a), the timeline for adopting final regulations required by the act adding this subdivision shall be July 1, 2022. Beginning the later of July 1, 2021, or six months after the agency provides notice to the Attorney General that it is prepared to begin rulemaking under this title, the authority assigned to the Attorney General to adopt regulations under this section shall be exercised by the California Privacy Protection Agency. Notwithstanding any other law, civil and administrative enforcement of the provisions of law added or amended by this act shall not commence until July 1, 2023, and shall only apply to violations occurring on or after that date. Enforcement of provisions of law contained in the California Consumer Privacy Act of 2018 amended by this act shall remain in effect and shall be enforceable until the same provisions of this act become enforceable.

          (Amended November 3, 2020, by initiative Proposition 24, Sec. 21. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.190: Anti-Avoidance
          A court or the agency shall disregard the intermediate steps or transactions for purposes of effectuating the purposes of this title:

          1. If a series of steps or transactions were component parts of a single transaction intended from the beginning to be taken with the intention of avoiding the reach of this title, including the disclosure of information by a business to a third party in order to avoid the definition of sell or share.

          2. If steps or transactions were taken to purposely avoid the definition of sell or share by eliminating any monetary or other valuable consideration, including by entering into contracts that do not include an exchange for monetary or other valuable consideration, but where a party is obtaining something of value or use.

          (Amended November 3, 2020, by initiative Proposition 24, Sec. 22. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
        • 1798.192: Waiver
          Any provision of a contract or agreement of any kind, including a representative action waiver, that purports to waive or limit in any way rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable. This section shall not prevent a consumer from declining to request information from a business, declining to opt out of a business’s sale of the consumer’s personal information, or authorizing a business to sell or share the consumer’s personal information after previously opting out.

          (Amended November 3, 2020, by initiative Proposition 24, Sec. 23. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
        • 1798.194
          This title shall be liberally construed to effectuate its purposes.

          (Added by Stats. 2018, Ch. 55, Sec. 3. (AB 375) Effective January 1, 2019. Section operative January 1, 2020, pursuant to Section 1798.198.)
        • 1798.196
          This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the United States or California Constitution.

          (Amended (as added by Stats. 2018, Ch. 55, Sec. 3) by Stats. 2018, Ch. 735, Sec. 15. (SB 1121) Effective September 23, 2018. Section operative January 1, 2020, pursuant to Section 1798.198.)
        • 1798.198
          1. Subject to limitation provided in subdivision (b), and in Section 1798.199, this title shall be operative January 1, 2020.

          2. This title shall become operative only if initiative measure No. 17-0039, The Consumer Right to Privacy Act of 2018, is withdrawn from the ballot pursuant to Section 9604 of the Elections Code.

          (Amended (as added by Stats. 2018, Ch. 55, Sec. 3) by Stats. 2018, Ch. 735, Sec. 16. (SB 1121) Effective September 23, 2018.)
        • 1798.199
          Notwithstanding Section 1798.198, Section 1798.180 shall be operative on the effective date of the act adding this section.

          (Added by Stats. 2018, Ch. 735, Sec. 17. (SB 1121) Effective September 23, 2018. Operative September 23, 2018.)
        • 1798.199.10
          1. There is hereby established in state government the California Privacy Protection Agency, which is vested with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act of 2018. The agency shall be governed by a five-member board, including the chairperson. The chairperson and one member of the board shall be appointed by the Governor. The Attorney General, Senate Rules Committee, and Speaker of the Assembly shall each appoint one member. These appointments should be made from among Californians with expertise in the areas of privacy, technology, and consumer rights.

          2. The initial appointments to the agency shall be made within 90 days of the effective date of the act adding this section.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.1. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
        • 1798.199.15
          Members of the agency board shall:
          1. Have qualifications, experience, and skills, in particular in the areas of privacy and technology, required to perform the duties of the agency and exercise its powers.

          2. Maintain the confidentiality of information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers, except to the extent that disclosure is required by the Public Records Act.

          3. Remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from another.

          4. Refrain from any action incompatible with their duties and engaging in any incompatible occupation, whether gainful or not, during their term.

          5. Have the right of access to all information made available by the agency to the chairperson.

          6. Be precluded, for a period of one year after leaving office, from accepting employment with a business that was subject to an enforcement action or civil action under this title during the member’s tenure or during the five-year period preceding the member’s appointment.

          7. Be precluded for a period of two years after leaving office from acting, for compensation, as an agent or attorney for, or otherwise representing, any other person in a matter pending before the agency if the purpose is to influence an action of the agency.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.2. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.20
          Members of the agency board, including the chairperson, shall serve at the pleasure of their appointing authority but shall serve for no longer than eight consecutive years.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.3. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
        • 1798.199.25
          For each day on which they engage in official duties, members of the agency board shall be compensated at the rate of one hundred dollars ($100), adjusted biennially to reflect changes in the cost of living, and shall be reimbursed for expenses incurred in performance of their official duties.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.4. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
        • 1798.199.30
          The agency board shall appoint an executive director who shall act in accordance with agency policies and regulations and with applicable law. The agency shall appoint and discharge officers, counsel, and employees, consistent with applicable civil service laws, and shall fix the compensation of employees and prescribe their duties. The agency may contract for services that cannot be provided by its employees.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.5. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
        • 1798.199.35
          The agency board may delegate authority to the chairperson or the executive director to act in the name of the agency between meetings of the agency, except with respect to resolution of enforcement actions and rulemaking authority.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.6. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
        • 1798.199.40
          The agency shall perform the following functions:

          1. Administer, implement, and enforce through administrative actions this title.

          2. On and after the earlier of July 1, 2021, or within six months of the agency providing the Attorney General with notice that it is prepared to assume rulemaking responsibilities under this title, adopt, amend, and rescind regulations pursuant to Section 1798.185 to carry out the purposes and provisions of the California Consumer Privacy Act of 2018, including regulations specifying record keeping requirements for businesses to ensure compliance with this title.

          3. Through the implementation of this title, protect the fundamental privacy rights of natural persons with respect to the use of their personal information.

          4. Promote public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale, and disclosure of personal information, including the rights of minors with respect to their own information, and provide a public report summarizing the risk assessments filed with the agency pursuant to paragraph (15) of subdivision (a) of Section 1798.185 while ensuring that data security is not compromised.

          5. Provide guidance to consumers regarding their rights under this title.

          6. Provide guidance to businesses regarding their duties and responsibilities under this title and appoint a Chief Privacy Auditor to conduct audits of businesses to ensure compliance with this title pursuant to regulations adopted pursuant to paragraph (18) of subdivision (a) of Section 1798.185.

          7. Provide technical assistance and advice to the Legislature, upon request, with respect to privacy-related legislation.

          8. Monitor relevant developments relating to the protection of personal information and in particular, the development of information and communication technologies and commercial practices.

          9. Cooperate with other agencies with jurisdiction over privacy laws and with data processing authorities in California, other states, territories, and countries to ensure consistent application of privacy protections.

          10. Establish a mechanism pursuant to which persons doing business in California that do not meet the definition of business set forth in paragraph (1), (2), or (3) of subdivision (d) of Section 1798.140 may voluntarily certify that they are in compliance with this title, as set forth in paragraph (4) of subdivision (d) of Section 1798.140, and make a list of those entities available to the public.

          11. Solicit, review, and approve applications for grants to the extent funds are available pursuant to paragraph (2) of subdivision (b) of Section 1798.160.

          12. Perform all other acts necessary or appropriate in the exercise of its power, authority, and jurisdiction and seek to balance the goals of strengthening consumer privacy while giving attention to the impact on businesses.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.7. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.45
          1. Upon the sworn complaint of any person or on its own initiative, the agency may investigate possible violations of this title relating to any business, service provider, contractor, or person. The agency may decide not to investigate a complaint or decide to provide a business with a time period to cure the alleged violation. In making a decision not to investigate or provide more time to cure, the agency may consider the following:

            1. Lack of intent to violate this title.

            2. Voluntary efforts undertaken by the business, service provider, contractor, or person to cure the alleged violation prior to being notified by the agency of the complaint.

          2. The agency shall notify in writing the person who made the complaint of the action, if any, the agency has taken or plans to take on the complaint, together with the reasons for that action or nonaction.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.8. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.50
          No finding of probable cause to believe this title has been violated shall be made by the agency unless, at least 30 days prior to the agency’s consideration of the alleged violation, the business, service provider, contractor, or person alleged to have violated this title is notified of the violation by service of process or registered mail with return receipt requested, provided with a summary of the evidence, and informed of their right to be present in person and represented by counsel at any proceeding of the agency held for the purpose of considering whether probable cause exists for believing the person violated this title. Notice to the alleged violator shall be deemed made on the date of service, the date the registered mail receipt is signed, or if the registered mail receipt is not signed, the date returned by the post office. A proceeding held for the purpose of considering probable cause shall be private unless the alleged violator files with the agency a written request that the proceeding be public.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.9. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
        • 1798.199.55
          1. When the agency determines there is probable cause for believing this title has been violated, it shall hold a hearing to determine if a violation has or violations have occurred. Notice shall be given and the hearing conducted in accordance with the Administrative Procedure Act (Chapter 5 (commencing with Section 11500), Part 1, Division 3, Title 2, Government Code). The agency shall have all the powers granted by that chapter. If the agency determines on the basis of the hearing conducted pursuant to this subdivision that a violation or violations have occurred, it shall issue an order that may require the violator to do all or any of the following:

            1. Cease and desist violation of this title.

            2. Subject to Section 1798.155, pay an administrative fine of up to two thousand five hundred dollars ($2,500) for each violation, or up to seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers to the Consumer Privacy Fund within the General Fund of the state. When the agency determines that no violation has occurred, it shall publish a declaration so stating.

          2. If two or more persons are responsible for any violation or violations, they shall be jointly and severally liable.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.10. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.60
          Whenever the agency rejects the decision of an administrative law judge made pursuant to Section 11517 of the Government Code, the agency shall state the reasons in writing for rejecting the decision.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.11. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
        • 1798.199.65
          The agency may subpoena witnesses, compel their attendance and testimony, administer oaths and affirmations, take evidence and require by subpoena the production of any books, papers, records, or other items material to the performance of the agency’s duties or exercise of its powers, including, but not limited to, its power to audit a business’ compliance with this title.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.12. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.70
          No administrative action brought pursuant to this title alleging a violation of any of the provisions of this title shall be commenced more than five years after the date on which the violation occurred.

          1. The service of the probable cause hearing notice, as required by Section 1798.199.50, upon the person alleged to have violated this title shall constitute the commencement of the administrative action.

          2. If the person alleged to have violated this title engages in the fraudulent concealment of the person’s acts or identity, the five-year period shall be tolled for the period of the concealment. For purposes of this subdivision, “fraudulent concealment” means the person knows of material facts related to the person’s duties under this title and knowingly conceals them in performing or omitting to perform those duties for the purpose of defrauding the public of information to which it is entitled under this title.

          3. If, upon being ordered by a superior court to produce any documents sought by a subpoena in any administrative proceeding under this title, the person alleged to have violated this title fails to produce documents in response to the order by the date ordered to comply therewith, the five-year period shall be tolled for the period of the delay from the date of filing of the motion to compel until the date the documents are produced.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.13. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.75
          1. In addition to any other available remedies, the agency may bring a civil action and obtain a judgment in superior court for the purpose of collecting any unpaid administrative fines imposed pursuant to this title after exhaustion of judicial review of the agency’s action. The action may be filed as a small claims, limited civil, or unlimited civil case depending on the jurisdictional amount. The venue for this action shall be in the county where the administrative fines were imposed by the agency. In order to obtain a judgment in a proceeding under this section, the agency shall show, following the procedures and rules of evidence as applied in ordinary civil actions, all of the following:

            1. That the administrative fines were imposed following the procedures set forth in this title and implementing regulations.

            2. That the defendant or defendants in the action were notified, by actual or constructive notice, of the imposition of the administrative fines.

            3. That a demand for payment has been made by the agency and full payment has not been received.

          2. A civil action brought pursuant to subdivision (a) shall be commenced within four years after the date on which the administrative fines were imposed.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.14. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.80
          1. If the time for judicial review of a final agency order or decision has lapsed, or if all means of judicial review of the order or decision have been exhausted, the agency may apply to the clerk of the court for a judgment to collect the administrative fines imposed by the order or decision, or the order as modified in accordance with a decision on judicial review.

          2. The application, which shall include a certified copy of the order or decision, or the order as modified in accordance with a decision on judicial review, and proof of service of the order or decision, constitutes a sufficient showing to warrant issuance of the judgment to collect the administrative fines. The clerk of the court shall enter the judgment immediately in conformity with the application.

          3. An application made pursuant to this section shall be made to the clerk of the superior court in the county where the administrative fines were imposed by the agency.

          4. A judgment entered in accordance with this section has the same force and effect as, and is subject to all the provisions of law relating to, a judgment in a civil action and may be enforced in the same manner as any other judgment of the court in which it is entered.

          5. The agency may bring an application pursuant to this section only within four years after the date on which all means of judicial review of the order or decision have been exhausted.

          6. The remedy available under this section is in addition to those available under any other law.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.15. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.85
          Any decision of the agency with respect to a complaint or administrative fine shall be subject to judicial review in an action brought by an interested party to the complaint or administrative fine and shall be subject to an abuse of discretion standard.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.16. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
        • 1798.199.90
          1. Any business, service provider, contractor, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. The court may consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of the civil penalty.

          2. Any civil penalty recovered by an action brought by the Attorney General for a violation of this title, and the proceeds of any settlement of any said action, shall be deposited in the Consumer Privacy Fund.

          3. The agency shall, upon request by the Attorney General, stay an administrative action or investigation under this title to permit the Attorney General to proceed with an investigation or civil action and shall not pursue an administrative action or investigation, unless the Attorney General subsequently determines not to pursue an investigation or civil action. The agency may not limit the authority of the Attorney General to enforce this title.

          4. No civil action may be filed by the Attorney General under this section for any violation of this title after the agency has issued a decision pursuant to Section 1798.199.85 or an order pursuant to Section 1798.199.55 against that person for the same violation.

          5. This section shall not affect the private right of action provided for in Section 1798.150.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.17. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.95
          1. There is hereby appropriated from the General Fund of the state to the agency the sum of five million dollars ($5,000,000) during the fiscal year 2020–2021, and the sum of ten million dollars ($10,000,000) adjusted for cost-of-living changes, during each fiscal year thereafter, for expenditure to support the operations of the agency pursuant to this title. The expenditure of funds under this appropriation shall be subject to the normal administrative review given to other state appropriations. The Legislature shall appropriate those additional amounts to the commission and other agencies as may be necessary to carry out the provisions of this title.

          2. The Department of Finance, in preparing the state budget and the Budget Act bill submitted to the Legislature, shall include an item for the support of this title that shall indicate all of the following:

            1. The amounts to be appropriated to other agencies to carry out their duties under this title, which amounts shall be in augmentation of the support items of those agencies.

            2. The additional amounts required to be appropriated by the Legislature to the agency to carry out the purposes of this title, as provided for in this section.

            3. In parentheses, for informational purposes, the continuing appropriation during each fiscal year of ten million dollars ($10,000,000), adjusted for cost-of-living changes made pursuant to this section.

          3. The Attorney General shall provide staff support to the agency until the agency has hired its own staff. The Attorney General shall be reimbursed by the agency for these services.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.18. Effective December 16, 2020. Operative December 16, 2020, pursuant to Sec. 31 of Proposition 24.)
           
        • 1798.199.100
          The agency and any court, as applicable, shall consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of any administrative fine or civil penalty for a violation of this title. A business shall not be required by the agency, a court, or otherwise to pay both an administrative fine and a civil penalty for the same violation.

          (Added November 3, 2020, by initiative Proposition 24, Sec. 24.19. Effective December 16, 2020. Operative January 1, 2023, pursuant to Sec. 31 of Proposition 24.)
    • CCPA regulations
      • Article 1. General Provisions
        • § 999.300. Title and Scope
          1. This Chapter shall be known as the California Consumer Privacy Act Regulations. It may be cited as such and will be referred to in this Chapter as “these regulations.” These regulations govern compliance with the California Consumer Privacy Act and do not limit any other rights that consumers may have.

          2. A violation of these regulations shall constitute a violation of the CCPA and be subject to the remedies provided for therein.
        • § 999.301. Definitions
          In addition to the definitions set forth in Civil Code section 1798.140, for purposes of these regulations:

          1. “Affirmative authorization” means an action that demonstrates the intentional decision by the consumer to opt-in to the sale of personal information. Within the context of a parent or guardian acting on behalf of a consumer under 13 years of age, it means that the parent or guardian has provided consent to the sale of the consumer’s personal information in accordance with the methods set forth in section 999.330. For consumers 13 years of age and older, it is demonstrated through a two-step process whereby the consumer shall first, clearly request to opt-in and then second, separately confirm their choice to opt-in.

          2. “Attorney General” means the California Attorney General or any officer or employee of the California Department of Justice acting under the authority of the California Attorney General.

          3. “Authorized agent” means a natural person or a business entity registered with the Secretary of State to conduct business in California that a consumer has authorized to act on their behalf subject to the requirements set forth in section 999.326.

          4. “Categories of sources” means types or groupings of persons or entities from which a business collects personal information about consumers, described with enough particularity to provide consumers with a meaningful understanding of the type of person or entity. They may include the consumer directly, advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and data brokers.

          5. “Categories of third parties” means types or groupings of third parties with whom the business shares personal information, described with enough particularity to provide consumers with a meaningful understanding of the type of third party. They may include advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and data brokers.

          6. “CCPA” means the California Consumer Privacy Act of 2018, Civil Code sections 1798.100 et seq.

          7. “COPPA” means the Children’s Online Privacy Protection Act, 15 U.S.C. sections 6501 to 6508 and 16 Code of Federal Regulations part 312.5.

          8. “Employment benefits” means retirement, health, and other benefit programs, services, or products to which consumers and their dependents or their beneficiaries receive access through the consumer’s employer.

          9. “Employment-related information” means personal information that is collected by the business about a natural person for the reasons identified in Civil Code section 1798.145, subdivision (h)(1). The collection of employment-related information, including for the purpose of administering employment benefits, shall be considered a business purpose.

          10. “Financial incentive” means a program, benefit, or other offering, including payments to consumers, related to the collection, deletion, or sale of personal information.

          11. “Household” means a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.

          12. “Notice at collection” means the notice given by a business to a consumer at or before the point at which a business collects personal information from the consumer as required by Civil Code section 1798.100, subdivision (b), and specified in these regulations.

          13. “Notice of right to opt-out” means the notice given by a business informing consumers of their right to opt-out of the sale of their personal information as required by Civil Code sections 1798.120 and 1798.135 and specified in these regulations.

          14. “Notice of financial incentive” means the notice given by a business explaining each financial incentive or price or service difference as required by Civil Code section 1798.125, subdivision (b), and specified in these regulations.

          15. “Price or service difference” means (1) any difference in the price or rate charged for any goods or services to any consumer related to the collection, retention, or sale of personal information, including through the use of discounts, financial payments, or other benefits or penalties; or (2) any difference in the level or quality of any goods or services offered to any consumer related to the collection, retention, or sale of personal information, including the denial of goods or services to the consumer.

          16. “Privacy policy,” as referred to in Civil Code section 1798.130, subdivision (a)(5), means the statement that a business shall make available to consumers describing the business’s practices, both online and offline, regarding the collection, use, disclosure, and sale of personal information, and of the rights of consumers regarding their own personal information.

          17. “Request to delete” means a consumer request that a business delete personal information about the consumer that the business has collected from the consumer, pursuant to Civil Code section 1798.105.

          18. “Request to know” means a consumer request that a business disclose personal information that it has collected about the consumer pursuant to Civil Code sections 1798.100, 1798.110, or 1798.115. It includes a request for any or all of the following:

            1. Specific pieces of personal information that a business has collected about the consumer;

            2. Categories of personal information it has collected about the consumer;

            3. Categories of sources from which the personal information is collected;

            4. Categories of personal information that the business sold or disclosed for a business purpose about the consumer;

            5. Categories of third parties to whom the personal information was sold or disclosed for a business purpose; and

            6. The business or commercial purpose for collecting or selling personal information.

          19. “Request to opt-in” means the affirmative authorization that the business may sell personal information about the consumer by a parent or guardian of a consumer less than 13 years of age, by a consumer at least 13 and less than 16 years of age, or by a consumer who had previously opted out of the sale of their personal information.

          20. “Request to opt-out” means a consumer request that a business not sell the consumer’s personal information to third parties, pursuant to Civil Code section 1798.120, subdivision (a).

          21. “Signed” means that the written attestation, declaration, or permission has either been physically signed or provided electronically in accordance with the Uniform Electronic Transactions Act, Civil Code section 1633.1 et seq.

          22. “Third-party identity verification service” means a security process offered by an independent third party that verifies the identity of the consumer making a request to the business. Third-party identity verification services are subject to the requirements set forth in Article 4 regarding requests to know and requests to delete.

          23. “Value of the consumer’s data” means the value provided to the business by the consumer’s data as calculated under section 999.337.

          24. “Verify” means to determine that the consumer making a request to know or request to delete is the consumer about whom the business has collected information, or if that consumer is less than 13 years of age, the consumer’s parent or legal guardian.
      • Article 2. Notices To Consumers
        • § 999.304. Overview of Required Notices.
          1. Every business that must comply with the CCPA and these regulations shall provide a privacy policy in accordance with the CCPA and section 999.308.

          2. A business that collects personal information from a consumer shall provide a notice at collection in accordance with the CCPA and section 999.305.

          3. A business that sells personal information shall provide a notice of right to opt-out in accordance with the CCPA and section 999.306.

          4. A business that offers a financial incentive or price or service difference shall provide a notice of financial incentive in accordance with the CCPA and section 999.307.
        • § 999.305. Notice at Collection of Personal Information.
          1. Purpose and General Principles

            1. The purpose of the notice at collection is to provide consumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them and the purposes for which the personal information will be used.

            2. The notice at collection shall be designed and presented in a way that is easy to read and understandable to consumers. The notice shall:

              1. Use plain, straightforward language and avoid technical or legal jargon.

              2. Use a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, if applicable.

              3. Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California.

              4. Be reasonably accessible to consumers with disabilities. For notices provided online, the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by reference. In other contexts, the business shall provide information on how a consumer with a disability may access the notice in an alternative format.

            3. The notice at collection shall be made readily available where consumers will encounter it at or before the point of collection of any personal information. Illustrative examples follow:

              1. When a business collects consumers’ personal information online, it may post a conspicuous link to the notice on the introductory page of the business’s website and on all webpages where personal information is collected.

              2. When a business collects personal information through a mobile application, it may provide a link to the notice on the mobile application’s download page and within the application, such as through the application’s settings menu.

              3. When a business collects consumers’ personal information offline, it may include the notice on printed forms that collect personal information, provide the consumer with a paper version of the notice, or post prominent signage directing consumers to where the notice can be found online.

              4. When a business collects personal information over the telephone or in person, it may provide the notice orally.

            4. When a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, it shall provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection. For example, if the business offers a flashlight application and the application collects geolocation information, the business shall provide a just-in-time notice, such as through a pop-up window when the consumer opens the application, that contains the information required by this subsection.

            5. A business shall not collect categories of personal information other than those disclosed in the notice at collection. If the business intends to collect additional categories of personal information, the business shall provide a new notice at collection.

            6. If a business does not give the notice at collection to the consumer at or before the point of collection of their personal information, the business shall not collect personal information from the consumer.

          2. A business shall include the following in its notice at collection:

            1. A list of the categories of personal information about consumers to be collected. Each category of personal information shall be written in a manner that provides consumers a meaningful understanding of the information being collected.

            2. The business or commercial purpose(s) for which the categories of personal information will be used.

            3. If the business sells personal information, the link titled “Do Not Sell My Personal Information” required by section 999.315, subsection (a), or in the case of offline notices, where the webpage can be found online.

            4. A link to the business’s privacy policy, or in the case of offline notices, where the privacy policy can be found online.

          3. If a business collects personal information from a consumer online, the notice at collection may be given to the consumer by providing a link to the section of the business’s privacy policy that contains the information required in subsection (b).

          4. A business that does not collect personal information directly from the consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.

          5. A data broker registered with the Attorney General pursuant to Civil Code section 1798.99.80 et seq. does not need to provide a notice at collection to the consumer if it has included in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt-out.

          6. A business collecting employment-related information shall comply with the provisions of section 999.305 except with regard to the following:

            1. The notice at collection of employment-related information does not need to include the link or web address to the link titled “Do Not Sell My Personal Information”.

            2. The notice at collection of employment-related information is not required to provide a link to the business’s privacy policy.

          7. Subsection (f) shall become inoperative on January 1, 2021, unless the CCPA is amended otherwise.
        • § 999.306. Notice of Right to Opt-Out of Sale of Personal Information.
          1. Purpose and General Principles

            1. The purpose of the notice of right to opt-out is to inform consumers of their right to direct a business that sells their personal information to stop selling their personal information.

            2. The notice of right to opt-out shall be designed and presented in a way that is easy to read and understandable to consumers. The notice shall:

              1. Use plain, straightforward language and avoid technical or legal jargon.

              2. Use a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, if applicable.
              3. Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California.

              4. Be reasonably accessible to consumers with disabilities. For notices provided online, the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by reference. In other contexts, the business shall provide information on how a consumer with a disability may access the notice in an alternative format.

          2. A business that sells the personal information of consumers shall provide the notice of right to opt-out to consumers as follows:

            1. A business shall post the notice of right to opt-out on the Internet webpage to which the consumer is directed after clicking on the “Do Not Sell My Personal Information” link on the website homepage or the download or landing page of a mobile application. In addition, a business that collects personal information through a mobile application may provide a link to the notice within the application, such as through the application’s settings menu. The notice shall include the information specified in subsection (c) or link to the section of the business’s privacy policy that contains the same information.

            2. A business that does not operate a website shall establish, document, and comply with another method by which it informs consumers of their right to opt-out. That method shall comply with the requirements set forth in subsection (a)(2).

            3. A business that sells personal information that it collects in the course of interacting with consumers offline shall also inform consumers by an offline method of their right to opt-out and provide instructions on how to submit a request to opt-out. Illustrative examples follow:

              1. A business that sells personal information that it collects from consumers in a brick-and-mortar store may inform consumers of their right to opt-out on the paper forms that collect the personal information or by posting signage in the area where the personal information is collected directing consumers to where the opt-out information can be found online.

              2. A business that sells personal information that it collects over the phone may inform consumers of their right to opt-out orally during the call when the information is collected.

          3. A business shall include the following in its notice of right to opt-out:

            1. A description of the consumer’s right to opt-out of the sale of their personal information by the business;

            2. The interactive form by which the consumer can submit their request to opt-out online, as required by section 999.315, subsection (a), or if the business does not operate a website, the offline method by which the consumer can submit their request to opt-out; and

            3. Instructions for any other method by which the consumer may submit their request to opt-out.

          4. A business does not need to provide a notice of right to opt-out if:

            1. It does not sell personal information; and

            2. It states in its privacy policy that it does not sell personal information.

          5. A business shall not sell the personal information it collected during the time the business did not have a notice of right to opt-out posted unless it obtains the affirmative authorization of the consumer.

          6. Opt-Out Icon.

            1. The following opt-out icon may be used in addition to posting the notice of right to opt-out, but not in lieu of any requirement to post the notice of right to opt-out or a “Do Not Sell My Personal Information” link as required by Civil Code section 1798.135 and these regulations.

            checkbox

            1. The icon shall be approximately the same size as any other icons used by the business on its webpage.
        • § 999.307. Notice of Financial Incentive.
          1. Purpose and General Principles

            1. The purpose of the notice of financial incentive is to explain to the consumer the material terms of a financial incentive or price or service difference the business is offering so that the consumer may make an informed decision about whether to participate. A business that does not offer a financial incentive or price or service difference is not required to provide a notice of financial incentive.

            2. The notice of financial incentive shall be designed and presented in a way that is easy to read and understandable to consumers. The notice shall:

              1. Use plain, straightforward language and avoid technical or legal jargon.

              2. Use a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, if applicable.

              3. Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California.

              4. Be reasonably accessible to consumers with disabilities. For notices provided online, the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by reference. In other contexts, the business shall provide information on how a consumer with a disability may access the notice in an alternative format.

              5. Be readily available where consumers will encounter it before opting-in to the financial incentive or price or service difference.

            3. If the business offers the financial incentive or price or service difference online, the notice may be given by providing a link to the section of a business’s privacy policy that contains the information required in subsection (b).

          2. A business shall include the following in its notice of financial incentive:

            1. A succinct summary of the financial incentive or price or service difference offered;

            2. A description of the material terms of the financial incentive or price or service difference, including the categories of personal information that are implicated by the financial incentive or price or service difference and the value of the consumer’s data;

            3. How the consumer can opt-in to the financial incentive or price or service difference;

            4. A statement of the consumer’s right to withdraw from the financial incentive at any time and how the consumer may exercise that right; and

            5. An explanation of how the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, including:

              1. A good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive or price or service difference; and

              2. A description of the method the business used to calculate the value of the consumer’s data.
        • § 999.308. Privacy Policy.
          1. Purpose and General Principles

            1. The purpose of the privacy policy is to provide consumers with a comprehensive description of a business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information.

            2. The privacy policy shall be designed and presented in a way that is easy to read and understandable to consumers. The policy shall:

              1. Use plain, straightforward language and avoid technical or legal jargon.

              2. Use a format that makes the policy readable, including on smaller screens, if applicable.

              3. Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California.

              4. Be reasonably accessible to consumers with disabilities. For notices provided online, the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by reference. In other contexts, the business shall provide information on how a consumer with a disability may access the policy in an alternative format.

              5. Be available in a format that allows a consumer to print it out as a document.

          2. The privacy policy shall be posted online through a conspicuous link using the word “privacy” on the business’s website homepage or on the download or landing page of a mobile application. If the business has a California-specific description of consumers’ privacy rights on its website, then the privacy policy shall be included in that description. A business that does not operate a website shall make the privacy policy conspicuously available to consumers. A mobile application may include a link to the privacy policy in the application’s settings menu.

          3. The privacy policy shall include the following information:

            1. Right to Know About Personal Information Collected, Disclosed, or Sold.

              1. Explanation that a consumer has the right to request that the business disclose what personal information it collects, uses, discloses, and sells.

              2. Instructions for submitting a verifiable consumer request to know and links to an online request form or portal for making the request, if offered by the business.

              3. General description of the process the business will use to verify the consumer request, including any information the consumer must provide.

              4. Identification of the categories of personal information the business has collected about consumers in the preceding 12 months. The categories shall be described in a manner that provides consumers a meaningful understanding of the information being collected.

              5. Identification of the categories of sources from which the personal information is collected.

              6. Identification of the business or commercial purpose for collecting or selling personal information. The purpose shall be described in a manner that provides consumers a meaningful understanding of why the information is collected or sold.

              7. Disclosure or Sale of Personal Information.

                1. Identification of the categories of personal information, if any, that the business has disclosed for a business purpose or sold to third parties in the preceding 12 months.

                2. For each category of personal information identified, the categories of third parties to whom the information was disclosed or sold.

                3. Statement regarding whether the business has actual knowledge that it sells the personal information of consumers under 16 years of age.

            2. Right to Request Deletion of Personal Information.

              1. Explanation that the consumer has a right to request the deletion of their personal information collected by the business.

              2. Instructions for submitting a verifiable consumer request to delete and links to an online request form or portal for making the request, if offered by the business.

              3. General description of the process the business will use to verify the consumer request, including any information the consumer must provide.

            3. Right to Opt-Out of the Sale of Personal Information.

              1. Explanation that the consumer has a right to opt-out of the sale of their personal information by a business.

              2. Statement regarding whether or not the business sells personal information. If the business sells personal information, include either the contents of the notice of right to opt-out or a link to it in accordance with section 999.306.

            4. Right to Non-Discrimination for the Exercise of a Consumer’s Privacy Rights.

              1. Explanation that the consumer has a right not to receive discriminatory treatment by the business for the exercise of the privacy rights conferred by the CCPA.

            5. Authorized Agent.

              1. Instructions on how an authorized agent can make a request under the CCPA on the consumer’s behalf.

            6. Contact for More Information.

              1. A contact for questions or concerns about the business’s privacy policies and practices using a method reflecting the manner in which the business primarily interacts with the consumer.

            7. Date the privacy policy was last updated.

            8. If subject to the requirements set forth in section 999.317, subsection (g), the information compiled in section 999.317, subsection (g)(1), or a link to it.

            9. If the business has actual knowledge that it sells the personal information of consumers under 16 years of age, a description of the processes required by sections 999.330 and 999.331.
      • Article 3. Business Practices For Handling Consumer Requests
        • § 999.312. Methods for Submitting Requests to Know and Requests to Delete.
          1. A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests to know. All other businesses shall provide two or more designated methods for submitting requests to know, including, at a minimum, a toll-free telephone number. Other acceptable methods for submitting these requests include, but are not limited to, a designated email address, a form submitted in person, and a form submitted through the mail.

          2. A business shall provide two or more designated methods for submitting requests to delete. Acceptable methods for submitting these requests include, but are not limited to, a toll-free phone number, a link or form available online through a business’s website, a designated email address, a form submitted in person, and a form submitted through the mail.

          3. A business shall consider the methods by which it primarily interacts with consumers when determining which methods to provide for submitting requests to know and requests to delete. If the business interacts with consumers in person, the business shall consider providing an in-person method such as a printed form the consumer can directly submit or send by mail, a tablet or computer portal that allows the consumer to complete and submit an online form, or a telephone with which the consumer can call the business’s toll-free number.

          4. A business may use a two-step process for online requests to delete where the consumer must first, submit the request to delete and then second, separately confirm that they want their personal information deleted.

          5. If a consumer submits a request in a manner that is not one of the designated methods of submission, or is deficient in some manner unrelated to the verification process, the business shall either:

            1. Treat the request as if it had been submitted in accordance with the business’s designated manner, or

            2. Provide the consumer with information on how to submit the request or remedy any deficiencies with the request, if applicable.
        • § 999.313. Responding to Requests to Know and Requests to Delete.
          1. Upon receiving a request to know or a request to delete, a business shall confirm receipt of the request within 10 business days and provide information about how the business will process the request. The information provided shall describe in general the business’s verification process and when the consumer should expect a response, except in instances where the business has already granted or denied the request. The confirmation may be given in the same manner in which the request was received. For example, if the request is made over the phone, the confirmation may be given orally during the phone call.

          2. Businesses shall respond to requests to know and requests to delete within 45 calendar days. The 45-day period will begin on the day that the business receives the request, regardless of time required to verify the request. If the business cannot verify the consumer within the 45-day time period, the business may deny the request. If necessary, businesses may take up to an additional 45 calendar days to respond to the consumer’s request, for a maximum total of 90 calendar days from the day the request is received, provided that the business provides the consumer with notice and an explanation of the reason that the business will take more than 45 days to respond to the request.

          3. Responding to Requests to Know.

            1. For requests that seek the disclosure of specific pieces of information about the consumer, if a business cannot verify the identity of the person making the request pursuant to the regulations set forth in Article 4, the business shall not disclose any specific pieces of personal information to the requestor and shall inform the requestor that it cannot verify their identity. If the request is denied in whole or in part, the business shall also evaluate the consumer’s request as if it is seeking the disclosure of categories of personal information about the consumer pursuant to subsection (c)(2).

            2. For requests that seek the disclosure of categories of personal information about the consumer, if a business cannot verify the identity of the person making the request pursuant to the regulations set forth in Article 4, the business may deny the request to disclose the categories and other information requested and shall inform the requestor that it cannot verify their identity. If the request is denied in whole or in part, the business shall provide or direct the consumer to its general business practices regarding the collection, maintenance, and sale of personal information set forth in its privacy policy.

            3. In responding to a request to know, a business is not required to search for personal information if all of the following conditions are met:

              1. The business does not maintain the personal information in a searchable or reasonably accessible format;

              2. The business maintains the personal information solely for legal or compliance purposes;

              3. The business does not sell the personal information and does not use it for any commercial purpose; and

              4. The business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above.

            4. A business shall not disclose in response to a request to know a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics. The business shall, however, inform the consumer with sufficient particularity that it has collected the type of information. For example, a business shall respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.

            5. If a business denies a consumer’s verified request to know specific pieces of personal information, in whole or in part, because of a conflict with federal or state law, or an exception to the CCPA, the business shall inform the requestor and explain the basis for the denial, unless prohibited from doing so by law. If the request is denied only in part, the business shall disclose the other information sought by the consumer.

            6. A business shall use reasonable security measures when transmitting personal information to the consumer.

            7. If a business maintains a password-protected account with the consumer, it may comply with a request to know by using a secure self-service portal for consumers to access, view, and receive a portable copy of their personal information if the portal fully discloses the personal information that the consumer is entitled to under the CCPA and these regulations, uses reasonable data security controls, and complies with the verification requirements set forth in Article 4.

            8. Unless otherwise specified by the business to cover a longer period of time, the 12-month period covered by a consumer’s verifiable request to know referenced in Civil Code section 1798.130, subdivision (a)(2), shall run from the date the business receives the request, regardless of the time required to verify the request.

            9. In responding to a consumer’s verified request to know categories of personal information, categories of sources, and/or categories of third parties, a business shall provide an individualized response to the consumer as required by the CCPA. It shall not refer the consumer to the businesses’ general practices outlined in its privacy policy unless its response would be the same for all consumers and the privacy policy discloses all the information that is otherwise required to be in a response to a request to know such categories.

            10. In responding to a verified request to know categories of personal information, the business shall provide:

              1. The categories of personal information the business has collected about the consumer in the preceding 12 months;

              2. The categories of sources from which the personal information was collected;

              3. The business or commercial purpose for which it collected or sold the personal information;

              4. The categories of third parties with whom the business shares personal information;

              5. The categories of personal information that the business sold in the preceding 12 months, and for each category identified, the categories of third parties to whom it sold that particular category of personal information; and

              6. The categories of personal information that the business disclosed for a business purpose in the preceding 12 months, and for each category identified, the categories of third parties to whom it disclosed that particular category of personal information.

            11. A business shall identify the categories of personal information, categories of sources of personal information, and categories of third parties to whom a business sold or disclosed personal information, in a manner that provides consumers a meaningful understanding of the categories listed.

          4. Responding to Requests to Delete.

            1. For requests to delete, if a business cannot verify the identity of the requestor pursuant to the regulations set forth in Article 4, the business may deny the request to delete. The business shall inform the requestor that their identity cannot be verified.

            2. A business shall comply with a consumer’s request to delete their personal information by:

              1. Permanently and completely erasing the personal information on its existing systems with the exception of archived or back-up systems;

              2. Deidentifying the personal information; or

              3. Aggregating the consumer information.

            3. If a business stores any personal information on archived or backup systems, it may delay compliance with the consumer’s request to delete, with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system or next accessed or used for a sale, disclosure, or commercial purpose.

            4. In responding to a request to delete, a business shall inform the consumer whether or not it has complied with the consumer’s request.

            5. If the business complies with the consumer’s request, the business shall inform the consumer that it will maintain a record of the request as required by section 999.317, subsection (b). A business may retain a record of the request for the purpose of ensuring that the consumer’s personal information remains deleted from the business’s records.

            6. In cases where a business denies a consumer’s request to delete, the business shall do all of the following:

              1. Inform the consumer that it will not comply with the consumer’s request and describe the basis for the denial, including any conflict with federal or state law, or exception to the CCPA, unless prohibited from doing so by law;

              2. Delete the consumer’s personal information that is not subject to the exception; and

              3. Not use the consumer’s personal information retained for any other purpose than provided for by that exception.

            7. If a business that denies a consumer’s request to delete sells personal information and the consumer has not already made a request to opt-out, the business shall ask the consumer if they would like to opt-out of the sale of their personal information and shall include either the contents of, or a link to, the notice of right to opt-out in accordance with section 999.306.

            8. In responding to a request to delete, a business may present the consumer with the choice to delete select portions of their personal information only if a global option to delete all personal information is also offered and more prominently presented than the other choices.
        • § 999.314. Service Providers.
          1. A business that provides services to a person or organization that is not a business, and that would otherwise meet the requirements and obligations of a “service provider” under the CCPA and these regulations, shall be deemed a service provider for purposes of the CCPA and these regulations.

          2. To the extent that a business directs a second entity to collect personal information directly from a consumer, or about a consumer, on the first business’s behalf, and the second entity would otherwise meet the requirements and obligations of a “service provider” under the CCPA and these regulations, the second entity shall be deemed a service provider of the first business for purposes of the CCPA and these regulations.

          3. A service provider shall not retain, use, or disclose personal information obtained in the course of providing services except:

            1. To process or maintain personal information on behalf of the business that provided the personal information or directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA;

            2. To retain and employ another service provider as a subcontractor, where the subcontractor meets the requirements for a service provider under the CCPA and these regulations;

            3. For internal use by the service provider to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source;

            4. To detect data security incidents or protect against fraudulent or illegal activity; or

            5. For the purposes enumerated in Civil Code section 1798.145, subdivisions (a)(1) through (a)(4).

          4. A service provider shall not sell data on behalf of a business when a consumer has opted-out of the sale of their personal information with the business.

          5. If a service provider receives a request to know or a request to delete from a consumer, the service provider shall either act on behalf of the business in responding to the request or inform the consumer that the request cannot be acted upon because the request has been sent to a service provider.

          6. A service provider that is a business shall comply with the CCPA and these regulations with regard to any personal information that it collects, maintains, or sells outside of its role as a service provider.
        • § 999.315. Requests to Opt-Out.
          1. A business shall provide two or more designated methods for submitting requests to opt-out, including an interactive form accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information,” on the business’s website or mobile application. Other acceptable methods for submitting these requests include, but are not limited to, a toll-free phone number, a designated email address, a form submitted in person, a form submitted through the mail, and user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information.

          2. A business shall consider the methods by which it interacts with consumers, the manner in which the business sells personal information to third parties, available technology, and ease of use by the consumer when determining which methods consumers may use to submit requests to opt-out. At least one method offered shall reflect the manner in which the business primarily interacts with the consumer.

          3. If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted pursuant to Civil Code section 1798.120 for that browser or device, or, if known, for the consumer.

            1. Any privacy control developed in accordance with these regulations shall clearly communicate or signal that a consumer intends to opt-out of the sale of personal information.

            2. If a global privacy control conflicts with a consumer’s existing business-specific privacy setting or their participation in a business’s financial incentive program, the business shall respect the global privacy control but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program.

          4. In responding to a request to opt-out, a business may present the consumer with the choice to opt-out of sale for certain uses of personal information as long as a global option to opt-out of the sale of all personal information is more prominently presented than the other choices.

          5. A business shall comply with a request to opt-out as soon as feasibly possible, but no later than 15 business days from the date the business receives the request. If a business sells a consumer’s personal information to any third parties after the consumer submits their request but before the business complies with that request, it shall notify those third parties that the consumer has exercised their right to opt-out and shall direct those third parties not to sell that consumer’s information.

          6. A consumer may use an authorized agent to submit a request to opt-out on the consumer’s behalf if the consumer provides the authorized agent written permission signed by the consumer. A business may deny a request from an authorized agent if the agent cannot provide to the business the consumer’s signed permission demonstrating that they have been authorized by the consumer to act on the consumer’s behalf. User-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information shall be considered a request directly from the consumer, not through an authorized agent.

          7. A request to opt-out need not be a verifiable consumer request. If a business, however, has a good-faith, reasonable, and documented belief that a request to opt-out is fraudulent, the business may deny the request. The business shall inform the requestor that it will not comply with the request and shall provide an explanation why it believes the request is fraudulent.

          8. A business’s methods for submitting request to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not use a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out. Illustrative examples follow:

            1. The business’s process for submitting a request to opt-out shall not require more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out. The number of steps for submitting a request to opt-out is measured from when the consumer clicks on the “Do Not Sell My Personal Information” link to completion of the request. The number of steps for submitting a request to opt-in to the sale of personal information is measured from the first indication by the consumer to the business of their interest to opt-out in completion of the request.

            2. A business shall not use confusing language, such as double-negatives (e.g., “Don’t Not Sell My Personal Information”), when providing consumers the choice to opt-out.

            3. Except as permitted by these regulations, a business shall not require consumers to click through or listen to reasons why they should not submit a request to opt-out before confirming their request.

            4. The business’s process for submitting a request to opt-out shall not require the consumer to provide personal information that is not necessary to implement the request.

            5. Upon clicking the “Do Not Sell My Personal Information” link, the business shall not require the consumer to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out.
        • § 999.316. Requests to Opt-In After Opting-Out of the Sale of Personal Information.
          1. Requests to opt-in to the sale of personal information shall use a two-step opt-in process whereby the consumer shall first, clearly request to opt-in and then second, separately confirm their choice to opt-in.

          2. If a consumer who has opted-out of the sale of their personal information initiates a transaction or attempts to use a product or service that requires the sale of their personal information, a business may inform the consumer that the transaction, product, or service requires the sale of their personal information and provide instructions on how the consumer can opt-in.
        • § 999.317. Training; Record-Keeping.
          1. All individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA shall be informed of all of the requirements in the CCPA and these regulations and how to direct consumers to exercise their rights under the CCPA and these regulations.

          2. A business shall maintain records of consumer requests made pursuant to the CCPA and how it responded to the requests for at least 24 months. The business shall implement and maintain reasonable security procedures and practices in maintaining these records.

          3. The records may be maintained in a ticket or log format provided that the ticket or log includes the date of request, nature of request, manner in which the request was made, the date of the business’s response, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part.

          4. A business’s maintenance of the information required by this section, where that information is not used for any other purpose, does not taken alone violate the CCPA or these regulations.

          5. Information maintained for record-keeping purposes shall not be used for any other purpose except as reasonably necessary for the business to review and modify its processes for compliance with the CCPA and these regulations. Information maintained for record-keeping purposes shall not be shared with any third party except as necessary to comply with a legal obligation.

          6. Other than as required by subsection (b), a business is not required to retain personal information solely for the purpose of fulfilling a consumer request made under the CCPA.

          7. A business that knows or reasonably should know that it, alone or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 10,000,000 or more consumers in a calendar year shall:

            1. Compile the following metrics for the previous calendar year:

              1. The number of requests to know that the business received, complied with in whole or in part, and denied;

              2. The number of requests to delete that the business received, complied with in whole or in part, and denied;

              3. The number of requests to opt-out that the business received, complied with in whole or in part, and denied; and

              4. The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.

            2. Disclose, by July 1 of every calendar year, the information compiled in subsection (g)(1) within their privacy policy or posted on their website and accessible from a link included in their privacy policy.

              1. In its disclosure pursuant to subsection (g)(2), a business may choose to disclose the number of requests that it denied in whole or in part because the request was not verifiable, was not made by a consumer, called for information exempt from disclosure, or was denied on other grounds.

            3. Establish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests made under the CCPA or the business’s compliance with the CCPA are informed of all the requirements in these regulations and the CCPA.

          8. A business may choose to compile and disclose the information required by subsection (g)(1) for requests received from all individuals, rather than requests received from consumers. The business shall state whether it has done so in its disclosure and shall, upon request, compile and provide to the Attorney General the information required by subsection (g)(1) for requests received from consumers.
        • § 999.318. Requests to Know or Delete Household Information.
          1. Where a household does not have a password-protected account with a business, a business shall not comply with a request to know specific pieces of personal information about the household or a request to delete household personal information unless all of the following conditions are satisfied:

            1. All consumers of the household jointly request to know specific pieces of information for the household or the deletion of household personal information;

            2. The business individually verifies all the members of the household subject to the verification requirements set forth in section 999.325; and

            3. The business verifies that each member making the request is currently a member of the household.

          2. Where a consumer has a password-protected account with a business that collects personal information about a household, the business may process requests to know and requests to delete relating to household information through the business’s existing business practices and in compliance with these regulations.

          3. If a member of a household is a consumer under the age of 13, a business must obtain verifiable parental consent before complying with a request to know specific pieces of information for the household or the deletion of household personal information pursuant to the parental consent provisions in section 999.330.
      • Article 4. Verification Of Requests
        • § 999.323. General Rules Regarding Verification.
          1. A business shall establish, document, and comply with a reasonable method for verifying that the person making a request to know or a request to delete is the consumer about whom the business has collected information.

          2. In determining the method by which the business will verify the consumer’s identity, the business shall:

            1. Whenever feasible, match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, or use a third-party identity verification service that complies with this section.

            2. Avoid collecting the types of personal information identified in Civil Code section 1798.81.5, subdivision (d), unless necessary for the purpose of verifying the consumer.

            3. Consider the following factors:

              1. The type, sensitivity, and value of the personal information collected and maintained about the consumer. Sensitive or valuable personal information shall warrant a more stringent verification process. The types of personal information identified in Civil Code section 1798.81.5, subdivision (d), shall be considered presumptively sensitive;

              2. The risk of harm to the consumer posed by any unauthorized access or deletion. A greater risk of harm to the consumer by unauthorized access or deletion shall warrant a more stringent verification process;

              3. The likelihood that fraudulent or malicious actors would seek the personal information. The higher the likelihood, the more stringent the verification process shall be;

              4. Whether the personal information to be provided by the consumer to verify their identity is sufficiently robust to protect against fraudulent requests or being spoofed or fabricated;

              5. The manner in which the business interacts with the consumer; and

              6. Available technology for verification.

          3. A business shall generally avoid requesting additional information from the consumer for purposes of verification. If, however, the business cannot verify the identity of the consumer from the information already maintained by the business, the business may request additional information from the consumer, which shall only be used for the purposes of verifying the identity of the consumer seeking to exercise their rights under the CCPA, security, or fraud-prevention. The business shall delete any new personal information collected for the purposes of verification as soon as practical after processing the consumer’s request, except as required to comply with section 999.317.

          4. A business shall not require the consumer or the consumer’s authorized agent to pay a fee for the verification of their request to know or request to delete. For example, a business may not require a consumer to provide a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of notarization.

          5. A business shall implement reasonable security measures to detect fraudulent identity-verification activity and prevent the unauthorized access to or deletion of a consumer’s personal information.

          6. If a business maintains consumer information that is deidentified, a business is not obligated to provide or delete this information in response to a consumer request or to re-identify individual data to verify a consumer request.
        • § 999.324. Verification for Password-Protected Accounts.
          1. If a business maintains a password-protected account with the consumer, the business may verify the consumer’s identity through the business’s existing authentication practices for the consumer’s account, provided that the business follows the requirements in section 999.323. The business shall also require a consumer to re-authenticate themself before disclosing or deleting the consumer’s data.

          2. If a business suspects fraudulent or malicious activity on or from the password-protected account, the business shall not comply with a consumer’s request to know or request to delete until further verification procedures determine that the consumer request is authentic and the consumer making the request is the person about whom the business has collected information. The business may use the procedures set forth in section 999.325 to further verify the identity of the consumer.
        • § 999.325. Verification for Non-Accountholders.
          1. If a consumer does not have or cannot access a password-protected account with a business, the business shall comply with this section, in addition to section 999.323.

          2. A business’s compliance with a request to know categories of personal information requires that the business verify the identity of the consumer making the request to a reasonable degree of certainty. A reasonable degree of certainty may include matching at least two data points provided by the consumer with data points maintained by the business that it has determined to be reliable for the purpose of verifying the consumer.

          3. A business’s compliance with a request to know specific pieces of personal information requires that the business verify the identity of the consumer making the request to a reasonably high degree of certainty. A reasonably high degree of certainty may include matching at least three pieces of personal information provided by the consumer with personal information maintained by the business that it has determined to be reliable for the purpose of verifying the consumer together with a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. If a business uses this method for verification, the business shall maintain all signed declarations as part of its record-keeping obligations.

          4. A business’s compliance with a request to delete may require that the business verify the identity of the consumer to a reasonable or reasonably high degree of certainty depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion. For example, the deletion of family photographs may require a reasonably high degree of certainty, while the deletion of browsing history may require only a reasonable degree of certainty. A business shall act in good faith when determining the appropriate standard to apply when verifying the consumer in accordance with these regulations.

          5. Illustrative examples follow:

            1. Example 1: If a business maintains personal information in a manner associated with a named actual person, the business may verify the consumer by requiring the consumer to provide evidence that matches the personal information maintained by the business. For example, if a retailer maintains a record of purchases made by a consumer, the business may require the consumer to identify items that they recently purchased from the store or the dollar amount of their most recent purchase to verify their identity to a reasonable degree of certainty.

            2. Example 2: If a business maintains personal information in a manner that is not associated with a named actual person, the business may verify the consumer by requiring the consumer to demonstrate that they are the sole consumer associated with the personal information. For example, a business may have a mobile application that collects personal information about the consumer but does not require an account. The business may determine whether, based on the facts and considering the factors set forth in section 999.323, subsection (b)(3), it may reasonably verify a consumer by asking them to provide information that only the person who used the mobile application may know or by requiring the consumer to respond to a notification sent to their device.

          6. A business shall deny a request to know specific pieces of personal information if it cannot verify the identity of the requestor pursuant to these regulations.

          7. If there is no reasonable method by which a business can verify the identity of the consumer to the degree of certainty required by this section, the business shall state so in response to any request and explain why it has no reasonable method by which it can verify the identity of the requestor. If the business has no reasonable method by which it can verify any consumer, the business shall explain why it has no reasonable verification method in its privacy policy. The business shall evaluate and document whether a reasonable method can be established at least once every 12 months, in connection with the requirement to update the privacy policy set forth in Civil Code section 1798.130, subdivision (a)(5).
        • § 999.326. Authorized Agent.
          1. When a consumer uses an authorized agent to submit a request to know or a request to delete, a business may require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. The business may also require the consumer to do either of the following:

            1. Verify their own identity directly with the business.

            2. Directly confirm with the business that they provided the authorized agent permission to submit the request.

          2. Subsection (a) does not apply when a consumer has provided the authorized agent with power of attorney pursuant to Probate Code sections 4121 to 4130.

          3. An authorized agent shall implement and maintain reasonable security procedures and practices to protect the consumer’s information.

          4. An authorized agent shall not use a consumer’s personal information, or any information collected from or about the consumer, for any purposes other than to fulfill the consumer’s requests, verification, or fraud prevention.
      • Article 5. Special Rules Regarding Consumers Under 16 Years Of Age
        • § 999.330. Consumers Under 13 Years of Age.
          1. Process for Opting-In to Sale of Personal Information

            1. A business that has actual knowledge that it sells the personal information of a consumer under the age of 13 shall establish, document, and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information about the child is the parent or guardian of that child. This affirmative authorization is in addition to any verifiable parental consent required under COPPA.

            2. Methods that are reasonably calculated to ensure that the person providing consent is the child’s parent or guardian include, but are not limited to:

              1. Providing a consent form to be signed by the parent or guardian under penalty of perjury and returned to the business by postal mail, facsimile, or electronic scan;

              2. Requiring a parent or guardian, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;

              3. Having a parent or guardian call a toll-free telephone number staffed by trained personnel;

              4. Having a parent or guardian connect to trained personnel via video-conference;

              5. Having a parent or guardian communicate in person with trained personnel; and

              6. Verifying a parent or guardian’s identity by checking a form of government-issued identification against databases of such information, as long as the parent or guardian’s identification is deleted by the business from its records promptly after such verification is complete.

          2. When a business receives an affirmative authorization pursuant to subsection (a), the business shall inform the parent or guardian of the right to opt-out and of the process for doing so on behalf of their child pursuant to section 999.315, subsections (a)-(f).

          3. A business shall establish, document, and comply with a reasonable method, in accordance with the methods set forth in subsection (a)(2), for determining that a person submitting a request to know or a request to delete the personal information of a child under the age of 13 is the parent or guardian of that child.
        • § 999.331. Consumers 13 to 15 Years of Age.
          1. A business that has actual knowledge that it sells the personal information of consumers at least 13 years of age and less than 16 years of age shall establish, document, and comply with a reasonable process for allowing such consumers to opt-in to the sale of their personal information, pursuant to section 999.316.

          2. When a business receives a request to opt-in to the sale of personal information from a consumer at least 13 years of age and less than 16 years of age, the business shall inform the consumer of the right to opt-out at a later date and of the process for doing so pursuant to section 999.315.
      • Article 6. Non-Discrimination
        • § 999.332. Notices to Consumers Under 16 Years of Age.
          1. A business subject to sections 999.330 and/or 999.331 shall include a description of the processes set forth in those sections in its privacy policy.

          2. A business that exclusively targets offers of goods or services directly to consumers under 16 years of age and does not sell the personal information without the affirmative authorization of consumers at least 13 years of age and less than 16 years of age, or the affirmative authorization of their parent or guardian for consumers under 13 years of age, is not required to provide the notice of right to opt-out.
        • § 999.336. Discriminatory Practices.
          1. A financial incentive or a price or service difference is discriminatory, and therefore prohibited by Civil Code section 1798.125, if the business treats a consumer differently because the consumer exercised a right conferred by the CCPA or these regulations.

          2. A business may offer a financial incentive or price or service difference if it is reasonably related to the value of the consumer’s data. If a business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, that business shall not offer the financial incentive or price or service difference.

          3. A business’s denial of a consumer’s request to know, request to delete, or request to opt-out for reasons permitted by the CCPA or these regulations shall not be considered discriminatory.

          4. Illustrative examples follow:

            1. Example 1: A music streaming business offers a free service as well as a premium service that costs $5 per month. If only the consumers who pay for the music streaming service are allowed to opt-out of the sale of their personal information, then the practice is discriminatory, unless the $5-per-month payment is reasonably related to the value of the consumer’s data to the business.

            2. Example 2: A clothing business offers a loyalty program whereby customers receive a $5-off coupon by email after spending $100 with the business. A consumer submits a request to delete all personal information the business has collected about them but also informs the business that they want to continue to participate in the loyalty program. The business may deny their request to delete with regard to their email address and the amount the consumer has spent with the business because that information is necessary for the business to provide the loyalty program requested by the consumer and is reasonably anticipated within the context of the business’s ongoing relationship with them pursuant to Civil Code section 1798.105, subdivision (d)(1).

            3. Example 3: A grocery store offers a loyalty program whereby consumers receive coupons and special discounts when they provide their phone numbers. A consumer submits a request to opt-out of the sale of their personal information. The retailer complies with their request but no longer allows the consumer to participate in the loyalty program. This practice is discriminatory unless the grocery store can demonstrate that the value of the coupons and special discounts are reasonably related to the value of the consumer’s data to the business.

            4. Example 4: An online bookseller collects information about consumers, including their email addresses. It offers coupons to consumers through browser pop-up windows while the consumer uses the bookseller’s website. A consumer submits a request to delete all personal information that the bookseller has collected about them, including their email address and their browsing and purchasing history. The bookseller complies with the request but stops providing the periodic coupons to the consumer. The bookseller’s failure to provide coupons is discriminatory unless the value of the coupons is reasonably related to the value provided to the business by the consumer’s data. The bookseller may not deny the consumer’s request to delete with regard to the email address because the email address is not necessary to provide the coupons or reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.

          5. A business shall notify consumers of any financial incentive or price or service difference subject to Civil Code section 1798.125 that it offers in accordance with section 999.307.

          6. A business’s charging of a reasonable fee pursuant to Civil Code section 1798.145, subdivision (i)(3), shall not be considered a financial incentive subject to these regulations.

          7. A price or service difference that is the direct result of compliance with a state or federal law shall not be considered discriminatory.
        • § 999.337. Calculating the Value of Consumer Data
          1. A business offering a financial incentive or price or service difference subject to Civil Code section 1798.125 shall use and document a reasonable and good faith method for calculating the value of the consumer’s data. The business shall consider one or more of the following:

            1. The marginal value to the business of the sale, collection, or deletion of a consumer’s data.

            2. The average value to the business of the sale, collection, or deletion of a consumer’s data.

            3. The aggregate value to the business of the sale, collection, or deletion of consumers’ data divided by the total number of consumers.

            4. Revenue generated by the business from sale, collection, or retention of consumers’ personal information.

            5. Expenses related to the sale, collection, or retention of consumers’ personal information.

            6. Expenses related to the offer, provision, or imposition of any financial incentive or price or service difference.

            7. Profit generated by the business from sale, collection, or retention of consumers’ personal information.

            8. Any other practical and reasonably reliable method of calculation used in good faith.

          2. For the purpose of calculating the value of consumer data, a business may consider the value to the business of the data of all natural persons in the United States and not just consumers.
  • Colorado
    • Colorado Privacy Act (CPA)
      • Legislative Declaration
        • 6-1-1301. Short Title.
          The short title of this part 13 is the "Colorado privacy act".
        • 6-1-1302. Legislative Declaration.
          1. The general assembly hereby:

            1. Finds that:

              1. The people of Colorado regard their privacy as a fundamental right and an essential element of their individual freedom;

              2. Colorado's constitution explicitly provides the right to privacy under section 7 of article ii, and fundamental privacy rights have long been, and continue to be, integral to protecting and to safeguarding our democratic republic;

              3. Ongoing advances in technology have produced exponential growth in the volume and variety of personal data being generated, collected, stored, and analyzed and these advances present both promise and potential peril;

              4. The ability to harness and use data in positive ways is driving innovation and brings beneficial technologies to society, but it has also created risks to privacy and freedom; and

              5. The unauthorized disclosure of personal information and loss of privacy can have devastating impacts ranging from financial fraud, identity theft, and unnecessary costs in personal time and finances to destruction of property, harassment, reputational damage, emotional distress, and physical harm;

            2. Determines that:

              1. Technological innovation and new uses of data can help solve societal problems and improve lives, and it is possible to build a world where technological innovation and privacy can coexist; and

              2. States across the united states are looking to this part 13 and similar models to enact state-based data privacy requirements and to exercise the leadership that is lacking at the national level; and

            3. Declares that:

              1. By enacting this part 13, Colorado will be among the states that empower consumers to protect their privacy and require companies to be responsible custodians of data as they continue to innovate;

              2. This part 13 addresses issues of statewide concern and:

                1. Provides consumers the right to access, correct, and delete personal data and the right to opt out not only of the sale of personal data but also of the collection and use of personal data;

                2. Imposes an affirmative obligation upon companies to safeguard personal data; to provide clear, understandable, and transparent information to consumers about how their personal data are used; and to strengthen compliance and accountability by requiring data protection assessments in the collection and use of personal data; and

                3. Empowers the attorney general and district attorneys to access and evaluate a company's data protection assessments, to impose penalties where violations occur, and to prevent future violations.
        • 6-1-1303. Definitions.
          As used in this part 13, unless the context otherwise requires:
           
          1. "Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity. as used in this subsection (1), "control" means:

            1. Ownership of, control of, or power to vote twenty-five percent or more of the outstanding shares of any class of voting security of the entity, directly or indirectly, or acting through one or more other persons;

            2. Control in any manner over the election of a majority of the directors, trustees, or general partners of the entity or of individuals exercising similar functions; or

            3. The power to exercise, directly or indirectly, a controlling influence over the management or policies of the entity as determined by the applicable prudential regulator, as that term is defined in 12 U.S.C. sec. 5481 (24), if any.

          2. "Authenticate" means to use reasonable means to determine that a request to exercise any of the rights in section 6-1-1306 (1) is being made by or on behalf of the consumer who is entitled to exercise the rights.

          3. "Business associate" has the meaning established in 45 CFR 160.103.

          4. "Child" means an individual under thirteen years of age.

          5. "Consent" means a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data. the following does not constitute consent:

            1. Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;

            2. Hovering over, muting, pausing, or closing a given piece of content; and

            3. Agreement obtained through dark patterns.

          6. "Consumer":

            1. Means an individual who is a Colorado resident acting only in an individual or household context; and

            2. Does not include an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.

          7. "Controller" means a person that, alone or jointly with others, determines the purposes for and means of processing personal data.

          8. "Covered entity" has the meaning established in 45 CFR 160.103.

          9. "Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.

          10. "Decisions that produce legal or similarly significant effects concerning a consumer" means a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.

          11. "De-identified data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data:

            1. Takes reasonable measures to ensure that the data cannot be associated with an individual;

            2. Publicly commits to maintain and use the data only in a de-identified fashion and not attempt to re-identify the data; and

            3. Contractually obligates any recipients of the information to comply with the requirements of this subsection (11).

          12. "Health-care facility" means any entity that is licensed, certified, or otherwise authorized or permitted by law to administer medical treatment in this state.

          13. "Health-care information" means individually identifiable information relating to the past, present, or future health status of an individual.

          14. "Health-care provider" means a person licensed, certified, or registered in this state to practice medicine, pharmacy, chiropractic, nursing, physical therapy, podiatry, dentistry, optometry, occupational therapy, or other healing arts under Title 12.

          15. "HIPAA" means the federal "Health Insurance Portability and Accountability act of 1996", as amended, 42 U.S.C. secs. 1320d to 1320d-9.

          16. "Identified or identifiable individual" means an individual who can be readily identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, specific geolocation data, or an online identifier.

          17. "Personal data":

            1. Means information that is linked or reasonably linkable to an identified or identifiable individual; and

            2. Does not include de-identified data or publicly available Information. As used in this subsection (17)(b), "publicly available information" means information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.

          18. "Process" or "processing" means the collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data and includes the actions of a controller directing a processor to process personal data.

          19. "Processor" means a person that processes personal data on behalf of a controller.

          20. "Profiling" means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

          21. "Protected health information" has the meaning established in 45 CFR 160.103.

          22. "Pseudonymous data" means personal data that can no longer be attributed to a specific individual without the use of additional information if the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to a specific individual.

          23. (a)  "Sale", "sell", or "sold" means the exchange of personal data for monetary or other valuable consideration by a controller to a third party.

            1. "Sale", "sell", or "sold" does not include the following:

              1. The disclosure of personal data to a processor that processes the personal data on behalf of a controller;

              2. The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;

              3. The disclosure or transfer of personal data to an affiliate of the controller;

              4. The disclosure or transfer to a third party of personal data as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets; or

              5. The disclosure of personal data:

                1. That a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party; or
                2. Intentionally made available by a consumer to the general public via a channel of mass media.

          24. "Sensitive data" means:

            1. Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status;

            2. Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or

            3. Personal data from a known child.

          25. "Targeted advertising":

            1. Means displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer's activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests; and

            2. Does not include:

              1. Advertising to a consumer in response to the consumer's request for information or feedback;

              2. Advertisements based on activities within a controller's own websites or online applications;

              3. Advertisements based on the context of a consumer's current search query, visit to a website, or online application; or

              4.  Processing personal data solely for measuring or reporting advertising performance, reach, or frequency.

          26. "Third party" means a person, public authority, agency, or body other than a consumer, controller, processor, or affiliate of the processor or the controller.
        • 6-1-1304. Applicability of Part.
          1. Except as specified in subsection (2) of this section, this part 13 applies to a controller that:

            1. Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and

            2. Satisfies one or both of the following thresholds:

              1. Controls or processes the personal data of one hundred thousand consumers or more during a calendar year; or

              2. Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of twenty-five thousand consumers or more.

          2. This part 13 does not apply to:

            1. Protected health information that is collected, stored, and processed by a covered entity or its business associates;

            2. Health-care information that is governed by part 8 of article 1 of title 25 solely for the purpose of access to medical records;

            3. Patient identifying information, as defined in 42 CFR 2.11, that are governed by and collected and processed pursuant to 42 CFR 2, established pursuant to 42 U.S.C. sec. 290dd-2;

            4. Identifiable private information, as defined in 45 CFR 46.102, for purposes of the federal policy for the protection of human subjects pursuant to 45 CFR 46; identifiable private information that is collected as part of human subjects research pursuant to the ICH E6 Good Clinical Practice Guideline issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or the protection of human subjects under 21 CFR 50 and 56; or personal data used or shared in research conducted in accordance with one or more of the categories set forth in this subsection (2)(d);

            5. Information and documents created by a covered entity for purposes of complying with HIPAA and its implementing regulations;

            6. Patient safety work product, as defined in 42 CFR 3.20, that is created for purposes of patient safety improvement pursuant to 42 CFR 3, established pursuant to 42 U.S.C. secs. 299b-21 to 299b-26;

            7. Information that is:

              1. De-identified in accordance with the requirements for de-identification set forth in 45 CFR 164; and

              2. Derived from any of the health-care-related information described in this section.

            8. Information maintained in the same manner as information under subsections (2)(a) to (2)(g) of this section by:

              1. A covered entity or business associate;

              2. A health-care facility or health-care provider; or

              3. A program of a qualified service organization as defined in 42 CFR 2.11;

            9. Except as provided in subsection (2)(i)(ii) of this section

              1. An activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by:

                1. A consumer reporting agency as defined in 15 U.S.C. sec. 1681a(f);

                2. A furnisher of information as set forth in 15 U.S.C. sec. 1681s-2 that provides information for use in a consumer report, as defined in 15 U.S.C. sec. 1681a(d); or

                3. A user of a consumer report as set forth in 15 U.S.C. sec. 1681b.

              2. This subsection (2)(i) applies only to the extent that the activity is regulated by the federal "Fair Credit Reporting Act", 15 U.S.C. sec. 1681 et seq., as amended, and the personal data are not collected, maintained, disclosed, sold, communicated, or used except as authorized by the federal "Fair Credit Reporting Act", as amended.

            10. Personal data:

              1. Collected and maintained for purposes of article 22 of title 10;

              2. Collected, processed, sold, or disclosed pursuant to the federal "Gramm-Leach-Bliley Act", 15 U.S.C. sec. 6801 et seq., as amended, and implementing regulations, if the collection, processing, sale, or disclosure is in compliance with that law;

              3. Collected, processed, sold, or disclosed pursuant to the federal "Driver's Privacy Protection Act of 1994", 18 U.S.C. sec. 2721 et seq., as amended, if the collection, processing, sale, or disclosure is regulated by that law, including implementing rules, regulations, or exemptions;

              4. Regulated by the federal "Children's Online Privacy Protection Act of 1998", 15 U.S.C. secs. 6501 to 6506, as amended, if collected, processed, and maintained in compliance with that law; or (V) regulated by the federal "Family Educational Rights and Privacy Act of 1974", 20 U.S.C. sec. 1232g et seq., as amended, and its implementing regulations;

            11. Data maintained for employment records purposes;

            12. An air carrier as defined in and regulated under 49 U.S.C. sec. 40101 et seq., as amended, and 49 U.S.C. sec. 41713, as amended;

            13. A national securities association registered pursuant to the federal "Securities Exchange Act of 1934", 15 U.S.C. sec. 78o-3, as amended, or implementing regulations;

            14. Customer data maintained by a public utility as defined in section 40-1-103 (1)(a)(i) or an authority as defined in section 43-4-503 (1), if the data are not collected, maintained, disclosed, sold, communicated, or used except as authorized by state and federal law;

            15. Data maintained by a state institution of higher education, as defined in section 23-18-102 (10), the state, the judicial department of the state, or a county, city and county, or municipality if the data is collected, maintained, disclosed, communicated, and used as authorized by state and federal law for noncommercial purposes. This subsection (2)(o) does not effect any other exemption available under this part 13.

            16. Information used and disclosed in compliance with 45 CFR 164.512; or

            17. A financial institution or an affiliate of a financial institution as defined by and that is subject to the federal "Gramm-Leach-Bliley Act", 15 U.S.C. sec. 6801 et seq., as amended, and implementing regulations, including Regulation P, 12 CFR 1016.

          3. The obligations imposed on controllers or processors under this part 13 do not:

            1. Restrict a controller's or processor's ability to:

              1. Comply with federal, state, or local laws, rules, or regulations;

              2. Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;

              3. Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local law;

              4. Investigate, exercise, prepare for, or defend actual or anticipated legal claims;

              5. Conduct internal research to improve, repair, or develop products, services, or technology;

              6. Identify and repair technical errors that impair existing or intended functionality;

              7. Perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller;

              8. Provide a product or service specifically requested by a consumer or the parent or guardian of a child, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract;

              9. Protect the vital interests of the consumer or of another individual;

              10. Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action;

              11. Process personal data for reasons of public interest the area of public health, but solely to the extent that the processing:

                1. Is subject to suitable and specific measures to safeguard the rights of the consumer whose personal data are processed; and

                2. Is under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law; or

              12. assist another person with any of the activities set forth in this subsection (3);

            2. Apply where compliance by the controller or processor with this part 13 would violate an evidentiary privilege under Colorado law;

            3. Prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Colorado law as part of a privileged communication;

            4. Apply to information made available by a third party that the controller has a reasonable basis to believe is protected speech pursuant to applicable law; and

            5. Apply to the processing of personal data by an individual in the

            6. Course of a purely personal or household activity.

          4. Personal data that are processed by a controller pursuant to an exception provided by this section:

            1. Shall not be processed for any purpose other than a purpose expressly listed in this section or as otherwise authorized by this part 13; and

            2. Shall be processed solely to the extent that the processing is necessary, reasonable, and proportionate to the specific purpose or purposes listed in this section or as otherwise authorized by this part 13.

          5. If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements in subsection (4) of this section.
        • 6-1-1305. Responsibility according to role.
          1. Controllers and processors shall meet their respective obligations established under this part 13.

          2. Processors shall adhere to the instructions of the controller and assist the controller to meet its obligations under this part 13. Taking into account the nature of processing and the information available to the processor, the processor shall assist the controller by:

            1. Taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to consumer requests to exercise their rights pursuant to section 6-1-1306;

            2. Helping to meet the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 6-1-716; and

            3. Providing information to the controller necessary to enable the controller to conduct and document any data protection assessments required by section 6-1-1309. The controller and processor are each responsible for only the measures allocated to them.

          3. Notwithstanding the instructions of the controller, a processor shall:

            1. Ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and

            2. Engage a subcontractor only after providing the controller with an opportunity to object and pursuant to a written contract in accordance with subsection (5) of this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

          4. Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures.

          5. Processing by a processor must be governed by a contract between the controller and the processor that is binding on both parties and that sets out:

            1. The processing instructions to which the processor is bound, including the nature and purpose of the processing;

            2. The type of personal data subject to the processing, and the duration of the processing;

            3. The requirements imposed by this subsection (5) and subsections (3) and (4) of this section; and

            4. The following requirements:

              1. At the choice of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;

              2. The processor shall make:

                1. Available to the controller all information necessary to demonstrate compliance with the obligations in this part 13; and

                2. The processor shall allow for, and contribute to, reasonable audits and inspections by the controller or the controller's designated auditor. Alternatively, the processor may, with the controller's consent, arrange for a qualified and independent auditor to conduct, at least annually and at the processor's expense, an audit of the processor's policies and technical and organizational measures ii\i support of the obligations under this part 13 using an appropriate and accepted control standard or framework and audit procedure for the audits as applicable. the processor shall provide a report of the audit to the controller upon request.

          6. In no event may a contract relieve a controller or a processor from the liabilities imposed on them by virtue of its role in the processing relationship as defined by this part 13.

          7. Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data are to be processed. A person that is not limited in its processing of personal data pursuant to a controller's instructions, or that fails to adhere to the instructions, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, it is a controller with respect to the processing.

          8. A controller or processor that discloses personal data to another controller or processor in compliance with this part 13 does not:

            1. Violate this part 13 if the recipient processes the personal data in violation of this part 13, and, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation.

            2. A controller or processor receiving personal data from a controller or processor in compliance with this part 13 as specified in subsection (8)(a) of this section does not violate this part 13 if the controller or processor from which it receives the personal data fails to comply with applicable obligations under this part 13.
        • 6-1-1306. Consumer Personal Data Rights - Repeal.
          1. Consumers may exercise the following rights by submitting a request using the methods specified by the controller in the privacy notice required under section 6-1-1308 ( 1 )(a). The method must take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication relating to the request, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to this section but may require a consumer to use an existing account. A consumer may submit a request at any time to a controller specifying which of the following rights the consumer wishes to exercise:

            1. Right to Opt Out.

              1. A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of:

                1. Targeted advertising;

                2. The sale of personal data; or

                3. Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

              2. A consumer may authorize another person, acting on the consumer's behalf, to opt out of the processing of the consumer's personal data for one or more of the purposes specified in subsection (1)(a)(i) of this section, including through a technology indicating the consumer's intent to opt out such as a web link indicating a preference or browser setting, browser extension, or global device setting. a controller shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer's behalf if the controller is able to authenticate, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf.

              3. A controller that processes personal data for purposes of targeted advertising or the sale of personal data shall provide a clear and conspicuous method to exercise the right to opt out of the processing of personal data concerning the consumer pursuant to subsection (1)(a)(i) of this section. the controller shall provide the opt-out method clearly and conspicuously in any privacy notice required to be provided to consumers under this part 13, and in a clear, conspicuous, and readily accessible location outside the privacy notice.

              4. A controller that processes personal data for purposes of targeted advertising or the sale of personal data may:

                1. Allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(i)(a) and (1)(a)(i)(b) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6-1-1313. This subsection (1)(a)(iv)(a) is repealed, effective July 1, 2024.

                2. Effective July 1, 2024, a controller that processes personal data for purposes of targeted advertising or the sale of personal data shall allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(i)(a) and (1)(a)(i)(b) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6-1-1313.

                3. Notwithstanding a consumer's decision to exercise the right to opt out of the processing of personal data through a universal opt-out mechanism pursuant to subsection (1)(a)(iv)(b) of this section, a controller may enable the consumer to consent, through a web page, application, or a similar method, to the processing of the consumer's personal data for purposes of targeted advertising or the sale of personal data, and the consent takes precedence over any choice reflected through the universal opt-out mechanism. before obtaining a consumer's consent to process personal data for purposes of targeted advertising or the sale of personal data pursuant to this subsection (1)(a)(iv)(c), a controller shall provide the consumer with a clear and conspicuous notice informing the consumer about the choices available under this section, describing the categories of personal data to be processed and the purposes for which they will be processed, and explaining how and where the consumer may withdraw consent. the web page, application, or other means by which a controller obtains a consumer's consent to process personal data for purposes of targeted advertising or the sale of personal data must also allow the consumer to revoke the consent as easily as it is affirmatively provided.

            2. Right of Access. A consumer has the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer's personal data.

            3. Right to Correction. A consumer has the right to correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.

            4. Right to Deletion. A consumer has the right to delete personal data concerning the consumer.

            5. Right to Data Portability. When exercising the right to access personal data pursuant to subsection (1)(b) of this section, a consumer has the right to obtain the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance. a consumer may exercise this right no more than two times per calendar year. nothing in this subsection (1)(e) requires a controller to provide the data to the consumer in a manner that would disclose the controller's trade secrets.

          2. Responding To Consumer Requests.

            1. A controller shall inform a consumer of any action taken on a request under subsection (1) of this section without undue delay and, in any event, within forty-five days after receipt of the request. the controller may extend the forty-five-day period by forty-five additional days where reasonably necessary, taking into account the complexity and number of the requests. the controller shall inform the consumer of an extension within forty-five days after receipt of the request, together with the reasons for the delay.

            2. If a controller does not take action on the request of a consumer, the controller shall inform the consumer, without undue delay and, at the latest, within forty-five days after receipt of the request, of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subsection (3) of this section.

            3. Upon request, a controller shall provide to the consumer the information specified in this section free of charge; except that, for a second or subsequent request within a twelve-month period, the controller may charge an amount calculated in the manner specified in section 24-72-205 (5)(a).

            4. A controller is not required to comply with a request to exercise any of the rights under subsection (1) of this section if the controller is unable to authenticate the request using commercially reasonable efforts, in which case the controller may request the provision of additional information reasonably necessary to authenticate the request.

          3. A controller shall establish an internal process whereby consumers may:

            1. Appeal a refusal to take action on a request to exercise any of the rights under subsection (1) of this section within a reasonable period after the consumer's receipt of the notice sent by the controller under subsection (2)(b) of this section. the appeal process must be conspicuously available and as easy to use as the process for submitting a request under this section.

            2. Within forty-five days after receipt of an appeal, a controller shall inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support of the response. the controller may extend the forty-five-day period by sixty additional days where reasonably necessary, taking into account the complexity and number of requests serving as the basis for the appeal. the controller shall inform the consumer of an extension within forty-five days after receipt of the appeal, together with the reasons for the delay.

            3. The controller shall inform the consumer of the consumer's ability to contact the attorney general if the consumer has concerns about the result of the appeal.
        • 6-1-1307. Processing De-Identified Data.
          1. This part 13 does not require a controller or processor to do any of the following solely for purposes of complying with this part 13:

            1. Reidentify de-identified data;

            2. Comply with an authenticated consumer request to access, correct, delete, or provide personal data in a portable format pursuant to section 6-1-1306 (1), if all of the following are true:

              1. The controller is:

                1. Not reasonably capable of associating the request with the personal data; or

                2. It would be unreasonably burdensome for the controller to associate the request with the personal data;

              2. The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer; and

              3. the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party, except as otherwise authorized by the consumer; or

            3. Maintain data in identifiable form or collect, obtain, retain, or access any data or technology in order to enable the controller to associate an authenticated consumer request with personal data.

          2. A controller that uses de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the de-identified data are subject and shall take appropriate steps to address any breaches of contractual commitments.

          3. The rights contained in section 6-1-1306 (1)(b) to (1)(e) do not apply to pseudonymous data if the controller can demonstrate that the information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.
        • 6-1-1308. Duties of Controllers.
          1. Duty of Transparency.

            1. A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

              1. The categories of personal data collected or processed by the controller or a processor;

              2. The purposes for which the categories of personal data are processed;

              3. How and where consumers may exercise the rights pursuant to section 6-1-1306, including the controller's contact information and how a consumer may appeal a controller's action with regard to the consumer's request;

              4. The categories of personal data that the controller shares with third parties, if any; and

              5. The categories of third parties, if any, with whom the controller shares personal data.

            2. If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.

            3. A controller shall not:

              1. Require a consumer to create a new account in order to exercise a right; or

              2. Based solely on the exercise of a right and unrelated to feasibility or the value of a service, increase the cost of, or decrease the availability of, the product or service.

            4. Nothing in this part 13 shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discount, or club card program.

          2. Duty of Purpose Specification. A controller shall specify the express purposes for which personal data are collected and processed.

          3. Duty of Data Minimization. A controller's collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.

          4. Duty to Avoid Secondary Use. A controller shall not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed, unless the controller first obtains the consumer's consent.

          5. Duty of Care. A controller shall take reasonable measures to secure personal data during both storage and use from unauthorized acquisition. the data security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.

          6. Duty to Avoid Unlawful Discrimination. A controller shall not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.

          7. Duty Regarding Sensitive Data. A controller shall not process a consumer's sensitive data without first obtaining the consumer's consent or, in the case of the processing of personal data concerning a known child, without first obtaining consent from the child's parent or lawful guardian.
        • 6-1-1309. Data Protection Assessments - Attorney General Access And Evaluation - Definition.
          1. A controller shall not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities that involve personal data acquired on or after the effective date of this section that present a heightened risk of harm to a consumer.

          2. For purposes of this section, "processing that presents a heightened risk of harm to a consumer" includes the following:

            1. Processing personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of:

              1. Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;

              2. Financial or physical injury to consumers;

              3. A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or

              4. Other substantial injury to consumers;

            2. Selling personal data; and

            3. Processing sensitive data.

          3. Data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks. the controller shall factor into this assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.

          4. A controller shall make the data protection assessment available to the attorney general upon request. the attorney general may evaluate the data protection assessment for compliance with the duties contained in section 6-1-1308 and with other laws, including this article 1. data protection assessments are confidential and exempt from public inspection and copying under the "Colorado Open Records Act", part 2 of article 72 of title 24. the disclosure of a data protection assessment pursuant to a request from the attorney general under this subsection (4) does not constitute a waiver of any attorney-client privilege or work-product protection that might otherwise exist with respect to the assessment and any information contained in the assessment.

          5. A single data protection assessment may address a comparable set of processing operations that include similar activities.

          6. Data protection assessment requirements apply to processing activities created or generated after July 1, 2023, and are not retroactive.
        • 6-1-1310. Liability.
          1. Notwithstanding any provision in part 1 of this article 1, this part 13 does not authorize a private right of action for a violation of this part 13 or any other provision of law. This subsection (1) neither relieves any party from any duties or obligations imposed, nor alters any independent rights that consumers have, under other laws, including this article 1, the state constitution, or the United States Constitution.

          2. Where more than one controller or processor, or both a controller and a processor, involved in the same processing violates this part 13, the liability shall be allocated among the parties according to principles of comparative fault.
        • 6-1-1311. Enforcement - Penalties - Repeal.
          1. Notwithstanding any other provision of this article 1:

            1. The attorney general and district attorneys have exclu sive authority to enforce this part 13 by bringing an action in the name of the State or as parens patriae on behalf of persons residing in the state to enforce this part 13 as provided in this article 1, including seeking an injunction to enjoin a violation of this part 13.

            2. Notwithstanding any other provision of this article 1, nothing in this part 13 shall be construed as providing the basis for, or being subject to, a private right of action for violations of this part 13 or any other law.

            3. For purposes only of enforcement of this part 13 by the attorney general or a district attorney, a violation of this part 13 is a deceptive trade practice.

            4. Prior to any enforcement action pursuant to subsection (1)(a) of this section, the attorney general or district attorney must issue a notice of violation to the controller if a cure is deemed possible. if the controller fails to cure the violation within sixty days after receipt of the notice of violation, an action may be brought pursuant to this section. this subsection (1)(d) is repealed, effective January 1, 2025.

          2. The state treasurer shall credit all receipts from the imposition of civil penalties under this part 13 pursuant to section 24-31-108.
        • 6-1-1312. Preemption - Local Governments.
          1. This part 13 supersedes and preempts laws, ordinances, resolutions, regulations, or the equivalent adopted by any statutory or home rule municipality, county, or city and county regarding the processing of personal data by controllers or processors.
        • 6-1-1313. Rules - Opt-Out Mechanism.
          1. The attorney general may promulgate rules for the purpose of carrying out this part 13.

          2. By July 1, 2023, the attorney general shall adopt rules that detail the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer's affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data pursuant to section 6-1-1306 (1)(a)(i)(a) or (1)(a)(i)(b). the attorney general may update the rules that detail the technical specifications for the mechanisms from time to time to reflect the means by which consumers interact with controllers. the rules must:

            1. Not permit the manufacturer of a platform, browser, device, or any other product offering a universal opt-out mechanism to unfairly disadvantage another controller;

            2. Require controllers to inform consumers about the opt-out choices available under section 6-1-1306 (1)(a)(i);

            3. Not adopt a mechanism that is a default setting, but rather clearly represents the consumer's affirmative, freely given, and unambiguous choice to opt out of the processing of personal data pursuant to section 6-1-1306 (1)(a)(i)(a) or (1)(a)(i)(b);

            4. Adopt a mechanism that is consumer-friendly, clearly described, and easy to use by the average consumer;

            5. Adopt a mechanism that is as consistent as possible with any other similar mechanism required by law or regulation in the united states; and

            6. Permit the controller to accurately authenticate the consumer as a resident of this state and determine that the mechanism represents a legitimate request to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data pursuant to section 6-1-1306 (1)(a)(i)(a) or (1)(a)(i)(b).

          3. By January 1, 2025, the attorney general may adopt rules that govern the process of issuing opinion letters and interpretive guidance to develop an operational framework for business that includes a good faith reliance defense of an action that may otherwise constitute a violation of this part 13. The rules must become effective by July 1, 2025.
  • Virginia
    • Virginia Consumer Data Protection Act
      • Definitions
        • § 59.1-575
          As used in this chapter, unless the context requires a different meaning:

          “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For the purposes of this definition, “control” or “controlled” means (i) ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company; (ii) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or (iii) the power to exercise controlling influence over the management of a company.

          “Authenticate” means verifying through reasonable means that the consumer, entitled to exercise his consumer rights in § 59.1-577, is the same consumer exercising such consumer rights with respect to the personal data at issue.

          “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. “Biometric data” does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.

          “Business associate” means the same meaning as the term established by HIPAA.

          “Child” means any natural person younger than 13 years of age.

          “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

          “Consumer” means a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.

          “Controller” means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.

          “Covered entity” means the same as the term is established by HIPAA.

          “Decisions that produce legal or similarly significant effects concerning a consumer” means a decision made by the controller that results in the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water.

          “De-identified data” means data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person. A controller that possesses “de-identified data” shall comply with the requirements of subsection A of § 59.1-581.

          “Fund” means the Consumer Privacy Fund established pursuant to § 59.1-585.

          “Health record” means the same as that term is defined in § 32.1-127.1:03.

          “Health care provider” means the same as that term is defined in § 32.1-276.3.

          “HIPAA” means the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. § 1320d et seq.).

          “Identified or identifiable natural person” means a person who can be readily identified, directly or indirectly.

          “Institution of higher education” means a public institution and private institution of higher education, as those terms are defined in § 23.1-100.

          “Nonprofit organization” means any corporation organized under the Virginia Nonstock Corporation Act (§ 13.1-801 et seq.) or any organization exempt from taxation under § 501(c)(3), 501(c)(6), or 501 (c)(12) of the Internal Revenue Code, and any subsidiaries and affiliates of entities organized pursuant to Chapter 9.1 (§ 56-231.15 et seq.) of Title 56.

          “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person. “Personal data” does not include de-identified data or publicly available information.

          “Precise geolocation data” means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet. “Precise geolocation data” does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

          “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

          “Processor” means a natural or legal entity that processes personal data on behalf of a controller.

          “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

          “Protected health information” means the same as the term is established by HIPAA.

          “Pseudonymous data” means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

          “Publicly available information” means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.

          “Sale of personal data” means the exchange of personal data for monetary consideration by the controller to a third party. “Sale of personal data” does not include:
           
          1. The disclosure of personal data to a processor that processes the personal data on behalf of the controller;

          2. The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;

          3. The disclosure or transfer of personal data to an affiliate of the controller;

          4. The disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience; or

          5. The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

          “Sensitive data” means a category of personal data that includes:
           
          1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;

          2. The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;

          3. The personal data collected from a known child; or

          4. Precise geolocation data.

          “State agency” means the same as that term is defined in § 2.2-307.

          “Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests. “Targeted advertising” does not include:
           
          1. Advertisements based on activities within a controller’s own websites or online applications;

          2. Advertisements based on the context of a consumer’s current search query, visit to a website, or online application;

          3. Advertisements directed to a consumer in response to the consumer’s request for information or feedback; or

          4. Processing personal data processed solely for measuring or reporting advertising performance, reach, or frequency.

          “Third party” means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller.
           
      • Scope; Exemptions
        • § 59.1-576
          1. This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

          2. This chapter shall not apply to any (i) body, authority, board, bureau, commission, district, or agency of the Commonwealth or of any political subdivision of the Commonwealth; (ii) financial institution or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.); (iii) covered entity or business associate governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the Health Information Technology for Economic and Clinical Health Act (P.L. 111-5); (iv) nonprofit organization; or (v) institution of higher education.

          3. The following information and data is exempt from this chapter:

            1. Protected health information under HIPAA;

            2. Health records for purposes of Title 32.1;

            3. Patient identifying information for purposes of 42 U.S.C. § 290dd-2;

            4. Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, or personal data used or shared in research conducted in accordance with the requirements set forth in this chapter, or other research conducted in accordance with applicable law;

            5. Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986 (42 U.S.C. § 11101 et seq.);

            6. Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act (42 U.S.C. § 299b-21 et seq.);

            7. Information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;

            8. Information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as information exempt under this subsection that is maintained by a covered entity or business associate as defined by HIPAA or a program or a qualified service organization as defined by 42 U.S.C. § 290dd-2;

            9. Information used only for public health activities and purposes as authorized by HIPAA;

            10. The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.);

            11. Personal data collected, processed, sold, or disclosed in compliance with the federal Driver’s Privacy Protection Act of 1994 (18 U.S.C. § 2721 et seq.);

            12. Personal data regulated by the federal Family Educational Rights and Privacy Act (20 U.S.C. § 1232g et seq.);

            13. Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (12 U.S.C. § 2001 et seq.); and

            14. Data processed or maintained (i) in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role; (ii) as the emergency contact information of an individual under this chapter used for emergency contact purposes; or (iii) that is necessary to retain to administer benefits for another individual relating to the individual under clause (i) and used for the purposes of administering those benefits.

          4. Controllers and processors that comply with the verifiable parental consent requirements of the Children’s Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter.
      • Personal Data Rights; Consumers
        • § 59.1-577
          1. A consumer may invoke the consumer rights authorized pursuant to this subsection at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke. A known child’s parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the known child. A controller shall comply with an authenticated consumer request to exercise the right:

            1. To confirm whether or not a controller is processing the consumer’s personal data and to access such personal data;

            2. To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;

            3. To delete personal data provided by or obtained about the consumer;

            4. To obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and

            5. To opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

          2. Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to subsection A as follows:

            1. A controller shall respond to the consumer without undue delay, but in all cases within 45 days of receipt of the request submitted pursuant to the methods described in § 59.1-577 A. The response period may be extended once by 45 additional days when reasonably necessary, taking into account the complexity and number of the consumer’s requests, so long as the controller informs the consumer of any such extension within the initial 45-day response period, together with the reason for the extension.

            2. If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer without undue delay, but in all cases and at the latest within 45 days of receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision pursuant to subsection C.

            3. Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.

            4. If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection A and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer’s request.

          3. A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision pursuant to subdivision B 2. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to subsection A. Within 60 days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.
      • Data Controller Responsibilities; Transparency
        • § 59.1-578
          1. A controller shall:

            1. Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer;

            2. Except as otherwise provided in this chapter, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent;

            3. Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue;

            4. Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this subdivision shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised his right to opt out pursuant to § 59.1-577 or the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and

            5. Not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act (15 U.S.C. § 6501 et seq.).

          2. Any provision of a contract or agreement of any kind that purports to waive or limit in any way consumer rights pursuant to § 59.1-577 shall be deemed contrary to public policy and shall be void and unenforceable.

          3. Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

            1. The categories of personal data processed by the controller;

            2. The purpose for processing personal data;

            3. How consumers may exercise their consumer rights pursuant § 59.1-577, including how a consumer may appeal a controller’s decision with regard to the consumer’s request;

            4. The categories of personal data that the controller shares with third parties, if any; and

            5. The categories of third parties, if any, with whom the controller shares personal data.

          4. If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.

          5. A controller shall establish, and shall describe in a privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter. Such means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to § 59.1-577 but may require a consumer to use an existing account.
      • Responsibility According To Role; Controller And Processor
        • § 59.1-579
          1. A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under this chapter. Such assistance shall include:

            1. Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable, to fulfill the controller’s obligation to respond to consumer rights requests pursuant to § 59.1-577.

            2. Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security of the system of the processor pursuant to § 18.2-186.6 in order to meet the controller’s obligations.

            3. Providing necessary information to enable the controller to conduct and document data protection assessments pursuant to § 59.1-580.

          2. A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall:

            1. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;

            2. At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;

            3. Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this chapter;

            4. Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the obligations under this chapter using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request; and

            5. Engage any subcontractor pursuant to a written contract in accordance with subsection C that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

          3. Nothing in this section shall be construed to relieve a controller or a processor from the liabilities imposed on it by virtue of its role in the processing relationship as defined by this chapter.

          4. Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor.
      • Data Protection Assessments
        • § 59.1-580
          1. A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data:

            1. The processing of personal data for purposes of targeted advertising;

            2. The sale of personal data;

            3. The processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial, physical, or reputational injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers;

            4. The processing of sensitive data; and

            5. Any processing activities involving personal data that present a heightened risk of harm to consumers.

          2. Data protection assessments conducted pursuant to subsection A shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller.

          3. The Attorney General may request, pursuant to a civil investigative demand, that a controller disclose any data protection assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection assessment available to the Attorney General. The Attorney General may evaluate the data protection assessment for compliance with the responsibilities set forth in § 59.1-578. Data protection assessments shall be confidential and exempt from public inspection and copying under the Virginia Freedom of Information Act (§ 2.2-3700 et seq.). The disclosure of a data protection assessment pursuant to a request from the Attorney General shall not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment.

          4. A single data protection assessment may address a comparable set of processing operations that include similar activities.

          5. Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect.

          6. Data protection assessment requirements shall apply to processing activities created or generated after January 1, 2023, and are not retroactive.
      • Processing De-Identified Data; Exemptionis
        • § 59.1-581
          1. The controller in possession of de-identified data shall:

            1. Take reasonable measures to ensure that the data cannot be associated with a natural person;

            2. Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and

            3. Contractually obligate any recipients of the de-identified data to comply with all provisions of this chapter.

          2. Nothing in this chapter shall be construed to (i) require a controller or processor to re-identify de-identified data or pseudonymous data or (ii) maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data.

          3. Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated consumer rights request, pursuant to § 59.1-577, if all of the following are true:

            1. The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;

            2. The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and

            3. The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section.

          4. The consumer rights contained in subdivisions A 1 through 4 of § 59.1-577 and § 59.1-578 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.

          5. A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.
      • Limitations
        • § 59.1-582
          1. Nothing in this chapter shall be construed to restrict a controller’s or processor’s ability to:

            1. Comply with federal, state, or local laws, rules, or regulations;

            2. Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;

            3. Cooperate with law-enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;

            4. nvestigate, establish, exercise, prepare for, or defend legal claims;

            5. Provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer prior to entering into a contract;

            6. Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis;

            7. Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action;

            8. Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: (i) if the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller; (ii) the expected benefits of the research outweigh the privacy risks; and (iii) if the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification; or

            9. Assist another controller, processor, or third party with any of the obligations under this subsection.

          2. The obligations imposed on controllers or processors under this chapter shall not restrict a controller’s or processor’s ability to collect, use, or retain data to:

            1. Conduct internal research to develop, improve, or repair products, services, or technology;

            2. Effectuate a product recall;

            3. Identify and repair technical errors that impair existing or intended functionality; or

            4. Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer’s existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

          3. The obligations imposed on controllers or processors under this chapter shall not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under the laws of the Commonwealth. Nothing in this chapter shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the Commonwealth as part of a privileged communication.

          4. A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of this chapter, is not in violation of this chapter if the third-party controller or processor that receives and processes such personal data is in violation of this chapter, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is likewise not in violation of this chapter for the transgressions of the controller or processor from which it receives such personal data.

          5. Nothing in this chapter shall be construed as an obligation imposed on controllers and processors that adversely affects the rights or freedoms of any persons, such as exercising the right of free speech pursuant to the First Amendment to the United States Constitution, or applies to the processing of personal data by a person in the course of a purely personal or household activity.

          6. Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by this chapter. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is:

            1. Reasonably necessary and proportionate to the purposes listed in this section; and

            2. Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection B shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. Such data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to such collection, use, or retention of personal data.

          7. If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in subsection F.

          8. Processing personal data for the purposes expressly identified in subdivisions A 1 through 9 shall not solely make an entity a controller with respect to such processing.
      • Investigative Authority
        • § 59.1-583
          Whenever the Attorney General has reasonable cause to believe that any person has engaged in, is engaging in, or is about to engage in any violation of this chapter, the Attorney General is empowered to issue a civil investigative demand. The provisions of § 59.1-9.10 shall apply mutatis mutandis to civil investigative demands issued under this section.
           
      • Enforcement; Civil Penalty; Expenses
        • § 59.1-584
          1. The Attorney General shall have exclusive authority to enforce the provisions of this chapter.

          2. Prior to initiating any action under this chapter, the Attorney General shall provide a controller or processor 30 days’ written notice identifying the specific provisions of this chapter the Attorney General alleges have been or are being violated. If within the 30-day period, the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action shall be initiated against the controller or processor.

          3. If a controller or processor continues to violate this chapter following the cure period in subsection B or breaches an express written statement provided to the Attorney General under that subsection, the Attorney General may initiate an action in the name of the Commonwealth and may seek an injunction to restrain any violations of this chapter and civil penalties of up to $7,500 for each violation under this chapter.

          4. The Attorney General may recover reasonable expenses incurred in investigating and preparing the case, including attorney fees, in any action initiated under this chapter.

          5. Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations of this chapter or under any other law.
      • Consumer Privacy Fund
        • § 59.1-585
          There is hereby created in the state treasury a special nonreverting fund to be known as the Consumer Privacy Fund. The Fund shall be established on the books of the Comptroller. All civil penalties, expenses, and attorney fees collected pursuant to this chapter shall be paid into the state treasury and credited to the Fund. Interest earned on moneys in the Fund shall remain in the Fund and be credited to it. Any moneys remaining in the Fund, including interest thereon, at the end of each fiscal year shall not revert to the general fund but shall remain in the Fund. Moneys in the Fund shall be used to support the work of the Office of the Attorney General to enforce the provisions of this chapter, subject to appropriation.