Modified text of the proposed CCPA regulations

Page 1 of 73
MODIFIED TEXT OF PROPOSED REGULATIONS
The original text published in the California Code of Regulations has no underline. The initial
proposal (noticed on July 8, 2022) is illustrated by single blue underline for proposed additions
and single red strikethrough for proposed deletions. Changes made after the 45-day comment
period are illustrated by green double-underline for proposed additions and orange double
strikethrough for proposed deletions.
CALIFORNIA PRIVACY PROTECTION AGENCY
TITLE 11. LAW
DIVISION 6. CALIFORNIA PRIVACY PROTECTION AGENCY
CHAPTER 1. CALIFORNIA CONSUMER PRIVACY ACT REGULATIONS
Article 1. GENERAL PROVISIONS
§ 7000. Title and Scope.
(a) This Chapter shall be known as the California Consumer Privacy Act Regulations. It may
be cited as such and will be referred to in this Chapter as “these regulations.” These
regulations govern compliance with the California Consumer Privacy Act and do not limit
any other rights that consumers may have.
(b) A violation of these regulations shall constitute a violation of the CCPA and be subject to
the remedies provided for therein.
Note: Authority cited: Sections 1798.175 and 1798.185, Civil Code. Reference: Sections
1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.125, 1798.130,
1798.135, 1798.140, 1798.145, 1798.150, 1798.155, 1798.175, and 1798.185, 1798.199.40,
1798.199.45, 1798.199.50, 1798.199.55, and 1798.199.65, Civil Code.
§ 7001. Definitions.
In addition to the definitions set forth in Civil Code section 1798.140, for purposes of these
regulations:
(a) “Affirmative authorization” means an action that demonstrates the intentional decision by
the consumer to opt-in to the sale of personal information. Within the context of a parent or
guardian acting on behalf of a consumer under 13 years of age, it means that the parent or
guardian has provided consent to the sale of the consumer’s personal information in
accordance with the methods set forth in section 7070. For consumers 13 years of age and
older, it is demonstrated through a two-step process whereby the consumer shall first,
clearly request to opt-in and then second, separately confirm their choice to opt-in.
Page 2 of 73
(a) “Agency” means the California Privacy Protection Agency established by Civil Code
section 1798.199.10 et seq.
(b) “Alternative Opt-Out Link” means the alternative opt-out link that a business may provide
instead of posting the two separate “Do Not Sell or Share My Personal Information” and
“Limit the Use of My Sensitive Personal Information” links as set forth in Civil Code
section 1798.135, subdivision (a)(3), and specified in section 7015.
(c) (b) “Attorney General” means the California Attorney General or any officer or employee of
the California Department of Justice acting under the authority of the California Attorney
General.
(d) (c) “Authorized agent” means a natural person or a business entity registered with the
Secretary of State to conduct business in California that a consumer has authorized to act on
their behalf subject to the requirements set forth in section 7063.
(e) (d) “Categories of sources” means types or groupings of persons or entities from which a
business collects personal information about consumers, described with enough particularity
to provide consumers with a meaningful understanding of the type of person or entity. They
may include the consumer directly, advertising networks, internet service providers, data
analytics providers, government entities, operating systems and platforms, social networks,
and data brokers.
(f) (e) “Categories of third parties” means types or groupings of third parties with whom the
business shares personal information, described with enough particularity to provide
consumers with a meaningful understanding of the type of third party. They may include
advertising networks, internet service providers, data analytics providers, government
entities, operating systems and platforms, social networks, and data brokers.
(g) (f) “CCPA” means the California Consumer Privacy Act of 2018, Civil Code section
1798.100 et seq.
(h) (g) “COPPA” means the Children’s Online Privacy Protection Act, 15 U.S.C. sections 6501
to 6506 6508 and 16 Code of Federal Regulations part 312.5.
(i) (h) “Disproportionate effort” within the context of a business, service provider, contractor,
or third party responding to a consumer request means the time and/or resources expended
by the business, service provider, contractor, or third party to respond to the individualized
request significantly outweighs the reasonably foreseeable impact to the consumer by not
responding, taking into account applicable circumstances such as, the size of the business,
service provider, contractor, or third party, the nature of the request, and the technical
limitations impacting their ability to respond benefit provided to the consumer by
responding to the request. For example, responding to a consumer request to know may
require disproportionate effort when the personal information which that is the subject of the
request is not in a searchable or readily-accessible format, is maintained only for legal or
compliance purposes, is not sold or used for any commercial purpose, and there is no
reasonably foreseeable material impact to the consumer by not responding would not impact
the consumer in any material manner. In contrast, the impact benefit to the consumer of
denying responding to a request to correct inaccurate information that the business uses
and/or sells may outweigh the burden on the business, service provider, contractor, or third
Page 3 of 73
party in honoring the request when the reasonably foreseeable consequence of denying the
request would be high because it could have a material impact on the consumer, such as the
denial of services or opportunities to the consumer. Accordingly, in order for the business
to claim “disproportionate effort,” the business would have to demonstrate that the time
and/or resources needed to correct the information would be significantly higher than that
material impact on the consumer. A business, service provider, contractor, or third party
that has failed to put in place adequate processes and procedures to receive and process
comply with consumer requests in accordance with the CCPA and these regulations cannot
claim that responding to a consumer’s request requires disproportionate effort.
(j) (i) (h) “Employment benefits” means retirement, health, and other benefit programs,
services, or products to which consumers and their dependents or their beneficiaries receive
access through the consumer’s employer.
(k) (j) (i) “Employment-related information” means personal information that is collected by
the business about a natural person for the reasons identified in Civil Code section
1798.145, subdivision (hm)(1). The collection of employment-related information,
including for the purpose of administering employment benefits, shall be considered a
bBusiness pPurpose.
(k) “Household” means a person or group of people who: (1) reside at the same address,
(2) share a common device or the same service provided by a business, and (3) are identified
by the business as sharing the same group account or unique identifier.
(l) (k) (j) “Financial incentive” means a program, benefit, or other offering, including payments
to consumers, related to for the collection, deletion, retention, or sale, or sharing of personal
information. Price or service differences are types of financial incentives.
(m) (l) “First party” means the a the consumer-facing business with which the consumer intends
and expects to interact.
(n) (m) “Frictionless manner” means a business’s processing of an opt-out preference signal
that complies with the requirements set forth in section 7025, subsection (f).
(o) “Information Practices” means practices regarding the collection, use, disclosure, sale,
sharing, and retention of personal information.
(p) “Nonbusiness” means a person or entity that does not meet the definition of a “business” as
defined in Civil Code section 1798.140, subdivision (d). For example, non-profits and
government entities are Nonbusinesses because “business” is defined, among other things,
to include only entities “organized or operated for the profit or financial benefit of its
shareholders or other owners.”
(q) (n) (l) “Notice at cCollection” means the notice given by a business to a consumer at or
before the point at which a business collects personal information from the consumer as
required by Civil Code section 1798.100, subdivision (b), and specified in these regulations.
(r) (o) “Notice of rRight to lLimit” means the notice given by a business informing consumers
of their right to limit the use or disclosure of the consumer’s sensitive personal information
as required by Civil Code sections 1798.121 and 1798.135 and specified in these
regulations.
Page 4 of 73
(s) (p) (m) “Notice of rRight to oOpt-out of sSale/sSharing” means the notice given by a
business informing consumers of their right to opt-out of the sale or sharing of their personal
information as required by Civil Code sections 1798.120 and 1798.135 and specified in
these regulations.
(t) (q) (n) “Notice of fFinancial iIncentive” means the notice given by a business explaining
each financial incentive or price or service difference as required by Civil Code section
1798.125, subdivision (b), and specified in these regulations.
(u) (r) “Opt-out preference signal” means a signal that is sent by a platform, technology, or
mechanism, on behalf of the consumer, that communicates the consumer choice to opt-out
of the sale and sharing of personal information and that complies with the requirements set
forth in section 7025, subsection (b).
(v) (s) (o) “Price or service difference” means (1) any difference in the price or rate charged for
any goods or services to any consumer related to the collection, retention, or sale or sharing
of personal information, including through the use of discounts, financial payments, or other
benefits or penalties; or (2) any difference in the level or quality of any goods or services
offered to any consumer related to the collection, retention, or sale, or sharing of personal
information, including the denial of goods or services to the consumer.
(w) (t) (p) “Privacy policy,” as referred to in Civil Code section 1798.130, subdivision (a)(5),
means the statement that a business shall make available to consumers describing the
business’s practices, both online and offline Information Practices, regarding the collection,
use, disclosure, and sale of personal information, and of the rights of consumers regarding
their own personal information.
(x) (u) “Request to correct” means a consumer request that a business correct inaccurate
personal information that it maintains about the consumer, pursuant to Civil Code section
1798.106.
(y) (v) (q) “Request to delete” means a consumer request that a business delete personal
information about the consumer that the business has collected from the consumer, pursuant
to Civil Code section 1798.105.
(z) (w) (r) “Request to know” means a consumer request that a business disclose personal
information that it has collected about the consumer pursuant to Civil Code sections
1798.100, 1798.110, or 1798.115. It includes a request for any or all of the following:
(1) Specific pieces of personal information that a business has collected about the
consumer;
(2) Categories of personal information it has collected about the consumer;
(3) Categories of sources from which the personal information is collected;
(4) Categories of personal information that the business sold or disclosed for a
business purpose about the consumer;
(5) Categories of third parties to whom the personal information was sold or
disclosed for a business purpose; and
Page 5 of 73
(6) The business or commercial purpose for collecting or selling personal
information.
(aa) (x) “Request to limit” means a consumer request that a business limit the use and
disclosure of the consumer’s sensitive personal information, pursuant to Civil Code
section 1798.121, subdivision (a).
(bb) (y) (s) “Request to opt-in to sale/sharing” means the affirmative authorization an
action demonstrating that the consumer has consented to the business’s sale or
sharing of that the business may sell personal information about the consumer by a
parent or guardian of a consumer less than 13 years of age, or by a consumer at least
13 and less than 16 years of age, or by a consumer who had previously opted out of
the sale of their personal information.
(cc) (z) (t) “Request to opt-out of sale/sharing” means a consumer request that a business
not neither sell nor share the consumer’s personal information to third parties,
pursuant to Civil Code section 1798.120, subdivision (a).
(dd) (aa) “Right to correct” means the consumer’s right to request that a business to
correct inaccurate personal information that it maintains about the consumer as set
forth in Civil Code section 1798.106.
(ee) (bb) “Right to delete” means the consumer’s right to request that a business delete
any personal information about the consumer that the business has collected from the
consumer as set forth in Civil Code section 1798.105.
(ff) (cc) “Right to know” means the consumer’s right to request that a business disclose
personal information that it has collected, sold, or shared about the consumer as set
forth in Civil Code sections 1798.110 and 1798.115.
(gg) (dd) “Right to limit” means the consumer’s right to request that a the business limit
the use and disclosure of a consumer’s sensitive personal information as set forth in
Civil Code section 1798.121.
(hh) (ee) “Right to opt-out of sale/sharing” means the consumer’s right to direct a
business that sells or shares personal information about the consumer to third parties
to stop doing so as set forth in Civil Code section 1798.120.
(ii) (ff) (u) “Signed” means that the written attestation, declaration, or permission has
either been physically signed or provided electronically in accordance with the
Uniform Electronic Transactions Act, Civil Code section 1633.1 et seq.
(jj) (gg) (v) “Third-party identity verification service” means a security process offered
by an independent third party that verifies the identity of the consumer making a
request to the business. Third-party identity verification services are subject to the
requirements set forth in Article 5 regarding requests to know and requests to delete,
requests to correct, or requests to know.
(kk) (hh) “Unstructured” as it relates to personal information means personal information
that is not organized in a pre-defined manner and could not be retrieved or organized
Page 6 of 73
in a pre-defined manner without disproportionate effort on behalf of the business,
service provider, contractor, or third party, such as text, video files, and audio files.
(ll) (ii) (w) “Value of the consumer’s data” means the value provided to the business by
the consumer’s data as calculated under section 7081.
(mm) (jj) (x) “Verify” means to determine that the consumer making a request to know or
request to delete, request to correct, or request to know is the consumer about whom
the business has collected information, or if that consumer is less than 13 years of
age, the consumer’s parent or legal guardian.
Note: Authority cited: Sections 1798.175 and 1798.185, Civil Code. Reference: Sections
1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.125, 1798.130,
1798.135, 1798.140, 1798.145, 1798.150, 1798.155, 1798.175, and 1798.185, 1798.199.40,
1798.199.45, 1798.199.50, 1798.199.55, and 1798.199.65, Civil Code.
§ 7002. Restrictions on the Collection and Use of Personal Information.
(a) In accordance with Civil Code section 1798.100, subdivision (c), aA business’s collection,
use, retention, and/or sharing of a consumer’s personal information shall be reasonably
necessary and proportionate to achieve:
(1) tThe purpose(s) for which the personal information was collected or processed., which
shall comply with the requirements set forth in subsection (b).
(2) Another disclosed purpose that is compatible with the context in which the personal
information was collected, which shall comply with the requirements set forth in
subsection (c).
(b) The purpose(s) for which the personal information was collected or processed shall be
consistent with the reasonable expectations of the consumer(s) whose personal information
is collected or processed. The consumer’s reasonable expectations concerning the purpose
for which their personal information will be collected or processed shall be based on the
following:
(1) The relationship between the consumer(s) and the business. For example, if the
consumer is intentionally interacting with the business on its website to purchase a
good or service, the consumer likely expects that the purpose for collecting or
processing the personal information is to provide that good or service. By contrast, for
example, the consumer of a business’s mobile flashlight application would not expect
the business to collect the consumer’s geolocation information to provide the flashlight
service.
(2) The type, nature, and amount of personal information that the business seeks to collect
or process. For example, if a business’s mobile communication application requests
access to the consumer’s contact list in order to call a specific individual, the consumer
who is providing their contact list likely expects that the purpose of the business’s use
of that contact list will be to connect the consumer with the specific contact they
selected. Similarly, if a business collects the consumer’s fingerprint in connection
with setting up the security feature of unlocking the device using the fingerprint, the
Page 7 of 73
consumer likely expects that the business’s use of the consumer’s fingerprint is only
for the purpose of unlocking their mobile device.
(3) The source of the personal information and the business’s method for collecting or
processing it. For example, if the consumer is providing their personal information
directly to the business while using the business’s product or service, the consumer
likely expects that the business will use the personal information to provide that
product or service. However, the consumer may not expect that the business will use
that same personal information for a different product or service offered by the
business or the business’s subsidiary.
(4) The specificity, explicitness, prominence, and clarity of disclosures to the consumer(s)
about the purpose for collecting or processing their personal information, such as in
the Notice at Collection and in the marketing materials to the consumer(s) about the
business’s good or service. For example, the consumer that receives a pop-up notice
that the business wants to collect the consumer’s phone number to verify their identity
when they log in likely expects that the business will use their phone number for the
purpose of verifying the consumer’s identity and not for marketing purposes.
Similarly, the consumer may expect that a mobile application that markets itself as a
service that finds cheap gas close to the consumer will collect and use the consumer’s
geolocation information for that specific purpose when they are using the service.
(5) The degree to which the involvement of service providers, contractors, third parties, or
other entities in the collecting or processing of personal information is apparent to the
consumer(s). For example, the consumer likely expects an online retailer’s disclosure
of the consumer’s name and address to a delivery service provider in order for that
service provider to deliver a purchased product, because that service provider’s
involvement is apparent to the consumer. By contrast, the consumer may not expect
the disclosure of personal information to a service provider if the consumer is not
directly interacting with the service provider or the service provider’s role in the
processing is not apparent to the consumer.
(c) To be reasonably necessary and proportionate, the business’s collection, use, retention,
and/or sharing must be consistent with what an average consumer would expect when the
personal information was collected. A business’s collection, use, retention, and/or sharing
of a consumer’s personal information may also be for other disclosed purpose(s) if they are
compatible with what is reasonably expected by the average consumer. Whether another
disclosed purpose is compatible with the context in which the personal information was
collected shall be based on the following:
(1) At the time of collection of the personal information, the reasonable expectations of
the consumer(s) whose personal information is collected or processed concerning the
purpose for which their personal information will be collected or processed, based on
the factors set forth in subsection (b).
(2) The other disclosed purpose for which the business seeks to further collect or process
the consumer’s personal information, including whether it is a Business Purpose listed
in Civil Code section 1798.140, subdivisions (e)(1) through (e)(8).
Page 8 of 73
(3) The strength of the link between subsection (c)(1) and subsection (c)(2). For example,
a strong link exists between the consumer’s expectations that the personal information
will be used to provide them with a requested service at the time of collection, and the
use of the information to repair errors that impair the intended functionality of that
requested service. This would weigh in favor of compatibility. By contrast, for
example, a weak link exists between the consumer’s reasonable expectations that the
personal information will be collected to provide a requested cloud storage service at
the time of collection, and the use of the information to research and develop an
unrelated facial recognition service.
(d) For each purpose identified in subsection (a)(1) or (a)(2), the collection, use, retention,
and/or sharing of a consumer’s personal information to achieve that purpose shall be
reasonably necessary and proportionate. The business’s collection, use, retention, and/or
sharing of a consumer’s personal information shall also be reasonably necessary and
proportionate to achieve any purpose for which the business obtains the consumer’s consent
in compliance with subsection (e). Whether a business’s collection, use, retention, and/or
sharing of a consumer’s personal information is reasonably necessary and proportionate to
achieve the purpose identified in subsection (a)(1) or (a)(2), or any purpose for which the
business obtains consent, shall be based on the following:
(1) The minimum personal information that is necessary to achieve the purpose identified
in subsection (a)(1) or (a)(2), or any purpose for which the business obtains consent.
For example, to complete an online purchase and send an email confirmation of the
purchase to the consumer, an online retailer may need the consumer’s order
information, payment and shipping information, and email address.
(2) The possible negative impacts on consumers posed by the business’s collection or
processing of the personal information. For example, a possible negative impact of
collecting precise geolocation information is that it may reveal other sensitive personal
information about the consumer, such as health information based on visits to
healthcare providers.
(3) The existence of additional safeguards for the personal information to specifically
address the possible negative impacts on consumers considered by the business in
subsection (d)(2). For example, a business may consider encryption or automatic
deletion of personal information within a specific window of time as potential
safeguards.
(e) A business shall obtain the consumer’s explicit consent in accordance with section 7004
before collecting or processing , using, retaining, and/or sharing the consumer’s personal
information for any purpose that does not meet the requirements set forth in subsection (a).
is unrelated or incompatible with the purpose(s) for which the personal information
collected or processed.
(b) Illustrative examples follow.
(1) Business A provides a mobile flashlight application. Business A should not collect, or
allow another business to collect, consumer geolocation information through its mobile
flashlight application without the consumer’s explicit consent because the collection of
Page 9 of 73
geolocation information is incompatible with the context in which the personal
information is collected, i.e., provision of flashlight services. The collection of
geolocation data is not within the reasonable expectations of an average consumer, nor
is it reasonably necessary and proportionate to achieve the purpose of providing a
flashlight function.
(2) Business B provides cloud storage services for consumers. An average consumer
expects that the purpose for which the personal information is collected is to provide
those cloud storage services. Business B may use the personal information uploaded by
the consumer to improve the cloud storage services provided to and used by the
consumer because it is reasonably necessary and proportionate to achieve the purpose
for which the personal information was collected. However, Business B should not use
the personal information to research and develop unrelated or unexpected new products
or services, such as a facial recognition service, without the consumer’s explicit consent
because such a use is not reasonably necessary, proportionate, or compatible with the
purpose of providing cloud storage services. In addition, if a consumer deletes their
account with Business B, Business B should not retain files the consumer stored in
Business B’s cloud storage service because such retention is not reasonably necessary
and proportionate to achieve the purpose of providing cloud storage services.
(3) Business C is an internet service provider that collects consumer personal information,
including geolocation information, in order to provide its services. Business C may use
the geolocation information for compatible uses, such as tracking service outages,
determining aggregate bandwidth use by location, and related uses that are reasonably
necessary to maintain the health of the network. However, Business C should not sell
to or share consumer geolocation information with data brokers without the consumer’s
explicit consent because such selling or sharing is not reasonably necessary and
proportionate to provide internet services, nor is it compatible or related to the
provision of internet services.
(4) Business D is an online retailer that collects personal information from consumers who
buy its products in order to process and fulfill their orders. Business D’s provision of
the consumer’s name, address, and phone number to Business E, a delivery company, is
compatible and related to the reasonable expectations of the consumer when this
personal information is used for the purpose of shipping the product to the consumer.
However, Business E’s use of the consumer’s personal information for the marketing of
other businesses’ products would not be necessary and proportionate, nor compatible
with the consumer’s expectations. Business E would have to obtain the consumer’s
explicit consent to do so.
(f) (c) A business shall not collect categories of personal information other than those disclosed
in its nNotice at cCollection in accordance with the CCPA and section 7012. If the business
intends to collect additional categories of personal information or intends to use the personal
information for additional purposes that are incompatible with the disclosed purpose for
which the personal information was collected, the business shall provide a new nNotice at
cCollection. However, any additional collecting or use processing of personal information
shall comply with subsection (a).
Page 10 of 73
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.106,
1798.121, 1798.130, 1798.135 and 1798.185, Civil Code.
§ 7003. Requirements for Disclosures and Communications to Consumers.
(a) Disclosures and communications to consumers shall be easy to read and understandable to
consumers. For example, they shall use plain, straightforward language and avoid technical
or legal jargon.
(b) Disclosures required under Article 2 shall also:
(1) Use a format that makes the disclosure readable, including on smaller screens, if
applicable.
(2) Be available in the languages in which the business in its ordinary course provides
contracts, disclaimers, sale announcements, and other information to consumers in
California.
(3) Be reasonably accessible to consumers with disabilities. For notices provided online,
the business shall follow generally recognized industry standards, such as the Web
Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide
Web Consortium, incorporated herein by reference. In other contexts, the business
shall provide information on how a consumer with a disability may access the policy in
an alternative format.
(c) For websites, a conspicuous link required under the CCPA or these regulations shall appear
in a similar manner as other similarly-posted links used by the business on its
hHomepage(s). For example, the business shall use a font size and color that is at least the
approximate size or color as other links next to it that are used by the business on its
hHomepage(s).
(d) For mobile applications, a conspicuous link shall be accessible within the application, such
as through the application’s settings menu. It shall also be included in the business’s
privacy policy, which must be accessible through the mobile application’s platform page or
download page. It may also be accessible through a link within the application, such as
through the application’s settings menu.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105,
1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.125, 1798.130 and 1798.135, Civil
Code.
§ 7004. Requirements for Methods for Submitting CCPA Requests and Obtaining
Consumer Consent.
(a) Except as expressly allowed by the CCPA and these regulations, businesses shall design and
implement methods for submitting CCPA requests and obtaining consumer consent that
incorporate the following principles.
Page 11 of 73
(1) Easy to understand. The methods shall use language that is easy for consumers to read
and understand. When applicable, they shall comply with the requirements for
disclosures to consumers set forth in section 7003.
(2) Symmetry in choice. The path for a consumer to exercise a more privacy-protective
option shall not be longer or more difficult or time-consuming than the path to exercise
a less privacy-protective option because that would impair or interfere with the
consumer’s ability to make a choice. Illustrative examples follow.
(A) It is not symmetrical when a A business’s process for submitting a request to optout of sale/sharing shall not requires more steps than that business’s process for a
consumer to opt-in to the sale of personal information after having previously
opted out. The number of steps for submitting a request to opt-out of sale/sharing
is measured from when the consumer clicks on the “Do Not Sell or Share My
Personal Information” link to completion of the request. The number of steps for
submitting a request to opt-in to the sale of personal information is measured from
the first indication by the consumer to the business of their interest to opt-in to
completion of the request.
(B) A choice to opt-in to the sale of personal information that only provides the two
choices, “Yes” and “Ask me later,” is not equal or symmetrical because there is
no option to decline the opt-in. “Ask me later” implies that the consumer has not
declined but delayed the decision and that the business will continue to ask the
consumer to opt-in. Framing the consumer’s options in this manner impairs the
consumer’s ability to make a choice. An equal or symmetrical choice would
could be “Yes” and “No.”
(C) A website banner that serves as a method for opting out of the sale of personal
information that only provides only the two choices when seeking the consumer’s
consent to use their personal information, “Accept All” and “More Information,”
or “Accept All” and “Preferences,” is not equal or symmetrical because the
method allows the consumer to “Accept All” in one step, but requires the
consumer to take additional steps to exercise their rights over to opt-out of the
sale or sharing of their personal information. Framing the consumer’s options in
this manner impairs the consumer’s ability to make a choice. An equal or
symmetrical choice would could be “Accept All” and “Decline All.”
(D) A choice where the “yes” button is more prominent (i.e., larger in size or in a
more eye-catching color) than the “no” button is not symmetrical.
(E) A choice where the option to participate in a financial incentive program is
selected by default or featured more prominently (i.e., larger in size or in a more
eye-catching color) than the choice not to participate in the program is neither
equal nor symmetrical.
Page 12 of 73
(3) Avoid language or interactive elements that are confusing to the consumer. The
methods should not use double negatives. Toggles or buttons must clearly indicate the
consumer’s choice. Illustrative examples follow.
(A) Giving the choice of “Yes” or “No” next to the statement “Do Not Sell or Share
My Personal Information” is a double negative and a confusing choice for a
consumer.
(B) Toggles or buttons that state “on” or “off” may be confusing to a consumer and
may require further clarifying language.
(C) Unintuitive placement of buttons to confirm a consumer’s choice may be
confusing to the consumer. For example, it is confusing to the consumer when a
business at first consistently offers choices in the order of Yes, then No, but then
offers choices in the opposite order—No, then Yes—when asking the consumer
something that would benefit the business and/or contravene the consumer’s
expectation.
(4) Avoid manipulative language or choice architecture that impairs or interferes with the
consumer’s ability to make a choice. Businesses should also not design their methods
in a manner that would impair the consumer’s ability to exercise their choice because
consent must be freely given, specific, informed, and unambiguous. The methods
should not use language or wording that guilts or shames the consumer into making a
particular choice or bundles consent so as to subvert the consumer’s choice. Illustrative
examples follow.
(A) When offering a financial incentive, pairing choices such as, “Yes” (to accept the
financial incentive) with “No, I like paying full price” or “No, I don’t want to
save money,” is manipulative and shaming.
(A) (B) Requiring the consumer to click through disruptive screens before they are
able to reasons why submitting a request to opt-out of sale/sharing is allegedly a
bad choice before is a choice architecture that impairs or interferes with the
consumer’s ability to exercise their choice. being able to execute their choice to
opt-out is manipulative and shaming.
(B) (C) It is manipulative to bundle Bundling choices so that the consumer is only
offered the option to consent to using personal information for purposes that meet
the requirements set forth in section 7002, subsection (a), reasonably expected
purposes together with purposes that are incompatible to with the context in
which the personal information was collected is a choice architecture that impairs
or interferes with the consumer’s ability to make a choice. For example, a
business that provides a location-based service, such as a mobile application that
posts gas prices within the consumer’s location, shall not require the consumer to
consent to incompatible uses (e.g., sale of the consumer’s geolocation to data
brokers) together with a reasonably necessary and proportionate the expected use
of geolocation information for providing the location-based services, which does
Page 13 of 73
not require consent. This type of choice architecture is manipulative because the
consumer is forced does not allow consent to be freely given, specific, informed,
or unambiguous because it requires the consumer to consent to incompatible uses
in order to obtain the expected service. The business should provide the
consumer a separate option to consent to the business’s use of personal
information that does not meet the requirements set forth in section 7002,
subsection (a) for unexpected or incompatible uses.
(5) Easy to execute. The business shall not add unnecessary burden or friction to the
process by which the consumer submits a CCPA request. Methods should be tested to
ensure that they are functional and do not undermine the consumer’s choice to submit
the request. Illustrative examples follow.
(A) Upon clicking the “Do Not Sell or Share My Personal Information” link, the
business shall not require the consumer to search or scroll through the text of a
privacy policy or similar document or webpage to locate the mechanism for
submitting a request to opt-out of sale/sharing.
(B) A business that knows of, but does not remedy, cCircular or broken links, and
nonfunctional email addresses, such as inboxes that are not monitored or have
aggressive filters that screen emails from the public, may be in violation of this
regulation.
(C) Businesses that require the consumer to unnecessarily wait on a webpage as the
business processes the request may be in violation of this regulation.
(b) A method that does not comply with subsection (a) may be considered a dark pattern. Any
agreement obtained through the use of dark patterns shall not constitute consumer consent.
For example, a business that uses dark patterns to obtain consent from a consumer to sell
their personal information shall be in the position of never having obtained the consumer’s
consent to do so.
(c) A user interface is a dark pattern if the interface has the effect of substantially subverting or
impairing user autonomy, decisionmaking, or choice, regardless of a business’s intent. A
business’s intent in designing the interface is not determinative in whether the user interface
is a dark pattern, but a factor to be considered. If a business did not intend to design the user
interface to subvert or impair user choice, but the business knows of and does not remedy a
user interface that has that effect, the user interface may still be a dark pattern. Similarly, a
business’s deliberate ignorance of the effect of its user interface may also weigh in favor of
establishing a dark pattern.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105,
1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.125, 1798.130, 1798.135, 1798.140
and 1798.185, Civil Code.
Page 14 of 73
ARTICLE 2. NOTICES REQUIRED DISCLOSURES TO CONSUMERS
§ 7010. Overview of Required Notices Disclosures.
(a) Every business that must comply with the CCPA and these regulations shall provide a
privacy policy in accordance with the CCPA and section 7011.
(b) A business that controls the collection of a consumer’s collects personal information from a
consumer from a consumer shall provide a nNotice at cCollection in accordance with the
CCPA and section 7012.
(c) Except as set forth in section 7025, subsection (g), aA business that sells or shares personal
information shall provide a nNotice of rRight to oOpt-out of sSale/sSharing or the
aAlternative oOpt-out lLink in accordance with the CCPA and sections 7013 and 7015.
(d) A business that uses or discloses a consumer’s sensitive personal information for purposes
other than those specified in section 7027, subsection (lm), shall provide a nNotice of rRight
to lLimit or the aAlternative oOpt-out lLink in accordance with the CCPA and sections 7014
and 7015.
(e) A business that offers a financial incentive or price or service difference shall provide a
nNotice of fFinancial iIncentive in accordance with the CCPA and section 7016.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105,
1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.125, 1798.130 and 1798.135, Civil
Code.
§ 7011. Privacy Policy.
(a) Purpose and General Principles (1) The purpose of the privacy policy is to provide
consumers with a comprehensive description of a business’s online and offline Information
pPractices regarding the collection, use, disclosure, and sale, sharing, and retention of
personal information. It shall also inform consumers about and of the rights of consumers
they have regarding their personal information and provide any information necessary for
them to exercise those rights.
(b) The privacy policy shall comply with section 7003, subsections (a) and (b).
(c) (2) The privacy policy shall be designed and presented in a way that is easy to read and
understandable to consumers. The policy shall:
(A) Use plain, straightforward language and avoid technical or legal jargon.
(B) Use a format that makes the policy readable, including on smaller screens, if
applicable.
(C) Be available in the languages in which the business in its ordinary course
provides contracts, disclaimers, sale announcements, and other information to
consumers in California.
Page 15 of 73
(D) Be reasonably accessible to consumers with disabilities. For notices provided
online, the business shall follow generally recognized industry standards, such as
the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the
World Wide Web Consortium, incorporated herein by reference. In other
contexts, the business shall provide information on how a consumer with a
disability may access the policy in an alternative format. (E) Bbe available in a
format that allows a consumer to print it out as a document.
(d) (b) The privacy policy shall be posted online and accessible through a conspicuous link that
complies with section 7003, subsections (c) and (d), using the word “privacy” on the
business’s website hHomepage(s) or on the download or landing page of a mobile
application. If the business has a California-specific description of consumers’ privacy
rights on its website, then the privacy policy shall be included in that description. A
business that does not operate a website shall make the privacy policy conspicuously
available to consumers. A mobile application may shall may include a link to the privacy
policy in the application’s settings menu.
(e) (c) The privacy policy shall include the following information:
(1) A comprehensive description of the business’s online and offline Information
pPractices egarding the collection, use, sale, sharing, and retention of personal
information, which includes the following:
(A) Identification of the categories of personal information the business has collected
about consumers in the preceding 12 months. The categories shall be described
using the specific terms set forth in Civil Code section 1798.140, subdivisions
(v)(1)(A) to (K) and (ae)(1) to (93). To the extent that the business has
discretion in its description, the business shall describe the category in a manner
that provides consumers a meaningful understanding of the information being
collected.
(B) Identification of the categories of sources from which the personal information is
collected.
(C) Identification of the specific business or commercial purpose for collecting
personal information from consumers. The purpose shall be described in a
manner that provides consumers a meaningful understanding of why the
information is collected.
(D) Identification of the categories of personal information, if any, that the business
has sold or shared to third parties in the preceding 12 months. If the business has
not sold or shared consumers’ personal information in the preceding 12 months,
the business shall disclose that fact.
(E) For each category of personal information identified in subsection (e)(1)(D), the
categories of third parties to whom the information was sold or shared.
(F) Identification of the specific business or commercial purpose for selling or
sharing consumers’ personal information. The purpose shall be described in a
Page 16 of 73
manner that provides consumers a meaningful understanding of why the
information is sold or shared.
(G) A statement regarding whether the business has actual knowledge that it sells or
shares the personal information of consumers under 16 years of age.
(H) Identification of the categories of personal information, if any, that the business
has disclosed for a business purpose to third parties in the preceding 12 months.
If the business has not disclosed consumers’ personal information for a business
purpose in the preceding 12 months, the business shall disclose that fact.
(I) For each category of personal information identified in subsection (e)(1)(H), the
categories of third parties to whom the information was disclosed.
(J) Identification of the specific business or commercial purpose for disclosing the
consumer’s personal information. The purpose shall be described in a manner
that provides consumers a meaningful understanding of why the information is
disclosed.
(K) A statement regarding whether or not the business uses or discloses sensitive
personal information for purposes other than those specified in section 7027,
subsection (lm).
(2) An explanation of the rights that the CCPA confers on consumers regarding their
personal information, which includes the following:
(A) The right to know what personal information the business has collected about the
consumer, including the categories of personal information, the categories of
sources from which the personal information is collected, the business or
commercial purpose for collecting, selling, or sharing personal information, the
categories of third parties to whom the business discloses personal information,
and the specific pieces of personal information the business has collected about
the consumer;
(B) The right to delete personal information that the business has collected from the
consumer, subject to certain exceptions;
(C) The right to correct inaccurate personal information that a business maintains
about a consumer;
(D) If the business sells or shares personal information, the right to opt-out of the
sale or sharing of their personal information by the business;
(E) If the business uses or discloses sensitive personal information for reasons other
than those set forth in section 7027, subsection (lm), the right to limit the use or
disclosure of sensitive personal information by the business; and
(F) The right not to receive discriminatory treatment by the business for the exercise
of privacy rights conferred by the CCPA, including an employee’s, applicant’s,
or independent contractor’s right not to be retaliated against for the exercise of
their CCPA rights.
Page 17 of 73
(3) An explanation of how consumers can exercise their CCPA rights and what consumers
can expect from that process, which includes the following:
(A) An explanation of the methods by which the consumer can exercise their CCPA
rights;
(B) Instructions for submitting a request under the CCPA, including any links to an
online request form or portal for making such a request, if offered by the
business;
(C) If the business sells or shares personal information, and is required to provide a
nNotice of rRight to oOpt-out of sSale/sSharing, the contents of the nNotice of
rRight to oOpt-out of sSale/sSharing or a link to that notice in accordance with
section 7013, subsection (f);
(D) If the business uses or discloses sensitive personal information for purposes other
than those specified in section 7027, subsection (lm), and is required to provide a
nNotice of rRight to lLimit, the contents of the nNotice of rRight to lLimit or a
link to that notice in accordance with section 7014, subsection (f);
(E) A general description of the process the business uses to verify a consumer
request to know, request to delete, and request to correct, when applicable,
including any information the consumer must provide;
(F) Explanation of how an opt-out preference signal will be processed for the
consumer (i.e., whether the signal applies to the device, browser, consumer
account, and/or offline sales, and in what circumstances) and how the consumer
can use an opt-out preference signal;
(G) If the business processes opt-out preference signals in a frictionless manner,
information on how consumers can implement opt-out preference signals for the
business to process in a frictionless manner;
(H) Instructions on how an authorized agent can make a request under the CCPA on
the consumer’s behalf;
(I) If the business has actual knowledge that it sells the personal information of
consumers under 16 years of age, a description of the processes required by
sections 7070 and 7071; and
(J) A contact for questions or concerns about the business’s privacy policies and
Information pPractices using a method reflecting the manner in which the
business primarily interacts with the consumer.
(4) Date the privacy policy was last updated.
(5) If subject to the data reporting requirements set forth in section 7102, the information
required under section 7102, or a link to such information.
(1) Right to Know About Personal Information Collected, Disclosed, or Sold.
Page 18 of 73
a. Explanation that a consumer has the right to request that the business disclose
what personal information it collects, uses, discloses, and sells.
b. Instructions for submitting a verifiable consumer request to know and links to an
online request form or portal for making the request, if offered by the business.
c. General description of the process the business will use to verify the consumer
request, including any information the consumer must provide.
d. Identification of the categories of personal information the business has collected
about consumers in the preceding 12 months. The categories shall be described in
a manner that provides consumers a meaningful understanding of the information
being collected.
e. Identification of the categories of sources from which the personal information is
collected.
f. Identification of the business or commercial purpose for collecting or selling
personal information. The purpose shall be described in a manner that provides
consumers a meaningful understanding of why the information is collected or
sold.
g. Disclosure or Sale of Personal Information.
1. Identification of the categories of personal information, if any, that the
business has disclosed for a business purpose or sold to third parties in the
preceding 12 months.
2. For each category of personal information identified, the categories of third
parties to whom the information was disclosed or sold.
3. Statement regarding whether the business has actual knowledge that it sells
the personal information of consumers under 16 years of age.
(2) Right to Request Deletion of Personal Information.
a. Explanation that the consumer has a right to request the deletion of their personal
information collected by the business.
b. Instructions for submitting a verifiable consumer request to delete and links to an
online request form or portal for making the request, if offered by the business.
c. General description of the process the business will use to verify the consumer
request, including any information the consumer must provide.
(3) Right to Opt-Out of the Sale of Personal Information.
a. Explanation that the consumer has a right to opt-out of the sale of their personal
information by a business.
b. Statement regarding whether or not the business sells personal information. If the
business sells personal information, include either the contents of the notice of
right to opt-out or a link to it in accordance with section 7013.
Page 19 of 73
(4) Right to Non-Discrimination for the Exercise of a Consumer’s Privacy Rights.
a. Explanation that the consumer has a right not to receive discriminatory treatment
by the business for the exercise of the privacy rights conferred by the CCPA.
(5) Authorized Agent.
a. Instructions on how an authorized agent can make a request under the CCPA on
the consumer’s behalf.
(6) Contact for More Information.
a. A contact for questions or concerns about the business’s privacy policies and
practices using a method reflecting the manner in which the business primarily
interacts with the consumer.
(7) Date the privacy policy was last updated.
(8) If subject to the requirements set forth in section 7102, subsection (a), the information
compiled in section 7102, subsection (a)(1), or a link to it.
(9) If the business has actual knowledge that it sells the personal information of
consumers under 16 years of age, a description of the processes required by sections
7070 and 7071.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105,
1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.125, and 1798.130 and 1798.135,
Civil Code.
§ 7012. Notice at Collection of Personal Information.
(a) Purpose and General Principles (1) The purpose of the nNotice at cCollection is to provide
consumers with timely notice, at or before the point of collection, about the categories of
personal information to be collected from them, and the purposes for which the personal
information will be used. is collected or used, and whether that information is sold or
shared, so that consumers have a tool to can exercise meaningful control over the business’s
use of their personal information. Meaningful control in this context means to provide
consumers with the opportunity to choose how to engage with the business in light of its
information practices. For example, upon receiving the nNotice at cCollection, the
consumer can use the information in the notice as a tool should have all the information
necessary to choose whether or not to engage with the business, or to direct the business not
to sell or share their personal information and to limit the use and disclosure of their
sensitive personal information.
(2) The notice at collection shall be designed and presented in a way that is easy to read
and understandable to consumers. The notice shall:
(A) Use plain, straightforward language and avoid technical or legal jargon.
(B) Use a format that draws the consumer’s attention to the notice and makes the
notice readable, including on smaller screens, if applicable.
Page 20 of 73
(C) Be available in the languages in which the business in its ordinary course
provides contracts, disclaimers, sale announcements, and other information to
consumers in California.
(D) Be reasonably accessible to consumers with disabilities. For notices provided
online, the business shall follow generally recognized industry standards, such as
the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the
World Wide Web Consortium, incorporated herein by reference. In other
contexts, the business shall provide information on how a consumer with a
disability may access the notice in an alternative format.
(b) The nNotice at cCollection shall comply with section 7003, subsections (a) and (b).
(c) (3) The nNotice at cCollection shall be made readily available where consumers will
encounter it at or before the point of collection of any personal information. Illustrative
examples follow.:
(1) (A) When a business collects consumers’ personal information online, it may post a
conspicuous link to the notice on the introductory page of the business’s website and on
all webpages where personal information is collected.
(2) When a business collects consumers’ personal information through a webform, it may
post a conspicuous link to the notice in close proximity to the fields in which the
consumer inputs their personal information, or in close proximity to the button by
which the consumer submits their personal information to the business.
(3) (B) When a business collects personal information through a mobile application, it may
provide a link to the notice on the mobile application’s download page and within the
application, such as through the application’s settings menu.
(4) (C) When a business collects consumers’ personal information offline, it may include
the notice on printed forms that collect personal information, provide the consumer
with a paper version of the notice, or post prominent signage directing consumers to
where the notice can be found online.
(5) (D) When a business collects personal information over the telephone or in person, it
may provide the notice orally.
(4) When a business collects personal information from a consumer’s mobile device for a
purpose that the consumer would not reasonably expect, it shall provide a just-in-time
notice containing a summary of the categories of personal information being collected
and a link to the full notice at collection. For example, if the business offers a flashlight
application and the application collects geolocation information, the business shall
provide a just-in-time notice, such as through a pop-up window when the consumer
opens the application, that contains the information required by this subsection.
(5) A business shall not collect categories of personal information other than those
disclosed in the notice at collection. If the business intends to collect additional
categories of personal information, the business shall provide a new notice at
collection.
Page 21 of 73
(d) (6) If a business does not give the nNotice at cCollection to the consumer at or before the
point of collection of their personal information, the business shall not collect personal
information from the consumer.
(e) (b) A business shall include the following in its nNotice at cCollection:
(1) A list of the categories of personal information about consumers, including categories
of sensitive personal information, to be collected. Each category of personal
information shall be written in a manner that provides consumers a meaningful
understanding of the information being collected.
(2) The business or commercial purpose(s) for which the categories of personal
information, including categories of sensitive personal information, are collected will
be and used.
(3) Whether each the category of personal information identified in subsection (e)(1) is
sold or shared.
(4) The length of time the business intends to retain each category of personal information
identified in subsection (e)(1), or if that is not possible, the criteria used to determine
the period of time it will be retained.
(5) (3) If the business sells or shares personal information, the link to the nNotice of rRight
to oOpt-out of sSale/sSharing titled “Do Not Sell or Share My Personal Information”
required by section 7026, subsection (a), or in the case of offline notices, where the
webpage can be found online.
(6) If a business allows third parties to control the collection of personal information, the
names of all the third parties; or, in the alternative, information about the third parties’
business practices.
(7) (4) A link to the business’s privacy policy, or in the case of offline notices, where the
privacy policy can be found online.
(f) (c) If a business collects personal information from a consumer online, the nNotice at
cCollection may be given to the consumer by providing a link that takes the consumer
directly to the specific section of the business’s privacy policy that contains the information
required in subsection (b)(e)(1) through (6). Directing the consumer to the beginning of the
privacy policy, or to another section of the privacy policy that does not contain the required
information, so that the consumer is required to scroll through other information in order to
determine the categories of personal information to be collected and/or whether the business
sells or shares the personal information collected, does not satisfy this standard.
(g) Third Parties that Control the Collection of Personal Information. This subsection shall not
affect the first party’s obligations under the CCPA to comply with a consumer’s request to
opt-out of sale/sharing. If a consumer makes a request to opt-out of sale/sharing with the
first party, both the first party and third parties controlling the collection of personal
information shall comply with sections 7026, subsection (f), and 7052, subsection (a).
(1) For purposes of giving nNotice at cCollection, more than one business may control the
collection of a consumer’s personal information, and thus, have an obligation to
Page 22 of 73
provide a nNotice at cCollection in accordance with the CCPA and these regulations.
For example, a first party may allow another business, acting as a third party, to
control the collection of personal information from consumers browsing the first
party’s website. Both the first party that allows the third parties to collect personal
information via its website, as well as the third party controlling the collection of
personal information, shall provide a nNotice at cCollection. The first party and third
parties may provide a single Notice at Collection that includes the required
information about their collective Information Practices.
(2) A first party that allows another business, acting as a third party, to control the
collection of personal information from a consumer shall include in its notice at
collection the names of all the third parties that the first party allows to collect
personal information from the consumer. In the alternative, a business, acting as a
third party and controlling the collection of personal information, may provide the first
party information about its business practices for the first party to include in the first
party’s notice at collection.
(2) (3) A business that, acting as a third party, controls the collection of personal
information on another business’s physical premises, such as in a retail store or in a
vehicle, shall also provide a nNotice at cCollection in a conspicuous manner at the
physical location(s) where it is collecting the personal information.
(3) (4) Illustrative examples follow.
(A) Business F allows Business G, an analytics business third party ad network, to
collect consumers’ personal information through Business F’s website. Business
F may post a conspicuous link to its nNotice at cCollection, which shall identify
Business G as a third party authorized to collect personal information from the
consumer or information about Business G’s information practices, on its
Homepage(s) the introductory page of its website and on all webpages where
personal information is collected. Business G shall provide a nNotice at
cCollection on its cHomepage(s) or include the required information about its
Information Practices in Business F’s Notice at Collection.
(B) Business H, a coffee shop, allows Business I, a business providing wi-fi Wi-Fi
services, to collect personal information from consumers using Business I’s
services on Business H’s premises. Business H may post conspicuous signage at
the entrance of the store or at the point-of-sale directing consumers to where the
nNotice at cCollection for Business H can be found online. Business H’s notice
at collection shall identify Business I as a third party authorized to collect
personal information from the consumer or include information about Business
I’s practices in its notice. In addition, Business I shall post its own nNotice at
cCollection on the first webpage or other interface consumers see before
connecting to the wi-fi Wi-Fi services offered.
(C) Business J, a car rental business, allows Business K M to collect personal
information from consumers within the vehicles Business J K rents to
consumers. Business J may give its nNotice at cCollection, which shall identify
Business K as a third party authorized to collect personal information from the
Page 23 of 73
consumer or include information about Business K’s practices, to the consumer
at the point of sale, i.e., at the rental counter, either in writing or orally. Business
K may provide its own nNotice at cCollection within the vehicle, such as through
signage on the vehicle’s computer dashboard directing consumers to where the
notice can be found online. Business K shall also provide a notice at collection
on its homepage.
(h) (d) A business that does not neither collects nor controls the collection of personal
information directly from the consumer does not need to provide a nNotice at cCollection to
the consumer if it does not neither sells nor shares the consumer’s personal information.
(i) (e) A data broker registered with the Attorney General pursuant to Civil Code section
1798.99.80 et seq., where it that does not collects personal information from a source other
than directly from the consumer, does not need to provide a nNotice at cCollection to the
consumer if it has included in its registration submission a link to its online privacy policy
that includes instructions on how a consumer can submit a request to opt-out of sale/sharing.
(j) (f) A business collecting employment-related information shall comply with the provisions
of section 7012, except with regard to the following: (1) The notice at collection of
employment-related information does not need to include the link or web address to the link
titled “Do Not Sell My Personal Information”. (2) The that the notice at collection of
employment-related information is not required to provide a link to the business’s privacy
policy.
(k) (g) Subsection (f) (j) shall become inoperative on January 1, 20212023, unless the CCPA is
amended otherwise.
Note: Authority: Section 1798.185, Civil Code. Reference: Sections 1798.99.82, 1798.100,
1798.115, 1798.120, 1798.121, 1798.145 and 1798.185, Civil Code.
§ 7013. Notice of Right to Opt-Out of Sale/Sharing of and the “Do Not Sell or Share My
Personal Information” Link.
(a) Purpose and General Principles (1) The purpose of the nNotice of rRight to oOpt-out of
sSale/sSharing is to inform consumers of their right to direct a business that sells or shares
their personal information to stop selling or sharing their personal information and to
provide them with the opportunity to exercise that right. The purpose of the “Do Not Sell or
Share My Personal Information” link is to immediately effectuate the consumer’s right to
opt-out of sale/sharing, or in the alternative, direct the consumer to the nNotice of rRight to
oOpt-out of sSale/sSharing . Accordingly, clicking the business’s “Do Not Sell or Share My
Personal Information” link will either have the immediate effect of opting the consumer out
of the sale or sharing of personal information or lead the consumer to a webpage where the
consumer can learn about and make that choice.
(2) The notice of right to opt-out shall be designed and presented in a way that is easy to
read and understandable to consumers. The notice shall:
(A) Use plain, straightforward language and avoid technical or legal jargon.
Page 24 of 73
(B) Use a format that draws the consumer’s attention to the notice and makes the
notice readable, including on smaller screens, if applicable.
(C) Be available in the languages in which the business in its ordinary course provides
contracts, disclaimers, sale announcements, and other information to consumers in
California.
(D) Be reasonably accessible to consumers with disabilities. For notices provided
online, the business shall follow generally recognized industry standards, such as
the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the
World Wide Web Consortium, incorporated herein by reference. In other
contexts, the business shall provide information on how a consumer with a
disability may access the notice in an alternative format.
(b) The nNotice of rRight to oOpt-out of sSale/sSharing shall comply with section 7003,
subsections (a) and (b).
(c) The “Do Not Sell or Share My Personal Information” link shall be a conspicuous link that
complies with section 7003, subsections (c) and (d) and is located at either the header or
footer of the business’s internet hHomepage(s).
(d) In lieu of posting the “Do Not Sell or Share My Personal Information” link, a business may
provide the aAlternative oOpt-out lLink in accordance with section 7015 or process opt-out
preference signals in a frictionless manner in accordance with section 7025, subsections (f)
and (g). The business must still post a nNotice of rRight to oOpt-out of sSale/sSharing in
accordance with these regulations.
(e) (b) A business that sells or shares the personal information of consumers shall provide the
nNotice of rRight to oOpt-out of sSale/sSharing to consumers as follows:
(1) A business shall post the nNotice of rRight to oOpt-out of sSale/sSharing on the
Iinternet webpage to which the consumer is directed after clicking on the “Do Not Sell
or Share My Personal Information” link on the website homepage or the download or
landing page of a mobile application. In addition, a business that collects personal
information through a mobile application may provide a link to the notice within the
application, such as through the application’s settings menu. The notice shall include
the information specified in subsection (cf) or be a link that takes the consumer
directly to the specific section of the business’s privacy policy that contains the same
information. If clicking on the “Do Not Sell or Share My Personal Information” link
immediately effectuates the consumer’s right to opt-out of sale/sharing or if the
business processes opt-out preference signals in a frictionless manner and chooses not
to post a link, the business shall provide the notice within its privacy policy.
(2) A business that does not operate a website shall establish, document, and comply with
another method by which it informs consumers of their right to opt-out of sale/sharing.
That method shall comply with the requirements set forth in section 7004 subsection
(a)(2).
Page 25 of 73
(3) A business shall also provide the notice to opt-out of sale/sharing in the same manner
in which it collects the personal information that it sells or shares. Illustrative
examples follow.
(A) A business that sells or shares personal information that it collects in the course
of interacting with consumers offline, such as in a brick-and-mortar store, shall
also inform consumers by an offline method of their right to opt-out and provide
instructions on how to submit a request to opt-out provide notice through an
offline method, e.g., . Illustrative examples follow: (A) A business that sells or
shares personal information that it collects from consumers in a brick-and-mortar
store may inform consumers of their right to opt-out on the paper forms that
collect the personal information or by posting signage in the area where the
personal information is collected directing consumers to where the notice opt-out
information can be found online.
(B) A business that sells or shares personal information that it collects over the
phone may shall provide notice inform consumers of their right to opt-out orally
during the call when the information is collected.
(C) A business that sells or shares personal information that it collects through a
connected device (e.g., smart television or smart watch) shall provide notice in a
manner that ensures that the consumer will encounter the notice while using the
device.
(D) A business that sells or shares personal information that it collects in augmented
or virtual reality, such as through gaming devices or mobile applications, shall
provide notice in a manner that ensures that the consumer will encounter the
notice while in the augmented or virtual reality environment.
(f) (c) A business shall include the following in its nNotice of rRight to oOpt-out of
sSale/sSharing:
(1) A description of the consumer’s right to opt-out of the sale or sharing of their personal
information by the business; and
(2) Instructions on how the consumer can submit a request to opt-out of sale/sharing. If
notice is provided online, the notice shall include tThe interactive form by which the
consumer can submit their request to opt-out of sale/sharing online, as required by
section 7026, subsection (a)(1). , or iIf the business does not operate a website, the
notice shall explain the offline method by which the consumer can submit their request
to opt-out of sale/sharing.; and
(3) Instructions for any other method by which the consumer may submit their request to
opt-out.
(g) (d) A business does not need to provide a nNotice of rRight to oOpt-out of sSale/sSharing or
the “Do Not Sell or Share My Personal Information” link if:
(1) It does not sell or share personal information; and
(2) It states in its privacy policy that it does not sell or share personal information.
Page 26 of 73

(h) (e) A business shall not sell or share the personal information it collected during the time the
business did not have a nNotice of rRight to oOpt-out of sSale/sSharing posted unless it
obtains the affirmative authorization consent of the consumer.
(f) Opt-Out Icon.
(1) The following opt-out icon may be used in addition to posting the notice of right to
opt-out, but not in lieu of any requirement to post the notice of right to opt-out or a
“Do Not Sell or Share My Personal Information” link as required by Civil Code
section 1798.135 and these regulations.
(2) The icon shall be approximately the same size as any other icons used by the business
on its webpage.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135
and 1798.185, Civil Code.
§ 7014. Notice of Right to Limit and the “Limit the Use of My Sensitive Personal
Information” Link.
(a) The purpose of the nNotice of rRight to lLimit is to inform consumers of their right to limit
a business’s use and disclosure of their sensitive personal information and to provide them
with the opportunity to exercise that right. The purpose of the “Limit the Use of My
Sensitive Personal Information” link is to immediately effectuate the consumer’s right to
limit, or in the alternative, direct the consumer to the nNotice of rRight to lLimit.
Accordingly, clicking the business’s “Limit the Use of My Sensitive Personal Information”
link will either have the immediate effect of limiting the use and disclosure of the
consumer’s sensitive personal information or lead the consumer to a webpage where the
consumer can learn about and make that choice.
(b) The nNotice of rRight to lLimit shall comply with section 7003, subsections (a) and (b).
(c) The “Limit the Use of My Sensitive Personal Information” link shall be a conspicuous link
that complies with section 7003, subsections (c) and (d), and is located at either the header
or footer of the business’s internet hHomepage(s).
(d) In lieu of posting the “Limit the Use of My Sensitive Personal Information” link, a business
may provide the aAlternative oOpt-out lLink in accordance with section 7015. The business
shall still post a nNotice of rRight to lLimit in accordance with these regulations.
(e) A business that uses or discloses a consumer’s sensitive personal information for purposes
other than those specified in section 7027, subsection (lm), shall provide the nNotice of
rRight to lLimit to consumers as follows:
(1) A business shall post the nNotice of rRight to lLimit on the internet webpage to which
the consumer is directed after clicking on the “Limit the Use of My Sensitive Personal
Information” link. The notice shall include the information specified in subsection (f)
or be a link that takes the consumer directly to the specific section of the business’s
Page 27 of 73
privacy policy that contains the same information. If clicking on the “Limit the Use of
My Sensitive Personal Information” link immediately effectuates the consumer’s right
to limit, the business shall provide the notice within its privacy policy.
(2) A business that does not operate a website shall establish, document, and comply with
another method by which it informs consumers of their right to limit. That method
shall comply with the requirements set forth in section 7003.
(3) A business shall also provide the notice of right to limit in the same manner in which
it collects the sensitive personal information that it uses or discloses for purposes
other than those specified in section 7027, subsection (l). Illustrative examples
follow:
(A) A business that uses or discloses sensitive personal information that it collected
in the course of interacting with consumers offline, such as in a brick-and-mortar
store, for purposes other than those specified in section 7027, subsection (l), shall
also provide notice through an offline method, e.g., on the paper forms that
collect the sensitive personal information or by posting signage in the area where
the sensitive personal information is collected directing consumers to where the
notice can be found online.
(B) A business that uses or discloses sensitive personal information that it collects
over the phone for purposes other than those specified in section 7027,
subsection (l), shall provide notice orally during the call when the sensitive
personal information is collected.
(C) A business that uses or discloses sensitive personal information that it collects
through a connected device (e.g., smart television or smart watch) for purposes
other than those specified in section 7027, subsection (l), shall provide notice in a
manner that ensures that the consumer will encounter the notice while using the
device.
(D) A business that uses or discloses sensitive personal information that it collects in
augmented or virtual reality, such as through gaming devices or mobile
applications, for purposes other than those specified in section 7027, subsection
(l), shall provide notice in a manner that ensures that the consumer will
encounter the notice while in the augmented or virtual reality environment.
(f) A business shall include the following in its nNotice of rRight to lLimit:
(1) A description of the consumer’s right to limit; and
(2) Instruction on how the consumer can submit a request to limit. If notice is provided
online, the notice shall include the interactive form by which the consumer can submit
their request to limit online, as required by section 7027, subsection (b)(1). If the
business does not operate a website, the notice shall explain the offline method by
which the consumer can submit their request to limit.
(g) A business does not need to provide a nNotice of rRight to lLimit or the “Limit the Use of
My Sensitive Personal Information” link if it does both of the following:
Page 28 of 73
(1) It only uses and discloses sensitive personal information that it collected about the
consumer for the purposes specified in section 7027, subsection (lm), and states so in
its privacy policy; or.
(2) It only collects or processes sensitive personal information without the purpose of
inferring characteristics about a consumer, and states so in its privacy policy states in
its privacy policy that it does not use or disclose sensitive personal information for any
purpose other than what is specified in section 7027, subsection (l).
(h) A business shall not use or disclose sensitive personal information it collected during the
time the business did not have a nNotice of rRight to lLimit posted for purposes other than
those specified in section 7027, subsection (lm), unless it obtains the consent of the
consumer.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.121, 1798.135
and 1798.185, Civil Code.
§ 7015. Alternative Opt-Out Link.
(a) The purpose of the aAlternative oOpt-out lLink is to provide businesses the option of
providing consumers with a single, clearly-labeled link that allows consumers to easily
exercise both their right to opt-out of sale/sharing and right to limit, instead of posting the
two separate “Do Not Sell or Share My Personal Information” and “Limit the Use of My
Sensitive Personal Information” links. The aAlternative oOpt-out lLink shall direct the
consumer to a webpage that would inform them of both their right to opt-out of sale/sharing
and right to limit and provide them with the opportunity to exercise both rights.
(b) A business that chooses to use an aAlternative oOpt-out lLink shall title the link, “Your
Privacy Choices” or “Your California Privacy Choices,” and shall include the following optout icon to the right or left of adjacent to the title. The link shall be a conspicuous link that
complies with section 7003, subsections (c) and (d), and is located at either the header or
footer of the business’s internet hHomepage(s). The icon shall be approximately the same
size as any other icons used by the business in the header or footer of on its webpage.

(c) The aAlternative oOpt-out lLink shall direct the consumer to a webpage that includes the
following information:
(1) A description of the consumer’s right to opt-out of sale/sharing and right to limit, which
shall comply with section 7003, subsections (a) and (b); and
(2) The interactive form or mechanism by which the consumer can submit their request to
opt-out of sale/sharing and their right to limit online. The method shall be easy for
consumers to execute, shall require minimal steps, and shall comply with section 7004.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.121,
1798.135 and 1798.185, Civil Code.
Page 29 of 73
§ 7016. Notice of Financial Incentive.
(a) Purpose and General Principles (1) The purpose of the nNotice of fFinancial iIncentive is
to explain to the consumer the material terms of a financial incentive or price or service
difference the business is offering so that the consumer may make an informed decision
about whether to participate. A business that does not offer a financial incentive or price or
service difference is not required to provide a nNotice of fFinancial iIncentive.
(b) The nNotice of fFinancial iIncentive shall comply with section 7003, subsections (a) and
(b).
(c) (2) The nNotice of fFinancial iIncentive shall be designed and presented in a way that is
easy to read and understandable to consumers. The notice shall:
(A) Use plain, straightforward language and avoid technical or legal jargon.
(B) Use a format that draws the consumer’s attention to the notice and makes the notice
readable, including on smaller screens, if applicable.
(C) Be available in the languages in which the business in its ordinary course provides
contracts, disclaimers, sale announcements, and other information to consumers in
California.
(D) Be reasonably accessible to consumers with disabilities. For notices provided online,
the business shall follow generally recognized industry standards, such as the Web
Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide
Web Consortium, incorporated herein by reference. In other contexts, the business
shall provide information on how a consumer with a disability may access the notice in
an alternative format.
(E) Be readily available where consumers will encounter it before opting-in to the financial
incentive or price or service difference. (3) If the business offers the financial incentive
or price or service difference online, the notice may be given by providing a link that
takes the consumer directly to the specific section of a business’s privacy policy that
contains the information required in subsection (bd).
(d) (b) A business shall include the following in its nNotice of fFinancial iIncentive:
(1) A succinct summary of the financial incentive or price or service difference offered;
(2) A description of the material terms of the financial incentive or price or service
difference, including the categories of personal information that are implicated by the
financial incentive or price or service difference and the value of the consumer’s data;
(3) How the consumer can opt-in to the financial incentive or price or service difference;
(4) A statement of the consumer’s right to withdraw from the financial incentive at any
time and how the consumer may exercise that right; and
(5) An explanation of how the financial incentive or price or service difference is
reasonably related to the value of the consumer’s data, including:
Page 30 of 73
(A) A good-faith estimate of the value of the consumer’s data that forms the basis for
offering the financial incentive or price or service difference; and
(B) A description of the method(s) the business used to calculate the value of the
consumer’s data.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.125 and
1798.130, Civil Code.
ARTICLE 3. BUSINESS PRACTICES FOR HANDLING CONSUMER REQUESTS
§ 7020. Methods for Submitting Requests to Delete, Requests to Correct, and Requests to
Know and Requests to Delete.
(a) A business that operates exclusively online and has a direct relationship with a consumer
from whom it collects personal information shall only be required to provide an email
address for submitting requests to delete, requests to correct, and requests to know. All
other businesses shall provide two or more designated methods for submitting requests to
know, including, at a minimum, a toll-free telephone number. Other acceptable methods for
submitting these requests include, but are not limited to, a designated email address, a form
submitted in person, and a form submitted through the mail.
(b) A business that does not fit within subsection (a) shall provide two or more designated
methods for submitting requests to delete, requests to correct, and requests to know. One of
those methods must be a toll-free telephone number. If the business maintains an internet
website, one of the methods for submitting these requests shall be through its website, such
as through a webform. Other Acceptable methods for submitting these requests to delete,
requests to correct, and requests to know may include, but are not limited to, a toll-free
phone number, a link or form available online through a business’s website, a designated
email address, a form submitted in person, and a form submitted through the mail.
(c) A business shall consider the methods by which it primarily interacts with consumers when
determining which methods to provide for submitting requests to delete, requests to correct,
and requests to know and requests to delete. If the business interacts with consumers in
person, the business shall consider providing an in-person method such as a printed form the
consumer can directly submit or send by mail, a tablet or computer portal that allows the
consumer to complete and submit an online form, or a telephone with which the consumer
can call the business’s toll-free number.
(d) A business may use a two-step process for online requests to delete where the consumer
must first, submit the request to delete and then second, separately confirm that they want
their personal information deleted provided that the business otherwise complies with
section 7004.
(e) If a consumer submits a request in a manner that is not one of the designated methods of
submission, or is deficient in some manner unrelated to the verification process, the business
shall either:
Page 31 of 73
(1) Treat the request as if it had been submitted in accordance with the business’s
designated manner, or
(2) Provide the consumer with information on how to submit the request or remedy any
deficiencies with the request, if applicable.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105,
1798.106, 1798.110, 1798.115, 1798.130, 1798.140 and 1798.185, Civil Code.
§ 7021. Timelines for Responding to Requests to Delete, Requests to Correct, and Requests
to Know and Requests to Delete.
(a) No later than 10 business days after Upon receiving a request to delete, request to correct, or
request to know or a request to delete, a business shall confirm receipt of the request within
10 business days and provide information about how the business will process the request.
The information provided shall describe in general the business’s verification process and
when the consumer should expect a response, except in instances where the business has
already granted or denied the request. The confirmation may be given in the same manner
in which the request was received. For example, if the request is made over the phone, the
confirmation may be given orally during the phone call.
(b) Businesses shall respond to a requests to delete, request to correct, and request to know and
requests to delete within no later than 45 calendar days after it receives the request. The 45-
day period will begin on the day that the business receives the request, regardless of time
required to verify the request. If the business cannot verify the consumer within the 45-day
time period, the business may deny the request. If necessary, businesses may take up to an
additional 45 calendar days to respond to the consumer’s request, for a maximum total of 90
calendar days from the day the request is received, provided that the business provides the
consumer with notice and an explanation of the reason that the business will take more than
45 days to respond to the request.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105,
1798.106, 1798.110, 1798.115, 1798.130, 1798.140 and 1798.185, Civil Code.
§ 7022. Requests to Delete.
(a) For requests to delete, if a business cannot verify the identity of the requestor pursuant to the
regulations set forth in Article 5, the business may deny the request to delete. The business
shall inform the requestor that their identity cannot be verified.
(b) A business shall comply with a consumer’s request to delete their personal information by:
(1) Permanently and completely erasing the personal information on from its existing
systems with the exception of archived or back-up systems; (2) D , deidentifying the
personal information; (3) A , or aggregating the consumer information;.
(2) Notifying the business’s service providers or contractors to delete from their records the
consumer’s personal information obtained in the course of providing services that they
Page 32 of 73
Collected pursuant to their written contract with the business, or if enabled to do so by
the service provider or contractor, the business shall delete the personal information that
the service provider or contractor Collected pursuant to their written contract with the
business; and
(3) Notifying all third parties to whom the business has sold or shared the personal
information to delete the consumer’s personal information unless this proves impossible
or involves disproportionate effort. If a business claims that notifying some or all third
parties would be impossible or would involve disproportionate effort, the business shall
provide the consumer a detailed explanation that includes enough facts to give a
consumer a meaningful understanding as to why the business cannot notify all third
parties. The business shall not simply state that notifying all third parties is impossible
or would require disproportionate effort.
(c) A service provider or contractor shall, with respect to personal information that they
Collected pursuant to their written contract with the business and upon notification by the
business, cooperate with the business in responding to a request to delete by comply with
the consumer’s request to delete their personal information by:
(1) Permanently and completely erasing the personal information from its existing systems
except archived or back-up systems, deidentifying the personal information, or
aggregating the consumer information, or enabling the business to do so;
(2) To the extent that an exception applies to the deletion of personal information, deleting
or enabling the business to delete the consumer’s personal information that is not
subject to the exception and refraining from using the consumer’s personal information
retained for any purpose other than the purpose provided for by that exception;.
(3) Notifying any of its own service providers or contractors to delete from their records in
the same manner the consumer’s personal information that they Collected pursuant to
their written contract with the service provider or contractor obtained in the course of
providing services; and
(4) Notifying any other service providers, contractors, or third parties that may have
accessed personal information from or through the service provider or contractor,
unless the information was accessed at the direction of the business, to delete the
consumer’s personal information unless this proves impossible or involves
disproportionate effort. If the service provider or contractor claims that such a
notification is impossible or would involve disproportionate effort, the service provider
or contractor shall provide the business a detailed explanation that shall be relayed to
the consumer that includes enough facts to give a consumer a meaningful
understanding as to why the notification was not possible or involved disproportionate
effort. The service provider or contractor shall not simply state that notifying those
service providers, contractors, and/or third parties is impossible or would require
disproportionate effort.
Page 33 of 73
(d) (c) If a business, service provider, or contractor stores any personal information on archived
or backup systems, it may delay compliance with the consumer’s request to delete, with
respect to data stored on the archived or backup system, until the archived or backup system
relating to that data is restored to an active system or is next accessed or used for a sale,
disclosure, or commercial purpose.
(e) (d) In responding to a request to delete, a business shall inform the consumer whether or not
it has complied with the consumer’s request. (e) If the business complies with the
consumer’s request, tThe business shall also inform the consumer that it will maintain a
record of the request as required by section 7030 7101, subsection (b)(a). A business,
service provider, contractor, or third party may retain a record of the request for the purpose
of ensuring that the consumer’s personal information remains deleted from the business’s its
records.
(f) In cases where a business denies a consumer’s request to delete in whole or in part, the
business shall do all of the following:
(1) Inform the consumer that it will not comply with the consumer’s request and describe
Provide to the consumer a detailed explanation of the basis for the denial, including
any conflict with federal or state law, or exception to the CCPA, or factual basis for
contending that compliance would be impossible or involve disproportionate effort,
unless prohibited from doing so by law;
(2) Delete the consumer’s personal information that is not subject to the exception; and
(3) Not use the consumer’s personal information retained for any other purpose than
provided for by that exception; and
(4) Instruct its service providers and contractors to delete the consumer’s personal
information that is not subject to the exception and to not use the consumer’s personal
information retained for any purpose other than the purpose provided for by that
exception.
(g) If a business that denies a consumer’s request to delete sells or shares personal information
and the consumer has not already made a request to opt-out of sale/sharing, the business
shall ask the consumer if they would like to opt-out of the sale or sharing of their personal
information and shall include either the contents of, or a link to, the nNotice of rRight to
oOpt-out of sSale/sSharing in accordance with section 7013.
(h) In responding to a request to delete, a business may present the consumer with the choice to
delete select portions of their personal information as long as only if a global a single option
to delete all personal information is also offered and more prominently presented than the
other choices. A business that provides consumers the ability to delete select categories of
personal information (e.g., purchase history, browsing history, voice recordings) in other
contexts, however, must inform consumers of their ability to do so and direct them to how
Page 34 of 73
they can do so. For example, a business may provide the consumer with a link to a support
page or other resource that explains consumers’ data deletion options.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105,
1798.110, 1798.115, 1798.130 and 1798.185, Civil Code.
§ 7023. Requests to Correct.
(a) For requests to correct, if a business cannot verify the identity of the requestor pursuant to
the regulations set forth in Article 5, the business may deny the request to correct. The
business shall inform the requestor that their identity cannot be verified.
(b) In determining the accuracy of the personal information that is the subject of a consumer’s
request to correct, the business shall consider the totality of the circumstances relating to the
contested personal information. A business may deny a consumer’s request to correct if it
determines that the contested personal information is more likely than not accurate based on
the totality of the circumstances.
(1) Considering the totality of the circumstances includes, but is not limited to,
considering:
(A) The nature of the personal information (e.g., whether it is objective, subjective,
unstructured, sensitive, etc.).
(B) How the business obtained the contested information.
(C) Documentation relating to the accuracy of the information whether provided by
the consumer, the business, or another source. Requirements regarding
documentation are set forth in subsection (d).
(2) If the business is not the source of the personal information and has no documentation
to in support of the accuracy of the information, the consumer’s assertion of
inaccuracy may be sufficient to establish that the personal information is inaccurate.
(c) A business that complies with a consumer’s request to correct shall correct the personal
information at issue on its existing systems and implement measures to ensure that the
information remains corrected. The business shall also instruct all service providers and
contractors that maintain the personal information at issue pursuant to their written contract
with in the course of providing services to the business to make the necessary corrections in
their respective systems. Service providers and contractors shall comply with the business’s
instructions to correct the personal information or enable the business to make the
corrections and shall also ensure that the information remains corrected. Illustrative
examples follow. If a business, service provider, or contractor stores any personal
information that is the subject of the request to correct on archived or backup systems, it
may delay compliance with the consumer’s request to correct, with respect to data stored on
the archived or backup system, until the archived or backup system relating to that data is
restored to an active system or is next accessed or used.
Page 35 of 73
(1) Business L maintains personal information about consumers that it receives from data
brokers on a regular basis. Business L generally refreshes the personal information it
maintains about consumers whenever it receives an update from a data broker.
Business L receives a request to correct from a consumer and determines that the
information is inaccurate. To comply with the consumer’s request, Business L
corrects the inaccurate information in its system and ensures that the corrected
personal information is not overridden by inaccurate personal information
subsequently received from the data broker.
(2) Business M stores personal information about consumers on archived or backup
systems. Business M receives a request to correct from a consumer, determines that
the information is inaccurate, and makes the necessary corrections within its active
system. Business M delays compliance with the consumer’s request to correct with
respect to data stored on the archived or backup system until the archived or backup
system relating to the personal information at issue is restored to an active system or
next accessed or used for a sale, disclosure, or commercial purpose.
(d) Documentation.
(1) A business shall accept, review, and consider any documentation that the consumer
provides in connection with their right to correct whether provided voluntarily or as
required by the business. Consumers should make a good-faith effort to provide
businesses with all necessary information available at the time of the request.
(2) A business may require the consumer to provide documentation if necessary to rebut
its own documentation that the personal information is accurate. In determining the
necessity of the documentation requested, the business shall consider the following:
(A) The nature of the personal information at issue (e.g., whether it is objective,
subjective, unstructured, sensitive, etc.).
(B) The nature of the documentation upon which the business considers the personal
information to be accurate (e.g., whether the documentation is from a trusted
source, whether the documentation is verifiable, etc.)
(C) The purpose for which the business collects, maintains, or uses the personal
information. For example, if the personal information is essential to the
functioning of the business, the business may require more documentation.
(D) The impact on the consumer. For example, if the personal information has a
high negative impact on the consumer, the business may require less
documentation.
(3) Any documentation provided by the consumer in connection with their request to
correct shall only be used and/or maintained by the business for the purpose of
correcting the consumer’s personal information and to comply with the record-keeping
obligations under section 7101.
Page 36 of 73
(4) The business shall implement and maintain reasonable security procedures and
practices in maintaining any documentation relating to the consumer’s request to
correct.
(e) A business may delete the contested personal information as an alternative to correcting the
information if the deletion of the personal information does not negatively impact the
consumer, or the consumer consents to the deletion. For example, if deleting instead of
correcting inaccurate personal information would make it harder for the consumer to obtain
a job, housing, credit, education, or other type of opportunity, the business shall process the
request to correct or obtain the consumer’s consent to delete the information.
(f) In responding to a request to correct, a business shall inform the consumer whether or not it
has complied with the consumer’s request. If the business denies a consumer’s request to
correct in whole or in part, the business shall do the following:
(1) Explain the basis for the denial, including any conflict with federal or state law,
exception to the CCPA, inadequacy in the required documentation, or contention that
compliance proves impossible or involves disproportionate effort.
(2) If a business claims that complying with the consumer’s request to correct would be
impossible or would involve disproportionate effort, the business shall provide the
consumer a detailed explanation that includes enough facts to give a consumer a
meaningful understanding as to why the business cannot comply with the request. The
business shall not simply state that it is impossible or would require disproportionate
effort.
(3) Inform the consumer that, upon the consumer’s request, it will note both internally and
to any person with whom it discloses, shares, or sells the personal information that the
accuracy of the personal information is contested by the consumer. The business does
not have to provide this option for requests that are fraudulent or abusive.
(3) (4) If a business denies a consumer’s request to correct personal information collected
and analyzed concerning a consumer’s health, the business shall also inform the
consumer that they may provide a written statement to the business to be made part of
the consumer’s record per Civil Code section 1798.185, subdivision (a)(8)(D). The
business shall explain to the consumer that the written statement is limited to 250
words per alleged inaccurate piece of personal information and shall include that the
consumer must request that the statement be made part of the consumer’s record.
Upon receipt of such a statement, the business shall include it with the consumer’s
record and make it available to any person with whom it discloses, shares, or sells the
personal information that is the subject of the request to correct.
(4) (5) If the personal information at issue can be deleted pursuant to a request to delete,
inform the consumer that they can make a request to delete the personal information
and provide instructions on how the consumer can make a request to delete.
(g) A business may deny a consumer’s request to correct if the business has denied the
consumer’s request to correct the same alleged inaccuracy within the past six months of
Page 37 of 73
receiving the request. However, the business must treat the request to correct as new if the
consumer provides new or additional documentation to prove that the information at issue is
inaccurate.
(h) A business may deny a request to correct if it has a good-faith, reasonable, and documented
belief that a request to correct is fraudulent or abusive. The business shall inform the
requestor that it will not comply with the request and shall provide an explanation why it
believes the request is fraudulent or abusive.
(i) Where the business is not the source of the information that the consumer contends is
inaccurate, in addition to processing the consumer’s request, the business shall may provide
the consumer with the name of the source from which the business received the alleged
inaccurate information.
(j) Upon request, a business shall disclose all the specific pieces of personal information that
the business maintains and has collected about the consumer to allow the consumer to
confirm that the business has corrected the inaccurate information that was the subject of the
consumer’s request to correct. This disclosure shall not be considered a response to a
request to know that is counted towards the limitation of two requests within a 12-month
period as set forth in Civil Code section 1798.130, subdivision (b). With regard to a
correction to a consumer’s Social Security number, driver’s license number or other
government-issued identification number, financial account number, any health insurance or
medical identification number, an account password, security questions and answers, or
unique biometric data generated from measurements or technical analysis of human
characteristics, a business shall not disclose this information, but may provide a way to
confirm that the personal information it maintains is the same as what the consumer has
provided.
(k) Whether a business, service provider, or contractor has implemented measures to ensure that
personal information that is the subject of a request to correct remains corrected factors into
whether that business, service provider, or contractor has complied with a consumer’s
request to correct in accordance with the CCPA and these regulations. For example, a
business, service provider, or contractor may supplement personal information it maintains
about consumers with information obtained from a data broker. Failing to consider and
address the possibility that corrected information may be overridden by inaccurate
information subsequently received from a data broker may factor into whether that business,
service provider, or contractor has adequately complied with a consumer’s request to
correct.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.106, 1798.130
1798.185, and 1798.81.5, Civil Code.
§ 7024. Requests to Know.
(a) For requests that seek the disclosure of specific pieces of information about the consumer, if
a business cannot verify the identity of the person making the request pursuant to the
regulations set forth in Article 5, the business shall not disclose any specific pieces of
Page 38 of 73
personal information to the requestor and shall inform the requestor that it cannot verify
their identity. If the request is denied in whole or in part, the business shall also evaluate the
consumer’s request as if it is seeking the disclosure of categories of personal information
about the consumer pursuant to subsection (b).
(b) For requests that seek the disclosure of categories of personal information about the
consumer, if a business cannot verify the identity of the person making the request pursuant
to the regulations set forth in Article 5, the business may deny the request to disclose the
categories and other information requested and shall inform the requestor that it cannot
verify their identity. If the request is denied in whole or in part, the business shall provide or
direct the consumer to its general business Information pPractices regarding the collection,
maintenance, and sale of personal information set forth in its privacy policy.
(c) In responding to a request to know, a business is not required to search for personal
information if all of the following conditions are met:
(1) The business does not maintain the personal information in a searchable or reasonably
accessible format;
(2) The business maintains the personal information solely for legal or compliance
purposes;
(3) The business does not sell the personal information and does not use it for any
commercial purpose; and
(4) The business describes to the consumer the categories of records that may contain
personal information that it did not search because it meets the conditions stated
above.
(d) A business shall not disclose in response to a request to know a consumer’s Social Security
number, driver’s license number or other government-issued identification number, financial
account number, any health insurance or medical identification number, an account
password, security questions and answers, or unique biometric data generated from
measurements or technical analysis of human characteristics. The business shall, however,
inform the consumer with sufficient particularity that it has collected the type of
information. For example, a business shall respond that it collects “unique biometric data
including a fingerprint scan” without disclosing the actual fingerprint scan data.
(e) If a business denies a consumer’s verified request to know specific pieces of personal
information, in whole or in part, because of a conflict with federal or state law, or an
exception to the CCPA, the business shall inform the requestor and explain the basis for the
denial, unless prohibited from doing so by law. If the request is denied only in part, the
business shall disclose the other information sought by the consumer.
(f) A business shall use reasonable security measures when transmitting personal information to
the consumer.
Page 39 of 73
(g) If a business maintains a password-protected account with the consumer, it may comply
with a request to know by using a secure self-service portal for consumers to access, view,
and receive a portable copy of their personal information if the portal fully discloses the
personal information that the consumer is entitled to under the CCPA and these regulations,
uses reasonable data security controls, and complies with the verification requirements set
forth in Article 5.
(h) In response to a request to know, a business shall provide all the personal information it has
collected and maintains about the consumer on or after January 1, 2022, including beyond
the 12-month period preceding the business’s receipt of the request, unless doing so proves
impossible or would involve disproportionate effort, or the consumer requests data for a
specific time period. That information shall include any personal information that the
business’s service providers or contractors Collected pursuant to their written contract with
obtained as a result of providing services to the business. If a business claims that providing
personal information beyond the 12-month period would be impossible or would involve
disproportionate effort, the business shall provide the consumer a detailed explanation that
includes enough facts to give a consumer a meaningful understanding as to why the business
cannot provide personal information beyond the 12-month period. The business shall not
simply state that it is impossible or would require disproportionate effort. Unless otherwise
specified by the business to cover a longer period of time, the 12-month period covered by a
consumer’s verifiable request to know referenced in Civil Code section 1798.130,
subdivision (a)(2), shall run from the date the business receives the request, regardless of the
time required to verify the request.
(i) A service provider or contractor shall provide assistance to the business in responding to a
verifiable consumer request to know, including by providing the business the consumer’s
personal information it has in its possession that it Collected pursuant to their written
contract with obtained as a result of providing services to the business, or by enabling the
business to access that personal information.
(j) (i) In responding to a consumer’s verified request to know categories of personal
information, categories of sources, and/or categories of third parties, a business shall
provide an individualized response to the consumer as required by the CCPA. It shall not
refer the consumer to the businesses’ general Information pPractices outlined in its privacy
policy unless its response would be the same for all consumers and the privacy policy
discloses all the information that is otherwise required to be in a response to a request to
know such categories.
(k) (j) In responding to a verified request to know categories of personal information, the
business shall provide:
(1) The categories of personal information the business has collected about the consumer
in the preceding 12 months;
(2) The categories of sources from which the personal information was collected;
Page 40 of 73
(3) The business or commercial purpose for which it collected or sold the personal
information;
(4) The categories of third parties with whom the business shares personal information;
(5) The categories of personal information that the business sold in the preceding 12
months, and for each category identified, the categories of third parties to whom it sold
that particular category of personal information; and
(6) The categories of personal information that the business disclosed for a business
pPurpose in the preceding 12 months, and for each category identified, the categories
of third parties to whom it disclosed that particular category of personal information.
(l) (k) A business shall identify the categories of personal information, categories of sources of
personal information, and categories of third parties to whom a business sold or disclosed
personal information, in a manner that provides consumers a meaningful understanding of
the categories listed.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105,
1798.110, 1798.115, 1798.130, 1798.140 and 1798.185, Civil Code.
§ 7025. Opt-Out Preference Signals.
(a) The purpose of an opt-out preference signal is to provide consumers with a simple and easyto-use method by which consumers interacting with businesses online can automatically
exercise their right to opt-out of sale/sharing. Through an opt-out preference signal, a
consumer can opt -out of sale and sharing of their personal information with all businesses
they interact with online without having to make individualized requests with each business.
(b) A business that sells or shares personal information shall process any opt-out preference
signal that meets the following requirements as a valid request to opt-out of sale/sharing:
(1) The signal shall be in a format commonly used and recognized by businesses. An
example would be an HTTP header field or JavaScript object.
(2) The platform, technology, or mechanism that sends the opt-out preference signal shall
make clear to the consumer, whether in its configuration or in disclosures to the public,
that the use of the signal is meant to have the effect of opting the consumer out of the
sale and sharing of their personal information. The configuration or disclosure does not
need to be tailored only to California or to refer to California.
(c) When a business that collects personal information from consumers online receives or
detects an opt-out preference signal that complies with subsection (b):
(1) The business shall treat the opt-out preference signal as a valid request to opt-out of
sale/sharing submitted pursuant to Civil Code section 1798.120 for that browser or
device and any consumer profile associated with that browser or device, including
pseudonymous profiles. , and, iIf known, the business shall also treat the opt-out
Page 41 of 73
preference signal as a valid request to opt-out of sale/sharing for the consumer. This is
not required for a business that does not sell or share personal information.
(2) The business shall not require a consumer to provide additional information beyond
what is necessary to send the signal. However, a business may provide the consumer
with an option to provide additional information if it will help facilitate the consumer’s
request to opt-out of sale/sharing. Any information provided by the consumer shall not
be used, disclosed, or retained for any purpose other than processing the request to optout of sale/sharing. For example, a business may give the consumer the option to
provide information that identifies the consumer so that the request to opt-out of
sale/sharing can apply to offline sale or sharing of personal information. However, if
the consumer does not respond, the business shall still process the opt-out preference
signal as a valid request to opt-out of sale/sharing for that browser or device and any
consumer profile the business associates with that browser or device, including
pseudonymous profiles. Any information provided by the consumer shall not be used,
disclosed, or retained for any purpose other than processing the request to opt-out of
sale/sharing.
(3) If the opt-out preference signal conflicts with a consumer’s business-specific privacy
setting that allows the business to sell or share their personal information, the business
shall process the opt-out preference signal as a valid request to opt-out of sale/sharing,
but may notify the consumer of the conflict and provide the consumer with an
opportunity to consent to the sale or sharing of their personal information. The
business shall comply with section 7004 in obtaining the consumer’s consent to the sale
or sharing of their personal information. If the consumer consents to the sale or sharing
of their personal information, the business may ignore the opt-out preference signal for
as long as the consumer is known to the business, but the business must display in a
conspicuous manner the status of the consumer’s choice in accordance with section
7026, subsection (f)(4).
(4) If the opt-out preference signal conflicts with the consumer’s participation in a
business’s financial incentive program that requires the consumer to consent to the sale
or sharing of personal information, the business shall may notify the consumer that
processing the opt-out preference signal as a valid request to opt-out of sale/sharing
would withdraw the consumer from the financial incentive program and ask the
consumer to affirm that they intend to withdraw from the financial incentive program.
If the consumer affirms that they intend to withdraw from the financial incentive
program, the business shall process the consumer’s request to opt-out of sale/sharing.
If the business asks and the consumer does not affirm their intent to withdraw, the
business may ignore the opt-out preference signal with respect to that consumer’s
participation in the financial incentive program for as long as the consumer is known to
the business, but the business must display in a conspicuous manner the status of the
consumer’s choice in accordance with section 7026, subsection (f)(4). If the business
does not ask the consumer to affirm their intent with regard to the financial incentive
program, the business shall still process the opt-out preference signal as a valid request
to opt-out of sale/sharing for that browser or device and any consumer profile the
business associates with that browser or device.
Page 42 of 73
(5) Where the consumer is known to the business, the A business shall not interpret the
absence of an opt-out preference signal after the consumer previously sent an opt-out
preference signal as consent to opt-in to the sale or sharing of personal information.
(6) The A business may should display whether or not it has processed the consumer’s optout preference signal as a valid request to opt-out of sale/sharing on its website. For
example, the business may display on its website “Opt-Out Preference Signal Honored”
when a browser, device, or consumer using an opt-out preference signal visits the
website, or display through a toggle or radio button that the consumer has opted out of
the sale of their personal information.
(7) Illustrative examples follow.
(A) Caleb visits Business N’s website using a browser with an opt-out preference
signal enabled, but he is not otherwise logged into his account and the business
cannot otherwise associate Caleb’s browser with a consumer profile the business
maintains. Business N collects and shares Caleb’s personal information tied to
his browser identifier for cross-contextual advertising, but Business N does not
know Caleb’s real identity because he is not logged into his account. Upon
receiving the opt-out preference signal, Business N shall stop selling and sharing
Caleb’s information linked to Caleb’s browser identifier for cross-contextual
advertising, but it would not be able to apply the request to opt-out of the
sale/sharing to Caleb’s account information because the connection between
Caleb’s browser and Caleb’s account is not known to the business.
(B) Noelle has an account with Business O, an online retailer who manages
consumer’s privacy choices through a settings menu. Noelle’s privacy settings
default to allowing Business O to sell and share her personal information with the
business’s marketing partners. Noelle enables an opt-out preference signal on her
browser and then visits Business O’s website. Business O recognizes that Noelle
is visiting its website because she is logged into her account. Upon receiving
Noelle’s opt-out preference signal, Business O shall treat the signal as a valid
request to opt-out of sale/sharing and shall apply it to her device and/or browser
and also to her account and any offline sale or sharing of personal information.
Business O may inform Noelle that her opt-out preference signal differs from her
current privacy settings and provide her with an opportunity to consent to the sale
or sharing of her personal information, but it must process the request to opt-out
of sale/sharing unless Noelle instructs otherwise. Business O must also wait at
least 12 months before asking Noelle to opt-in to the sale or sharing of her
personal information in accordance with section 7026, subsection (k). In addition,
Business O’s notification would not allow it to fall within the exception set forth
in Civil Code section 1798.135, subdivision (b)(1), because it would not be
complying with the requirements set forth in subsection (f).
(C) Angela also has an account with Business O and has enabled an opt-out
preference signal on her browser while logged into her account. Business O
applies the opt-out preference signal as a valid request to opt-out of sale/sharing
Page 43 of 73
not only to Angela’s current browser, but also to Angela’s account because she is
known to the business while making the request. Angela later logs into her
account with Business O Noelle revisits Business O’s website at a later time using
a different device browser that does not have the opt-out preference signal
enabled. Business O knows that it is Noelle because she is logged into her
account. Business O shall not interpret the absence of the opt-out preference
signal as consent to opt-in to the sale of personal information.
(D) Ramona participates in Business P’s financial incentive program where she
receives coupons in exchange for allowing the business to pseudonymously track
and share her online browsing habits to marketing partners. Ramona enables an
opt-out preference signal on her browser and then visits Business P’s website.
Business P knows that it is Ramona through a cookie that has been placed on her
browser, but also detects the opt-out preference signal. Business P may ignore the
opt-out preference signal, but must and notify Ramona that her opt-out preference
signal conflicts with her participation in the financial incentive program and ask
whether she intends to withdraw from the financial incentive program. If Ramona
does not affirm her intent to withdraw, Business P may ignore the opt-out
preference signal and place Ramona on a whitelist so that Business P does not
have to notify Ramona of the conflict again.
(E) Ramona clears her cookies and revisits Business P’s website with the opt-out
preference signal enabled. Business P no longer knows that it is Ramona visiting
its website. Business P shall honor Ramona’s opt-out preference signal as it
pertains to her browser or device and any consumer profile the business associates
with that browser or device.
(d) The business and the platform, technology, or mechanism that sends the opt-out preference
signal shall not use, disclose, or retain any personal information collected from the consumer
in connection with the sending or processing the request to opt-out of sale/sharing for any
purpose other than sending or processing the opt-out preference signal.
(e) Civil Code section 1798.135, subdivisions (b)(1) and (3), provides a business the choice
between (1) processing opt-out preference signals and providing the “Do Not Sell or Share
My Personal Information” and “Limit the Use of My Sensitive Personal Information” links
or the aAlternative oOpt-out lLink; or (2) processing opt-out preference signals in a
frictionless manner in accordance with these regulations and not having to provide the “Do
Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal
Information” links or the aAlternative oOpt-out lLink. It does not give the business the
choice between posting the above-referenced links or honoring opt-out preference signals.
Even if the business posts the above-referenced links, the business must still process opt-out
preference signals, though it may do so in a non-frictionless manner. If a business processes
opt-out preference signals in a frictionless manner in accordance with subsections (f) and (g)
of this regulation, then it may, but is not required to, provide the above-referenced links.
Page 44 of 73
(f) Except as allowed by these regulations, processing an opt-out preference signal in a
frictionless manner as required by Civil Code section 1798.135, subdivision (b)(1), means
that the business shall not:
(1) Charge a fee or require any valuable consideration if the consumer uses an opt-out
preference signal.
(2) Change the consumer’s experience with the product or service offered by the business.
For example, the consumer who uses an opt-out preference signal shall have the same
experience with regard to how the business’s product or service functions compared to
a consumer who does not use an opt-out preference signal.
(3) Display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial
content in response to the opt-out preference signal. A business’s display of whether or
not the consumer visiting their website has opted out of the sale or sharing their
personal information, as required by subsection (c)(2), shall not be in violation of this
regulation. The business may also provide a link to a privacy settings page, menu, or
similar interface that enables the consumer to consent to the business ignoring the optout preference signal with respect to the business’s sale or sharing of the consumer’s
personal information provided that it complies with subsections (f)(1) through (3).
(g) A business meeting the requirements of Civil Code section 1798.135, subdivision (b)(1) is
not required to post the “Do Not Sell or Share My Personal Information” link or the
aAlternative oOpt-out lLink if it meets all of the following additional requirements:
(1) Processes the opt-out preference signal in a frictionless manner in accordance with the
CCPA and these regulations.
(2) Includes in its privacy policy the following information:
(A) A description of the consumer’s right to opt-out of the sale or sharing of their
personal information by the business;
(B) A statement that the business processes opt-out preference signals in a frictionless
manner;
(C) Information on how consumers can implement opt-out preference signals for the
business to process in frictionless manner;
(D) Instructions for any other method by which the consumer may submit a request to
opt-out of sale/sharing.
(3) Allows the opt-out preference signal to fully effectuate the consumer’s request to optout of sale/sharing. For example, if the business sells or shares personal information
offline and needs to request from the consumer additional information that is not
provided by the opt-out preference signal in order to apply the request to opt-out of
sale/sharing to offline sales or and sharing of personal information, then the business
Page 45 of 73
has not fully effectuated the consumer’s request to opt-out of sale/sharing. Illustrative
examples follow.
(A) Business Q collects consumers’ online browsing history and shares it with third
parties for cross-contextual advertising purposes. Business Q also sells
consumers’ personal information offline to marketing partners. Business Q
cannot fall within the exception set forth in Civil Code section 1798.135,
subdivision (b)(1) because a consumer’s opt-out preference signal would only
apply to Business Q’s online sharing of personal information about the
consumer’s browser or device; the consumer’s opt-out preference signal would
not apply to Business Q’s offline selling of the consumer’s information because
Business Q could not apply it to the offline selling without additional information
provided by the consumer, i.e., the logging into an account.
(B) Business R only sells and shares personal information online for cross-contextual
advertising purposes. Business R may use the exception set forth in Civil Code
section 1798.135, subdivision (b)(1) and not post the “Do Not Sell or Share My
Personal Information” link because a consumer using an opt-out preference signal
would fully effectuate their right to opt-out of the sale or sharing of their personal
information.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135,
1798.140 and 1798.185, Civil Code.
§ 7026. Requests to Opt-Out of Sale/Sharing.
(a) A business that sells or shares personal information shall provide two or more designated
methods for submitting requests to opt-out of sale/sharing., including an interactive form
accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information,”
on the business’s website or mobile application. Other acceptable methods for submitting
these requests include, but are not limited to, a toll-free phone number, a designated email
address, a form submitted in person, a form submitted through the mail, and user-enabled
global privacy controls, such as a browser plug-in or privacy setting, device setting, or other
mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their
personal information. (b) A business shall consider the methods by which it interacts with
consumers, the manner in which the business collects the sells personal information that it
sells to or shares with makes available to third parties, available technology, and ease of use
by the consumer when determining which methods consumers may use to submit requests to
opt-out of sale/sharing. At least one method offered shall reflect the manner in which the
business primarily interacts with the consumer. Illustrative examples follow.
(1) (c) If a A business that collects personal information from consumers online, the
business shall, at a minimum, allow consumers to submit requests to opt-out of
sale/sharing through an opt-out preference signal and through at least one of the
following methods—an interactive form accessible via the “Do Not Sell or Share My
Personal Information” link, the aAlternative oOpt-out lLink, or the business’s privacy
policy if the business processes an opt-out preference signal in a frictionless manner.
Page 46 of 73
treat user-enabled global privacy controls, such as a browser plug-in or privacy
setting, device setting, or other mechanism, that communicate or signal the
consumer’s choice to opt-out of the sale of their personal information as a valid
request submitted pursuant to Civil Code section 1798.120 for that browser or device,
or, if known, for the consumer. (1) Any privacy control developed in accordance
with these regulations shall clearly communicate or signal that a consumer intends to
opt-out of the sale of personal information. (2) If a global privacy control conflicts
with a consumer’s existing business-specific privacy setting or their participation in a
business’s financial incentive program, the business shall respect the global privacy
control but may notify the consumer of the conflict and give the consumer the choice
to confirm the business-specific privacy setting or participation in the financial
incentive program.
(2) A business that interacts with consumers in person and online may provide an inperson method for submitting requests to opt-out of sale/sharing in addition to the
opt-out preference signal.
(3) Other methods for submitting requests to opt-out of the sale/sharing include, but are
not limited to, a toll-free phone number, a designated email address, a form submitted
in person, and a form submitted through the mail.
(4) A notification or tool regarding cookies, such as a cookie banner or cookie controls, is
not by itself an acceptable method for submitting requests to opt-out of sale/sharing
because cookies concern the collection of personal information and not the sale or
sharing of personal information. An acceptable method for submitting requests to
opt-out of sale/sharing must address the sale and sharing of personal information.
(b) (h) A business’s methods for submitting requests to opt-out of sale/sharing shall be easy for
consumers to execute, and shall require minimal steps, and shall comply with section 7004
to allow the consumer to opt-out. A business shall not use a method is designed with the
purpose or has the substantial effect of subverting or impairing a consumer’s choice to optout. Illustrative examples follow:
(1) The business’s process for submitting a request to opt-out shall not require more steps
than that business’s process for a consumer to opt-in to the sale of personal information
after having previously opted out. The number of steps for submitting a request to optout is measured from when the consumer clicks on the “Do Not Sell My Personal
Information” link to completion of the request. The number of steps for submitting a
request to opt-in to the sale of personal information is measured from the first
indication by the consumer to the business of their interest to opt-in to completion of
the request.
(2) A business shall not use confusing language, such as double-negatives (e.g., “Don’t Not
Sell My Personal Information”), when providing consumers the choice to opt-out.
Page 47 of 73
(3) Except as permitted by these regulations, a business shall not require consumers to
click through or listen to reasons why they should not submit a request to opt-out before
confirming their request.
(4) The business’s process for submitting a request to opt-out shall not require the
consumer to provide personal information that is not necessary to implement the
request.
(5) Upon clicking the “Do Not Sell My Personal Information” link, the business shall not
require the consumer to search or scroll through the text of a privacy policy or similar
document or webpage to locate the mechanism for submitting a request to opt-out.
(c) A business shall not require a consumer submitting a request to opt-out of sale/sharing to
create an account or provide additional information beyond what is necessary to direct the
business not to sell or share the consumer’s personal information.
(d) (g) A business shall not require request to opt-out need not be a verifiable consumer request
for a request to opt-out of sale/sharing. A business may ask the consumer for information
necessary to complete the request, such as information necessary to identify the consumer
whose information shall cease to be sold or shared by the business. However, to the extent
that the business can comply with a request to opt-out of sale/sharing without additional
information, it shall do so.
(e) If a business, however, has a good-faith, reasonable, and documented belief that a request
to opt-out of sale/sharing is fraudulent, the business may deny the request. The business
shall inform the requestor that it will not comply with the request and shall provide to the
requestor an explanation why it believes the request is fraudulent.
(f) (e) A business shall comply with a request to opt-out of sale/sharing by:
(1) Ceasing to sell to and/or share with third parties the consumer’s personal information as
soon as feasibly possible, but no later than 15 business days from the date the business
receives the request. Providing personal information to sService providers or
contractors Collecting personal information pursuant to the written contract with the
business required by the CCPA and these regulations does not constitute a sale or
sharing of personal information. If a business sells a consumer’s personal information
to any third parties after the consumer submits their request but before the business
complies with that request, it shall notify those third parties that the consumer has
exercised their right to opt-out and shall direct those third parties not to sell that
consumer’s information.
(2) Notifying all third parties to whom the business has sold or shared the consumer’s
personal information, after the consumer submits the request to opt-out of sale/sharing
and before the business complies with that request, that the consumer has made a
request to opt-out of sale/sharing and directing them to comply with the consumer’s
request and forward the request to any other person to whom the third party with whom
the person has disclosed or shared has made the personal information available during
that time period.
Page 48 of 73
(3) Notifying all third parties to whom the business makes personal information available,
including businesses authorized to collect personal information or controlling the
collection of personal information on the business’s premises, that the consumer has
made a request to opt-out of sale/sharing and directing them 1) to comply with the
consumer’s request and 2) to forward the request to any other person with whom the
third party has disclosed or shared the personal information during that time period. In
accordance with section 7052, subsection (a), those third parties and other persons shall
no longer retain, use, or disclose the personal information unless they become a service
provider or contractor that complies with the CCPA and these regulations.
(g) (4) A business may provide Providing a means by which the consumer can confirm that
their request to opt-out of sale/sharing has been processed by the business. For example, the
business may display on its website “Consumer Opted Out of Sale/Sharing” or display
through a toggle or radio button that the consumer has opted out of the sale of their personal
information.
(h) (g) (d) In responding to a request to opt-out of sale/sharing, a business may present the
consumer with the choice to opt-out of the sale or sharing for certain uses of personal
information for certain uses as long as a global single option to opt-out of the sale or sharing
of all personal information is also offered more prominently presented than the other
choices. However, doing so in response to an opt-out preference signal will prevent the
business from using the exception set forth in Civil Code section 1798.135, subdivision
(b)(1).
(i) (h) A business that responds to a request to opt-out of sale/sharing by informing the
consumer of a charge for the use of any product or service shall comply with Article 7 and
shall provide the consumer with a nNotice of fFinancial iIncentive that complies with
section 7016 in its response. However, doing so in response to an opt-out preference signal
will prevent the business from using the exception set forth in Civil Code section 1798.135,
subdivision (b)(1).
(j) (i) (f) A consumer may use an authorized agent to submit a request to opt-out of sale/sharing
on the consumer’s behalf if the consumer provides the authorized agent written permission
signed by the consumer. A business may deny a request from an authorized agent if the
agent cannot does not provide to the business the consumer’s signed permission
demonstrating that they have been authorized by the consumer to act on the consumer’s
behalf. The requirement to obtain and provide written permission from the consumer does
not apply to requests made by an opt-out preference signal. User-enabled global privacy
controls, such as a browser plug-in or privacy setting, device setting, or other mechanism,
that communicate or signal the consumer’s choice to opt-out of the sale of their personal
information shall be considered a request directly from the consumer, not through an
authorized agent.
(k) (j) Except as allowed by these regulations, a business shall wait at least 12 months from the
date the consumer’s request before asking a consumer who has opted out of the sale or
sharing of their personal information to consent to the sale or sharing of their personal
information.
Page 49 of 73
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135,
1798.140 and 1798.185, Civil Code.
§ 7027. Requests to Limit Use and Disclosure of Sensitive Personal Information.
(a) The unauthorized use or disclosure of sensitive personal information creates a heightened
risk of harm for the consumer. The purpose of the request to limit is to give consumers
meaningful control over how their sensitive personal information is collected, used, and
disclosed. It gives the consumer the ability to limit the business’s use of sensitive personal
information to that which is necessary to perform the services or provide the goods
reasonably expected by an average consumer who requests those goods or services, with
some narrowly tailored exceptions, which are set forth in subsection (lm). Sensitive
personal information that is collected or processed without the purpose of inferring
characteristics about a consumer is not subject to requests to limit.
(b) A business that uses or discloses sensitive personal information for purposes other than
those set forth in subsection (lm) shall provide two or more designated methods for
submitting requests to limit. A business shall consider the methods by which it interacts
with consumers, the manner in which the business collects the sensitive personal
information that it uses for purposes other than those set forth in subsection (lm), available
technology, and ease of use by the consumer when determining which methods consumers
may use to submit requests to limit. At least one method offered shall reflect the manner in
which the business primarily interacts with the consumer. Illustrative examples follow.
(1) A business that collects sensitive personal information from consumers online shall,
at a minimum, allow consumers to submit requests to limit through an interactive
form accessible via the “Limit the Use of My Sensitive Personal Information” link or,
the aAlternative oOpt-out lLink, or the business’s privacy policy.
(2) A business that interacts with consumers in person and online may provide an inperson method for submitting requests to limit in addition to the online form.
(3) Other methods for submitting requests to limit include, but are not limited to, a tollfree phone number, a designated email address, a form submitted in person, and a
form submitted through the mail.
(4) A notification or tool regarding cookies, such as a cookie banner or cookie controls, is
not by itself an acceptable method for submitting requests to limit because cookies
concern the collection of personal information and not necessarily the use and
disclosure of sensitive personal information. An acceptable method for submitting
requests to limit must address the specific right to limit.
(c) A business’s methods for submitting requests to limit shall be easy for consumers to
execute, shall require minimal steps, and shall comply with section 7004.
(d) A business shall not require a consumer submitting a request to limit to create an account or
provide additional information beyond what is necessary to direct the business to limit the
use or disclosure of the consumer’s sensitive personal information.
Page 50 of 73
(e) A business shall not require a verifiable consumer request for a request to limit. A business
may ask the consumer for information necessary to complete the request, such as
information necessary to identify the consumer to whom the request should be applied.
However, to the extent that the business can comply with a request to limit without
additional information, it shall do so.
(f) If a business has a good-faith, reasonable, and documented belief that a request to limit is
fraudulent, the business may deny the request. The business shall inform the requestor that
it will not comply with the request and shall provide to the requestor an explanation why it
believes the request is fraudulent.
(g) A business shall comply with a request to limit by:
(1) Ceasing to use and disclose the consumer’s sensitive personal information for purposes
other than those set forth in subsection (lm) as soon as feasibly possible, but no later
than 15 business days from the date the business receives the request.
(2) Notifying all the business’s service providers or contractors that use or disclose the
consumer’s sensitive personal information for purposes other than those set forth in
subsection (lm) that the consumer has made a request to limit and instructing them to
comply with the consumer’s request to limit within the same time frame.
(3) Notifying all third parties to whom the business has disclosed or made available the
consumer’s sensitive personal for purposes other than those set forth in subsection (lm),
after the consumer submitted their request and before the business complied with that
request, that the consumer has made a request to limit and direct them 1) to comply
with the consumer’s request and 2) to forward the request to any other person with
whom the person has disclosed or shared the sensitive personal information during that
time period.
(4) Notifying all third parties to whom the business makes sensitive personal information
available for purposes other than those set forth in subsection (l), including businesses
authorized to collect sensitive personal information or controlling the collection of
sensitive personal information through the business’s premises, that the consumer has
made a request to limit and directing them 1) to comply with the consumer’s request
and 2) to forward the request to any other person with whom the third party has
disclosed or shared the sensitive personal information during that time period. In
accordance with section 7052, subsection (b), those third parties and other persons shall
no longer retain, use, or disclose the sensitive personal information for purposes other
than those set forth in subsection (l).
(h) (5) A business may provide Providing a means by which the consumer can confirm that
their request to limit has been processed by the business. For example, the business may
display through a toggle or radio button that the consumer has limited the business’s use and
sale of their sensitive personal information.
(i) (h) In responding to a request to limit, a business may present the consumer with the choice
to allow specific uses for the sensitive personal information as long as a single option to
Page 51 of 73
limit the use of the personal information is also offered more prominently presented than the
other choices.
(j) (i) A consumer may use an authorized agent to submit a request to limit on the consumer’s
behalf if the consumer provides the authorized agent written permission signed by the
consumer. A business may deny a request from an authorized agent if the agent does not
provide to the business the consumer’s signed permission demonstrating that they have been
authorized by the consumer to act on the consumer’s behalf.
(k) (j) A business that responds to a request to limit by informing the consumer of a charge for
the use of any product or service shall comply with Article 7 and shall provide the consumer
with a nNotice of fFinancial iIncentive that complies with section 7016 in its response.
(l) (k) Except as allowed by these regulations, a business shall wait at least 12 months from the
date the consumer’s request to limit is received before asking a consumer who has exercised
their right to limit to consent to the use or disclosure of their sensitive personal information
for purposes other than those set forth in subsection (lm).
(m) (l) The purposes identified in Civil Code section 1798.121, subdivision (a), for which a
business may use or disclose sensitive personal information without being required to offer
consumers a right to limit are as follows. A business that only uses or discloses sensitive
personal information for these purposes, provided that the use or disclosure is reasonably
necessary and proportionate for those purposes, is not required to post a nNotice of rRight to
lLimit or provide a method for submitting a request to limit.
(1) To perform the services or provide the goods reasonably expected by an average
consumer who requests those goods or services. For example, a consumer’s precise
geolocation may be used by a mobile application that is providing the consumer with
directions on how to get to specific location. A consumer’s precise geolocation may
not, however, be used by a gaming application where the average consumer would not
expect the application to need this piece of sensitive personal information.
(2) To prevent, detect, and investigate security incidents that compromise the availability,
authenticity, integrity, and or confidentiality of stored or transmitted personal
information, provided that the use of the consumer’s personal information is
reasonably necessary and proportionate for this purpose. For example, a business may
disclose a consumer’s log-in information to a data security company that it has hired to
investigate and remediate a data breach that involved that consumer’s account.
(3) To resist malicious, deceptive, fraudulent, or illegal actions directed at the business
and to prosecute those responsible for those actions, provided that the use of the
consumer’s personal information is reasonably necessary and proportionate for this
purpose. For example, a business may use information about a consumer’s ethnicity
and/or the contents of email and text messages to investigate claims of racial
discrimination or hate speech.
(4) To ensure the physical safety of natural persons, provided that the use of the
consumer’s personal information is reasonably necessary and proportionate for this
Page 52 of 73
purpose. For example, a business may disclose a consumer’s geolocation information
to law enforcement to investigate an alleged kidnapping.
(5) For short-term, transient use, including, but not limited to, nonpersonalized advertising
shown as part of a consumer’s current interaction with the business, provided that the
personal information is not disclosed to another third party and is not used to build a
profile about the consumer or otherwise alter the consumer’s experience outside the
current interaction with the business. For example, a business that sells religious
books can use information about its customers’ interest in its religious content beliefs
to serve contextual advertising for other kinds of religious merchandise within its store
or on its website, so long as the business does not use the sensitive personal
information to create a profile about an individual consumer or disclose personal
information that reveals consumers’ religious beliefs to third parties.
(6) To perform services on behalf of the business,. For example, a business may use
information for. such as maintaining or servicing accounts, providing customer
service, processing or fulfilling orders and transactions, verifying customer
information, processing payments, providing financing, providing analytic services,
providing storage, or providing similar services on behalf of the business.
(7) To verify or maintain the quality or safety of a product, service, or device that is
owned, manufactured, manufactured for, or controlled by the business, and to
improve, upgrade, or enhance the service or device that is owned, manufactured by,
manufactured for, or controlled by the business. For example, a car rental business
may use a consumer’s driver’s license for the purpose of testing that its internal text
recognition software accurately captures license information used in car rental
transactions.
(8) To collect or process sensitive personal information where such collection or
processing is not for the purpose of inferring characteristics about a consumer. For
example, a business that includes a search box on their website by which consumers
can search for articles related to their health condition may use the information
provided by the consumer for the purpose of providing the search feature without
inferring characteristics about the consumer.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.121, 1798.135,
1798.140 and 1798.185, Civil Code.
§ 7028. Requests to Opt-In After Opting-Out of the Sale or Sharing of Personal
Information or Limiting the Use and Disclosure of Sensitive Personal Information.
(a) Requests to opt-in to the sale or /sharing of personal information and requests to opt-in to
the use and disclosure of sensitive personal information shall use a two-step opt-in process
whereby the consumer shall first, clearly request to opt-in and then second, separately
confirm their choice to opt-in.
(b) If a consumer who has opted-out of the sale or sharing of their personal information initiates
a transaction or attempts to use a product or service that requires the sale or sharing of their
Page 53 of 73
personal information, a the business may inform the consumer that the transaction, product,
or service requires the sale of their personal information and provide instructions on how the
consumer can provide consent to opt-in to the sale of or sharing of their personal
information. The business shall comply with section 7004 when obtaining the consumer’s
consent.
(c) If a consumer who has exercised their right to limit initiates a transaction or attempts to use
a product or service that requires the use or disclosure of sensitive personal information for
purposes other than those set forth in subsection (l), the business may inform the consumer
that the transaction, product, or service requires the use or disclosure of sensitive personal
information for additional purposes and provide instructions on how the consumer may
provide consent to use or disclose their sensitive personal information for those additional
purposes. The business shall comply with section 7004 when obtaining the consumer’s
consent.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135
and 1798.185, Civil Code.
§ 7031 Requests to Know or Delete Household Information.
(a) Where a household does not have a password-protected account with a business, a business
shall not comply with a request to know specific pieces of personal information about the
household or a request to delete household personal information unless all of the following
conditions are satisfied:
(1) All consumers of the household jointly request to know specific pieces of information
for the household or the deletion of household personal information;
(2) The business individually verifies all the members of the household subject to the
verification requirements set forth in section 7062; and
(3) The business verifies that each member making the request is currently a member of
the household.
(b) Where a consumer has a password-protected account with a business that collects personal
information about a household, the business may process requests to know and requests to
delete relating to household information through the business’s existing business practices
and in compliance with these regulations.
(c) If a member of a household is a consumer under the age of 13, a business must obtain
verifiable parental consent before complying with a request to know specific pieces of
information for the household or the deletion of household personal information pursuant to
the parental consent provisions in section 7070.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Section 1798.100, 1798.105,
1798.110, 1798.115, 1798.120, 1798.130, 1798.140 and 1798.185, Civil Code.
Page 54 of 73
ARTICLE 4. SERVICE PROVIDERS, CONTRACTORS, AND THIRD PARTIES
§ 7050. § 7051. Service Providers and Contractors.
(a) A business that provides services to a person or organization that is not a business, and that
would otherwise meet the requirements and obligations of a “service provider” or
“contractor” under the CCPA and these regulations, shall be deemed a service provider or
contractor with regard to that person or organization for purposes of the CCPA and these
regulations. For example, a cloud service provider that provides services to a non-profit
organization and meets the requirements and obligations of a service provider under the
CCPA and these regulations, i.e., has a valid service provider contract in place, etc., shall be
considered a service provider even though it is providing services to a non-business.
(b) To the extent that a business directs a second entity to collect personal information directly
from a consumer, or about a consumer, on the first business’s behalf, and the second entity
would otherwise meet the requirements and obligations of a “service provider” under the
CCPA and these regulations, the second entity shall be deemed a service provider of the first
business for purposes of the CCPA and these regulations.
(a) (b) (c) A service provider or contractor shall not retain, use, or disclose personal information
Collected pursuant to its written contract with the business obtained in the course of
providing services except:
(1) To process or maintain personal information on behalf of the business that provided
the personal information or directed authorized the service provider or contractor to
collect the personal information.
(1) (2) For the specific bBusiness pPurpose(s) and service(s) set forth in, and in
compliance with the written contract between the business and the service provider or
contractor that is for services required by the CCPA and these regulations.;
(2) (3) (2) To retain and employ another service provider or contractor as a subcontractor,
where the subcontractor meets the requirements for a service provider or contractor
under the CCPA and these regulations.;
(3) (4) (3) For internal use by the service provider or contractor to build or improve the
quality of its the services it is providing to the business, even if this Business Purpose
is not specified in the written contract required by the CCPA and these regulations,
provided that the service provider or contractor use does not use the personal
information to perform services on behalf of another person include building or
modifying household or consumer profiles to use in providing services to another
business, or correcting or augmenting data acquired from another source;. Illustrative
examples follow.
(A) An email marketing service provider can send emails on a business’s behalf using
the business’s customer email list. The service provider could analyze those
customers’ interactions with the marketing emails to improve its services and
Page 55 of 73
offer those improved services to everyone. But the service provider cannot use
the original email list to send marketing emails on behalf of another business.
(B) A shipping service provider that delivers businesses’ products to their customers
may use the addresses received from their business clients and their experience
delivering to those addresses to identify faulty or incomplete addresses, and thus,
improve their delivery services. However, the shipping service provider cannot
compile the addresses received from one business to send advertisements on
behalf of another business, or compile addresses received from businesses to sell
to data brokers.
(4) (5) (4) To prevent, detect, or investigate data security incidents or protect against
malicious, deceptive, fraudulent or illegal activity, even if this Business Purpose is not
specified in the written contract required by the CCPA and these regulations.; or
(5) (6) (5) For the purposes enumerated in Civil Code section 1798.145, subdivisions
(a)(1) through (a)(74).
(b) (c) A service provider or contractor cannot contract with a business to provide crosscontextual behavioral advertising. Per Civil Code section 1798.140, subdivision (e)(6), a
service provider or contractor may contract with a business to provide advertising and
marketing services, but the service provider or contractor those services shall not combine
the personal information of consumers who have opted-out of the sale/sharing that the
service provider or contractor receives from, or on behalf of, the business with personal
information that the service provider or contractor receives from, or on behalf of, another
person or collects from its own interaction with consumers. A person who contracts with a
business to provide cross-contextual behavioral advertising is a third party and not a service
provider or contractor with respect to cross-contextual behavioral advertising services.
Illustrative examples follow.
(1) Business S, a clothing company, hires a social media company as a service provider
for the purpose of providing Business S’s advertisements on the social media
company’s platform. The social media company can serve Business S by providing
non-personalized advertising services on its platform based on aggregated or
demographic information (e.g., advertisements to women, 18-30 years old, that live in
Los Angeles). However, it cannot use a list of customer email addresses provided by
Business S to identify users on the social media company’s platform to serve
advertisements to them.
(2) Business T, a company that sells cookware, hires an advertising company as a service
provider for the purpose of advertising its services. The advertising agency can serve
Business T by providing contextual advertising services, such as placing
advertisements for Business T’s products on websites that post recipes and other
cooking tips.
(d) A service provider shall not sell data on behalf of a business when a consumer has opted-out
of the sale of their personal information with the business.
Page 56 of 73
(c) (d) (e) If a service provider or contractor receives a request to know or a request to delete
request made pursuant to the CCPA directly from a the consumer, the service provider or
contractor shall either act on behalf of the business in accordance with the business’s
instructions for responding to the request or inform the consumer that the request cannot be
acted upon because the request has been sent to a service provider or contractor.
(d) (d) (f) A service provider or contractor that is a business shall comply with the CCPA and
these regulations with regard to any personal information that it collects, maintains, or sells
outside of its role as a service provider or contractor.
(e) A person who does not have a contract that complies with section 7051, subsection (a), is
not a service provider or a contractor under the CCPA. For example, a business’s disclosure
of personal information to a person who does not have a contract that complies with section
7051, subsection (a) may be considered a sale or sharing of personal information for which
the business must provide the consumer with the right to opt-out of sale/sharing.
(f) A service provider or a contractor shall comply with the terms of the contract required by
the CCPA and these regulations.
(g) Whether an entity that provides services to a Nonbusiness must comply with a consumer’s
CCPA request depends upon whether the entity is a “business,” as defined by Civil Code
section 1798.140, subdivision (d).
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105,
1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, 1798.135, 1798.140 and
1798.185, Civil Code.
§ 7051. Contract Requirements for Service Providers and Contractors.
(a) The contract required by the CCPA for service providers and contractors shall:
(1) Prohibit the service provider or contractor from selling or sharing personal information
it Collects pursuant to the written contract with receives from, or on behalf of, the
business.
(2) Identify the specific bBusiness pPurpose(s) and service(s) for which the service
provider or contractor is processing personal information pursuant to the written
contract with on behalf of the business, and specify that the business is disclosing the
personal information to the service provider or contractor only for the limited and
specified bBusiness pPurpose(s) set forth within the contract. The bBusiness pPurpose
or service shall not be described in generic terms, such as referencing the entire contract
generally. The description shall be specific.
(3) Prohibit the service provider or contractor from retaining, using, or disclosing the
personal information that it Collected pursuant to the written contract with received
from, or on behalf of, the business for any purposes other than the Business Purpose(s)
those specified in the contract or as otherwise permitted by the CCPA and these
Page 57 of 73
regulations. This section shall list the specific business purpose(s) and service(s)
identified in subsection (a)(2).
(4) Prohibit the service provider or contractor from retaining, using, or disclosing the
personal information that it Collected pursuant to the written contract with received
from, or on behalf of, the business for any commercial purpose other than the
bBusiness pPurposes specified in the contract, including in the servicing of a different
business, unless expressly permitted by the CCPA or these regulations.
(5) Prohibit the service provider or contractor from retaining, using, or disclosing the
personal information that it Collected pursuant to the written contract with received
from, or on behalf of, the business outside the direct business relationship between the
service provider or contractor and the business, unless expressly permitted by the
CCPA or these regulations. For example, a service provider or contractor shall be
prohibited from combining or updating personal information that it Collected pursuant
to the written contract with received from, or on behalf of, the business with personal
information that it received from another source or Collected from its own interaction
with the consumer, unless expressly permitted by the CCPA or these regulations.
(6) Require the service provider or contractor to comply with all applicable sections of the
CCPA and these regulations, including—with respect to the personal information that it
Collected pursuant to the written contract with the business—providing the same level
of privacy protection as required by of businesses by the CCPA and these regulations. ,
fFor example, the contract may require the service provider or contractor to cooperate
ing with the business in responding to and complying with consumers’ requests made
pursuant to the CCPA, and to implementing reasonable security procedures and
practices appropriate to the nature of the personal information received from, or on
behalf of, the business to protect the personal information from unauthorized or illegal
access, destruction, use, modification, or disclosure in accordance with Civil Code
section 1798.81.5.
(7) Grant the business the right to take reasonable and appropriate steps to ensure that
service provider or contractor uses the personal information that it Collected pursuant
to the written contract with received from, or on behalf of, the business in a manner
consistent with the business’s obligations under the CCPA and these regulations.
Reasonable and appropriate steps may include ongoing manual reviews and automated
scans of the service provider’s system and regular internal or third-party assessments,
audits, or other technical and operational testing at least once every 12 months.
(8) Require the service provider or contractor to notify the business no later than five
business days after it makes a determination that it can no longer meet its obligations
under the CCPA and these regulations.
(9) Grant the business the right, upon notice, to take reasonable and appropriate steps to
stop and remediate the service provider or contractor’s unauthorized use of personal
information. For example, the business may require the service provider or contractor
Page 58 of 73
to provide documentation that verifies that they no longer retain or use the personal
information of consumers that have made a valid request to delete with the business.
(10) Require the service provider or contractor to enable the business to comply with
consumer requests made pursuant to the CCPA or require the business to inform the
service provider or contractor of any consumer request made pursuant to the CCPA that
they must comply with and provide the information necessary for the service provider
or contractor to comply with the request.
(b) A service provider or contractor that subcontracts with another person in providing services
to the business for whom it is a service provider or contractor shall have a contract with the
subcontractor that complies with the CCPA and these regulations, including subsection (a).
(c) A person who does not have a contract that complies with subsection (a) is not a “service
provider” or a “contractor” under the CCPA. For example, a business’s disclosure of
personal information to a person who does not have a contract that complies with these
requirements may be considered a sale for which the business must provide the consumer
with the right to opt-out of sale/sharing.
(d) A service provider or contractor shall comply with the terms of the contract required by the
CCPA and these regulations.
(c) (e) Whether a business conducts due diligence of its service providers and contractors
factors into whether the business has reason to believe that a service provider or contractor
is using personal information in violation of the CCPA and these regulations. For example,
depending on the circumstances, a business that never enforces the terms of the contract nor
exercises its rights to audit or test the service provider’s or contractor’s systems might not
be able to rely on the defense that it did not have reason to believe that the service provider
or contractor intends to use the personal information in violation of the CCPA and these
regulations at the time the business disclosed the personal information to the service
provider or contractor.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105,
1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, 1798.135, 1798.140 and
1798.185, Civil Code.
§ 7052. Third Parties.
(a) A third party shall comply with a consumer’s request to delete or request to opt-out of
sale/sharing forwarded to them from a business that provided, made available, or authorized
the collection of the consumer’s personal information. The third party shall comply with the
request in the same way a business is required to comply with the request under sections
7022, subsection (b), and 7026, subsection (f). The third party shall no longer retain, use, or
disclose the personal information unless the third party becomes a service provider or
contractor that complies with the CCPA and these regulations.
(b) A third party shall comply with a consumer’s request to limit forwarded to them from a
business that provided, made available, or authorized the collection of the consumer’s
sensitive personal information for purposes other than those set forth in section 7027,
subsection (l). The third party shall comply with the request in the same way a business is
Page 59 of 73
required to comply with the request under section 7027, subsection (g). The third party shall
no longer retain, use, or disclose the sensitive personal information for purposes other than
those set forth in section 7027, subsection (l).
(c) A third party that collects personal information from a consumer online (e.g., through a first
party’s website) and receives an opt-out preference signal shall recognize the signal as a
valid request to opt-out of sale/sharing and shall not retain, use, or disclose that personal
information unless informed by the business that the consumer has consented to the sale or
sharing of their personal information or the third party becomes a service provider or
contractor that complies with the CCPA and these regulations.
(a) A third party that does not have a contract that complies with section 7053, subsection (a),
shall not collect, use, process, retain, sell, or share the personal information that the business
made available to it.
(b) A third party shall comply with the terms of the contract required by the CCPA and these
regulations, which include treating the personal information that the business made available
to it in a manner consistent with the business’s obligations under the CCPA and these
regulations.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105,
1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, 1798.135, 1798.140 and
1798.185, Civil Code.
§ 7053. Contract Requirements for Third Parties.
(a) A business that sells or shares a consumer’s personal information with a third party shall
enter into an agreement with the third party that:
(1) Identifies the limited and specified purpose(s) for which the personal information is
made available to the third party sold or disclosed. The purpose shall not be described
in generic terms, such as referencing the entire contract generally. The description
shall be specific.
(2) Specifies that the business is making disclosing the personal information available to
the third party only for the limited and specified purposes set forth within the contract
and requires the third party to only use it only for those limited and specified purposes.
(3) Requires the third party to comply with all applicable sections of the CCPA and these
regulations, including—with respect to the personal information that the business
makes available to the third party—providing the same level of privacy protection as
required by of businesses by the CCPA and these regulations. , fFor example, only
collecting and using personal information for purposes an average consumer would
reasonably expect or other disclosed purposes compatible with the context in which it
was collected, the contract may require the third party to complying with a consumer’s
request to opt-out of sale/sharing forwarded to it by a first party business, providing
the required disclosures identified in section 7010, and to implementing reasonable
security procedures and practices appropriate to the nature of the personal information
Page 60 of 73
received from the business to protect the personal information from unauthorized or
illegal access, destruction, use, modification, or disclosure in accordance with Civil
Code section 1798.81.5.
(4) Grants the business the right—with respect to the personal information that the
business makes available to the third party—to take reasonable and appropriate steps
to ensure that the third party uses the personal information that it received from, or on
behalf of the business, it in a manner consistent with the business’s obligations under
the CCPA and these regulations. For example, the business may require the third
party to attest that it treats the personal information the business made available to it in
the same manner that the business is obligated to treat it under the CCPA and these
regulations to their compliance with subsection (a)(3).
(5) Grants the business the right, upon notice, to take reasonable and appropriate steps to
stop and remediate unauthorized use of personal information made available to the
third party. For example, the business may require the third party to provide
documentation that verifies that they it no longer retains or uses the personal
information of consumers who have had their requests to opt-out of sale/sharing
forwarded to them it by the first party business.
(6) Requires the third party to notify the business no later than five business days after it
makes a determination that it can no longer meet its obligations under the CCPA and
these regulations.
(b) A business that authorizes a third party to collect personal information from a consumer
through its website either on behalf of the business or for the third party’s own purposes,
shall contractually require the third party to check for and comply with a consumer’s opt-out
preference signal unless informed by the business that the consumer has consented to the
sale or sharing of their personal information.
(c) A third party that does not have a contract that complies with subsection (a) shall not collect,
use, process, retain, sell, or share the personal information received from the business.
(d) A third party shall comply with the terms of the contract required by the CCPA and these
regulations.
(b) (e)Whether a business conducts due diligence of the third party factors into whether the
business has reason to believe that the third party is using personal information in violation
of the CCPA and these regulations. For example, depending on the circumstances, a
business that never enforces the terms of the contract might not be able to rely on the
defense that it did not have reason to believe that the third party intends to use the personal
information in violation of the CCPA and these regulations at the time of the business
disclosed the personal information to the third party.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105,
1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, 1798.135, 1798.140 and
1798.185, Civil Code.
Page 61 of 73
ARTICLE 5. VERIFICATION OF REQUESTS
§ 7060. General Rules Regarding Verification.
(a) A business shall establish, document, and comply with a reasonable method for verifying
that the person making a request to know or a request to delete, request to correct, or request
to know is the consumer about whom the business has collected information.
(b) A business shall not require a consumer to verify their identity to make a request to opt-out
of sale/sharing or to make a request to limit. A business may ask the consumer for
information necessary to complete the request; however, it shall not be burdensome on the
consumer. For example, a business may ask the consumer for their name, but it shall not
require the consumer to take a picture of themselves with their driver’s license.
(c) (b) In determining the method by which the business will verify the consumer’s identity, the
business shall:
(1) Whenever feasible, match the identifying information provided by the consumer to the
personal information of the consumer already maintained by the business, or use a
third-party identity verification service that complies with this section.
(2) Avoid collecting the types of personal information identified in Civil Code section
1798.81.5, subdivision (d), unless necessary for the purpose of verifying the consumer.
(3) Consider the following factors:
(A) The type, sensitivity, and value of the personal information collected and
maintained about the consumer. Sensitive or valuable personal information shall
warrant a more stringent verification process. The types of personal information
identified in Civil Code section 1798.81.5, subdivision (d), shall be considered
presumptively sensitive;
(B) The risk of harm to the consumer posed by any unauthorized access or deletion,
correction, or access. A greater risk of harm to the consumer by unauthorized
access or deletion, correction, or access shall warrant a more stringent
verification process.;
(C) The likelihood that fraudulent or malicious actors would seek the personal
information. The higher the likelihood, the more stringent the verification
process shall be.;
(D) Whether the personal information to be provided by the consumer to verify their
identity is sufficiently robust to protect against fraudulent requests or being
spoofed or fabricated.;
(E) The manner in which the business interacts with the consumer.; and
(F) Available technology for verification.
Page 62 of 73
(d) (c) A business shall generally avoid requesting additional information from the consumer
for purposes of verification. If, however, the business cannot verify the identity of the
consumer from the information already maintained by the business, the business may
request additional information from the consumer, which shall only be used for the purposes
of verifying the identity of the consumer seeking to exercise their rights under the CCPA,
security, or fraud-prevention. The business shall delete any new personal information
collected for the purposes of verification as soon as practical after processing the
consumer’s request, except as required to comply with section 7101.
(e) (d) A business shall not require the consumer or the consumer’s authorized agent to pay a
fee for the verification of their request to know or request to delete, request to correct, or
request to know. For example, a business may not require a consumer to provide a
notarized affidavit to verify their identity unless the business compensates the consumer for
the cost of notarization.
(f) (e) A business shall implement reasonable security measures to detect fraudulent identityverification activity and prevent the unauthorized access to or deletion, correction, or access
of a consumer’s personal information.
(g) (f) If a business maintains consumer information that is deidentified, a business is not
obligated to provide or delete this information in response to a consumer request or to reidentify individual data to verify a consumer request.
(h) For requests to correct, the business shall make an effort to verify the consumer based on
personal information that is not the subject of the request to correct. For example, if the
consumer is contending that the business has the wrong address for the consumer, the
business shall not use address as a means of verifying the consumer’s identity.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105,
1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, 1798.135, 1798.140 and
1798.185, Civil Code.
§ 7061. Verification for Password-Protected Accounts.
(a) If a business maintains a password-protected account with the consumer, the business may
verify the consumer’s identity through the business’s existing authentication practices for
the consumer’s account, provided that the business follows the requirements in section 7060.
The business shall also require a consumer to re-authenticate themselvesf before disclosing
or deleting, correcting, or disclosing the consumer’s data.
(b) If a business suspects fraudulent or malicious activity on or from the password-protected
account, the business shall not comply with a consumer’s request to know or request to
delete, request to correct, or request to know until further verification procedures determine
that the consumer request is authentic and the consumer making the request is the person
about whom the business has collected information. The business may use the procedures
set forth in section 7062 to further verify the identity of the consumer.
Page 63 of 73
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105,
1798.106, 1798.110, 1798.115, 1798.130 and 1798.185, Civil Code.
§ 7062. Verification for Non-Accountholders.
(a) If a consumer does not have or cannot access a password-protected account with a business,
the business shall comply with this section, in addition to section 7060.
(b) A business’s compliance with a request to know categories of personal information requires
that the business verify the identity of the consumer making the request to a reasonable
degree of certainty. A reasonable degree of certainty may include matching at least two data
points provided by the consumer with data points maintained by the business that it has
determined to be reliable for the purpose of verifying the consumer.
(c) A business’s compliance with a request to know specific pieces of personal information
requires that the business verify the identity of the consumer making the request to a
reasonably high degree of certainty. A reasonably high degree of certainty may include
matching at least three pieces of personal information provided by the consumer with
personal information maintained by the business that it has determined to be reliable for the
purpose of verifying the consumer together with a signed declaration under penalty of
perjury that the requestor is the consumer whose personal information is the subject of the
request. If a business uses this method for verification, the business shall maintain all signed
declarations as part of its record-keeping obligations.
(d) A business’s compliance with a request to delete or a request to correct may require that the
business verify the identity of the consumer to a reasonable or reasonably high degree of
certainty depending on the sensitivity of the personal information and the risk of harm to the
consumer posed by unauthorized deletion or correction. For example, the deletion of family
photographs or the correction of contact information may require a reasonably high degree
of certainty, while the deletion of browsing history or correction of marital status the
spelling of a name may require only a reasonable degree of certainty. A business shall act in
good faith when determining the appropriate standard to apply when verifying the consumer
in accordance with these regulations.
(e) Illustrative examples follow:
(1) Example 1: If a business maintains personal information in a manner associated with
a named actual person, the business may verify the consumer by requiring the
consumer to provide evidence that matches the personal information maintained by the
business. For example, if a retailer maintains a record of purchases made by a
consumer, the business may require the consumer to identify items that they recently
purchased from the store or the dollar amount of their most recent purchase to verify
their identity to a reasonable degree of certainty.
(2) Example 2: If a business maintains personal information in a manner that is not
associated with a named actual person, the business may verify the consumer by
requiring the consumer to demonstrate that they are the sole consumer associated with
the personal information. For example, a business may have a mobile application that
Page 64 of 73
collects personal information about the consumer but does not require an account. The
business may determine whether, based on the facts and considering the factors set
forth in section 7060, subsection (b)(3), it may reasonably verify a consumer by asking
them to provide information that only the person who used the mobile application may
know or by requiring the consumer to respond to a notification sent to their device.
(f) A business shall deny a request to know specific pieces of personal information if it cannot
verify the identity of the requestor pursuant to these regulations.
(g) If there is no reasonable method by which a business can verify the identity of the consumer
to the degree of certainty required by this section, the business shall state so in response to
any request and explain why it has no reasonable method by which it can verify the identity
of the requestor. If the business has no reasonable method by which it can verify any
consumer, the business shall explain why it has no reasonable verification method in its
privacy policy. The business shall evaluate and document whether a reasonable method can
be established at least once every 12 months, in connection with the requirement to update
the privacy policy set forth in Civil Code section 1798.130, subdivision (a)(5).
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105,
1798.106, 1798.110, 1798.115, 1798.130 and 1798.185, Civil Code.
§ 7063. Authorized Agents.
(a) When a consumer uses an authorized agent to submit a request to know or a request to
delete, request to correct, or a request to know, a business may require the authorized agent
to provide proof that the consumer gave the agent signed permission to submit the request.
The business may also require the consumer to do either of the following:
(1) Verify their own identity directly with the business.
(2) Directly confirm with the business that they provided the authorized agent permission
to submit the request.
(b) Subsection (a) does not apply when a consumer has provided the authorized agent with
power of attorney pursuant to Probate Code sections 4121 to 4130. A business shall not
require a power of attorney in order for a consumer to use an authorized agent to act on their
behalf.
(c) An authorized agent shall implement and maintain reasonable security procedures and
practices to protect the consumer’s information.
(d) An authorized agent shall not use a consumer’s personal information, or any information
collected from or about the consumer, for any purposes other than to fulfill the consumer’s
requests, verification, or fraud prevention.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105,
1798.106, 1798.110, 1798.115, 1798.130 and 1798.185, Civil Code.
Page 65 of 73
ARTICLE 6. SPECIAL RULES REGARDING CONSUMERS UNDER 16 YEARS OF
AGE
§ 7070. Consumers Less Than Under 13 Years of Age.
(a) Process for Opting-In to Sale or Sharing of Personal Information
(1) A business that has actual knowledge that it sells or shares the personal information of
a consumer less than under the age of 13 shall establish, document, and comply with a
reasonable method for determining that the person affirmatively authorizing
consenting to the sale or sharing of the personal information about the child is the
parent or guardian of that child. This affirmative authorization consent to the sale or
sharing of personal information is in addition to any verifiable parental consent
required under COPPA.
(2) Methods that are reasonably calculated to ensure that the person providing consent is
the child’s parent or guardian include, but are not limited to:
(A) Providing a consent form to be signed by the parent or guardian under penalty of
perjury and returned to the business by postal mail, facsimile, or electronic scan;
(B) Requiring a parent or guardian, in connection with a monetary transaction, to use
a credit card, debit card, or other online payment system that provides
notification of each discrete transaction to the primary account holder;
(C) Having a parent or guardian call a toll-free telephone number staffed by trained
personnel;
(D) Having a parent or guardian connect to trained personnel via video-conference;
(E) Having a parent or guardian communicate in person with trained personnel; and
(F) Verifying a parent or guardian’s identity by checking a form of governmentissued identification against databases of such information, as long as the parent
or guardian’s identification is deleted by the business from its records promptly
after such verification is complete.
(b) When a business receives an affirmative authorization consent to the sale or sharing of
personal information pursuant to subsection (a), the business shall inform the parent or
guardian of the right to opt-out of sale/sharing and of the process for doing so on behalf of
their child pursuant to section 7026, subsections (a)-(f).
(c) A business shall establish, document, and comply with a reasonable method, in accordance
with the methods set forth in subsection (a)(2), for determining that a person submitting a
request to know or a request to delete, request to correct, or request to know the personal
information of a child under the age of 13 is the parent or guardian of that child.
Page 66 of 73
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135
and 1798.185, Civil Code.
§ 7071. Consumers at Least 13 Years of Age and Less Than 16 to 15 Years of Age.
(a) A business that has actual knowledge that it sells or shares the personal information of
consumers at least 13 years of age and less than 16 years of age shall establish, document,
and comply with a reasonable process for allowing such consumers to opt-in to the sale or
sharing of their personal information, pursuant to section 7028.
(b) When a business receives a request to opt-in to the sale or sharing of personal information
from a consumer at least 13 years of age and less than 16 years of age, the business shall
inform the consumer of their ongoing right to opt-out of sale/sharing at any point in the
future a later date and of the process for doing so pursuant to section 7026.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135
and 1798.185, Civil Code.
§ 7072. Notices to Consumers Less Than Under 16 Years of Age.
(a) A business subject to sections 7070 and/or 7071 shall include a description of the processes
set forth in those sections in its privacy policy.
(b) A business that exclusively targets offers of goods or services directly to consumers under
16 years of age and does not sell or share the personal information without the affirmative
authorization consent of consumers at least 13 years of age and less than 16 years of age, or
the affirmative authorization consent of their parent or guardian for consumers under 13
years of age, is not required to provide the nNotice of rRight to oOpt-out of sSale/sSharing.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135
and 1798.185, Civil Code.
ARTICLE 7. NON-DISCRIMINATION
§ 7080. Discriminatory Practices.
(a) A financial incentive or a price or service difference is discriminatory, and therefore
prohibited by Civil Code section 1798.125, if the business treats a consumer differently
because the consumer exercised a right conferred by the CCPA or these regulations.
(b) A business may offer a financial incentive or price or service difference that is nondiscriminatory. A price or service difference is non-discriminatory if it is reasonably related
to the value of the consumer’s data. If a business is unable to calculate a good-faith estimate
of the value of the consumer’s data or cannot show that the financial incentive or price or
service difference is reasonably related to the value of the consumer’s data, that business
shall not offer the financial incentive or price or service difference.
Page 67 of 73
(c) A business’s denial of a consumer’s request to know, request to delete, request to correct,
request to know, or request to opt-out of sale/sharing for reasons permitted by the CCPA or
these regulations shall not be considered discriminatory.
(d) Illustrative examples follow:
(1) Example 1: A music streaming business offers a free service as well as a premium
service that costs $5 per month. If only the consumers who pay for the music
streaming service are allowed to opt-out of the sale or sharing of their personal
information, then the practice is discriminatory, unless the $5-per-month payment is
reasonably related to the value of the consumer’s data to the business.
(2) Example 2: A clothing business offers a loyalty program whereby customers receive a
$5-off coupon by email after spending $100 with the business. A consumer submits a
request to delete all personal information the business has collected about them but
also informs the business that they want to continue to participate in the loyalty
program. The business may deny their request to delete with regard to their email
address and the amount the consumer has spent with the business because that
information is necessary for the business to provide the loyalty program requested by
the consumer and is reasonably anticipated within the context of the business’s
ongoing relationship with them pursuant to Civil Code section 1798.105, subdivision
(d)(1).
(3) Example 3: A grocery store offers a loyalty program whereby consumers receive
coupons and special discounts when they provide their phone numbers. A consumer
submits a request to opt-out of the sale/sharing of their personal information. The
retailer complies with their request but no longer allows the consumer to participate in
the loyalty program. This practice is discriminatory unless the grocery store can
demonstrate that the value of the coupons and special discounts are reasonably related
to the value of the consumer’s data to the business.
(4) Example 4: An online bookseller collects information about consumers, including
their email addresses. It offers coupons to consumers through browser pop-up
windows while the consumer uses the bookseller’s website. A consumer submits a
request to delete all personal information that the bookseller has collected about them,
including their email address and their browsing and purchasing history. The
bookseller complies with the request but stops providing the periodic coupons to the
consumer. The bookseller’s failure to provide coupons is discriminatory unless the
value of the coupons is reasonably related to the value provided to the business by the
consumer’s data. The bookseller may not deny the consumer’s request to delete with
regard to the email address because the email address is not necessary to provide the
coupons or reasonably aligned with the expectations of the consumer based on the
consumer’s relationship with the business.
(e) A business shall notify consumers of any financial incentive or price or service difference
subject to Civil Code section 1798.125 that it offers in accordance with section 7016.
Page 68 of 73
(f) A business’s charging of a reasonable fee pursuant to Civil Code section 1798.145,
subdivision (i)(h)(3), shall not be considered a financial incentive subject to these
regulations.
(g) A price or service difference that is the direct result of compliance with a state or federal law
shall not be considered discriminatory.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.125, 1798.130
and 1798.185, Civil Code.
§ 7081. Calculating the Value of Consumer Data
(a) A business offering a financial incentive or price or service difference subject to Civil Code
section 1798.125 shall use and document a reasonable and good faith method for calculating
the value of the consumer’s data. The business shall consider one or more of the following:
(1) The marginal value to the business of the sale, collection, or deletion of a consumer’s
data.
(2) The average value to the business of the sale, collection, or deletion of a consumer’s
data.
(3) The aggregate value to the business of the sale, collection, or deletion of consumers’
data divided by the total number of consumers.
(4) Revenue generated by the business from sale, collection, or retention of consumers’
personal information.
(5) Expenses related to the sale, collection, or retention of consumers’ personal
information.
(6) Expenses related to the offer, provision, or imposition of any financial incentive or
price or service difference.
(7) Profit generated by the business from sale, collection, or retention of consumers’
personal information.
(8) Any other practical and reasonably reliable method of calculation used in good faith.
(b) For the purpose of calculating the value of consumer data, a business may consider the
value to the business of the data of all natural persons in the United States and not just
consumers.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.125, 1798.130
and 1798.185, Civil Code.
Page 69 of 73
ARTICLE 8. TRAINING, AND RECORD-KEEPING
§ 7100. Training.
(a) All individuals responsible for handling consumer inquiries about the business’s privacy
Information pPractices or the business’s compliance with the CCPA shall be informed of all
of the requirements in the CCPA and these regulations and how to direct consumers to
exercise their rights under the CCPA and these regulations.
(b) A business that knows or reasonably should know that it, alone or in combination, buys,
receives for the business’s commercial purposes, sells, or shares for commercial purposes
the personal information of 10,000,000 or more consumers in a calendar year shall establish,
document, and comply with a training policy to ensure that all individuals responsible for
handling consumer requests made under the CCPA or the business’s compliance with the
CCPA are informed of all the requirements in these regulations and the CCPA.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105,
1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.125, 1798.130, 1798.135 and
1798.185, Civil Code.
§ 7101. Record-Keeping.
(a) A business shall maintain records of consumer requests made pursuant to the CCPA and
how it responded to the requests for at least 24 months. The business shall implement and
maintain reasonable security procedures and practices in maintaining these records.
(b) The records may be maintained in a ticket or log format provided that the ticket or log
includes the date of request, nature of request, manner in which the request was made, the
date of the business’s response, the nature of the response, and the basis for the denial of the
request if the request is denied in whole or in part.
(c) A business’s maintenance of the information required by this section, where that information
is not used for any other purpose, does not taken alone violate the CCPA or these
regulations.
(d) Information maintained for record-keeping purposes shall not be used for any other purpose
except as reasonably necessary for the business to review and modify its processes for
compliance with the CCPA and these regulations. Information maintained for recordkeeping purposes shall not be shared with any third party except as necessary to comply
with a legal obligation.
(e) Other than as required by subsection (b), a business is not required to retain personal
information solely for the purpose of fulfilling a consumer request made under the CCPA.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105,
1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, 1798.135 and 1798.185, Civil
Code.
Page 70 of 73
§ 7102. Requirements for Businesses Collecting Large Amounts of Personal Information.
(a) A business that knows or reasonably should know that it, alone or in combination, buys,
receives for the business’s commercial purposes, sells, or shares, or otherwise makes
available for commercial purposes the personal information of 10,000,000 or more
consumers in a calendar year shall:
(1) Compile the following metrics for the previous calendar year:
(A) The number of requests to know that the business received, complied with in
whole or in part, and denied; (B) The number of requests to delete that the
business received, complied with in whole or in part, and denied;
(B) The number of requests to correct that the business received, complied with in
whole or in part, and denied;
(C) The number of requests to know that the business received, complied with in
whole or in part, and denied;
(D) (C) The number of requests to opt-out of sale/sharing that the business received,
complied with in whole or in part, and denied; and
(E) The number of requests to limit that the business received, complied with in
whole or in part, and denied; and
(F) (D) The median or mean number of days within which the business
substantively responded to requests to know, requests to delete, requests to
correct, requests to know, requests to opt-out of sale/sharing, and requests to
opt-out limit.
(2) Disclose, by July 1 of every calendar year, the information compiled in subsection
(a)(1) within their privacy policy or posted on their website and accessible from a link
included in their privacy policy. (A) In its disclosure pursuant to subsection (ag)(2), a
business may choose to disclose the number of requests that it denied in whole or in
part because the request was not verifiable, was not made by a consumer, called for
information exempt from disclosure, or was denied on other grounds.
(b) A business may choose to compile and disclose the information required by subsection
(a)(1) for requests received from all individuals, rather than requests received from
consumers. The business shall state whether it has done so in its disclosure and shall, upon
request, compile and provide to the Attorney General the information required by subsection
(a)(1) for requests received from consumers.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105,
1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, 1798.135 and 1798.185, Civil
Code.
Page 71 of 73
ARTICLE 9. INVESTIGATIONS AND ENFORCEMENT
§ 7300. Sworn Complaints Filed with the Agency.
(a) Requirements for filing a sworn complaint. Sworn complaints may be filed with the
Enforcement Division via the electronic complaint system available on the Agency’s
website at https://cppa.ca.gov/ or submitted in person or by mail to the headquarters office
of the Agency.
A complaint must:
(1) Identify the business, service provider, contractor, or person who allegedly violated
the CCPA;
(2) State the facts that support each alleged violation and include any documents or other
evidence supporting this conclusion;
(3) Authorize the alleged violator and Agency to communicate regarding the complaint,
including disclosing the complaint and any information relating to the complaint;
(4) Include the name and current contact information of the complainant; and
(5) Be signed and submitted under penalty of perjury.
(b) The Enforcement Division will notify the complainant in writing of the action, if any, the
Agency has taken or plans to take on the complaint, together with the reasons for that action
or nonaction. Duplicate complaints submitted by the same complainant may be rejected
without notice.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Section 1798.199.45, Civil
Code.
§ 7301. Agency Initiated Investigations.
(a) The Agency may initiate investigations from All matters that do not result from a sworn
complaint, including Agency-initiated investigations, referrals from government agencies or
private organizations, and sworn, nonsworn, or anonymous complaints, or , may be opened
on the Agency’s own initiative.
(b) As part of the Agency’s decision to pursue investigations of possible or alleged violations of
the CCPA, the Agency may consider all facts it determines to be relevant, including the
amount of time between the effective date of the statutory or regulatory requirement(s) and
the possible or alleged violation(s) of those requirements, and good faith efforts to comply
with those requirements.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Section 1798.199.45, Civil
Code.
Page 72 of 73
§ 7302. Probable Cause Proceedings.
(a) Probable Cause. Under Civil Code section 1798.199.50, probable cause exists when the
evidence supports a reasonable belief that the CCPA has been violated.
(b) Probable Cause Notice. The Enforcement Division will provide the alleged violator with
notice of the probable cause proceeding as required by Civil Code section 1798.199.50.
(c) Probable Cause Proceeding.
(1) The proceeding shall be closed to the public unless the alleged violator files, at least 10
business days before the proceeding, a written request for a public proceeding. If the
proceeding is not open to the public, then the proceeding may be conducted in whole or
in part by telephone or videoconference.
(2) The Agency staff shall conduct the proceeding informally. Only the alleged violator(s),
their legal counsel, and Enforcement Division staff shall have the right to participate at
the proceeding. The Agency staff shall determine whether there is probable cause
based on the probable cause notice and any information or arguments presented at the
probable cause proceeding by the parties.
(3) If the alleged violator(s) fails to participate or appear at the probable cause proceeding,
the alleged violator(s) waives the right to further probable cause proceedings under
Civil Code section 1798.199.50, and the Agency staff shall determine whether there is
probable cause based on the notice and any information or argument provided by the
Enforcement Division.
(d) Probable Cause Determination. The Agency staff shall issue a written decision with their its
probable cause determination and serve it on the alleged violator electronically or by mail.
The Agency’s probable cause determination is final and not subject to appeal.
(e) Notices of probable cause and probable cause determinations shall not be open to the public
nor admissible in evidence in any action or special proceeding other than one enforcing the
CCPA.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Section 1798.199.50, Civil
Code.
§ 7303. Stipulated Orders.
(a) At any time before or during an administrative hearing and in lieu of such a hearing, the
Head of Enforcement and the person who is the subject of the investigation may stipulate to
the entry of an final order. If a stipulation has been agreed upon and the scheduled date of
the hearing is set to occur before the next Board meeting, the Enforcement Division will
apply for a continuance of the hearing.
(b) The final order must be approved by the Board, which may consider the matter in closed
session.
Page 73 of 73
(c) The stipulated final order shall be public and have the force of an order of the Board.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.199.35 and
1798.199.55, Civil Code.
§ 7304. Agency Audits.
(a) Scope. The Agency may audit a business, service provider, contractor, or person to ensure
compliance with any provision of the CCPA.
(b) Criteria for Selection. The Agency may conduct an audit to investigate possible violations of
the CCPA. Alternatively, the Agency may conduct an audit if the subject’s collection or
processing of personal information presents significant risk to consumer privacy or security,
or if the subject has a history of noncompliance with the CCPA or any other privacy
protection law.
(c) Audits may be announced or unannounced as determined by the Agency.
(d) Failure to Cooperate. A subject’s failure to cooperate during the Agency’s audit may result
in the Agency issuing a subpoena, seeking a warrant, or otherwise exercising its powers to
ensure compliance with the CCPA.
(e) Protection of Personal Information. Consumer personal information disclosed to the Agency
during an audit shall be maintained in compliance with the Information Practices Act of
1977, Civil Code section 1798, et seq.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.185, 1798.199.40
and 1798.199.65, Civil Code; Section 11180, Government Code.