1798.100. - (a) A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to
1798.105. - (a) A consumer shall have the right to request that a business delete any personal information about the consumer which
1798.110. - (a) A consumer shall have the right to request that a business that collects personal information about the consumer disclose
1798.115. - (a) A consumer shall have the right to request that a business that sells the consumer’s personal information, or that
1798.120. - (a) A consumer shall have the right, at any time, to direct a business that sells personal information about the
1798.125. - (a) (1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under
1798.130. - (a) In order to comply with Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, in a form that is reasonably accessible
1798.135. - (a) A business that is required to comply with Section 1798.120 shall, in a form that is reasonably accessible to
1798.140. - For purposes of this title:
1798.145. - (a) The obligations imposed on businesses by this title shall not restrict a business’s ability to:
1798.150. - (a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision
1798.155. - Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with
1798.160. - (a) A special fund to be known as the “Consumer Privacy Fund” is hereby created within the General Fund in
1798.175. - This title is intended to further the constitutional right of privacy and to supplement existing laws relating to consumers’ personal
1798.180. - This title is a matter of statewide concern and supersedes and preempts all rules, regulations, codes, ordinances, and other laws
1798.185. - (a) On or before January 1, 2020, the Attorney General shall solicit broad public participation to adopt regulations to further
1798.190. - If a series of steps or transactions were component parts of a single transaction intended from the beginning to be
1798.192. - Any provision of a contract or agreement of any kind that purports to waive or limit in any way a
1798.194. - This title shall be liberally construed to effectuate its purposes.
1798.196. - This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is
1798.198. - (a) Subject to limitation provided in subdivision (b), this title shall be operative January 1, 2020.
(f) The unauthorized disclosure of personal information and the loss of privacy can have devastating effects for individuals, ranging from financial fraud, identity theft, and unnecessary costs to personal time and finances, to destruction of property, harassment, reputational damage, emotional stress, and even potential physical harm.
(d) Notwithstanding subdivision (a), a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. This right may be referred to as the “right to opt in.”
(1) Provide a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.
(c) A consumer may authorize another person solely to opt out of the sale of the consumer’s personal information on the consumer’s behalf, and a business shall comply with an opt out request received from a person authorized by the consumer to act on the consumer’s behalf, pursuant to regulations adopted by the Attorney General.
(y) “Verifiable consumer request” means a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer pursuant to Sections 1798.110 and 1798.115 if the business cannot verify, pursuant this subdivision and regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185, that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.
(a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
(7) Establishing rules and procedures to further the purposes of Sections 1798.110 and 1798.115 and to facilitate a consumer’s or the consumer’s authorized agent’s ability to obtain information pursuant to Section 1798.130, with the goal of minimizing the administrative burden on consumers, taking into account available technology, security concerns, and the burden on the business, to govern a business’ determination that a request for information received by a consumer is a verifiable request, including treating a request submitted through a password protected account maintained by the consumer with the business while the consumer is logged into the account as a verifiable request and providing a mechanism for a consumer who does not maintain an account with the business to request information through the business’ authentication of the consumer’s identity, within one year of passage of this title and as needed thereafter.