2. Consumers should be able to control the use of their personal information, including limiting the use of their sensitive personal information, the unauthorized use or disclosure of which creates a heightened risk of harm to the consumer, and they should have meaningful options over how it is collected, used, and disclosed.
4. Consumers or their authorized agents should be able to exercise these options through easily accessible self-serve tools.
4. Businesses should provide consumers or their authorized agents with easily accessible means to allow consumers and their children to obtain their personal information, to delete it, or correct it, and to opt-out of its sale and the sharing across business platforms, services, businesses and devices, and to limit the use of their sensitive personal information.
4. Consumers or their authorized agents should be able to exercise these options through easily accessible self-serve tools.
(d) A business that collects a consumer's personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with such third party, service provider, or contractor, that: (1) specifies that the personal information is sold or disclosed by the business only for limited and specified purposes; (2) obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title; (3) grants the business rights to take reasonable and appropriate steps to help to ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business's obligations under this title; (4) requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title; (5) grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
(e) A business that collects a consumer's personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.
(c) Notwithstanding subdivision (a), a business shall not sell or share the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, In the case of consumers at least 13 years of age and less than 16 years of age, or the consumer's parent or guardian, In the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumer's personal information. A business that willfully disregards the consumer's age shall be deemed to have had actual knowledge of the consumer's age.
(a) A consumer shall hove the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer's sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services, to perform the services set forth in paragraphs (2), (4), (5), and (8) of subdivision (e) of Section 1798.140, and as authorized by regulations adopted pursuant to subparagraph (C) of paragraph (19) of subdivision (a) of Section 1798.185. A business that uses or discloses a consumer's sensitive personal information for purposes other than those specified in this subdivision shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be used, or disclosed to a service provider or contractor, for additional, specified purposes and that consumers have the right to limit the use or disclosure of their sensitive personal information.
(b) A business that has received direction from a consumer not to use or disclose the consumer's sensitive personal information, except as authorized by subdivision (a), shall be prohibited, pursuant to paragraph (4) of subdivision (c) of Section 1798.135, from using or disclosing the consumer's sensitive personal information for any other purpose after its receipt of the consumer's direction, unless the consumer subsequently provides consent for the use or disclosure of the consumer's sensitive personal information for additional purposes.
(c) A service provider or contractor that assists a business In performing the purposes authorized by subdivision (a) may not use the sensitive personal information, after it has received instructions from the business and to the extent It has actual knowledge that the personal information is sensitive personal information for any other purpose. A service provider or contractor is only required to limit its use of sensitive personal information received pursuant to a written contract with the business In response to instructions from the business and only with respect to its relationship with that business.
(3) (A) A business that receives a verifiable consumer request pursuant to sections 1798.110 or 1798.115 shall disclose any personal information it has collected about a consumer, directly or indirectly, including through or by a service provider or contractor, to the consumer. A service provider or contractor shall not be required to comply with a verifiable consumer request received directly from a consumer or a consumer's authorized agent pursuant to sections 1798.110 or 1798.115 to the extent that the service provider or contractor has collected personal information about the consumer in its role as a service provider or contractor. A service provider or contractor shall provide assistance to a business with which it has a contractual relationship with respect to the business's response to a verifiable consumer request, including but not limited to by providing to the business the consumer's personal information in the service provider or contractor's possession, which the service provider or contractor obtained as a result of providing services to the business, and by correcting inaccurate information, or by enabling the business to do the same. A service provider or contractor that collects personal information pursuant to a written contract with a business shall be required to assist the business through appropriate technical and organizational measures in complying with the requirements of subdivisions (d) through (f) of Section 1798.100, taking into account the nature of the processing.
(a) A business that sells or shares consumers' personal information or uses or discloses consumers' sensitive personal information for purposes other than those authorized by subdivision (a) of Section 1798.121 shall, in a form that is reasonably accessible to consumers:
(1) Provide a clear and conspicuous link on the business's internet homepage(s), titled "Do Not Sell or Share My Personal Information," to an internet webpage that enables a consumer, or a person authorized by the consumer, to opt-out of the sale or sharing of the consumer's personal information.
(2) Provide a clear and conspicuous link on the business's internet homepage(s), titled "Limit the Use of My Sensitive Personal Information" that enables a consumer, or a person authorized by the consumer, to limit the use or disclosure of the consumer's sensitive personal information to those uses authorized by subdivision (a) of Section l798.121,
(2) A business that allows consumers to opt-out of the sale or sharing of their personal information and to limit the use of their sensitive personal information pursuant to paragraph (1) may provide a link to a webpage that enables the consumer to consent to the business ignoring the apt-out preference signal with respect to that business's sale or sharing of the consumer's personal information or the use of the consumer's sensitive personal information for additional purposes provided that: (A) the consent webpage also allows the consumer or a person authorized by the consumer to revoke such consent as easily as it is affirmatively provided; (B) the link to the webpage does not degrade the consumer's experience on the webpage the consumer intends to visit and has a similar look, feel, and size relative to other links on the same webpage; and (C) the consent webpage complies with technical specifications set forth in regulations adopted pursuant to paragraph (20) of subdivision (a) of Section 1798.185.
(4) For consumers who exercise their right to opt-out of the sale or sharing of their personal information or limit the use or disclosure of their sensitive personal information, refrain from selling or sharing the consumer's personal information or using or disclosing the consumer's sensitive personal information and wait for at least 12 months before requesting that the consumer authorize the sale or sharing of the consumer's personal information or the use and disclosure of the consumer's sensitive personal information for additional purposes, or as authorized by regulations.
(5) For consumers under 16 years of age who do not consent to the sale or sharing of their personal information, refrain from selling or sharing the personal information of the consumer under 16 years of age, and wait for at least 12 months before requesting the consumer's consent again, or as authorized by regulations or until the consumer attains 16 years of age.
(e) A consumer may authorize another person to opt-out of the sale or sharing of the consumer's personal information, and to limit the use of the consumer's sensitive personal information, on the consumer's behalf, including through an opt-out preference signal, as defined In paragraph (1) of subdivision (b) of this Section, indicating the consumer's intent to opt-out, and a business shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer's behalf, pursuant to regulations adopted by the Attorney General, regardless of whether the business has elected to comply with subdivision (a) or (b) of this Section. For purposes of clarity, a business that elects to comply with subdivision (a) of this Section may respond to the consumer's opt-out consistent with Section 1798.125.
(f) If a business communicates a consumer's opt-out request to any person authorized by the business to collect personal information, the person shall thereafter only use such consumer's personal information for a business purpose specified by the business, or as otherwise permitted by this title, and shall be prohibited from: (1) selling or sharing the personal information; or (2) retaining, using, or disclosing such consumer's personal information: (A) for any purpose other than for the specific purpose of performing the services offered to the business, (B) outside of the direct business relationship between the person and the business, or (C) for a commercial purpose other than providing the services to the business.
(ak) "Verifiable consumer request" means a request that is made by a consumer, by a consumer on behalf of the consumer's minor child, by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer's behalf, or by a person who has power of attorney or is acting as a conservator for the consumer, and that the business can verify, using commercially reasonable methods, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer pursuant to Sections 1798.110 and.1798.115, to delete personal information pursuant to Section 1798,105, or to correct inaccurate personal information pursuant to Section 1798,106, if the business cannot verify, pursuant to this subdivision and regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185, that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer's behalf.
(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, section 1681 et seq., Title 15 of the United States Cade and the information is not collected, maintained, used, communicated, disclosed or sold except as authorized by the Fair Credit Reporting Act.
(a) (1) Any consumer whose non encrypted and non redacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, or whose email address in combination with a password or security question and answer that would permit access to the account, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
