California - Data Protection Overview

April 2024

1. Governing Texts

This Guidance Note provides an overview of the California Consumer Privacy Act of 2018 ('CCPA') as amended by the California Privacy Rights Act of 2020 ('CPRA') (collectively 'the CCPA as amended'), codified in Part 4 of Division 3 of the California Civil Code ('Cal. Civ. Code'), and the revised California Consumer Privacy Act Regulations ('the revised CCPA Regulations').

Although the CCPA as amended became operative on January 1, 2023, many of its provisions apply to personal information collected on or after January 1, 2022.

1.1. Key acts, regulations, directives, bills

  • CCPA (as amended by CPRA)
  • the revised CCPA Regulations

1.2. Guidelines

The California Attorney General ('AG') has issued the following guidance:

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The CCPA as amended protects consumers (natural persons who are California residents) and imposes obligations on businesses with regard to the processing of consumers' personal information. A business is a for-profit entity that does business in California and, alone or jointly with others, determines the purposes and means of the processing of consumers' personal information. Additionally, a business must meet at least one of the following thresholds (§1798.140(d)(1)(A) to (C) of the CCPA as amended):

  • has annual gross revenues in excess of $25 million in the preceding calendar year, as adjusted pursuant to §1798.185(a)(5) of the CCPA as amended;
  • alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or
  • derives 50% or more of its annual revenues from selling or sharing consumers' personal information.

An entity that controls or is controlled by a covered business, shares common branding with it, and with which that business shares consumers' personal information is also a business subject to the CCPA as amended (§1798.140(d)(2) of the CCPA as amended).

2.2. Territorial scope

The obligations imposed on businesses under the CCPA as amended do not restrict a business's ability to collect or sell a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of California (§1798.145(a)(7) of the CCPA as amended). Commercial conduct takes place wholly outside of California if the business collected the information while the consumer was outside of California, no part of the sale of the consumer's personal information occurred in California, and no personal information collected while the consumer was in California is sold. This exemption does not, however, permit a business to store personal information about a consumer (for example, on a device) while the consumer is in California and then collect that personal information once the consumer and the stored personal information are outside of California (§1798.145(a)(7) of the CCPA as amended).

2.3. Material scope

The CCPA as amended generally covers the processing of consumers' personal information. 'Processing' means any operation or set of operations that are performed on personal information or on sets of personal information, whether or not by automated means (§1798.140(y) of the CCPA as amended).

Furthermore, the CCPA as amended applies to the collection, use, sale, and sharing of personal information. Notably, a business does not sell or share personal information when (§§1798.140(ad) and 1798.140(ah) of the CCPA as amended):

  • a consumer uses or directs the business to intentionally disclose personal information or to intentionally interact with one or more third parties;
  • the business uses or shares an identifier for a consumer who has opted out of the sale or sharing of their personal information, or limited the use of their sensitive personal information, for the purpose of alerting persons that the consumer has opted out or limited such use; or
  • the business transfers personal information to a third party as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that the information is used or shared consistently with the CCPA as amended.

The CCPA as amended also provides exemptions from its provisions, including:

In addition, the CCPA as amended clarifies that the obligations imposed on businesses do not restrict a business's ability to (§1798.145(a) of the CCPA as amended):

  • comply with federal, state, or local laws;
  • comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;
    • law enforcement agencies may direct a business, pursuant to a law enforcement agency-approved investigation with an active case number, not to delete a consumer's personal information, and upon receipt of such direction a business must not delete the personal information for 90 days;
  • cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law;
  • cooperate with a government agency request for emergency access to a consumer's personal information if a natural person is at risk or danger of death or serious physical injury, provided that:
    • the request is approved by a high-ranking agency officer for emergency access to a consumer's personal information;
    • the request is based on the agency's good faith determination that it has a lawful basis to access the information on a non-emergency basis; and
    • the agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted;
  • exercise or defend legal claims; or
  • collect, use, retain, sell, share, or disclose consumers' personal information that is deidentified or aggregate consumer information.

Lastly, the CCPA as amended is not limited to information collected electronically or over the Internet but applies to the collection and sale of all personal information collected by a business from consumers (§1798.175 of the CCPA as amended).

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The CCPA as amended is enforced by the California Privacy Protection Agency ('CPPA') (§1798.155 of the CCPA as amended).

3.2. Main powers, duties and responsibilities

The CPPA is established within the state government and is vested with full administrative power, authority, and jurisdiction to implement and enforce the CCPA as amended. The CPPA is responsible for initiating investigations and bringing administrative enforcement actions where it determines that a business has violated a provision of the CCPA as amended (§1798.155(b) of the CCPA as amended). Moreover, the CPPA has the power to solicit broad public participation and to adopt regulations to further the purposes of the CCPA as amended (§1798.185(a) and (d) of the CCPA as amended).

4. Key Definitions

Data controller: There is no definition of 'data controller' in the CCPA as amended; however, the definition of 'business' bears some similarity. A 'business' is a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners; that collects consumers' personal information, or on whose behalf such information is collected; that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information; that does business in California; and that satisfies one or more of the following thresholds (§1798.140(d)(1) of the CCPA as amended):

  • has annual gross revenues in excess of $25 million in the preceding calendar year;
  • alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or
  • derives 50% or more of its annual revenues from selling or sharing consumers' personal information.

A 'business' also includes any entity that controls or is controlled by a business, that shares common branding with the business, and with which the business shares consumers' personal information. 'Control' or 'controlled' means ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. 'Common branding' means a shared name, service mark, or trademark (§1798.140(d)(2) of the CCPA as amended).

Data processor: There is no definition of 'data processor' under the CCPA as amended. 

'Service provider' means a person that processes personal information on behalf of a business and that receives from or on behalf of the business a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract contains the prohibitions required by the statute (§1798.140(ag) of the CCPA as amended) (please see the section on controller and processor contracts below).

'Contractor' means a person to whom the business makes available a consumer's personal information for a business purpose pursuant to a written contract with the business, provided that the contract contains the prohibitions required by the statute (§1798.140(j) of the CCPA as amended) (please see the section on controller and processor contracts below).

Personal data: 'Personal information' means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (§1798.140(v)(1) of the CCPA as amended):

  • identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers;
  • any of the categories of personal information described in Cal. Civ. Code §1798.80(e);
  • commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; 
  • biometric information; 
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet website, application, or advertisement;
  • geolocation data;
  • audio, electronic, visual, thermal, olfactory, or similar information;
  • professional or employment-related information;
  • education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act of 1974 ('FERPA'); and
  • inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Personal information explicitly does not include information that is deidentified or aggregated, 'publicly available' information, or lawfully obtained, truthful information that is a matter of public concern (§1798.140(v)(2) of the CCPA as amended).

'Publicly available' means information that is lawfully made available from federal, state, or local government records; information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information, if the consumer has not restricted the information to a specific audience. Publicly available information does not include biometric information collected by a business about a consumer without the consumer's knowledge (§1798.140(v)(2) of the CCPA as amended).

Sensitive data: 'Sensitive personal information' means (§1798.140(ae) of the CCPA as amended):

  • personal information that reveals:
    • a consumer's social security, driver's license, state identification card, or passport number;
    • a consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
    • a consumer's precise geolocation;
    • a consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership;
    • the contents of a consumer's mail, email, and text messages, unless the business is the intended recipient of the communication; or
    • a consumer's genetic data;
  • the processing of biometric information for the purpose of uniquely identifying a consumer;
  • personal information collected and analyzed concerning a consumer's health; and
  • personal information collected and analyzed concerning a consumer's sex life or sexual orientation.

Sensitive personal information that is publicly available within the meaning of §1798.140(v)(2) is not considered sensitive personal information or personal information (§1798.140(ae) of the CCPA as amended).

Health data: There is no definition of 'health data' under the CCPA as amended. 

Biometric data: 'Biometric information' means an individual's physiological, biological, or behavioral characteristics, including information pertaining to an individual's deoxyribonucleic acid ('DNA'), that is used, or intended to be used singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information (§1798.140(c) of the CCPA as amended).

Pseudonymization: The processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer (§1798.140(aa) of the CCPA as amended).

Data subject: There is no definition of 'data subject' under the CCPA as amended. 'Consumer' means a natural person who is a California resident, as defined in §17014 of Title 18 of the California Code of Regulations as that section read on September 1, 2017, however identified, including by any unique identifier (§1798.140(i) of the CCPA as amended).

Sale: 'Sell,' 'selling,' 'sale,' or 'sold,' means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration (§1798.140(ad)(1) of the CCPA as amended).

Sharing: 'Share,' 'shared,' or 'sharing' means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged (§1798.140(ah)(1) of the CCPA as amended).

The following are not considered a 'sale' or 'sharing' of personal information (§1798.140(ad) and (ah) of the CCPA as amended):

  • a consumer uses or directs the business to intentionally disclose personal information or to intentionally interact with one or more third parties;
  • the business uses or shares an identifier for a consumer who has opted out of the sale or sharing of their personal information, or limited the use of their sensitive personal information, for the purpose of alerting persons that the consumer has opted out or limited such use; or
  • a transfer made in relation to a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that the information is used or shared consistently with the CCPA as amended.

Third party: 'Third party' means a person who is not any of the following:

  • the business with which the consumer intentionally interacts and that collects personal information from the consumer as part of the consumer's current interaction with the business;
  • a service provider to the business; or
  • a contractor to the business.

5. Legal Bases

5.1. Consent

Not applicable.

However, a business that has received direction from a consumer not to sell or share their personal information or, in the case of a minor consumer's personal information, has not received consent to sell or share that information, is prohibited from selling or sharing the consumer's personal information after receipt of the consumer's direction, unless the consumer subsequently provides consent for the sale or sharing of their personal information (§1798.120(d) of the CCPA as amended).

In relation to sensitive personal information, a business that receives a request from a consumer to limit the use or disclosure of their sensitive personal information is prohibited, except where exceptions apply, from using or disclosing the consumer's sensitive personal information for any other purpose after receipt of the request. The business may only use or disclose the consumer's sensitive personal information for additional purposes if the consumer subsequently provides consent (§1798.121(b) of the CCPA as amended).

The revised CCPA Regulations set out principles for designing and implementing methods for obtaining consumer consent. A method must (§7004(a) of the revised CCPA Regulations):

  • be easy to understand;
  • offer symmetry in choice;
  • avoid language or interactive elements that are confusing to the consumer;
  • avoid choice architecture that impairs or interferes with the consumer's ability to make a choice; and
  • be easy to execute.

The revised CCPA Regulations further highlight that a method that does not comply with the above will be considered a dark pattern, and any agreement obtained through the use of dark patterns will not constitute valid consent (§7004(b) of the revised CCPA Regulations).

5.2. Contract with the data subject

The CCPA as amended does not expressly list positive grounds for the general processing of personal information based on the contract with the data subject. 

5.3. Legal obligations

The CCPA as amended clarifies that its obligations do not restrict a business's ability to (§1798.145(a)(1) to (4) of the CCPA as amended):

  • comply with federal, state, or local laws, or comply with a court order or subpoena to provide information;
  • comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;
    • law enforcement agencies, including police and sheriff's departments, may direct a business, pursuant to a law enforcement agency-approved investigation with an active case number, not to delete a consumer's personal information; upon receipt of such direction a business must not delete the personal information for 90 days, in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant for the consumer's personal information;
  • cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law;
  • cooperate with a government agency request for emergency access to a consumer's personal information if a natural person is at risk or danger of death or serious physical injury, provided that:
    • the request is approved by a high-ranking agency officer for emergency access to a consumer's personal information;
    • the request is based on the agency's good faith determination that it has a lawful basis to access the information on a non-emergency basis; and
    • the agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted; or
  • exercise or defend legal claims.

5.4. Interests of the data subject

The CCPA as amended does not expressly list positive grounds for the general processing of personal information in the interest of the data subject. 

5.5. Public interest

The CCPA as amended does not expressly list positive grounds for the processing of personal information in the public interest.

5.6. Legitimate interests of the data controller

The CCPA as amended does not expressly list positive grounds for the processing of personal information for the legitimate interest of the data controller.

5.7. Legal bases in other instances

The CCPA as amended does not explicitly refer to other legal bases for the processing of personal data. 

However, §1798.140(e)(1) to (8) of the CCPA as amended lists the following as business purposes for which personal information may be processed:

  • auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards;
  • helping to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for these purposes;
  • debugging to identify and repair errors that impair existing intended functionality;
  • short-term, transient use, including but not limited to non-personalized advertising shown as part of a consumer's current interaction with the business provided that the consumer's personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with the business;
  • performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business;
  • providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer, provided that for the purpose of advertising and marketing, a service provider or contractor will not combine the personal information of opted-out consumers that the service provider or contractor receives from or on behalf of the business with personal information which the service provider or contractor receives from or on behalf of another person or persons, or collects from its own interaction with consumers;
  • undertaking internal research for technological development and demonstration; or
  • undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.

Furthermore, 'business purpose' is defined under the CCPA as amended as the use of personal information for the business' operational purposes, or other notified purposes, or for the service provider or contractor's operational purposes, as defined by regulations, provided that the use of personal information is reasonably necessary and proportionate to achieve the purpose for which the personal information was collected or processed or for another purpose that is compatible with the context in which the personal information was collected (§1798.140(e) of the CCPA as amended).

6. Principles

The CCPA as amended stipulates that businesses should (Section 3(B) of the CCPA as amended):

  • specifically and clearly inform consumers about how they collect and use personal information and how they can exercise their rights and choice;
  • only collect consumers' personal information for specific, explicit, and legitimate disclosed purposes, and not further collect, use, or disclose consumers' personal information for reasons incompatible with those purposes;
  • collect consumers' personal information only to the extent that it is relevant and limited to what is necessary in relation to the purposes for which it is being collected, used, and shared; and
  • take reasonable precautions to protect consumers' personal information from a security breach.

The revised CCPA Regulations provide clarification on factors for determining whether processing is consistent with the reasonable expectations of the consumer whose personal information is collected or processed, including (§7002(b) of the revised CCPA Regulations):

  • the relationship between the consumer and the business;
  • the type, nature, and amount of personal information that the business seeks to collect or process;
  • the source of the personal information and the business' method for collecting or processing it;
  • the specificity, explicitness, prominence, and clarity of disclosures to the consumer(s) about the purpose for collecting or processing their personal information, such as in the notice at collection and in the marketing materials to the consumer(s) about the business' good or service; and
  • the degree to which the involvement of service providers, contractors, third parties, or other entities in the collecting or processing of personal information is apparent to the consumer(s).

In addition, the revised CCPA Regulations provide that whether another disclosed purpose is compatible with the purpose for which the personal information was collected will be based on factors including (§7002(c) of the revised CCPA Regulations):

  • the consumer's reasonable expectations concerning the purpose for which the personal information will be collected or processed in line with the factors above;
  • the other disclosed purpose for which the business seeks to further collect or process the consumer's personal information; and
  • the strength of the link between the consumer's reasonable expectations and the other disclosed purpose.

7. Controller and Processor Obligations

The CCPA as amended requires that businesses not penalize consumers for exercising their rights under the CCPA as amended, and that they take reasonable precautions to protect consumers' personal information from a security breach (Section 3(A)(5) and (6) of the CCPA as amended). In addition, a business that collects a consumer's personal information must implement reasonable security procedures and practices appropriate to the nature of the personal information to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure (§1798.100(e) of the CCPA as amended).

Furthermore, businesses may offer consumers financial incentives, including payments to consumers as compensation, for the collection, sale, or sharing of their personal information, or for the retention of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is reasonably related to the value provided to the business by the consumer's data (§1798.125(a)(2) and (b)(1) of the CCPA as amended).

7.1. Data processing notification

There is no data processing notification requirement under the CCPA as amended. 

7.2. Data transfers

The CCPA as amended does not contain provisions explicitly relating to cross-border data transfers and/or data localization. 

However, transferring data to third parties is included in the definition of sale and sharing (please see the section on definitions above).

On this point, the CCPA as amended carves out from the definitions of 'sale' and 'sharing' a transfer of personal information to a third party as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that the information is used or shared consistently with the CCPA as amended. Furthermore, the CCPA as amended clarifies that personal information is not considered to have been disclosed by a business when a consumer instructs a business to transfer their personal information from one business to another in the context of switching services (§1798.130(B)(ii) of the CCPA as amended).

7.3. Data processing records

A business may maintain a confidential record of its deletion requests solely for the purpose of preventing the personal information of a consumer who has submitted the deletion request from being sold, for compliance with laws, or for other purposes solely to the extent permissible under the CCPA as amended (§1798.105(c)(2) of the CCPA as amended).

In addition, a business is required to maintain, for at least 24 months, records of consumer requests made pursuant to the CCPA as amended and how the business responded to the requests (§7101(a) of the revised CCPA Regulations). Information maintained for this record-keeping purpose is not permitted to be used for any other purpose (§7101(d) of the revised CCPA Regulations). In addition, a business is not required to retain personal information solely for the purpose of fulfilling a consumer request under the CCPA as amended (§7101(e) of the revised CCPA Regulations).

In addition, a business that knows or reasonably should know that it, alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes the personal information of 10 million or more consumers in a calendar year must, upon request from the AG, communicate the following metrics for the previous calendar year (§7102(a)(1) of the revised CCPA Regulations):

  • the number of requests to delete that the business received, complied with in whole or in part, and denied;
  • the number of requests to correct that the business received, complied with in whole or in part, and denied;
  • the number of requests to know that the business received, complied with in whole or in part, and denied;
  • the number of requests to opt-out of sale/sharing that the business received, complied with in whole or in part, and denied;
  • the number of requests to limit that the business received, complied with in whole or in part, and denied; and
  • the median or mean number of days within which the business substantively responded to requests to delete, requests to correct, requests to know, requests to opt-out of sale/sharing, and requests to limit.
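The metrics above are the kind of thing that should be compiled mechanically from the request log kept under the 24-month record-keeping rule rather than assembled by hand at year end. The following is an added example, not code from the DataGuidance page or from the regulation text: it models one request record per line of that log, validates it, and computes the per-category counts and mean/median response times. The request records are constructed for illustration.

```python
"""Compile the per-category request metrics described above.

Added example, not code from the DataGuidance page or from the regulation
text. The request records below are constructed for illustration; a real
business would derive them from the request log it keeps under the
24-month record-keeping rule, and would use that log for nothing else.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Dict, List, Optional

REQUEST_TYPES = ("delete", "correct", "know", "opt-out", "limit")
OUTCOMES = ("complied", "complied_in_part", "denied", "open")


@dataclass(frozen=True)
class Request:
    request_type: str                  # one of REQUEST_TYPES
    received: date                     # date the request was received
    outcome: str                       # one of OUTCOMES
    responded: Optional[date] = None   # date of the substantive response, None if still open

    def __post_init__(self) -> None:
        # Reject malformed log entries early so the report cannot silently undercount.
        if self.request_type not in REQUEST_TYPES:
            raise ValueError(f"unknown request type: {self.request_type}")
        if self.outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome: {self.outcome}")
        if (self.outcome == "open") != (self.responded is None):
            raise ValueError("open requests have no response date, closed ones must")
        if self.responded is not None and self.responded < self.received:
            raise ValueError("response date precedes receipt date")


def metrics_for_year(requests: List[Request], year: int) -> Dict[str, Dict[str, Optional[float]]]:
    """Return, per request type, the counts received / complied (in whole or in
    part) / denied for requests received in `year`, plus the mean and median
    number of days to a substantive response. Requests still open count as
    received but contribute no response time."""
    report: Dict[str, Dict[str, Optional[float]]] = {}
    for rtype in REQUEST_TYPES:
        rows = [r for r in requests if r.request_type == rtype and r.received.year == year]
        days = [(r.responded - r.received).days for r in rows if r.responded is not None]
        report[rtype] = {
            "received": len(rows),
            "complied_in_whole_or_part": sum(r.outcome in ("complied", "complied_in_part") for r in rows),
            "denied": sum(r.outcome == "denied" for r in rows),
            "mean_days": round(mean(days), 1) if days else None,
            "median_days": median(days) if days else None,
        }
    return report


# Constructed sample log (not real data).
SAMPLE_REQUESTS = [
    Request("delete", date(2023, 1, 10), "complied", date(2023, 1, 20)),
    Request("delete", date(2023, 2, 1), "denied", date(2023, 2, 15)),
    Request("delete", date(2023, 3, 5), "complied_in_part", date(2023, 3, 25)),
    Request("know", date(2023, 4, 1), "complied", date(2023, 5, 10)),
    Request("know", date(2023, 12, 30), "open"),
    Request("opt-out", date(2023, 6, 1), "complied", date(2023, 6, 11)),
    Request("correct", date(2022, 11, 1), "complied", date(2022, 12, 1)),  # prior year, excluded
]

if __name__ == "__main__":
    for rtype, row in metrics_for_year(SAMPLE_REQUESTS, 2023).items():
        print(rtype, row)
```

Open requests are deliberately counted as received without a response time, so the report cannot be made to look faster by leaving slow requests unresolved; and a record that claims to be closed without a response date is rejected at load time rather than dropped silently.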

7.4. Data protection impact assessment

There is no mandatory requirement to undertake a Privacy Impact Assessment ('PIA') under the CCPA. 

However, the CCPA as amended does refer to risk assessments. It gives the CPPA the authority to issue regulations requiring businesses whose processing of consumers' personal information presents a significant risk to consumers' privacy or security to submit, on a regular basis, a risk assessment with respect to their processing of personal information. Such an assessment must address whether the processing involves sensitive personal information, and must identify and weigh the benefits of the processing to the business, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer, with the goal of restricting or prohibiting the processing if the risks to the consumer's privacy outweigh those benefits (§1798.185(a)(15)(B) of the CCPA as amended).

7.5. Data protection officer appointment

There is no requirement to appoint a data protection officer in the CCPA as amended. 

7.6. Data breach notification

The requirement to provide notification following a data breach in California is governed by Cal. Civ. Code §1798.82.

In addition, the CCPA as amended reinforces the breach notification obligations and stipulates that a business should also be held directly accountable to consumers for data security breaches and notify consumers when their most sensitive information has been compromised (Section 2(K) of the CCPA as amended). 

In relation to the private right of action for personal information security breaches, please see the section on penalties below.

7.7. Data retention

The CCPA as amended does not establish data retention obligations for businesses that collect personal information. 

However, a business's collection, use, retention, and sharing of a consumer's personal information must be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or another disclosed purpose that is compatible with the context in which the personal information was collected, and must not be further processed in a manner that is incompatible with those purposes (§1798.100(c) of the CCPA as amended).

Importantly, as part of a business's obligation to respond to consumer requests for access, or in the exercise of a consumer's right to know, the business must disclose the required information covering the 12 months preceding its receipt of the verifiable consumer request. A consumer may, however, request that the business disclose the required information beyond the 12-month period, and the business is required to provide it unless doing so proves impossible or would involve a disproportionate effort (§1798.130(a)(2)(B) of the CCPA as amended).

7.8. Children's data

A business is prohibited from selling or sharing the personal information of a consumer if the business has actual knowledge that the consumer is under 16 years of age, unless the sale or sharing has been affirmatively authorized by the consumer (for consumers at least 13 and under 16 years of age) or by the consumer's parent or guardian (for consumers under 13 years of age) (§1798.120(c) of the CCPA as amended). A business that has received direction from a consumer not to sell or share their personal information, or that has not received the required consent for a minor's personal information, is prohibited from selling or sharing that personal information unless the consumer or their parent or guardian subsequently provides express consent (§1798.120(d) of the CCPA as amended).

Furthermore, where consumers under 16 years of age do not consent to the sale or sharing of their personal information, businesses must refrain from selling or sharing their personal information and wait for at least 12 months before requesting the consumer's consent again, or as authorized by regulations, or wait until the consumer attains 16 years of age (§1798.135(c)(5) of the CCPA). 

7.9. Special categories of personal data

According to §1798.135(a) of the CCPA as amended, a business that uses or discloses consumers' sensitive personal information for purposes other than those authorized by §1798.121(a) of the CCPA as amended must, in a form that is reasonably accessible to consumers, provide a clear and conspicuous link on the business's internet homepage(s) entitled 'Limit the Use of My Sensitive Personal Information' that enables a consumer, or a person authorized by the consumer, to limit the use or disclosure of the consumer's sensitive personal information.

To this end, at the business' discretion, they may utilize a single, clearly-labeled link on the business' internet homepage(s), in lieu of complying with the above, if such link easily allows a consumer to limit the use or disclosure of the consumer's sensitive personal information. Nonetheless, a business will not be required to comply with §1798.135(a) of the CCPA as amended if it allows consumers to limit the use of their sensitive personal information through an opt-out preference signal sent with the consumer's consent by a platform, technology, or mechanism (§1798.135(b)(1) of the CCPA as amended).

Furthermore, a business that allows consumers to limit the use of their sensitive personal information pursuant to §1798.135(b)(1) of the CCPA as amended may provide a link to a web page that enables the consumer to consent to the business ignoring the opt-out preference signal with respect to that business' sale or sharing of the consumer's sensitive personal information for additional purposes provided that:

  • the consent web page also allows the consumer, or a person authorized by the consumer to revoke the consent as easily as it is affirmatively provided;
  • the link to the web page does not degrade the consumer's experience on the web page the consumer intends to visit and has a similar look, feel, and size relative to other links on the same web page; and 
  • the consent web page complies with technical specifications set forth in the regulation. 

Further to the above, the CCPA as amended also establishes certain requirements when processing such information, such as providing consumers with certain information when handling sensitive personal information and not collecting additional categories for additional purposes (§1798.100(a)(2) and (3) of the CCPA as amended), as well as the express right to limit the use and disclosure of sensitive personal information (§1798.121 of the CCPA as amended), among other requirements (for further information please see the sections on the right to be informed and other rights below).

7.10. Controller and processor contracts

Service providers

A business's relationship with a service provider must be governed by a written contract. In addition, the contract must prohibit (§1798.140(ag)(1) of the CCPA as amended):

  • selling or sharing personal information;
  • retaining, using, or disclosing the personal information for any purpose other than the business purposes specified in the contract with the business, including retaining, using, or disclosing it for a commercial purpose other than those business purposes, except as otherwise permitted by the CCPA as amended;
  • retaining, using, or disclosing the information outside of the direct business relationship between the service provider and the business; and
  • combining the personal information that the service provider receives from or on behalf of the business with personal information that it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, provided that the service provider may combine personal information to perform any business purpose as defined in the CCPA as amended unless exceptions apply.

In addition, the contract may, subject to agreement with the service provider, permit the business to monitor the service provider's compliance with the contract through measures including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every 12 months (§1798.140(ag)(1) of the CCPA as amended). Furthermore, if a service provider engages any other person to assist it in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the service provider engages another person to assist in processing personal information for that business purpose, it must notify the business of the engagement, and the engagement must be pursuant to a written contract binding the other person to observe all the requirements set forth in §1798.140(ag)(1) (§1798.140(ag)(2) of the CCPA as amended).

Contractors

Contracts between businesses and contractors must prohibit (§1798.140(j)(1) of the CCPA as amended):

  • selling or sharing the personal information;
  • retaining, using, or disclosing the personal information for any purpose other than the business purposes specified in the contract, including retaining, using, or disclosing it for a commercial purpose other than those business purposes, except as otherwise permitted by the CCPA as amended;
  • retaining, using, or disclosing the information outside of the direct business relationship between the contractor and the business; and
  • combining the personal information that the contractor receives pursuant to the written contract with the business with personal information that it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, provided that the contractor may combine personal information to perform any business purpose as defined in regulations adopted pursuant to §1798.185(a)(10) of the CCPA as amended, except as provided for in §1798.140(e)(6) and in regulations adopted by the CPPA.

In addition, such contracts must:

  • include a certification by the contractor that it understands the restrictions in §1798.140(j)(1)(A) of the CCPA as amended and will comply with them; and
  • permit, subject to agreement with the contractor, the business to monitor the contractor's compliance with the contract through measures including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every 12 months.

According to §1798.140(j)(2) of the CCPA as amended, if a contractor engages any other person to assist it in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the contractor engages another person to assist in processing personal information for that business purpose, it must notify the business of that engagement, and the engagement must be pursuant to a written contract binding the other person to observe all the requirements set forth in §1798.140(j)(1) of the CCPA as amended.

Under the revised CCPA Regulations, service providers and contractors may only retain, use, or disclose personal information collected pursuant to their written contract with the business in certain circumstances, including (§7050(a) of the revised CCPA Regulations):

  • for the specific business purpose(s) set forth in the written contract between the business and the service provider or contractor that is required by the CCPA and the revised CCPA Regulations;
  • to retain and employ another service provider or contractor as a subcontractor, where the subcontractor meets the requirements for a service provider or contractor under the CCPA and the revised CCPA Regulations;
  • for internal use by the service provider or contractor to build or improve the quality of the services it is providing to the business, even if this business purpose is not specified in the written contract, provided that they do not use the personal information to perform services on behalf of another person; and
  • to prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent, or illegal activity, even if this business purpose is not specified in the written contract.

Importantly, a business that collects a consumer's personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose, must enter into an agreement with such third party, service provider, or contractor that (§1798.100(d) of the CCPA as amended):

  • specifies that the personal information is sold or disclosed by the business only for limited and specified purposes;
  • obligates the third party, service provider, or contractor to comply with applicable obligations under the CCPA as amended and to provide the same level of privacy protection as is required by the CCPA as amended;
  • grants the business rights to take reasonable and appropriate steps to help to ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business's obligations under the CCPA as amended;
  • requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under the CCPA as amended; and
  • grants the business the right, upon notice to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

In line with the above, the revised CCPA Regulations provide more detailed contract requirements for contractors and service providers, noting that such contracts must, among other things:

  • prohibit the sale or sharing of personal information received from, or on behalf of, the business;
  • identify the specific business purpose(s) for which the service provider or contractor is processing personal information, and specify that the business is disclosing the personal information to the service provider or contractor only for the limited and specified business purpose(s) within the contract;
  • prohibit service providers or contractors from retaining, using, or disclosing personal information, including:
    • for purposes other than the business purpose(s) specified in the contract;
    • for commercial purposes other than the business purpose(s) specified in the contract; and
    • for purposes outside the direct business relationship between the parties;
  • require compliance with all applicable sections of the CCPA and revised CCPA Regulations;
  • grant businesses the right to take reasonable and appropriate steps to ensure the use of personal information is in a manner consistent with the business's obligations under the CCPA and these regulations;
  • require notification after the service provider or contractor makes a determination that it can no longer meet its obligations under the CCPA and revised CCPA Regulations;
  • grant businesses the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information; and
  • require service providers or contractors to enable the business to comply with consumer requests made pursuant to the CCPA or inform service providers or contractors of any consumer request made pursuant to the CCPA that they must comply with and provide the information necessary to comply with the request.

In relation to sensitive data, a service provider or contractor is only required to limit its use of sensitive personal information received pursuant to a written contract with the business in response to instructions from the business, and only with respect to its relationship with that business (§1798.121(c) of the CCPA as amended).

Third parties

The revised CCPA Regulations outline specific requirements applicable to third parties, including that a third party that does not have a contract that complies with the requirements below must not collect, use, process, retain, sell, or share the personal information that the business made available to it. Specifically, the agreement between the business and the third party must:

  • identify the limited and specified purpose(s) for which the personal information is made available to the third party;
  • specify that personal information is made available only for the limited and specified purpose(s) set forth within and may only be used for that limited and specified purpose(s);
  • require compliance with all applicable sections of the CCPA and revised CCPA Regulations and provide the same level of privacy protection as is required of the business;
  • grant the business the right to take reasonable and appropriate steps to ensure personal information use is in a manner consistent with the business's obligations under the CCPA and revised CCPA Regulations;
  • grant the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information; and
  • require notification after the third party makes a determination that it can no longer meet its obligations under the CCPA and revised CCPA Regulations.

8. Data Subject Rights

The CCPA as amended provides the following consumer rights (Section 3 of the CCPA as amended):

  • consumers should know who is collecting their personal information and that of their children, how it is being used, and to whom it is disclosed, so that they have the information necessary to exercise meaningful control over businesses' use of their personal information and that of their children;
  • consumers should be able to control the use of their personal information, including limiting the use of their sensitive personal information, the unauthorized use or disclosure of which creates a heightened risk of harm to the consumer, and they should have meaningful options over how it is collected, used, and disclosed;
  • consumers should have access to their personal information and should be able to correct, delete, and take it with them from one business to another;
  • consumers or their authorized agents should be able to exercise these options through easily accessible self-serve tools;
  • consumers should be able to exercise these rights without being penalized for doing so;
  • consumers should be able to hold businesses accountable for failing to take reasonable precautions to protect their most sensitive personal information from hackers and security breaches; and
  • consumers should benefit from businesses' use of their personal information.

In relation to employees and independent contractors, the CCPA as amended states that their privacy interests should also be protected, taking into account the differences between the relationship of employees or independent contractors with businesses and that of consumers with businesses. In addition, the law is not intended to interfere with the right to organize and collective bargaining under the National Labor Relations Act of 1935. It was the purpose and intent of the CPRA to extend the CCPA's exemptions for employee and business-to-business communications until January 1, 2023 (Section 3(A)(8) of the CCPA as amended); those exemptions have since expired.

Moreover, consumers or their authorized agents should be provided with easily accessible means to allow consumers and their children to obtain their personal information, to delete or correct it, to opt-out of sale and sharing across business platforms, services, businesses, and devices, and to limit the use of their sensitive personal information (Section 3(B)(4) of the CCPA as amended).

Timeframes

A business must disclose and deliver the required information to a consumer free of charge, correct inaccurate personal information, or delete a consumer's personal information, as requested, within 45 days of receiving a verifiable consumer request. The business must also promptly take steps to determine whether the request is a verifiable consumer request, and this determination does not extend the 45-day period for disclosing and delivering the information or for correcting or deleting personal information. The period may be extended once by an additional 45 days when reasonably necessary, provided the consumer is given notice of the extension within the first 45-day period.

In addition, the revised CCPA Regulations provide that no later than 10 business days after receiving a request to delete, correct, or know, a business must confirm receipt of the request and provide information about how it will process the request. The confirmation must describe, in general terms, the business's verification process and when the consumer should expect a response, except where the business has already granted or denied the request. The confirmation may be given in the same manner in which the request was received (§7021(a) of the revised CCPA Regulations).
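Three clocks run from the same receipt date: a 10-business-day acknowledgement, a 45-calendar-day substantive response, and at most one 45-day extension that is only valid if the consumer was notified inside the first period. The following is an added example, not code from the DataGuidance page or from the regulation text, showing those rules as deadline arithmetic that refuses a second extension or a late extension notice. It assumes that 'business days' are Monday to Friday less whatever holiday dates the caller supplies, and that the 45-day periods are counted in calendar days; neither point is quoted from the regulations here.

```python
"""Deadline arithmetic for the timing rules described above.

Added example, not code from the DataGuidance page or from the regulation
text. Assumptions: 'business days' are Monday to Friday minus whatever
holiday dates the caller supplies (the regulations are not quoted here on
that point), and all 45-day periods are counted in calendar days.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional

ACKNOWLEDGEMENT_BUSINESS_DAYS = 10
RESPONSE_DAYS = 45
EXTENSION_DAYS = 45


def add_business_days(start: date, n: int, holidays: FrozenSet[date] = frozenset()) -> date:
    """Count forward n business days from start, skipping weekends and the supplied holidays."""
    current, counted = start, 0
    while counted < n:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            counted += 1
    return current


@dataclass
class RequestTimeline:
    received: date                            # date the verifiable consumer request arrived
    holidays: FrozenSet[date] = frozenset()   # assumed holiday calendar, supplied by the caller
    extension_notice: Optional[date] = None   # set once extend() has been accepted

    @property
    def acknowledgement_due(self) -> date:
        """Confirm receipt no later than 10 business days after receipt."""
        return add_business_days(self.received, ACKNOWLEDGEMENT_BUSINESS_DAYS, self.holidays)

    @property
    def initial_deadline(self) -> date:
        """The first 45-day period; the extension notice must fall inside it."""
        return self.received + timedelta(days=RESPONSE_DAYS)

    @property
    def response_due(self) -> date:
        """45 days from receipt, or 90 if a valid extension was recorded."""
        if self.extension_notice is None:
            return self.initial_deadline
        return self.initial_deadline + timedelta(days=EXTENSION_DAYS)

    def extend(self, notice_date: date) -> date:
        """Record the single permitted extension. The consumer must be notified
        within the first 45-day period; a second extension is rejected."""
        if self.extension_notice is not None:
            raise ValueError("the response period may be extended only once")
        if not (self.received <= notice_date <= self.initial_deadline):
            raise ValueError("extension notice must be given within the first 45-day period")
        self.extension_notice = notice_date
        return self.response_due


if __name__ == "__main__":
    # 2 January 2024 is a Tuesday; 15 January 2024 is treated as an assumed holiday.
    t = RequestTimeline(received=date(2024, 1, 2), holidays=frozenset({date(2024, 1, 15)}))
    print("acknowledge by", t.acknowledgement_due)        # 2024-01-17
    print("respond by", t.response_due)                    # 2024-02-16
    print("after extension", t.extend(date(2024, 2, 10)))  # 2024-04-01
```

Keeping the extension as state on the request, rather than as a flag passed in by the caller, is what makes the "only once" rule enforceable: there is nowhere for a second extension to be recorded.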

Moreover, the disclosure covers the 12-month period preceding the business's receipt of the verifiable consumer request. A consumer may, however, request that the business disclose the required information beyond the 12-month period, and the business is required to provide it unless doing so proves impossible or would involve a disproportionate effort (§1798.130(a)(2)(B) of the CCPA as amended).

Format

The disclosure of the required information must be made in writing and delivered through the consumer's account with the business if the consumer maintains an account with the business, or by mail or electronically at the consumer's option if the consumer does not maintain an account with the business. In addition, the revised CCPA Regulations clarify that a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests to delete, correct, and know (§7020(a) of the revised CCPA Regulations).

Furthermore, a business that does not fit the description above of being exclusively online must provide two or more designated methods for submitting requests to delete, correct, and know. One of those methods must be a toll-free telephone number. If the business maintains an internet website, one of the methods for submitting these requests must be through its website, such as a web form. Other acceptable methods include a designated email address, a form submitted in person, and a form submitted through the mail (§7020(b) of the revised CCPA Regulations).

Where a consumer submits a request in a manner that is not one of the designated methods of submission or is deficient in some manner unrelated to the verification process, the business shall either (§7020(e) of the revised CCPA Regulations):

  • treat the request as if it had been submitted in accordance with the business's designated manner; or
  • provide the consumer with information on how to submit the request or remedy any deficiencies with the request (if applicable).

The revised CCPA Regulations also set out principles for designing and implementing the methods by which consumers submit CCPA requests. The methods must (§7004(a) of the revised CCPA Regulations):

  • be easy to understand;
  • offer consumers symmetry in choice;
  • avoid language or interactive elements that are confusing;
  • avoid choice architecture that impairs or interferes with the consumer's ability to make a choice; and
  • be easy to execute.

Verification

Separately, in relation to verification, any personal information collected from the consumer in connection with the business's verification of the consumer's request must be used solely for the purposes of verification; the business must not further disclose it, retain it longer than necessary for verification, or use it for unrelated purposes (§1798.130(a)(7) of the CCPA as amended).

Furthermore, §7060 of the revised CCPA Regulations outlines general rules regarding verification, including the factors to consider in determining the method for verifying the consumer's identity.

8.1. Right to be informed

The CCPA as amended provides that a business that controls the collection of a consumer's personal information must, at or before the point of collection, inform consumers of (§1798.100(a) of the CCPA as amended and §7012(e) of the revised CCPA Regulations):

  • the categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether such information is sold or shared;
  • if the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used and whether such information is sold or shared;
  • the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period;
  • if the business sells or shares personal information, the link to the Notice of Right to Opt-out of sale/sharing or in the case of offline notices, where the webpage can be found online; and
  • a link to the business's privacy policy, or in the case of offline notices, where the privacy policy can be found online.

The revised CCPA Regulations clarify that where a business does not give notice at collection at or before the point of collection of their personal information, the business must not collect the consumer's personal information (§7012(d) of the revised CCPA Regulations).

Moreover, a business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under §1798.100(a) of the CCPA as amended by providing the required information prominently and conspicuously on the homepage of its internet website. In addition, if such business, acting as a third party, controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business must, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether such personal information is sold, in a clear and conspicuous manner at such location (§1798.100(b) of the CCPA as amended).

Importantly, however, the CCPA as amended clarifies that nothing above requires a business to disclose trade secrets, as specified pursuant to §1798.185(a)(3) of the CCPA as amended (§1798.100(b) of the CCPA as amended).

Moreover, a business that collects personal information about a consumer must disclose, pursuant to §1798.130(a)(5)(B) of the CCPA as amended, the following (§1798.110(c) of the CCPA):

  • the categories of personal information it has collected about consumers;
  • the categories of sources from which the personal information is collected;
  • the business or commercial purpose for collecting or selling personal information;
  • the categories of third parties with whom the business shares personal information; and
  • that a consumer has the right to request the specific pieces of personal information the business has collected about that consumer.

Notably, the CCPA as amended provides that businesses must, in a form that is reasonably accessible to consumers, make available two or more designated methods for submitting requests for the information required to be disclosed, including, at a minimum, a toll-free telephone number. A business that operates exclusively online and has a direct relationship with the consumers from whom it collects personal information is only required to provide an email address for submitting such requests. Further, a business that maintains an internet website must make that website available to consumers to submit requests for information required to be disclosed pursuant to §§1798.110 and 1798.115 of the CCPA as amended, or requests for deletion or correction pursuant to §§1798.105 and 1798.106, respectively (§1798.130(a)(1) of the CCPA as amended).

Notice of Rights to Opt-out of Sale/Sharing and Limit the Use of sensitive personal information

The revised CCPA Regulations stipulate that a business must inform consumers of their right to direct a business to stop selling or sharing their personal information and to limit the use and disclosure of their sensitive personal information. In addition, the revised CCPA Regulations require that consumers be provided with 'Do Not Sell or Share My Personal Information' and 'Limit the Use of My Sensitive Personal Information' links (§§7013(a) and 7014(a) of the revised CCPA Regulations). Alternatively, a business may provide the alternative opt-out link, but must still post notices of the right to opt-out of sale and sharing and of the right to limit (§§7013(d) and 7014(d) of the revised CCPA Regulations). An opt-out preference signal processed in a frictionless manner may also be used as an alternative to the 'Do Not Sell or Share My Personal Information' link (§7013(d) of the revised CCPA Regulations).

Importantly, a business does not need to provide a notice of the right to opt-out of sale and sharing or provide the applicable link where (§7013(g) of the revised CCPA Regulations):

  • it does not sell or share personal information; and
  • it states in its privacy policy that it does not sell or share personal information.

Correspondingly, a business does not need to provide a notice of the right to limit or provide the applicable link where:

  • it only uses and discloses sensitive personal information for the purposes specified in §7027(m) of the revised CCPA Regulations and states so in its privacy policy; or
  • it only collects or processes sensitive personal information without the purpose of inferring characteristics about a consumer, and states so in its privacy policy.

§7015 (alternative opt-out link) and §7025 (opt-out preference signals) of the revised CCPA Regulations outline further requirements regarding the use of such mechanisms.

Privacy policy

The revised CCPA Regulations outline more specific intelligibility and format requirements, including that disclosures and communications to consumers must be easy to read and understandable to consumers (§7003(a) of the revised CCPA Regulations). With regard to the privacy policy, the revised CCPA Regulations require it to be posted online and accessible through a conspicuous link that complies with §7003(c) and (d) of the revised CCPA Regulations, using the word 'privacy', on the business's website homepage(s) or on the download or landing page of a mobile application (§7011 of the revised CCPA Regulations).

Moreover, where the business has a California-specific description of consumers' privacy rights on its website, then the privacy policy must be included in that description. A business that does not operate a website must make the privacy policy conspicuously available to consumers. A mobile application may include a link to the privacy policy in the application's settings menu (§7011 of the revised CCPA Regulations).

More specifically, the revised CCPA Regulations require that privacy policies include:

  • a comprehensive description of online and offline practices regarding the collection, use, sale, sharing, and retention of personal information, including:
    • identifying the categories of personal information collected in the preceding 12 months;
    • identifying the categories of sources from which personal information is collected;
    • identifying, in a meaningful way, the specific business or commercial purpose for collecting personal information from consumers;
    • identifying the categories of personal information, if any, that the business has sold or shared with third parties in the preceding 12 months and, for each category of personal information, the categories of third parties to whom the information was sold or shared, or disclosing that no such sale or sharing has occurred;
    • identifying, in a meaningful way, the specific business or commercial purpose for selling or sharing consumers' personal information;
    • a statement on whether the business has actual knowledge that it sells or shares personal information of consumers under 16 years of age;
    • identifying the categories of personal information, if any, that the business disclosed for a business purpose to third parties in the preceding 12 months and, for each category of personal information, the categories of third parties to whom the information was disclosed;
    • identifying the specific business or commercial purpose for disclosing the consumer's personal information; and
    • a statement on whether the business discloses sensitive personal information;
  • an explanation of consumers' rights under the CCPA; and
  • an explanation of how consumer rights can be exercised and the process that can be expected, including:
    • an explanation of the methods by which the consumer can exercise their rights under the CCPA as amended;
    • instructions for submitting a request under the CCPA as amended;
    • a general description of the process the business uses to verify a consumer request to know, request to delete, and request to correct; and
    • instructions on how an authorized agent can make a request under the CCPA as amended on the consumer's behalf.

Furthermore, a business is required to disclose and update annually the following information in the form of its online privacy policy, and if the business does not maintain those policies, on its internet website (§1798.130(a)(5) of the CCPA as amended):

  • a description of a consumer's rights pursuant to §§1798.100, 1798.105, 1798.106, 1798.110, 1798.115, and 1798.125 of the CCPA as amended, and two or more designated methods for submitting requests;
  • for purposes of §1798.110(c) of the CCPA as amended:
    • a list of the categories of personal information it has collected about consumers in the preceding 12 months by reference to the enumerated category or categories in §1798.110(c) of the CCPA as amended that most closely describe the personal information collected;
    • the categories of sources from which consumers' personal information is collected;
    • the business or commercial purpose for collecting or selling or sharing consumers' personal information; and
    • the categories of third parties to whom the business discloses consumers' personal information; and
  • for purposes of §1798.115(c)(1) and (2) of the CCPA as amended, two separate lists:
    • a list of the categories of personal information it has sold or shared about consumers in the preceding 12 months by reference to the enumerated category or categories in §1798.110(c) of the CCPA as amended that most closely describe the personal information sold, or, if the business has not sold or shared consumers' personal information in the preceding 12 months, a prominent disclosure of that fact in its privacy policy; and
    • a list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months by reference to the enumerated category in §1798.110(c) of the CCPA as amended that most closely describes the personal information disclosed, or if the business has not disclosed consumers' personal information for a business purpose in the preceding 12 months, the business must disclose that fact.

In relation to sensitive personal information, a business that uses or discloses a consumer's sensitive personal information for purposes other than those specified in §1798.121(a) of the CCPA as amended must notify the consumer that the personal information may be used, or disclosed to a service provider or contractor, for additional, specified purposes and that the consumer has the right to limit the use or disclosure of their sensitive personal information (§1798.121(a) of the CCPA as amended).

8.2. Right to access

A consumer has the right to request that a business that collects their personal information disclose the following upon a verifiable request (§1798.110(a) of the CCPA as amended):

  • the categories of personal information it has collected about that consumer;
  • the categories of sources from which the personal information is collected;
  • the business or commercial purpose for collecting, selling, or sharing personal information;
  • the categories of third parties to whom the business discloses personal information;
  • the specific pieces of personal information it has collected about that consumer;
  • the categories of personal information that the business sold and, for each category identified, the categories of third parties to whom it sold that particular category of personal information; and
  • the categories of personal information that the business disclosed for a business purpose, and for each category identified, the categories of third parties to whom it disclosed that particular category of personal information.

The revised CCPA Regulations clarify that this should cover all personal information, through an individualized response, that the business has collected and maintains about the consumer during the 12-month period preceding the business's receipt of the request. Importantly, when transmitting personal information to the consumer the business must use reasonable security measures.

However, a consumer may request that the business provide personal information that it collected beyond the 12-month period, as long as it was collected on or after January 1, 2022, and it does not prove impossible or involve a disproportionate effort. With the assistance of the service provider or contractor, such information should include any personal information that the business's service providers or contractors collected pursuant to their written contract with the business. Regarding the request being impossible or involving disproportionate effort, the business must provide the consumer with a detailed explanation that includes enough facts to give a consumer a meaningful understanding as to why the business cannot provide personal information beyond the 12-month period.

Where a business cannot verify the identity of the person making the request for disclosure of categories of personal information, it may deny the request and must inform the requestor that it cannot verify their identity. If the request is denied in whole or in part, the business must provide or direct the consumer to its general business information practices regarding the collection, maintenance, and sale of personal information set forth in its privacy policy (§7024(a) of the revised CCPA Regulations).

Further, in responding to a request to know, a business is not required to search for personal information if all of the following conditions are met (§7023(c) of the revised CCPA Regulations):

  • the business does not maintain the personal information in a searchable or reasonably accessible format;
  • the business maintains the personal information solely for legal or compliance purposes;
  • the business does not sell the personal information and does not use it for any commercial purpose; and
  • the business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above.

Importantly, businesses must not disclose in response to a request to know a consumer's Social Security number, driver's license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics. The business can, however, inform the consumer with sufficient particularity that it has collected that type of information (§7024(d) of the revised CCPA Regulations).

Obligations when selling and sharing personal information

In addition, a consumer has the right to request that a business that sells or shares the consumer's personal information, or that discloses it for a business purpose, disclose to the consumer (§1798.115(a) of the CCPA as amended):

  • the categories of personal information that the business collected about the consumer;
  • the categories of personal information that the business sold or shared about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each category of third parties to whom the personal information was sold or shared; and
  • the categories of personal information that the business disclosed about the consumer for a business purpose and the categories of persons to whom it was disclosed for a business purpose.

Moreover, a business that sells or shares consumers' personal information, or that discloses consumers' personal information, must, after a verifiable consumer request, disclose the following information (§1798.115(c) of the CCPA as amended):

  • the category or categories of consumers' personal information it has sold or shared, or if the business has not sold or shared consumers' personal information, it must disclose that fact; and
  • the category or categories of consumers' personal information it has disclosed for a business purpose, or if the business has not disclosed consumers' personal information for a business purpose, it must disclose that fact.

In line with the above, a business that receives a verifiable consumer request based on the above must disclose any personal information it has collected about a consumer, directly or indirectly, including through or by a service provider or contractor, to the consumer. However, the service provider or contractor will not be required to comply with a verifiable consumer request received directly from a consumer or a consumer's authorized agent to the extent that the service provider or contractor has collected personal information about the consumer in its role as a service provider or contractor (§1798.130(3)(A) of the CCPA as amended). Nevertheless, a service provider or contractor must provide assistance to a business with which it has a contractual relationship with respect to the business's response to a verifiable consumer request, including but not limited to providing the business the consumer's personal information in the service provider or contractor's possession, which the service provider or contractor obtained as a result of providing services to the business, and by correcting inaccurate information, or by enabling the business to do the same.

8.3. Right to rectification

A consumer has the right to request that a business that maintains inaccurate personal information about the consumer correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information (§1798.106(a) of the CCPA as amended). In addition, a business must disclose to the consumer their right to request the correction of inaccurate personal information (§1798.106(b) of the CCPA as amended).

A business that receives a verifiable consumer request to correct inaccurate personal information must use commercially reasonable efforts to correct the inaccurate personal information as directed by the consumer (§1798.106(c) of the CCPA as amended). A business that cannot verify the identity of the requestor in line with the revised CCPA Regulations may deny the request to correct but must inform the requestor that their identity cannot be verified (§7023(a) of the revised CCPA Regulations).

The revised CCPA Regulations clarify how businesses should determine the accuracy of personal information, noting that the totality of the circumstances relating to the contested personal information should be considered including (§7023(b)(1) of the revised CCPA Regulations):

  • the nature of the personal information;
  • how the business obtained the contested information; and
  • documentation relating to the accuracy of the information whether provided by the consumer, the business, or another source.

Importantly, where the business is not the source of the personal information and has no documentation in support of the accuracy of the information, the consumer's assertion of inaccuracy may be sufficient to establish that the personal information is inaccurate (§7023(b)(2) of the revised CCPA Regulations).

Furthermore, businesses that comply with a consumer's request to correct must correct the personal information at issue on their existing systems. Alternatively, a business may delete the contested personal information rather than correcting it if the deletion does not negatively impact the consumer, or the consumer consents to the deletion. In addition, the business must instruct all service providers and contractors that maintain the personal information to make the necessary corrections in their respective systems. A service provider or contractor may delay compliance with the consumer's request to correct with respect to data stored on an archived or backup system until that archived or backup system is restored to an active system or is next accessed or used (§7023(c) of the revised CCPA Regulations).

Finally, the revised CCPA Regulations also establish requirements on when a business may ask the consumer for documentation to rebut the business's own documentation that the personal information is accurate, and on the denial of correction requests.

8.4. Right to erasure

A consumer has the right to request, free of charge, that a business delete any personal information about the consumer that the business has collected from the consumer (§1798.105(a) of the CCPA as amended). In addition, a business that collects personal information about the consumer must disclose to the consumer their right to request the deletion of their personal information (§1798.105(b)(1) of the CCPA as amended).

In response, the business must delete the consumer's personal information from its records and direct any service providers to delete the consumer's personal information from their records (§1798.105(c)(1) of the CCPA as amended). However, the business may maintain a confidential record of deletion requests solely for the purpose of preventing the personal information of the consumer who has submitted the request from being sold, for compliance with laws, or for other purposes solely to the extent permissible under the CCPA as amended (§1798.105(b)(2) of the CCPA as amended).

Service providers and contractors must cooperate with the business in responding to a verifiable consumer request and, at the direction of the business, delete, or enable the business to delete, and notify any of their own service providers or contractors to delete, personal information about the consumer collected, used, processed, or retained by the service provider or contractor. In addition, the service provider or contractor must notify any service providers, contractors, or third parties who may have accessed such personal information to delete it, unless the information was accessed at the direction of the business or doing so proves impossible or involves disproportionate effort. However, a service provider or contractor is not required to comply with a deletion request submitted by the consumer directly to the service provider or contractor to the extent that the service provider or contractor has collected, used, processed, or retained the consumer's personal information in its role as a service provider or contractor to the business (§1798.105(b)(3) of the CCPA as amended).

The revised CCPA Regulations establish additional requirements for notifying service providers or contractors, and third parties to whom the business has sold or shared the personal information, of a deletion request, unless this proves impossible or involves disproportionate effort. Furthermore, the revised CCPA Regulations set specific requirements for deletion by such parties, including permanently and completely erasing the personal information from their existing systems in certain circumstances, and notifying any of their own service providers or contractors of the need to delete it from their records (§7022 of the revised CCPA Regulations).

Further to the above, a business or service provider or contractor, acting pursuant to its contract with the business, another service provider, or another contractor, is exempt from this obligation if it is reasonably necessary to maintain the consumer's personal information in order to (§1798.105(d) of the CCPA as amended):

  • complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated by the consumer within the context of a business's ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer;
  • help to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for those purposes;
  • debug to identify and repair errors that impair existing intended functionality;
  • exercise free speech, ensure the right of another consumer to exercise that consumer's right of free speech, or exercise another right provided for by law;
  • comply with the California Electronic Communications Privacy Act;
  • engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when the business' deletion of the information is likely to render impossible or seriously impair the ability to complete such research if the consumer has provided informed consent;
  • enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business and compatible with the context in which the consumer provided the information; or
  • comply with a legal obligation.

8.5. Right to object/opt-out

A third party is prohibited from selling personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to opt out pursuant to §1798.120 of the CCPA (§1798.115(d) of the CCPA as amended). The revised CCPA Regulations provide specific information on the notice of the right to opt out of the sale and sharing of personal information (§7013 of the revised CCPA Regulations); please see the section on the right to be informed above.

A consumer has the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer's personal information; this is also known as the opt-out right (§1798.120(a) of the CCPA as amended). A consumer may also use an authorized agent to submit a request to opt out of sale/sharing on their behalf if the consumer provides the authorized agent written permission signed by the consumer (§7026(j) of the revised CCPA Regulations). In addition, a business selling consumers' personal information to third parties is required to provide notice to consumers that this information may be sold or shared and that consumers have the right to opt out of the sale or sharing of their personal information (§1798.120(b) of the CCPA as amended). Moreover, a business that has received direction from a consumer not to sell or share the consumer's personal information or, in the case of a minor consumer's personal information, has not received consent to sell or share the minor consumer's personal information, is prohibited from selling or sharing the consumer's personal information after receipt of the direction, unless the consumer subsequently provides consent for the sale or sharing of the consumer's personal information (§1798.120(d) of the CCPA as amended).

According to §1798.135(a) of the CCPA as amended, a business that sells or shares consumers' personal information, or uses it for purposes other than those authorized by §1798.135(a) of the CCPA as amended, must, in a form that is reasonably accessible to consumers, provide a clear and conspicuous link on the business's internet homepage(s) entitled 'Do Not Sell or Share My Personal Information' that enables a consumer, or a person authorized by the consumer, to opt out of the sale or sharing of the consumer's personal information.

To this end, a business may, at its discretion, utilize a single, clearly labeled link on its internet homepage(s) in lieu of complying with the above, if that link easily allows a consumer to opt out of the sale or sharing of the consumer's personal information. Nonetheless, a business is not required to comply with §1798.135(a) of the CCPA as amended if it allows consumers to opt out of the sale or sharing of their personal information through an opt-out preference signal sent with the consumer's consent by a platform, technology, or mechanism (§1798.135(b)(1) of the CCPA as amended).

Furthermore, a business that allows consumers to opt out of the sale or sharing of their personal information pursuant to §1798.135(b)(1) of the CCPA as amended may provide a link to a web page that enables the consumer to consent to the business ignoring the opt-out preference signal with respect to that business' sale or sharing of the consumer's personal information for additional purposes provided that:

  • the consent web page also allows the consumer, or a person authorized by the consumer to revoke the consent as easily as it is affirmatively provided;
  • the link to the web page does not degrade the consumer's experience on the web page the consumer intends to visit and has a similar look, feel, and size relative to other links on the same web page; and
  • the consent web page complies with technical specifications set forth in the regulation.

The revised CCPA Regulations provide additional information regarding the methods for submitting requests to opt out of sale/sharing, including that the business's methods for submitting such requests must be easy for consumers to execute, require minimal steps, and comply with §7004 of the revised CCPA Regulations (§7026(b) of the revised CCPA Regulations). In addition, a business must comply with a request to opt out of sale/sharing by (§7026(f) of the revised CCPA Regulations):

  • ceasing to sell to and/or share with third parties the consumer's personal information as soon as feasibly possible, but no later than 15 business days from the date the business receives the request; and
  • notifying all third parties to whom the business has sold or shared the consumer's personal information, that the consumer has made a request to opt out of sale/sharing and directing them to comply with the consumer's request and forward the request to any other person to whom the third party has made the personal information available during that time.

Importantly, except where permitted by the revised CCPA Regulations, a business must wait at least 12 months from the date of the consumer's request before asking a consumer that opted out of the sale or sharing of their personal information to consent to the sale or sharing of their personal information.

8.6. Right to data portability

A business must provide the specific pieces of personal information obtained from the consumer in a format that is easily understandable to the average consumer and, to the extent technically feasible, in a structured, commonly used, machine-readable format, which may also be transmitted to another entity at the consumer's request without hindrance. 'Specific pieces of information' do not include data generated to help ensure security and integrity or as prescribed by regulation (§1798.130(3)(B)(iii) of the CCPA as amended).

8.7. Right not to be subject to automated decision-making

The CCPA as amended does not explicitly refer to a right not to be subject to automated decision-making. 

However, the CCPA as amended stipulates that the AG may adopt regulations in areas that include governing access and opt-out rights with respect to businesses' use of automated decision-making technology, including profiling, and requiring businesses' responses to access requests to include meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer (§1798.185(a)(16) of the CCPA as amended).

8.8. Other rights

Right to not be discriminated against

A consumer has the right to not be discriminated against because of the exercise of any of the consumer's rights, including but not limited to (§1798.125(a)(1) of the CCPA as amended):

  • denying goods or services to the consumer;
  • charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
  • providing a different level or quality of goods or services to the consumer;
  • suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services; and
  • retaliating against an employee, applicant for employment, or independent contractor, as defined, for exercising their rights under the CCPA as amended.

Nevertheless, a business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale or sharing of personal information, or the retention of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if the price or difference is reasonably related to the value provided to the business by the consumer's data (§1798.125(3)(B)(a) of the CCPA as amended). However, a business is prohibited from using financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature (§1798.125(b)(4) of the CCPA as amended).

Right to limit the use and disclosure of sensitive personal information

A consumer has the right to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer's sensitive personal information to what is necessary to perform the services or to provide the goods reasonably expected by an average consumer who requests those goods or services. A consumer may also use an authorized agent to submit a request to limit on the consumer's behalf if the consumer provides the authorized agent written permission signed by the consumer (§7027(j) of the revised CCPA Regulations). The revised CCPA Regulations provide specific information on the notice of the right to limit the use of sensitive personal information (§7014 of the revised CCPA Regulations); please see the section on the right to be informed above.

Where a business uses or discloses a consumer's sensitive personal information for purposes other than those specified to the consumer, the business must provide a notice of the following (§1798.121(a) of the CCPA as amended):

  • that this information may be used or disclosed to a service provider or contractor, for additional specified purposes; and
  • that the consumer has the right to limit the use or disclosure of their sensitive personal information.

In addition, a business that has received direction from a consumer not to use or disclose the consumer's sensitive personal information, except as authorized by §1798.121(a) of the CCPA as amended, is prohibited from using or disclosing the consumer's sensitive personal information for any other purpose after receipt of the consumer's direction, unless the consumer subsequently provides consent for the use or disclosure of the consumer's sensitive personal information for additional purposes (§1798.121(b) of the CCPA as amended).

Importantly, a service provider or contractor that assists a business in performing the purposes authorized by §1798.121(a) of the CCPA as amended may not, after it has received instructions from the business and to the extent it has actual knowledge that the personal information is sensitive personal information, use the sensitive personal information for any other purpose (§1798.121(c) of the CCPA as amended). Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to the above and is treated as personal information (§1798.121(d) of the CCPA as amended).

In relation to consumers who exercise their right to opt out of the sale or sharing of their personal information, a business must refrain from selling or sharing the consumer's personal information and wait for at least 12 months before requesting that the consumer authorize the sale or sharing of their personal information for additional purposes, or as authorized by regulations.

The revised CCPA Regulations provide additional information regarding the methods for submitting requests to limit, including that businesses that use or disclose sensitive personal information for purposes other than those set forth in §7027(m) of the revised CCPA Regulations must provide two or more designated methods for submitting requests to limit, and highlight that the methods must be easy for consumers to execute, require minimal steps, and comply with §7004 of the revised CCPA Regulations (§7027(c) of the revised CCPA Regulations).

In addition, a business must comply with a request to limit use by (§7026(f) of the revised CCPA Regulations):

  • ceasing to use and disclose the consumer's sensitive personal information for purposes other than those set forth in §7027(m) of the revised CCPA Regulations as soon as feasibly possible, but no later than 15 business days from the date the business receives the request;
  • notifying the business's applicable service providers or contractors that the consumer has made a request to limit and instructing them to comply with the consumer's request within the same time frame; and
  • notifying applicable third parties that the consumer has made a request to limit, directing them to comply with the consumer's request, and directing them to forward the request to any other person to whom the third party has disclosed or shared the sensitive personal information during that time period.

Importantly, the revised CCPA Regulations clarify the purposes for which sensitive personal information can be used or disclosed without the requirement to offer consumers a right to limit, which include:

  • to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services;
  • to prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information;
  • to resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions;
  • to ensure the physical safety of natural persons;
  • for short-term, transient use, including non-personalized advertising shown as part of a consumer's current interaction with the business, provided that the personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with the business;
  • to perform services on behalf of the business;
  • to verify or maintain the quality or safety of a product, service, or device that is owned by, manufactured by, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned by, manufactured by, manufactured for, or controlled by the business; and
  • to collect or process sensitive personal information where the collection or processing is not for the purpose of inferring characteristics about a consumer.

9. Penalties

The CCPA as amended establishes administrative fines and enforcement actions for non-compliance with its provisions, which will be brought by the CPPA. Specifically, any business, service provider, contractor, or other person that violates the CCPA as amended will be liable for an administrative fine of not more than $2,500 for each violation, or $7,500 for each intentional violation or violation involving the personal information of consumers whom the business, service provider, contractor, or other person has actual knowledge is under 16 years of age.

The proceeds of any settlement resulting from an action brought by the CPPA will be deposited in the Consumer Privacy Fund with the intent to fully offset any costs incurred by the state courts, the AG, and the CPPA in bringing the action (§1798.155(b) of the CCPA as amended).

Private right of action

The CCPA as amended provides for a civil remedy in relation to data security breaches where a consumer's non-encrypted and non-redacted personal information, or email address in combination with a password or security question and answer that would permit access to the account, is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of its security obligations. Remedies under the CCPA as amended include:

  • recovering damages ranging from $100 to $750 per consumer per incident, or actual damages, whichever is greater;
  • injunctive or declaratory relief; and 
  • any other relief the court deems proper.

In assessing the amount of damages, the court will consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to:

  • the nature and seriousness of the misconduct;
  • the number of violations;
  • the persistence of the misconduct;
  • the length of time over which the misconduct occurred;
  • the willfulness of the defendant's misconduct; and
  • the defendant's assets, liabilities, and net worth.

A consumer must provide a business with 30 days' written notice identifying the specific provisions of the CCPA as amended that the consumer alleges have been or are being violated, before initiating this action. If within 30 days the business actually cures the noticed violation and provides the consumer with an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business. However, the implementation and maintenance of reasonable security procedures and practices following a breach does not constitute a cure with respect to that breach. Importantly, no notice is required where an individual is initiating an action solely for actual pecuniary damages suffered as a result of the alleged violations. If a business continues to violate the CCPA as amended in breach of the express written statement provided to the consumer, the consumer may initiate an action against the business to enforce the written statement and may pursue statutory damages for each breach of the express written statement, as well as any other violation of the title that postdates the written statement.

9.1. Enforcement decisions

On August 24, 2022, the AG announced its first settlement under the CCPA. In particular, the $1.2 million settlement was with Sephora, Inc., in relation to allegations that the company violated the CCPA and the Unfair Competition Law (Business and Professions Code §17200 et seq.). The AG explained that Sephora failed to disclose to consumers the sale of their personal information and did not provide consumers with an easy-to-find 'Do Not Sell My Personal Information' link on its webpage or in its app. Based on this, the AG determined that Sephora failed to process user requests to opt out of sale via user-enabled global privacy controls, which were not cured within the 30-day period allowed at the time by the CCPA.

In addition to the settlement amount, the AG ordered Sephora to comply with injunctive terms, which included:

  • clarifying its online disclosures and privacy policy to include an affirmative representation that it sells data;
  • providing mechanisms for consumers to opt out of the sale of personal information, including via the global privacy control;
  • conforming its service provider agreements to the CCPA requirements; and
  • providing annual reports to the AG relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor the global privacy control.