Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

California: Revised CCPA Regulations - understanding CCPA as amended

The California Privacy Protection Agency ('CPPA') released its highly anticipated revised California Consumer Privacy Act of 2018, as amended ('CCPA') Regulations1 ('the revised CCPA Regulations') on 4 April 2023. In particular, the revised CCPA Regulations update the existing CCPA Regulations to harmonise them with the amendments adopted pursuant to the CCPA, as amended by the California Privacy Rights Act of 2020 ('CPRA')2 ('the CCPA as amended'). Furthermore, the CPPA confirmed that the revised CCPA Regulations aim to operationalise new rights and concepts introduced by the CCPA as amended and reorganise and consolidate requirements to make the CCPA Regulations easier to follow and understand. OneTrust DataGuidance outlines the key amendments introduced in the revised CCPA Regulations.

LeoPatrizi / Signature collection / istockphoto.com

Definitions (§7001)

The revised CCPA Regulations amend and introduce definitions including 'disproportionate effort', 'Alternative Opt-Out Link', 'information practices', and 'non-business'. The final statement of reason3 clarifies that disproportionate effort also applies to service providers, contractors, as well as third parties, in addition to businesses, and provides more detail regarding the factors to be considered in evaluating whether responding to a consumer request would require disproportionate effort, including the reasonably foreseeable impact to the consumer by not responding, taking into account applicable circumstances, such as the size of the business, service provider, contractor, or third party, the nature of the request, and the technical limitations impacting their ability to respond.

Furthermore, 'non-business' is defined as a person or entity that does not meet the definition of a 'business' as defined in §§1798.140(d) of the California Civil Code, highlighting that non-profits and government entities are non-businesses because 'business' is defined, among other things, to include only entities 'organised or operated for the profit or financial benefit of its shareholders or other owners.'

Notably, the revised CCPA Regulations removed some definitions including 'affirmative authorisation' and 'household'.

Restrictions on the collection and use of personal information (§7002)

The revised CCPA Regulations introduce requirements associated with the collection and use of personal information, including obligations focused on purpose limitation as well as further processing. In addition, the revised CCPA Regulations establish that the purpose(s) for which personal information is collected or processed must be consistent with the reasonable expectations of the consumer whose personal information is collected or processed, which will be based on factors including:

  • the relationship between the consumer and the business;
  • the type, nature, and amount of personal information that the business seeks to collect or process;
  • the source of the personal information and the business' method for collecting or processing it;
  • the specificity, explicitness, prominence, and clarity of disclosures to the consumer(s) about the purpose for collecting or processing their personal information, such as in the notice at collection and in the marketing materials to the consumer(s) about the business' good or service; and
  • the degree to which the involvement of service providers, contractors, third parties, or other entities in the collecting or processing of personal information is apparent to the consumer(s).

In regard to further processing, the revised CCPA Regulations provide that, whether another disclosed purpose is compatible with the purpose for which the personal information was collected will be based on factors including:

  • the consumer's reasonable expectations concerning the purpose for which the personal information will be collected or processed in line with the factors above;
  • the other disclosed purpose for which the business seeks to further collect or process the consumer's personal information; and
  • the link between point one and two.

Notably, the revised CCPA Regulations establish that a business' collection, use, retention, and/or sharing of a consumer's personal information must also be reasonably necessary and proportionate, which will be based on the minimum personal information that is necessary to achieve the identified purpose, the possible negative impacts on consumers by the business' collection or processing of the personal information, as well as the existence of additional safeguards to specifically address the possible negative impacts on consumers considered by the business as outlined above. Importantly, the revised CCPA Regulations clarify that businesses must obtain the consumer's consent in accordance with §7004 of the revised CCPA Regulations before collecting or processing personal information for any purpose that does not meet the requirements set forth in §7002(a) of the revised CCPA Regulations. Furthermore, the revised CCPA Regulations restrict the collection of categories of personal information not disclosed in the notice at collection, highlighting that where a business intends to collect additional categories of personal information not disclosed in the notice at collection or intends to use the personal information for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected, the business must provide a new notice at collection.

Submitting CCPA requests and obtaining consumer consent (§7004)

The revised CCPA Regulations detail specific principles for designing and implementing requirements associated with the submission of CCPA requests and obtaining consumer consent. These principles include:

  • The method being easy to understand. The methods must use language that is easy for consumers to read and understand and, when applicable, comply with the requirements for disclosures to consumers set forth in §7003 outlined below.
  • Consumers having symmetry in choice. The path for a consumer to exercise a more privacy-protective option must not be longer, more difficult, or time-consuming than the path to exercise a less privacy-protective option because that would impair or interfere with the consumer's ability to make a choice.
  • Avoid language or interactive elements that are confusing. The methods should not use double negatives. Additionally, toggles or buttons must clearly indicate the consumer's choice.
  • Avoid choice architecture that impairs or interferes with the consumer's ability to make a choice. Businesses should not design their methods in a manner that would impair the consumer's ability to exercise their choice because consent must be freely given, specific, informed, and unambiguous.
  • Must be easy to execute. Businesses must not add unnecessary burden or friction to the submission process, noting that methods should be tested to ensure that they are functional and do not undermine the consumer's choice to submit the request.

Importantly, the revised CCPA Regulations stipulate that where the method does not comply with the above it may be considered a dark pattern. To this end, any agreement obtained through the use of dark patterns will not constitute consumer consent. In regard to user interfaces, a dark pattern is where the interface has the effect of substantially subverting or impairing user autonomy, decision making, or choice of the consumer. Crucially, a business' intent in designing the interface is not determinative in whether the user interface is a dark pattern, but a factor to be considered.

Disclosure to consumers (§7010)

Privacy policy (§7011)

The revised CCPA Regulations introduce new information that must be included within privacy policies which must comply with §7003(a) and (b) of the revised CCPA Regulations. More specifically, the revised CCPA Regulations requires that privacy policies include:

  • a comprehensive description of online and offline practices regarding the collection, use, sale, sharing, and retention of personal information, including:
    • identifying the categories of personal information collected in the preceding 12 months;
    • identifying the categories of sources from which personal information is collected;
    • identifying, in a meaningful way, the specific business or commercial purpose for collecting personal information from consumers;
    • identifying the categories of personal information, if any, that the business has sold or shared to third parties in the preceding 12 months, as well as each category of personal information, the categories of third parties to whom the information was sold or shared, and disclosing if no such sale or sharing has occurred;
    • identifying, in a meaningful way, the specific business or commercial purpose for selling or sharing consumers' personal information;
    • a statement on whether the business has actual knowledge that it sells or shares personal information of consumers under 16 years of age;
    • identifying the categories of personal information, if any, that the business disclosed for a business purpose to third parties in the preceding 12 months, as well as each category of personal information and the categories of third parties to whom the information was disclosed;
    • identifying the specific business or commercial purpose for disclosing the consumer's personal information; and
    • a statement on whether the business discloses sensitive personal information;
  • an explanation of consumers' rights under the CCPA; and
  • an explanation of how consumer rights can be exercised and the process that can be expected, including:
    • an explanation of the methods by which the consumer can exercise their CCPA as amended rights;
    • instructions for submitting a request under the CCPA as amended;
    • a general description of the process the business uses to verify a consumer request to know, request to delete, and request to correct; and
    • instructions on how an authorised agent can make a request under the CCPA as amended on the consumer's behalf.

Furthermore, the revised CCPA Regulations maintains the requirements that the privacy policy includes the date on which the privacy policy was last updated, and businesses that are subject to the data reporting requirements in §7102 provide such information or a link to the same.

Notice at collection (§7012)

The revised CCPA Regulations amend the information that must be provided to consumers when personal information is being collected, highlighting that notice at collection must comply with §7003(a) and (b) of the revised CCPA Regulations. More specifically, the revised CCPA Regulations establish requirements for businesses to provide the length of time the business intends to retain each category of personal information identified in §7012(e)(1) of the revised CCPA Regulations, or if that is not possible, the criteria used to determine the period of time it will be retained. Importantly, the revised CCPA Regulations removed exceptions associated with the collection of employment-related information.

Format and intelligibility (§7003)

In regard to intelligibility, the revised CCPA Regulations state that disclosures and communications to consumers must be easy to read and understandable to consumers. In line with the original CCPA Regulations, the disclosure requirements under Article 2 of the revised CCPA Regulations disclosure must be: in a format that makes the disclosure readable; available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California; and reasonably accessible to consumers with disabilities. Specifically for online notices, the revised CCPA Regulations states that businesses must follow generally recognised industry standards; and in other contexts, provide information on how a consumer with a disability may access the policy in an alternative format.

In relation to conspicuous link, the same must appear in a similar manner as other posted links used by the business on its homepage(s). Correspondingly, for mobile applications, a conspicuous link must be included in the business' privacy policy, which must be accessible through the mobile application's platform page or download page. This may also be accessible through a link within the application, such as through the application's settings menu.

Consumer rights

The revised CCPA Regulations contain several additions regarding consumer rights, including new obligations for service providers, contractors, and third parties, as well as new requirements associated with the CCPA as amended.

On the right to know, the revised CCPA Regulations state that businesses must provide all the personal information it has collected and maintains about the consumer - including personal information that the business' service providers or contractors collected pursuant to their written contract with the business - during the 12-month period preceding the business' receipt of the consumer's request. However, a consumer may request that the business provide personal information that the business collected beyond the 12-month period, as long as it was collected on or after 1 January 2022. The business must provide this information unless doing so proves impossible or would involve disproportionate effort. In line with the above, service providers or contractors must provide assistance to the business in responding to a verifiable consumer request to know, including by providing the business the consumer's personal information it has in its possession, or by enabling the business to access that personal information.

In regard to deletion requests, the revised CCPA Regulations require business' to notify service providers or contractors, and notification to third parties to whom a business has sold or shared the personal information for deletion request unless this proves impossible or involves disproportionate effort. Furthermore, the revised CCPA Regulations detail specific requirements for deletion by such parties, including permanently and completely erasing the personal information from their existing systems within certain circumstances, and notification to any of its own service providers or contractors of the need to delete from their records, in the same manner, the consumer's personal information that they collected pursuant to their written contract with the service provider or contractor.

Correction (§7023)

As the right to correction is new under the CCPA as amended, the revised CCPA Regulations provide extensive information regarding such requests. In particular, the revised CCPA Regulations clarify how businesses should determine the accuracy of the personal information, noting that the totality of the circumstances relating to the contested personal information should be considered. This includes the nature of the personal information, how the business obtained the contested information, and documentation relating to the accuracy of the information, whether provided by the consumer, the business, or another source. In addition, a business must accept, review, and consider any documentation that the consumer provides in connection with their right to correct, whether provided voluntarily or as required by the business, and may require the consumer to provide documentation if necessary to rebut its own documentation that the personal information is accurate. To this end, a business may deny a consumer's request to correct if it determines that the contested personal information is more likely than not accurate based on the totality of the circumstances.

Importantly, businesses that comply with a consumer's request to correct must correct the personal information at issue on its existing systems. In addition, the business must also instruct all service providers and contractors that maintain the personal information to make the necessary corrections in their respective systems. A service provider or contractor may delay compliance with the consumer's request to correct with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system or is next accessed or used.

Alternatively, a business can delete the contested personal information instead of correcting the information if the deletion of the personal information does not negatively impact the consumer, or the consumer consents to the deletion. The revised CCPA Regulations outline specific rules when denying a correction requests, such as specific information that must be provided to the consumer as well as instances in which a business can deny requirements, including where the business has denied the consumer's request to correct the same alleged inaccuracy within the past six months of receiving the request, where it has in good-faith, reasonable, and documented belief that a request to correct is fraudulent or abusive, or where the business is not the source of the inaccurate information. However, in the latter case, the business may provide the consumer with the name of the source from which the business received the alleged inaccurate information.

Opt-out of sale and sharing and limit use of sensitive personal information

Notice of the rights (§§7013, 7014, 7015)

The revised CCPA Regulations expand the right to opt out to the sharing of personal information, and introduce a new requirement associated with 'Do Not Sell or Share My Personal Information' links. Regarding sensitive personal information, the revised CCPA Regulations establishes that a business that uses or discloses consumers' sensitive personal information for purposes other than those specified in §7027(m) of the revised CCPA Regulation must provide a Notice of the Right to Limit or the Alternative Opt-out Link in accordance with the CCPA as amended and §§7014 and 7015 of the revised CCPA Regulations.

Both the rights to opt out of sale and sharing and limit the use of sensitive personal information provide that such rights must follow §7003(a) and (b) of the revised CCPA Regulations. In addition, the revised CCPA Regulations state that the 'Do Not Sell or Share My Personal Information' and 'Limit the Use of My Sensitive Personal Information' links must be conspicuous and comply with §7003(c) and (d) and be located at either the header or footer of the business' internet homepage(s). As an alternative to the above, businesses may provide an alternative opt-out link in accordance with §7015 of the revised CCPA Regulations or process opt-out preference signals in accordance with §7025(f) and (g) of the revised CCPA Regulations. Importantly, businesses must still post notices of 'right to opt-out of sale and sharing' and 'right to limit' in accordance with the revised CCPA Regulations.

The Alternative Opt-out Link must be titled, 'Your Privacy Choices', or, 'Your California Privacy Choices', and must include the opt-out icon provide in the revised CCPA Regulations adjacent to the title. In line with the 'opt out' and 'limitation' links, alternative links must also be conspicuous and comply with §7003(c) and (d) of the revised CCPA Regulations and be located at either the header or footer of the business' internet homepage(s). The icon must also be approximately the same size as other icons used by the business in the header or footer of its webpage. Furthermore, the alternative opt-out link must direct the consumer to a webpage and must include an interactive form or mechanism by which the consumer can submit their request online which must be easy to execute, require minimal steps, and comply with §7004.

Specific to the right to limit the use of sensitive personal information, the revised CCPA Regulations detail requirements associated with the notice of the right to limit where sensitive personal information is used outside of the purpose provided in §7027(m) of the revised CCPA regulations, and details specific information that must be included in notice of right to limit. Notably, businesses are not required to provide a 'notice of the right to limit' or the 'limit the use of my sensitive personal information' link where they:

  • only use and disclose sensitive personal information that they collected about the consumer for the purposes specified in §7027(m) of the revised CCPA Regulations and state so in their privacy policy; or
  • only collect or processes sensitive personal information without the purpose of inferring characteristics about a consumer, and state so in their privacy policy.

Moreover, businesses must not use or disclose the sensitive personal information they collected when they do not have a 'notice of right to limit' posted for purposes other than those specified in §7027(m) of the revised CCPA regulations, unless they obtain the consent of the consumer.

Opt-out preference signals (§7025)

The opt-out preference signal is meant to provide a simple and easy method to exercise the right to opt-out of sale/sharing. To this end, the revised CCPA Regulations clarify that an opt-out preference signal that meets the following requirements should be treated as a valid request to opt-out of sale/sharing:

  • the signal is in a format commonly used and recognised by businesses; and
  • the platform, technology, or mechanism that sends the opt-out preference signal makes clear to the consumer that the use of the signal is meant to have the effect of opting the consumer out of the sale and sharing of their personal information.

Correspondingly, the revised CCPA Regulations outline specific instances in which the opt-out preference signal in line with the above should be treated as valid, including where the opt-out preference signal conflicts a consumer's business-specific privacy setting as well as participation in a business' financial incentive program, and notes that businesses must not require a consumer to provide additional information beyond what is necessary to send the signal. Moreover, in relation to consumers known to the business, the absence of an opt-out preference signal after the consumer previously sent an opt-out preference signal must not be interpreted as consent to opt-in to the sale or sharing of personal information.

Furthermore, the revised CCPA Regulations provide two options, namely:

  • processing opt-out preference signals and providing the 'Do Not Sell or Share My Personal Information' and 'Limit the Use of My Sensitive Personal Information' links or the Alternative Opt-out Link; and/or
  • processing opt-out preference signals in a frictionless manner in accordance with these regulations and not having to provide the 'Do Not Sell or Share My Personal Information' and 'Limit the Use of My Sensitive Personal Information' links or the Alternative Opt-out Link.

In regard to option two, the revised CCPA Regulations provide specific requirements associated with confirming whether the request has been honored and processing an opt-out preference signal in a frictionless manner; and more generally highlights instances when businesses will not have to provide a 'Do Not Sell or Share My Personal Information' link or the Alternative Opt-out Link.

Right to opt out of sale and sharing (§7026)

The revised CCPA regulations provide clarification on matters in regard to the right opt-out of sale and sharing. Specifically, businesses are now prohibited from requiring consumers to submit a request to opt-out of sale/sharing to create an account or provide additional information beyond what is necessary to direct the business to not sell or share the consumer's personal information. Equally, a business must not require a verifiable consumer request for a request to opt-out of sale/sharing; however, the business can ask the consumer for the necessary information to complete the request. Nevertheless, to the extent that a business can comply with a request to opt-out of sale/sharing without additional information, it should do so.

Furthermore, the revised CCPA Regulations introduce additional requirements for compliance with such requests, including notification to third parties to whom the business has sold or shared the consumer's personal information, noting that service providers or contractors collecting personal information pursuant to a written contract do not constitute a sale or sharing of personal information.

Importantly, businesses must wait at least 12 months from the date of the consumer's request before asking a consumer to consent to the sale or sharing of their personal information.

Right to limit the use of sensitive personal information (§7027)

The revised CCPA Regulations introduce requirements associated with right to limit the use of sensitive personal information based on the CCPA as amended. More specifically, businesses that use or disclose sensitive personal information for purposes other than those in §7027(m) of the revised CCPA Regulations must provide two or more designated methods for submitting requests to limit which must be easy for consumers to execute, require minimal steps, and comply with §7004 of the revised CCPA Regulations. Businesses must take into consideration the following when determining the applicable method:

  • the methods through which they interact with consumers;
  • the manner in which they collect the sensitive personal information that they use for purposes other than in §7027(m) of the revised CCPA Regulations;
  • available technology; and
  • the ease of use by the consumer.

At least one method offered must reflect the way the business primarily interacts with the consumer.

Importantly, the revised CCPA Regulations clarify the purposes in which sensitive personal information can be used or disclosed without the requirement to offer consumers a right to limit, which include:

  • to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services;
  • to prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information;
  • to resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions;
  • to ensure the physical safety of natural persons;
  • for short-term, transient use, including, non-personalised advertising shown as part of a consumer's current interaction with the business, provided that the personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with the business;
  • to perform services on behalf of the business;
  • to verify or maintain the quality or safety of a product, service, or device that is owned by, manufactured by, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned by, manufactured by, manufactured for, or controlled by the business; and
  • to collect or process sensitive personal information where the collection or processing is not for the purpose of inferring characteristics about a consumer.

In line with the right to opt out, the right to limit stipulates that a verifiable consumer request to limit the use or disclosure of their sensitive personal information is not required, although businesses can ask the consumer for the necessary information to complete the request. Nevertheless, to the extent that a business can comply with a request to limit the use or disclosure of their sensitive personal information without additional information, it should do so. In addition, where a business has good faith and reasonable and documented belief that a request to limit is fraudulent, the business may deny the request, however, they must inform the requestor that it will not comply with the request and provide an explanation as to why it believes the request is fraudulent.

More generally, the revised CCPA Regulations outline how businesses should comply with a request and clarify the rules surrounding the use of authorised agents, noting that such agents can be used provided they have written permission signed by the consumer. Finally, in line with opt out requests, business must wait at least 12 months from the date the consumer's request to limit is received before asking a consumer for the use or disclosure of their sensitive personal information for purposes other than those set forth in §7027(m) of the revised CCPA Regulations.

Service providers, contractors, and third parties

Service providers and contractors (§7050)

The revised CCPA Regulations clarify requirements associated with outsourcing to service providers while establishing new requirements when using contractors and third parties. In particular, the revised CCPA Regulations establish restriction on the use, retention, and disclosure of personal information collected by service providers or contractors pursuant to a written contract. Interestingly, it removes the requirements that personal information can be used to process or maintain personal information, adding that personal information can be used internally by the service provider or contractor to build or improve the quality of the services it is providing to the business, even if this business purpose is not specified in the written contract required by the CCPA and revised CCPA Regulations, provided that the service provider or contractor does not use the personal information to perform services on behalf of another person. The revised CCPA Regulations further clarify uses related to prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent, or illegal activity.

Importantly, the revised CCPA Regulations explain that a person who does not have a contract that complies with §7051(a) is not a service provider or a contractor under the CCPA, highlighting that a business' disclosure of personal information to a person who does not have a contract that complies with §7051(a) may be considered a sale or sharing of personal information for which the business must provide the consumer with the right to opt-out of sale and sharing.

Contracts service providers and contractors (§7051)

The CCPA as amended now requires that a business relationship with contractors in addition to services providers be governed by a contract in line with the CCPA as amended. To this end, the revised CCPA Regulations detail contract requirements for contractors and service providers, noting that such contracts must, among other things:

  • prohibit the sale or sharing of personal information received from, or on behalf of, the business;
  • identify the specific business purpose(s) for which the service provider or contractor is processing personal information, and specify that the business is disclosing the personal information to the service provider or contractor only for the limited and specified business purpose(s) within the contract;
  • prohibit service providers or contractors from retaining, using, or disclosing the personal information, including:
    • for purposes other than the business' purpose(s) specified in the contract;
    • for commercial purposes other than the business purpose(s) specified in the contract; and
    • for purposes outside the direct business relationship between the parties;
  • require compliance with all applicable sections of the CCPA and revised CCPA Regulations;
  • grant businesses the right to take reasonable and appropriate steps to ensure the use of personal information is in a manner consistent with the business' obligations under the CCPA and these regulations;
  • require notification after the service provider or contractor makes a determination that it can no longer meet its obligations under the CCPA and revised CCPA Regulations;
  • grant businesses the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorised use of personal information; and
  • require service providers or contractors to enable the business to comply with consumer requests made pursuant to the CCPA or inform service providers or contractors of any consumer request made pursuant to the CCPA that they must comply with and provide the information necessary to comply with the request.

In relation to subcontractors, service providers or contractors must have a contract with the subcontractor that complies with the CCPA and revised CCPA Regulations, including the above.

Third parties (§§7052 and 7053)

Third parties that do not have a contract in line with §7053(a) are not permitted to collect, use, process, retain, sell, or share the personal information that the business made available to it. Specifically, the agreement for businesses and third parties must:

  • identify the limited and specified purpose(s) for which the personal information is made available to the third party;
  • specify that personal information is made available only for the limited and specified purpose(s) set forth within and may only be used for that limited and specified purpose(s);
  • require compliance with all applicable sections of the CCPA and revised CCPA Regulations and providing the same level of privacy protection as required of business;
  • grant the business the right to take reasonable and appropriate steps to ensure personal information use is in a manner consistent with the business' obligations under the CCPA and revised CCPA Regulations;
  • grant business the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorised use of personal information; and
  • require notification after the third party makes a determination that it can no longer meet its obligations under the CCPA and revised CCPA Regulations.

Businesses collecting large amounts of personal information (§7102)

The revised CCPA Regulations introduce additional metrics from the previous calendar year that must be provided, namely the number of requests to correct received, the inclusion of sharing to the number of opt out requests received, the number of requests to limit received, and adds requests for correction, to opt-out of sale/sharing, and to limit to the determination of the median or mean number of days within which the business substantively responded to the aforementioned requests.

Conclusion

The revised CCPA Regulations were approved by the California Office of Administrative Law on 30 March 2023, and entered into effect immediately.

Keshawna Campbell Manager - Privacy Research
[email protected]


1. See: https://www.dataguidance.com/legal-research/revised-ccpa-regulations
2. See: https://www.dataguidance.com/legal-research/california-privacy-rights-act-2020
3. See: https://www.dataguidance.com/legal-research/revised-ccpa-regulations-final-statement