1798,100

  • The consumer has the right to request the company that collects the consumer’s personal information to disclose to this consumer the specific categories and information that the company has collected.
    The company that collects consumer personal information, at the latest at the point of collection, must inform consumers of the categories of personal information to be collected and the purposes for which the categories of personal information will be used. Businesses may not collect additional categories of personal information or use the collected personal information for additional purposes without notifying the customer in accordance with this section.
  • The company must provide the consumer with the information specified in paragraph (a) only after receiving a verifiable request from the consumer.
  • Businesses that receive a verifiable request from the consumer to access personal information must immediately take steps to disclose the personal information required in this section and provide it to the consumer free of charge.
  • Information can be transmitted by mail or electronically, and if submitted electronically, the information should be portable and, to the extent technically feasible, in a user-friendly format that allows the consumer to transfer it. information to another entity without obstacles.
  • A company may provide personal information to the consumer at any time, but is not required to provide personal information to the consumer more than twice in a 12 month period.
  • This section does not obligate the company to keep the personal information collected for a single transaction, if this information has not been sold or saved by the company, nor to redefine or link information that is not saved for ‘in a way that can be considered information personal.

1798.105

  • The consumer has the right to ask the company to delete any personal consumer information that the company has collected from the consumer.
  • A company that collects personal information about consumers must disclose, in accordance with article 1798.130, the right of consumers to request the deletion of consumer personal information.
  • A company that receives a verifiable consumer request from the consumer to remove personal information in accordance with paragraph (a) of this section must remove consumer personal information from its records and order any service provider to remove consumer personal information of your records.
  • The business or service provider is not required to comply with the consumer’s request to delete consumer personal information if the business or service provider is required to retain the consumer’s personal information in order to :
    • Complete the transaction for which personal information has been collected, comply with the terms of the written warranty, remove the product that has been manufactured in accordance with federal law, provide a good or service that the consumer requests, or reasonably wait within of the framework of a company that pursues the relationship with the consumer or executes a contract between the company and the consumer.
    • Detection of security incidents, protection against harmful, deceptive, fraudulent or illegal activities; Or prosecute those responsible for this activity.
    • Bug fixes to identify and fix bugs that weaken existing scheduled features.
    • Exercise freedom of expression and guarantee that another consumer has the right to exercise their right to freedom of expression, or the exercise of another right enshrined in law.
    • Compliance with the California Electronic Communications Privacy Act in accordance with Chapter 3.6 (commencing with Section 1546) of Section 12 of Part 2 of the Penal Code.
    • Participating in general scientific, historical or statistical research or being reviewed by their counterparts for the public good that respects all ethical and other privacy laws, when the removal of information by companies makes it impossible or constitutes a serious obstacle to carry out such research, if the consumer gives his informed consent.
    • Allow only internal uses that are reasonably aligned with consumer expectations based on the consumer’s relationship with the business.
    • Comply with a legal obligation.
    • Otherwise, use personal information internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

1,798,110

  • The consumer has the right to ask the company that collects personal information about the consumer to disclose the following to the consumer:
    • Categories of personal information that you have collected about this consumer.
    • Categories of sources from which personal information is collected.
    • Commercial or commercial purpose to collect or sell personal information.
    • Categories of third parties with which the company shares personal information.
    • The specific parts of the personal information you have collected about this consumer.
  •  The company that collects personal information about the consumer must disclose to the consumer, in accordance with paragraph (3) of paragraph (a) of section 1798.130, the information specified in paragraph (a) upon receipt of a verifiable request from the consumer. of a consumer.
  • A business that collects personal information about consumers must disclose, in accordance with subparagraph b) of subsection (5) of subdivision a) of section 1798.130:
    • Categories of personal information that you have collected about this consumer.
    • Categories of sources from which personal information is collected.
    • Commercial or commercial purpose to collect or sell personal information.
    • Categories of third parties with which the company shares personal information.
    • The specific parts of the personal information that the company has collected about this consumer.
  •  This service does not require that the company:
    • Retention of personal consumer information collected for a single transaction if consumer information is not kept in the ordinary course of business.
    • Redefine or link any information not kept in the ordinary course of business in a way that is considered personal information.

1798,115

  • The consumer has the right to ask a company that sells or discloses their personal information for commercial purposes to disclose to the consumer:
    • Categories of personal information that the company has collected about the consumer.
    • Categories of personal information sold by the consumer’s business and the categories of third parties to whom personal information was sold, according to the category or categories of personal information for each category of third parties to whom personal information was sold.
    • Categories of personal information that the company discloses to the consumer for commercial purposes.
  • A company that sells personal information about a consumer, or that discloses personal information about a consumer for commercial purposes, must disclose, pursuant to subsection (4) of subsection (a) of section 1798.130, the information specified in subsection ( a) from the consumer when you receive a verified consumer order.
  • A company that sells personal information to a consumer, or that discloses personal information to a consumer for commercial purposes, must disclose, pursuant to subsection (c) of subsection (5) of subsection (a) of the section. 1798,130:
    • The category or categories of personal information that consumers have sold, or if the company does not sell the consumer’s personal information, must disclose this fact.
    • The category or categories of consumer personal information that it disclosed for commercial purposes, or if the company does not disclose personal information to the consumer for commercial purposes, must disclose this fact.
  •  A third party must not sell personal information about a consumer that has been sold to a third party by a company unless the consumer has received an explicit notice and has an opportunity to exercise the right of withdrawal in accordance with section 1798.120.

1798,120

  • The consumer has the right, at any time, to run a company that sells consumer personal information to third parties so that they do not sell personal information to the consumer. This right may be called the right to be suspended.
  • The company that sells personal information to consumers to third parties must notify consumers, according to sub-division (a) of Section 1798.135, that this information may be sold and that consumers have the “right to withdraw” from the sale of your products. personal information.
  • Despite sub-division (A), the company will not sell personal information to consumers if the company has actual knowledge that the consumer is under 16 years old, unless the consumer, in the case of consumers between 13 and 16 years of age, parents or Consumer guardian, in the case of consumers under the age of 13, has certainly allowed the sale of personal information to the consumer. A company that intentionally ignores the consumer’s age must have actual knowledge of the consumer’s age. This right may be called the “voluntary subscription right”.
  • The company that has received instructions from the consumer not to sell personal information to the consumer, or in the event that the personal information of the small consumer has not received approval to sell the personal information to the small consumer, will be banned, according to Paragraph (4) of subsection (A) of Section 1798.135, to sell the personal information to the consumer after Receive the consumer’s address, unless the consumer provides explicit permission to sell the consumer’s personal information.

1798,125

  • No business can discriminate against the consumer because the consumer exercised any of the consumer’s rights under this title, including, among others:
    • Depriving the consumer of goods or services.
    • Impose various prices or prices of goods or services, including through the use of discounts or other benefits, or the imposition of sanctions.
    • Provide a different level or quality of goods or services to the consumer.
  •  A suggestion that the consumer receive a different price or price for the goods or services, or a different level or quality of the goods or services.
  • There is nothing in this subdivision that prevents companies from imposing a different price or price on the consumer, or providing a different level or quality of goods or services to the consumer, if this difference is reasonably linked to the value provided to the consumer from the data. of the consumer.
  • Businesses can offer financial incentives, including payments to consumers as compensation, to collect personal information, sell personal information, or delete personal information. The company may also offer the consumer a different price, price, level, or quality for goods or services if that price or difference is directly related to the value provided to the business through consumer data.
  • Businesses offering financial incentives in accordance with this subsection must notify consumers of financial incentives in accordance with section 1798.130.
  • Companies cannot include the consumer in the financial incentive program unless the consumer has given their prior approval to operate in accordance with section 1798.130, which clearly describes the material terms of the financial incentive program, which the consumer can cancel in any moment.
  • Businesses cannot use unfair, unreasonable, coercive or profitable financial incentive practices.

1798,130

  • To comply with Sections 1798.100, 1798.105, 1798.110, 1798.115 and 1798.125, the company, so that consumers can reasonably access:
    • Allow consumers to have two or more dedicated methods for submitting requests for information required for disclosure under Sections 1798.110 and 1798.115, including, at a minimum, a toll-free number. Any business that operates exclusively online and has a direct relationship with the consumer from whom it collects personal information will only need to provide an email address to submit requests for information to be disclosed under Sections 1798.110 and 1798.115.
    • If the company maintains a website on the Internet, make it available to consumers to submit requests for information necessary to be disclosed under sections 1798.110 and 1798.115.
  •  Disclose the required information and deliver it to the consumer free of charge within 45 days of receiving a verifiable consumer order. The company must take immediate action to determine if the order is a verifiable consumer order, but this does not extend the company’s obligation to disclose and deliver the information within 45 days of receipt of the consumer request. The time period for submitting the required information may be extended once for an additional 45 days when reasonably necessary, provided that the customer receives the notice of extension within the first 45 days. The disclosure must cover the twelve months preceding the receipt of a verifiable consumer request from the company, and must be written and delivered through the consumer’s account with the company, if the consumer has an account at work. , or by mail or electronically at the consumer’s choice if not The consumer maintains an account at work, in an easy-to-use format that allows him to transfer this information from one entity to another without hindrance. The company may reasonably require consumer authentication in light of the nature of the personal information required, but does not require the customer to create an account with the company to submit a verifiable consumer request. If the consumer has an account with the company, the company may require him to submit the request through this account.
  • For purposes of subdivision (b) of Section 1798.110:
    • To meet the consumer, link the information provided by the consumer to the verifiable consumer request with any personal information previously collected by the company about the consumer.
    • Specify by category or categories the personal information collected about the consumer in the previous twelve months by referring to the category or categories mentioned in subsection (c) that accurately describe the personal information collected.
  •  For the purposes of subdivision (b) of Section 1798.115:
    • Identification of the consumer and correlation of the information provided by the consumer in a verifiable consumer request for any personal information previously collected by the company about the consumer.
    • Specify by category or categories the consumer’s personal information sold by the company in the previous 12 months by referring to the category mentioned in subsection (c) that closely describes the personal information and provided the categories of third parties with which the consumer deals . Personal information was sold within 12 months The foregoing referring to the category or categories mentioned in subsection (c) that closely describes the personal information that has been sold. The company must disclose the information in a separate list from a list created for the purposes of subparagraph (c).
    • Specify by category or categories the consumer personal information that the company disclosed for commercial purposes in the last twelve months by referring to the category or categories mentioned in subsection (C) that closely describes personal information, and provided the third party categories for which the consumer’s personal information was disclosed. For business purposes in the previous 12 months, refer to the category or categories mentioned in subsection (c) that describe highly personal information that has been disclosed. The company must disclose the information in a separate list from a list created for the purposes of subparagraph (b).
  • Please disclose the following information in the online privacy policy or policies if the company has a privacy policy or policies online and in any specific description of California for consumer privacy rights, or if the company does not maintain these policies on your website, and update that information once At least one every 12 months:
    • A description of consumer rights according to Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125 and one or more ways to submit applications.
    • For purposes of sub-division (c) of section 1798.110, a list of categories of personal information you have collected about consumers in the past twelve months is by reference to the category or categories listed in subsection (c) that describe more than collecting close personal information.
    • For the purposes of paragraphs (1) and (2) of subsection (c) of section 1798.115, two separate lists:
      • List of categories of personal information that you have sold about consumers in the past twelve months by referring to the category or categories listed in subsection (c) that closely describe the personal information that has been sold, or if the business has not sold the personal data to consumers. Information In the past twelve months, the company must reveal this fact.
      • List of categories of personal information that consumers have disclosed for commercial purposes in the past twelve months in reference to the category listed in subsection (c) that more closely describes personal information that has been disclosed, or if the company does not do so, personal information is disclosed to consumers For a commercial purpose in the previous 12 months, the company must disclose this fact.
    •  Ensure that all persons responsible for handling consumer inquiries about the company’s privacy practices or company compliance with this address are informed of all the requirements listed in Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, and this section, and how to direct consumers to exercise their rights under those sections.
    • Use any personal information collected from the consumer in connection with company verification for consumer demand only for verification purpose.
  •  The company is not obligated to provide the information required in Sections 1798.110 and 1798.115 to the same consumer more than twice in a 12-month period.
  • The categories of personal information that must be disclosed under Sections 1798.110 and 1798.115 must follow the definition of personal information in Section 1798.140.

1798.135

  1. A business that is required to comply with Section 1798.120 shall, in a form that is reasonably accessible to consumers:
    1. Provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.
    2. Include a description of a consumer’s rights pursuant to Section 1798.120, along with a separate link to the “Do Not Sell My Personal Information” Internet Web page in:
      1. Its online privacy policy or policies if the business has an online privacy policy or policies.
      2. Any California-specific description of consumers’ privacy rights.
    3. Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Section 1798.120 and this section and how to direct consumers to exercise their rights under those sections.
    4. For consumers who exercise their right to opt-out of the sale of their personal information, refrain from selling personal information collected by the business about the consumer.
    5. For a consumer who has opted-out of the sale of the consumer’s personal information, respect the consumer’s decision to opt-out for at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.
    6. Use any personal information collected from the consumer in connection with the submission of the consumer’s opt-out request solely for the purposes of complying with the opt-out request.
  2. Nothing in this title shall be construed to require a business to comply with the title by including the required links and text on the homepage that the business makes available to the public generally, if the business maintains a separate and additional homepage that is dedicated to California consumers and that includes the required links and text, and the business takes reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally.
  3. A consumer may authorize another person solely to opt-out of the sale of the consumer’s personal information on the consumer’s behalf, and a business shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer’s behalf, pursuant to regulations adopted by the Attorney General.

1798.140

For purposes of this title:

  1. “Aggregate consumer information” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. “Aggregate consumer information” does not mean one or more individual consumer records that have been de­identified.
  2. “Biometric information” means an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
  3. “Business” means:
    1. A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
      1. Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
      2. Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
      3. Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
    2. Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark.
  4. “Business purpose” means the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected. Business purposes are:
    1. Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
    2. Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
    3. Debugging to identify and repair errors that impair existing intended functionality.
    4. Short-term, transient use, provided the personal information that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
    5. Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
    6. Undertaking internal research for technological development and demonstration.
    7. Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
  5. “Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.
  6. “Commercial purposes” means to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction. “Commercial purposes” do not include for the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.
  7. “Consumer” means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.
  8. “Deidentified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:
    1. Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
    2. Has implemented business processes that specifically prohibit reidentification of the information.
    3. Has implemented business processes to prevent inadvertent release of deidentified information.
    4. Makes no attempt to reidentify the information.
  9. “Designated methods for submitting requests” means a mailing address, email address, Internet Web page, Internet Web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under this title, and any new, consumer-friendly means of contacting a business, as approved by the Attorney General pursuant to Section 1798.185.
  10. “Device” means any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.
  11. “Health insurance information” means a consumer’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the consumer, or any information in the consumer’s application and claims history, including any appeals records, if the information is linked or reasonably linkable to a consumer or household, including via a device, by a business or service provider.
  12. “Homepage” means the introductory page of an internet website and any internet web page where personal information is collected. In the case of an online service, such as a mobile application, homepage means the application’s platform page or download page, a link within the application, such as from the application configuration, “About,” “Information,” or settings page, and any other location that allows consumers to review the notice required by subdivision (a) of Section 1798.135, including, but not limited to, before downloading the application.
  13. “Infer” or “inference” means the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.
  14. “Person” means an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert.
    1. “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:
      1. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
      2. Any categories of personal information described in subdivision (e) of Section 1798.80.
      3. Characteristics of protected classifications under California or federal law.
      4. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
      5. Biometric information.
      6. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
      7. Geolocation data.
      8. Audio, electronic, visual, thermal, olfactory, or similar information.
      9. Professional or employment-related information.
      10. Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).
      11. Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
    2. “Personal information” does not include publicly available information. For purposes of this paragraph, “publicly available” means information that is lawfully made available from federal, state, or local government records. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.
    3. “Personal information” does not include consumer information that is deidentified or aggregate consumer information.
  15. “Probabilistic identifier” means the identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.
  16. “Processing” means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.
  17. “Pseudonymize” or “Pseudonymization” means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.
  18. “Research” means scientific, systematic study and observation, including basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws or studies conducted in the public interest in the area of public health. Research with personal information that may have been collected from a consumer in the course of the consumer’s interactions with a business’s service or device for other purposes shall be:
    1. Compatible with the business purpose for which the personal information was collected.
    2. Subsequently pseudonymized and deidentified, or deidentified and in the aggregate, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.
    3. Made subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
    4. Subject to business processes that specifically prohibit reidentification of the information.
    5. Made subject to business processes to prevent inadvertent release of deidentified information.
    6. Protected from any reidentification attempts.
    7. Used solely for research purposes that are compatible with the context in which the personal information was collected.
    8. Not be used for any commercial purpose.
    9. Subjected by the business conducting the research to additional security controls limit access to the research data to only those individuals in a business as are necessary to carry out the research purpose.
    1. “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
    2. For purposes of this title, a business does not sell personal information when:
      1. A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.
      2. The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer’s personal information.
      3. The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if both of the following conditions are met:
        1. The business has provided notice that information being used or shared in its terms and conditions consistent with Section 1798.135.
        2. The service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.
      4. The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with Sections 1798.110 and 1798.115. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with Section 1798.120. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).
  19. “Service” or “services” means work, labor, and services, including services furnished in connection with the sale or repair of goods.
  20. “Service provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.
  21. “Third party” means a person who is not any of the following:
    1. The business that collects personal information from consumers under this title.
      1. A person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract:
        1. Prohibits the person receiving the personal information from:
          1. Selling the personal information.
          2. Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.
          3. Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
        2. Includes a certification made by the person receiving the personal information that the person understands the restrictions in subparagraph (A) and will comply with them.
      2. A person covered by this paragraph that violates any of the restrictions set forth in this title shall be liable for the violations. A business that discloses personal information to a person covered by this paragraph in compliance with this paragraph shall not be liable under this title if the person receiving the personal information uses it in violation of the restrictions set forth in this title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the person intends to commit such a violation.
  22. “Unique identifier” or “Unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device. For purposes of this subdivision, “family” means a custodial parent or guardian and any minor children over which the parent or guardian has custody.
  23. “Verifiable consumer request” means a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer pursuant to Sections 1798.100, 1798.105, 1798.110, and 1798.115 if the business cannot verify, pursuant to this subdivision and regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185, that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.

1798.145

  1. The obligations imposed on businesses by this title shall not restrict a business’s ability to:
    1. Comply with federal, state, or local laws.
    2. Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
    3. Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
    4. Exercise or defend legal claims.
    5. Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.
    6. Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.
  2. The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.
    1. This title shall not apply to any of the following:
      1. Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).
      2. A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.
      3. Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.
    2. For purposes of this subdivision, the definitions of “medical information” and “provider of health care” in Section 56.05 shall apply and the definitions of “business associate,” “covered entity,” and “protected health information” in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.
    1. This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.
    2. Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, section 1681 et seq., Title 15 of the United States Code and the information is not used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.
    3. This subdivision shall not apply to Section 1798.150.
  3. This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.
  4. This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.
    1. Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicle’s manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.
    2. For purposes of this subdivision:
      1. “Vehicle information” means the vehicle information number, make, model, year, and odometer reading.
      2.  “Ownership information” means the name or names of the registered owner or owners and the contact information for the owner or owners.
    1. This title shall not apply to any of the following:
      1. Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.
      2. Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.
      3. Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits.
    2. For purposes of this subdivision:
      1. “Contractor” means a natural person who provides any service to a business pursuant to a written contract.
      2. “Director” means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.
      3. “Medical staff member” means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.
      4. “Officer” means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.
      5. “Owner” means a natural person who meets one of the following:
        1. Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.
        2. Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.
        3. Has the power to exercise a controlling influence over the management of a company.
    3. This subdivision shall not apply to subdivision (b) of Section 1798.100 or Section 1798.150.
    4. This subdivision shall become inoperative on January 1, 2021.
  5. Notwithstanding a business’ obligations to respond to and honor consumer rights requests pursuant to this title:
    1. A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.
    2. If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.
    3. If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.
  6. A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.
  7. This title shall not be construed to require a business to collect personal information that it would not otherwise collect in the ordinary course of its business, retain personal information for longer than it would otherwise retain such information in the ordinary course of its business, or reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.
  8. The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.
  9. The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.
    1. The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, non-profit, or government agency.
    2. For purposes of this subdivision:
      1. “Contractor” means a natural person who provides any service to a business pursuant to a written contract.
      2. “Director” means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.
      3. “Officer” means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.
      4. “Owner” means a natural person who meets one of the following:
        1. Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.
        2. Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.
        3. Has the power to exercise a controlling influence over the management of a company.
    3. This subdivision shall become inoperative on January 1, 2021.

1798.150

  1. Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
    1. To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
    2. Injunctive or declaratory relief.
    3. Any other relief the court deems proper.
  2. In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.

1798.155

  1. Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with the provisions of this title.
  2. A business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.
  3. Any civil penalty assessed for a violation of this title, and the proceeds of any settlement of an action brought pursuant to subdivision (b), shall be deposited in the Consumer Privacy Fund, created within the General Fund pursuant to subdivision (a) of Section 1798.160 with the intent to fully offset any costs incurred by the state courts and the Attorney General in connection with this title.

1798.160

  1. A special fund to be known as the “Consumer Privacy Fund” is hereby created within the General Fund in the State Treasury, and is available upon appropriation by the Legislature to offset any costs incurred by the state courts in connection with actions brought to enforce this title and any costs incurred by the Attorney General in carrying out the Attorney General’s duties under this title.
  2. Funds transferred to the Consumer Privacy Fund shall be used exclusively to offset any costs incurred by the state courts and the Attorney General in connection with this title. These funds shall not be subject to appropriation or transfer by the Legislature for any other purpose, unless the Director of Finance determines that the funds are in excess of the funding needed to fully offset the costs incurred by the state courts and the Attorney General in connection with this title, in which case the Legislature may appropriate excess funds for other purposes.

1798.175

This title is intended to further the constitutional right of privacy and to supplement existing laws relating to consumers’ personal information, including, but not limited to, Chapter 22 (commencing with Section 22575) of Division 8 of the Business and Professions Code and Title 1.81 (commencing with Section 1798.80). The provisions of this title are not limited to information collected electronically or over the Internet, but apply to the collection and sale of all personal information collected by a business from consumers. Wherever possible, law relating to consumers’ personal information should be construed to harmonize with the provisions of this title, but in the event of a conflict between other laws and the provisions of this title, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.

1798.180

This title is a matter of statewide concern and supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection and sale of consumers’ personal information by a business.

1798.185

  1. On or before July 1, 2020, the Attorney General shall solicit broad public participation and adopt regulations to further the purposes of this title, including, but not limited to, the following areas:
    1. Updating as needed additional categories of personal information to those enumerated in subdivision (c) of Section 1798.130 and subdivision (o) of Section 1798.140 in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.
    2. Updating as needed the definition of unique identifiers to address changes in technology, data collection, obstacles to implementation, and privacy concerns, and additional categories to the definition of designated methods for submitting requests to facilitate a consumer’s ability to obtain information from a business pursuant to Section 1798.130.
    3. Establishing any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights, within one year of passage of this title and as needed thereafter.
    4. Establishing rules and procedures for the following:
      1. To facilitate and govern the submission of a request by a consumer to opt-out of the sale of personal information pursuant to Section 1798.120.
      2. To govern business compliance with a consumer’s opt-out request.
      3. For the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information.
    5. Adjusting the monetary threshold in subparagraph (A) of paragraph (1) of subdivision (c) of Section 1798.140 in January of every odd-numbered year to reflect any increase in the Consumer Price Index.
    6. Establishing rules, procedures, and any exceptions necessary to ensure that the notices and information that businesses are required to provide pursuant to this title are provided in a manner that may be easily understood by the average consumer, are accessible to consumers with disabilities, and are available in the language primarily used to interact with the consumer, including establishing rules and guidelines regarding financial incentive offerings, within one year of passage of this title and as needed thereafter.
    7. Establishing rules and procedures to further the purposes of Sections 1798.110 and 1798.115 and to facilitate a consumer’s or the consumer’s authorized agent’s ability to obtain information pursuant to Section 1798.130, with the goal of minimizing the administrative burden on consumers, taking into account available technology, security concerns, and the burden on the business, to govern a business’s determination that a request for information received by a consumer is a verifiable consumer request, including treating a request submitted through a password-protected account maintained by the consumer with the business while the consumer is logged into the account as a verifiable consumer request and providing a mechanism for a consumer who does not maintain an account with the business to request information through the business’s authentication of the consumer’s identity, within one year of passage of this title and as needed thereafter.
  2. The Attorney General may adopt additional regulations as follows:
    1. To establish rules and procedures on how to process and comply with verifiable consumer requests for specific pieces of personal information relating to a household in order to address obstacles to implementation and privacy concerns.
    2. As necessary to further the purposes of this title.
  3. The Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.

1798.190

If a series of steps or transactions were component parts of a single transaction intended from the beginning to be taken with the intention of avoiding the reach of this title, including the disclosure of information by a business to a third party in order to avoid the definition of sell, a court shall disregard the intermediate steps or transactions for purposes of effectuating the purposes of this title.

1798.192

Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable. This section shall not prevent a consumer from declining to request information from a business, declining to opt-out of a business’s sale of the consumer’s personal information, or authorizing a business to sell the consumer’s personal information after previously opting out.

1798.194

This title shall be liberally construed to effectuate its purposes.

1798.196

This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the United States or California Constitution.

1798.198

  1. Subject to limitation provided in subdivision (b), and in Section 1798.199, this title shall be operative January 1, 2020.
  2. This title shall become operative only if initiative measure No. 17-0039, The Consumer Right to Privacy Act of 2018, is withdrawn from the ballot pursuant to Section 9604 of the Elections Code.

1798.199

Notwithstanding Section 1798.198, Section 1798.180 shall be operative on the effective date of the act adding this section.