The California Privacy Rights Act
California’s history with privacy laws dates back to 1972 when the California legislature first adopted certain provisions to protect the privacy of Californians. In the ensuing years, laws such as the Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act, and Shine the Light law were passed for various aspects of privacy protection.
However, one key component of the individual’s right to privacy had been lacking in these laws. That is, consumers had no legal right to know what personal information a business has collected about them or how the business uses this information, and no right to direct a business not to sell or share that information with any third parties.
In 2018, more than 629,000 Californians signed petitions to put the California Consumer Privacy Act of 2018 on the ballot for a statewide vote. After the measure was qualified for the ballot, the California State Legislature enacted the California Consumer Privacy Act of 2018 (CCPA) into law.
The CCPA provided consumers with the right to:
- learn what information a business has collected about them.
- require businesses to delete their personal information upon request.
- stop businesses from selling their personal information, including using it to target them with ads that follow them as they browse the internet from one website to another.
- hold businesses accountable if they do not take reasonable steps to safeguard their personal information.
Before the CCPA went into effect, the Legislature was presented with many bills backed by special interests in 2019 that sought to amend the law and weaken its provisions.
In the 2020 election, California voters passed Proposition 24 into law by a margin of 56%, thus creating the California Privacy Rights Act (CPRA). Because the CPRA was passed by voter initiative, it cannot be repealed or amended by the state legislature.
The Intentions of the CPRA
The collection of personal data by businesses about their customers and prospects has gone on for a long time. Businesses have long sought to understand both their current and prospective customers for the purposes of sales and marketing.
Especially in the era of the internet, where user data can be collected on a massive scale, the consumer can be thought of as entering into a contract in which they pay for access to a service not with money but with their personal information and attention.
The terms and the value of this exchange of personal information and attention are often difficult for the user to understand and to place a value on. The terms of service and privacy policies on many websites are long and complex documents that most users never take the time to read or understand. For a simple visit to a website, most people don’t have the time or desire to read a long and complex legal document.
The difficulty of understanding just exactly what the consumer is exchanging for the use of a given service makes it hard for users to understand what their information is worth to a given business. Some businesses are simply using customer data to better provide their goods and services while other businesses may be selling or sharing that data to other entities for profit.
In much the same way that food and beverage companies are required to list ingredients and nutritional information on packaging, California feels that transparency with consumers regarding how their data is collected and used allows them to make better choices.
Relying on businesses to regulate themselves in the sensitive matter of consumer data collection and use has proven to be ineffective. The incentives to store the data safely and securely and to allow the consumer a say as to how their data is used have left too much potential for abuse and violations of consumer privacy.
With the passing of the CPRA, the citizens of California have very clearly expressed their desire to have stricter laws in place regarding how their personal data is used, including how it is used for advertising, and to control, correct, or delete it, including by allowing consumers to limit businesses’ use of their sensitive personal information to help guard against identity theft, to opt out of the sale and sharing of their personal information, and to request that businesses correct inaccurate information about them.
Digital Advertising Focus
The CPRA recognizes that California has long been the world leader in creating many of the new technologies that have reshaped the world. From the semiconductor’s emergence in Silicon Valley in the 1950s to the internet’s rise in the late 1990s and throughout the 21st century, California has been at the forefront of the creation of both new technologies as well as the business and commercial application of them.
On the internet, advertising has proven to be one of the most powerful and profitable business models and has created vast fortunes for companies that have been able to successfully employ this model on a large scale. Much of the internet is free because it is supported by advertising business models. Without ads, users would have to pay fees directly for services such as search engines, social media sites and almost every site that relies on advertising-supported business models. Requiring users to pay to use every website would almost certainly have hindered the rise of the internet to its present level of use.
But the advertising supported business model is not without its controversies. As website tracking and analytics systems have become more sophisticated over time, it has become easier for companies to identify and track users for the purposes of offering advertisers greater sophistication in ad targeting.
With the evolution in tracking and analytics, users of these websites and services have gradually, and largely without their knowledge, handed over increasing amounts of their personal data to companies that profit from advertising and data, without really knowing exactly what they are providing in exchange for the use of these websites.
At its core, one of the CPRA’s main intended effects is to give consumers a say in whether their data can be handed over to advertisers and data brokers who may sell or share their data with other entities for the purposes of marketing.
CPRA’s Purpose and Intent
The CPRA’s overall purpose is to further protect consumers’ rights, including the constitutional right of privacy of the people of California. The law is divided into several principles that outline the rights of California residents and the responsibilities of companies doing business in California.
A. Consumer Rights
1. Consumers should know who is collecting their personal information and that of their children, how it is being used, and to whom it is disclosed, so that they have the information necessary to exercise meaningful control over businesses’ use of their personal information and that of their children.
2. Consumers should be able to control the use of their personal information, including limiting the use of their sensitive personal information, the unauthorized use or disclosure of which creates a heightened risk of harm to the consumer, and they should have meaningful options over how it is collected, used, and disclosed.
3. Consumers should have access to their personal information and should be able to correct it, delete it, and take it with them from one business to another.
4. Consumers or their authorized agents should be able to exercise these options through easily accessible self-serve tools.
5. Consumers should be able to exercise these rights without being penalized for doing so.
6. Consumers should be able to hold businesses accountable for failing to take reasonable precautions to protect their most sensitive personal information from hackers and security breaches.
7. Consumers should benefit from businesses’ use of their personal information.
8. The privacy interests of employees and independent contractors should also be protected, taking into account the differences in the relationship between employees or independent contractors and businesses, as compared to the relationship between consumers and businesses. In addition, this law is not intended to interfere with the right to organize and collective bargaining under the National Labor Relations Act. It is the purpose and intent of the Act to extend the exemptions in this title for employee and business to business communications until January 1, 2023.
B. The Responsibilities of Businesses
1. Businesses should specifically and clearly inform consumers about how they collect and use personal information and how they can exercise their rights and choice.
2. Businesses should only collect consumers’ personal information for specific, explicit, and legitimate disclosed purposes, and should not further collect, use, or disclose consumers’ personal information for reasons incompatible with those purposes.
3. Businesses should collect consumers’ personal information only to the extent that it is relevant and limited to what is necessary in relation to the purposes for which it is being collected, used, and shared.
4. Businesses should provide consumers or their authorized agents with easily accessible means to allow consumers and their children to obtain their personal information, to delete it, or correct it, and to opt-out of its sale and the sharing across business platforms, services, businesses and devices, and to limit the use of their sensitive personal information.
5. Businesses should not penalize consumers for exercising these rights.
6. Businesses should take reasonable precautions to protect consumers’ personal information from a security breach.
7. Businesses should be held accountable when they violate consumers’ privacy rights, and the penalties should be higher when the violation affects children.
C. Implementation of the Law
1. The rights of consumers and the responsibilities of businesses should be implemented with the goal of strengthening consumer privacy, while giving attention to the impact on business and innovation. Consumer privacy and the development of beneficial new products and services are not necessarily incompatible goals. Strong consumer privacy rights create incentives to innovate and develop new products that are privacy protective.
2. Businesses and consumers should be provided with clear guidance about their responsibilities and rights.
3. The law should place the consumer in a position to knowingly and freely negotiate with a business over the business’ use of the consumer’s personal information.
4. The law should adjust to technological changes, help consumers exercise their rights, and assist businesses with compliance, with the continuing goal of strengthening consumer privacy.
5. The law should enable pro-consumer new products and services and promote efficiency of implementation for business, provided that the amendments do not compromise or weaken consumer privacy.
6. The law should be amended, if necessary, to improve its operation, provided that the amendments do not compromise or weaken consumer privacy, while giving attention to the impact on business and innovation.
7. Businesses should be held accountable for violating the law through vigorous administrative and civil enforcement.
8. To the extent it advances consumer privacy and business compliance, the law should be compatible with privacy laws in other jurisdictions.
The Main Sections of the California Privacy Rights Act
The rest of this post contains the exact text of much of the CPRA law as it is written. The law contains many specific provisions and subsections and providing a summary of them would be redundant.
While the sections contain much of the text of the law, I am not a lawyer and this is not legal advice. To ensure full compliance with the CPRA, it is advised to consult with a licensed attorney who specializes in privacy law.
1798.100. General Duties of Businesses that Collect Personal Information
Under section 1798.100 of the CPRA, a business that controls the collection of a consumer’s personal information shall, at or before the point of collection, inform consumers of the following:
1. The categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether that information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.
2. If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section.
3. The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.
- a. By providing the required information prominently and conspicuously on the homepage of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location.
- b. A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision.
- c. A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.
- d. A business that collects a consumer’s personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor, that:
- i. Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.
- ii. Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title.
- iii. Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business’ obligations under this title.
- iv. Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.
- v. Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
- e. A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.
1798.105. Consumers’ Right to Delete Personal Information
a. A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
b. A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumer’s rights to request the deletion of the consumer’s personal information.
c. (1) A business that receives a verifiable consumer request from a consumer to delete the consumer’s personal information pursuant to subdivision (a) of this section shall delete the consumer’s personal information from its records, notify any service providers or contractors to delete the consumer’s personal information from their records, and notify all third parties to whom the business has sold or shared the personal information to delete the consumer’s personal information unless this proves impossible or involves disproportionate effort.
1798.106. Consumers’ Right to Correct Inaccurate Personal Information
a. A consumer shall have the right to request a business that maintains inaccurate personal information about the consumer to correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.
1798.110. Consumers’ Right to Know What Personal Information is Being Collected. Right to Access Personal Information
a. A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:
- 1. The categories of personal information it has collected about that consumer.
- 2. The categories of sources from which the personal information is collected.
- 3. The business or commercial purpose for collecting, selling, or sharing personal information.
- 4. The categories of third parties to whom the business discloses personal information.
- 5. The specific pieces of personal information it has collected about that consumer.
1798.115. Consumers’ Right to Know What Personal Information is Sold or Shared and to Whom
a. A consumer shall have the right to request that a business that sells or shares the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer:
- 1. The categories of personal information that the business collected about the consumer.
- 2. The categories of personal information that the business sold or shared about the consumer and the categories of third parties to whom the personal information was sold or shared, by category or categories of personal information for each category of third parties to whom the personal information was sold or shared.
- 3. The categories of personal information that the business disclosed about the consumer for a business purpose and the categories of persons to whom it was disclosed for a business purpose.
1798.120. Consumers’ Right to Opt-Out of Sale or Sharing of Personal Information
Section 1798.120 of the Civil Code is amended to read:
(a) A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information. This right may be referred to as the right to opt-out of sale or sharing.
(b) A business that sells consumers’ personal information to, or shares it with, third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold or shared and that consumers have the “right to opt-out” of the sale or sharing of their personal information.
(c) Notwithstanding subdivision (a), a business shall not sell or share the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.
(d) A business that has received direction from a consumer not to sell or share the consumer’s personal information or, in the case of a minor consumer’s personal information has not received consent to sell or share the minor consumer’s personal information, shall be prohibited, pursuant to paragraph (4) of subdivision (c) of Section 1798.135, from selling or sharing the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides consent, for the sale or sharing of the consumer’s personal information.
1798.121. Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information
(a) A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, to perform the services set forth in paragraphs (2), (4), (5), and (8) of subdivision (e) of Section 1798.140, and as authorized by regulations adopted pursuant to subparagraph (C) of paragraph (19) of subdivision (a) of Section 1798.185. A business that uses or discloses a consumer’s sensitive personal information for purposes other than those specified in this subdivision shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be used, or disclosed to a service provider or contractor, for additional, specified purposes and that consumers have the right to limit the use or disclosure of their sensitive personal information.
(b) A business that has received direction from a consumer not to use or disclose the consumer’s sensitive personal information, except as authorized by subdivision (a), shall be prohibited, pursuant to paragraph (4) of subdivision (c) of Section 1798.135, from using or disclosing the consumer’s sensitive personal information for any other purpose after its receipt of the consumer’s direction unless the consumer subsequently provides consent for the use or disclosure of the consumer’s sensitive personal information for additional purposes.
(c) A service provider or contractor that assists a business in performing the purposes authorized by subdivision (a) may not use the sensitive personal information after it has received instructions from the business and to the extent it has actual knowledge that the personal information is sensitive personal information for any other purpose. A service provider or contractor is only required to limit its use of sensitive personal information received pursuant to a written contract with the business in response to instructions from the business and only with respect to its relationship with that business.
(d) Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to this section, as further defined in regulations adopted pursuant to subparagraph (C) of paragraph (19) of subdivision (a) of Section 1798.185, and shall be treated as personal information for purposes of all other sections of this act, including Section 1798.100.
1798.125. Consumers’ Right of No Retaliation Following Opt Out or Exercise of Other Rights
Section 1798.125 of the Civil Code is amended to read:
(a) (1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by:
(A) Denying goods or services to the consumer.
(B) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
(C) Providing a different level or quality of goods or services to the consumer.
(D) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
(E) Retaliating against an employee, applicant for employment, or independent contractor, as defined in subparagraph (A) of paragraph (2) of subdivision (m) of Section 1798.145, for exercising their rights under this title.
(2) Nothing in this subdivision prohibits a business, pursuant to subdivision (b), from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the business by the consumer’s data.
(3) This subdivision does not prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs consistent with this title.
(b) (1) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale or sharing of personal information, or the retention of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is reasonably related to the value provided to the business by the consumer’s data.
(2) A business that offers any financial incentives pursuant to this subdivision, shall notify consumers of the financial incentives pursuant to Section 1798.130.
(3) A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.130 that clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time. If a consumer refuses to provide opt-in consent, then the business shall wait for at least 12 months before next requesting that the consumer provide opt-in consent, or as prescribed by regulations adopted pursuant to Section 1798.185.
(4) A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.
1798.130. Notice, Disclosure, Correction, and Deletion Requirements
(a) In order to comply with Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, and 1798.125, a business shall, in a form that is reasonably accessible to consumers:
(1) (A) Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, or requests for deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively, including, at a minimum, a toll-free telephone number. A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, or for requests for deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively.
(B) If the business maintains an internet website, make the internet website available to consumers to submit requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, or requests for deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively.
(2) (A) Disclose and deliver the required information to a consumer free of charge, correct inaccurate personal information, or delete a consumer’s personal information, based on the consumer’s request, within 45 days of receiving a verifiable consumer request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable consumer request, but this shall not extend the business’s duty to disclose and deliver the information, to correct inaccurate personal information, or to delete personal information within 45 days of receipt of the consumer’s request. The time period to provide the required information, to correct inaccurate personal information, or to delete personal information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period. The disclosure of the required information shall be made in writing and delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance. The business may require authentication of the consumer that is reasonable in light of the nature of the personal information requested, but shall not require the consumer to create an account with the business in order to make a verifiable consumer request provided that if the consumer, has an account with the business, the business may require the consumer to use that account to submit a verifiable consumer request.
(B) The disclosure of the required information shall cover the 12-month period preceding the business’ receipt of the verifiable consumer request provided that, upon the adoption of a regulation pursuant to paragraph (9) of subdivision (a) of Section 1798.185, a consumer may request that the business disclose the required information beyond the 12-month period, and the business shall be required to provide that information unless doing so proves impossible or would involve a disproportionate effort. A consumer’s right to request required information beyond the 12-month period, and a business’s obligation to provide that information, shall only apply to personal information collected on or after January 1, 2022. Nothing in this subparagraph shall require a business to keep personal information for any length of time.
(3) (A) A business that receives a verifiable consumer request pursuant to Section 1798.110 or 1798.115 shall disclose any personal information it has collected about a consumer, directly or indirectly, including through or by a service provider or contractor, to the consumer. A service provider or contractor shall not be required to comply with a verifiable consumer request received directly from a consumer or a consumer’s authorized agent, pursuant to Section 1798.110 or 1798.115, to the extent that the service provider or contractor has collected personal information about the consumer in its role as a service provider or contractor. A service provider or contractor shall provide assistance to a business with which it has a contractual relationship with respect to the business’ response to a verifiable consumer request, including, but not limited to, by providing to the business the consumer’s personal information in the service provider or contractor’s possession, which the service provider or contractor obtained as a result of providing services to the business, and by correcting inaccurate information or by enabling the business to do the same. A service provider or contractor that collects personal information pursuant to a written contract with a business shall be required to assist the business through appropriate technical and organizational measures in complying with the requirements of subdivisions (d) to (f), inclusive, of Section 1798.100, taking into account the nature of the processing.
(B) For purposes of subdivision (b) of Section 1798.110:
(i) To identify the consumer, associate the information provided by the consumer in the verifiable consumer request to any personal information previously collected by the business about the consumer.
(ii) Identify by category or categories the personal information collected about the consumer for the applicable period of time by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information collected; the categories of sources from which the consumer’s personal information was collected; the business or commercial purpose for collecting, selling, or sharing the consumer’s personal information; and the categories of third parties to whom the business discloses the consumer’s personal information.
(iii) Provide the specific pieces of personal information obtained from the consumer in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format that may also be transmitted to another entity at the consumer’s request without hindrance. “Specific pieces of information” do not include data generated to help ensure security and integrity or as prescribed by regulation. Personal information is not considered to have been disclosed by a business when a consumer instructs a business to transfer the consumer’s personal information from one business to another in the context of switching services.
(4) For purposes of subdivision (b) of Section 1798.115:
(A) Identify the consumer and associate the information provided by the consumer in the verifiable consumer request to any personal information previously collected by the business about the consumer.
(B) Identify by category or categories the personal information of the consumer that the business sold or shared during the applicable period of time by reference to the enumerated category in subdivision (c) that most closely describes the personal information, and provide the categories of third parties to whom the consumer’s personal information was sold or shared during the applicable period of time by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information sold or shared. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (C).
(C) Identify by category or categories the personal information of the consumer that the business disclosed for a business purpose during the applicable period of time by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information, and provide the categories of persons to whom the consumer’s personal information was disclosed for a business purpose during the applicable period of time by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information disclosed. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (B).
(5) Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers’ privacy rights, or if the business does not maintain those policies, on its internet website, and update that information at least once every 12 months:
(A) A description of a consumer’s rights pursuant to Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, and 1798.125 and two or more designated methods for submitting requests, except as provided in subparagraph (A) of paragraph of subdivision (a).
(B) For purposes of subdivision (c) of Section 1798.110:
(i) A list of the categories of personal information it has collected about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information collected.
(ii) The categories of sources from which consumers’ personal information is collected.
(iii) The business or commercial purpose for collecting, selling, or sharing consumers’ personal information.
(iv) The categories of third parties to whom the business discloses consumers’ personal information.
(C) For purposes of paragraphs (1) and (2) of subdivision (c) of Section 1798.115, two separate lists:
(i) A list of the categories of personal information it has sold or shared about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information sold or shared, or if the business has not sold or shared consumers’ personal information in the preceding 12 months, the business shall prominently disclose that fact in its privacy policy.
(ii) A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely describes the personal information disclosed, or if the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business shall disclose that fact.
(6) Ensure that all individuals responsible for handling consumer inquiries about the business’ privacy practices or the business’ compliance with this title are informed of all requirements in Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.125, and this section, and how to direct consumers to exercise their rights under those sections.
(7) Use any personal information collected from the consumer in connection with the business’ verification of the consumer’s request solely for the purposes of verification and shall not further disclose the personal information, retain it longer than necessary for purposes of verification, or use it for unrelated purposes.
(b) A business is not obligated to provide the information required by Sections 1798.110 and 1798.115 to the same consumer more than twice in a 12-month period.
(c) The categories of personal information required to be disclosed pursuant to Sections 1798.100, 1798.110, and 1798.115 shall follow the definitions of personal information and sensitive personal information in Section 1798.140 by describing the categories of personal information using the specific terms set forth in subparagraphs (A) to (K), inclusive, of paragraph (1) of subdivision (v) of Section 1798.140 and by describing the categories of sensitive personal information using the specific terms set forth in paragraphs (1) to (9), inclusive, of subdivision (ae) of Section 1798.140.
1798.135. Methods of Limiting Sale, Sharing, and Use of Personal Information and Use of Sensitive Personal Information
(a) A business that sells or shares consumers’ personal information or uses or discloses consumers’ sensitive personal information for purposes other than those authorized by subdivision (a) of Section 1798.121 shall, in a form that is reasonably accessible to consumers:
(1) Provide a clear and conspicuous link on the business’s internet homepages, titled “Do Not Sell or Share My Personal Information,” to an internet web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale or sharing of the consumer’s personal information.
(2) Provide a clear and conspicuous link on the business’ internet homepages, titled “Limit the Use of My Sensitive Personal Information,” that enables a consumer, or a person authorized by the consumer, to limit the use or disclosure of the consumer’s sensitive personal information to those uses authorized by subdivision (a) of Section 1798.121.
(3) At the business’ discretion, utilize a single, clearly labeled link on the business’ internet homepages, in lieu of complying with paragraphs (1) and (2), if that link easily allows a consumer to opt out of the sale or sharing of the consumer’s personal information and to limit the use or disclosure of the consumer’s sensitive personal information.
(b) (1) A business shall not be required to comply with subdivision (a) if the business allows consumers to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information through an opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism, based on technical specifications set forth in regulations adopted pursuant to paragraph (20) of subdivision (a) of Section 1798.185, to the business indicating the consumer’s intent to opt out of the business’ sale or sharing of the consumer’s personal information or to limit the use or disclosure of the consumer’s sensitive personal information, or both.
(2) A business that allows consumers to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information pursuant to paragraph (1) may provide a link to a web page that enables the consumer to consent to the business ignoring the opt-out preference signal with respect to that business’ sale or sharing of the consumer’s personal information or the use of the consumer’s sensitive personal information for additional purposes provided that:
(A) The consent web page also allows the consumer or a person authorized by the consumer to revoke the consent as easily as it is affirmatively provided.
Conclusion
While the text of the CPRA extends beyond what has been included here, the rest of the law’s text contains some definitions, exceptions, provisions on information security breaches, and some information about enforcement and remediation. The main parts of the law that pertain to the requirements of the CPRA have been included here.
As you may have noticed, the text of the CPRA is quite dense and difficult to read. In my opinion, it is also redundant in many parts. In contrast to the European Union’s GDPR law, which is actually a far more strict law with regard to data privacy, the CPRA is significantly harder to understand. Perhaps this is not an accident? In my opinion, it could be made much simpler to understand for the average person (whose privacy the law is supposed to protect) who is not accustomed to reading complex legalese.
To date, the CPRA is the strictest U.S. privacy law to be enacted. As of this writing, no U.S. federal privacy law has been passed, but several other state laws have either already been passed or will be passed in the near future. Watch this space.