FULL TEXT: Draft Rules for the California Consumer Privacy Act (CCPA)

TITLE 11. LAW

DIVISION 1. ATTORNEY GENERAL

CHAPTER 20. CALIFORNIA CONSUMER PRIVACY ACT REGULATIONS PROPOSED TEXT OF REGULATIONS

Article 1. General Provisions

§ 999.300. Title and Scope

(a) This Chapter shall be known as the California Consumer Privacy Act Regulations. It may be cited as such and will be referred to in this Chapter as “these regulations.” These regulations govern compliance with the California Consumer Privacy Act and do not limit any other rights that consumers may have.

(b) A violation of these regulations shall constitute a violation of the CCPA, and be subject to the remedies provided for therein.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100-1798.199, Civil Code.

§ 999.301. Definitions

In addition to the definitions set forth in Civil Code section 1798.140, for purposes of these regulations:

(a) “Affirmative authorization” means an action that demonstrates the intentional decision by the consumer to opt-in to the sale of personal information. Within the context of a parent or guardian acting on behalf of a child under 13, it means that the parent or guardian has provided consent to the sale of the child’s personal information in accordance with the methods set forth in section 999.330. For consumers 13 years and older, it is demonstrated through a two-step process whereby the consumer shall first clearly request to opt-in and then, second, separately confirm their choice to opt-in.

(b) “Attorney General” means the California Attorney General or any officer or employee of the California Department of Justice acting under the authority of the California Attorney General.

(c) “Authorized agent” means a natural person or a business entity registered with the Secretary of State that a consumer has authorized to act on their behalf subject to the requirements set forth in section 999.326.

(d) “Categories of sources” means types of entities from which a business collects personal information about consumers, including but not limited to the consumer directly, government entities from which public records are obtained, and consumer data resellers.

(e) “Categories of third parties” means types of entities that do not collect personal information directly from consumers, including but not limited to advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and consumer data resellers.

(f) “CCPA” means the California Consumer Privacy Act of 2018, Civil Code sections 1798.100 et seq.

(g) “Financial incentive” means a program, benefit, or other offering, including payments to consumers as compensation, for the disclosure, deletion, or sale of personal information.

(h) “Household” means a person or group of people occupying a single dwelling.

(i) “Notice at collection” means the notice given by a business to a consumer at or before the time a business collects personal information from the consumer as required by Civil Code section 1798.100(b) and specified in these regulations.

(j) “Notice of right to opt-out” means the notice given by a business informing consumers of their right to opt-out of the sale of their personal information as required by Civil Code sections 1798.120 and 1798.135 and specified in these regulations.

(k) “Notice of financial incentive” means the notice given by a business explaining each financial incentive or price or service difference subject to Civil Code section 1798.125(b) as required by that section and specified in these regulations.

(l) “Price or service difference” means (1) any difference in the price or rate charged for any goods or services to any consumer, including through the use of discounts, financial payments, or other benefits or penalties; or (2) any difference in the level or quality of any goods or services offered to any consumer, including denial of goods or services to the consumer.

(m) “Privacy policy” means the policy referred to in Civil Code section 1798.130(a)(5), and means the statement that a business shall make available to consumers describing the business’s practices, both online and offline, regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their own personal information.

(n) “Request to know” means a consumer request that a business disclose personal information that it has about the consumer pursuant to Civil Code sections 1798.100, 1798.110, or 1798.115. It includes a request for any or all of the following:

  • (1) Specific pieces of personal information that a business has about the consumer;

  • (2) Categories of personal information it has collected about the consumer;

  • (3) Categories of sources from which the personal information is collected;

  • (4) Categories of personal information that the business sold or disclosed for a business purpose about the consumer;

  • (5) Categories of third parties to whom the personal information was sold or disclosed for a business purpose; and

  • (6) The business or commercial purpose for collecting or selling personal information.

(o) “Request to delete” means a consumer request that a business delete personal information about the consumer that the business has collected from the consumer, pursuant to Civil Code section 1798.105.

(p) “Request to opt-out” means a consumer request that a business not sell the consumer’s personal information to third parties, pursuant to Civil Code section 1798.120(a).

(q) “Request to opt-in” means the affirmative authorization that the business may sell personal information about the consumer required by Civil Code section 1798.120(c) by a parent or guardian of a consumer less than 13 years of age, or by a consumer who had previously opted out of the sale of their personal information.

(r) “Third-party identity verification service” means a security process offered by an independent third party who verifies the identity of the consumer making a request to the business. Third-party verification services are subject to the requirements set forth in Article 4 regarding requests to know and requests to delete.

(s) “Typical consumer” means a natural person residing in the United States.

(t) “URL” stands for Uniform Resource Locator and refers to the web address of a specific website.

(u) “Verify” means to determine that the consumer making a request to know or request to delete is the consumer about whom the business has collected information.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100-1798.199, Civil Code.

Article 2. Notices to Consumers

§ 999.305. Notice at Collection of Personal Information

(a) Purpose and General Principles

  • (1) The purpose of the notice at collection is to inform consumers at or before the time of collection of a consumer’s personal information of the categories of personal information to be collected from them and the purposes for which the categories of personal information will be used.

  • (2) The notice at collection shall be designed and presented to the consumer in a way that is easy to read and understandable to an average consumer. The notice shall:

    • a. Use plain, straightforward language and avoid technical or legal jargon.

    • b. Use a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, if applicable.

    • c. Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers.

    • d. Be accessible to consumers with disabilities. At a minimum, provide information on how a consumer with a disability may access the notice in an alternative format.

    • e. Be visible or accessible where consumers will see it before any personal information is collected. For example, when a business collects consumers’ personal information online, it may conspicuously post a link to the notice on the business’s website homepage or the mobile application’s download page, or on all webpages where personal information is collected. When a business collects consumers’ personal information offline, it may, for example, include the notice on printed forms that collect personal information, provide the consumer with a paper version of the notice, or post prominent signage directing consumers to the web address where the notice can be found.

  • (3) A business shall not use a consumer’s personal information for any purpose other than those disclosed in the notice at collection. If the business intends to use a consumer’s personal information for a purpose that was not previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.

  • (4) A business shall not collect categories of personal information other than those disclosed in the notice at collection. If the business intends to collect additional categories of personal information, the business shall provide a new notice at collection.

  • (5) If a business does not give the notice at collection to the consumer at or before the collection of their personal information, the business shall not collect personal information from the consumer.

(b) A business shall include the following in its notice at collection:

  • (1) A list of the categories of personal information about consumers to be collected. Each category of personal information shall be written in a manner that provides consumers a meaningful understanding of the information being collected.

  • (2) For each category of personal information, the business or commercial purpose(s) for which it will be used.

  • (3) If the business sells personal information, the link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info” required by section 999.315(a), or in the case of offline notices, the web address for the webpage to which it links.

  • (4) A link to the business’s privacy policy, or in the case of offline notices, the web address of the business’s privacy policy.

(c) If a business collects personal information from a consumer online, the notice at collection may be given to the consumer by providing a link to the section of the business’s privacy policy that contains the information required in subsection (b).

(d) A business that does not collect information directly from consumers does not need to provide a notice at collection to the consumer, but before it can sell a consumer’s personal information, it shall do either of the following:

  • (1) Contact the consumer directly to provide notice that the business sells personal information about the consumer and provide the consumer with a notice of right to opt-out in accordance with section 999.306; or

  • (2) Contact the source of the personal information to:

    • a. Confirm that the source provided a notice at collection to the consumer in accordance with subsections (a) and (b); and

    • b. Obtain signed attestations from the source describing how the source gave the notice at collection and including an example of the notice. Attestations shall be retained by the business for at least two years and made available to the consumer upon request.

Note: Authority: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.115, and 1798.185, Civil Code.

§ 999.306. Notice of Right to Opt-Out of Sale of Personal Information

(a) Purpose and General Principles

  • (1) The purpose of the notice of right to opt-out of sale of personal information is to inform consumers of their right to direct a business that sells (or may in the future sell) their personal information to stop selling their personal information, and to refrain from doing so in the future.

  • (2) The notice of right to opt-out shall be designed and presented to the consumer in a way that is easy to read and understandable to an average consumer. The notice shall:

    • a. Use plain, straightforward language and avoid technical or legal jargon.

    • b. Use a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, if applicable.

    • c. Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers.

    • d. Be accessible to consumers with disabilities. At a minimum, provide information on how a consumer with a disability may access the notice in an alternative format.

(b) A business that sells the personal information of a consumer shall provide a notice of right to opt-out to the consumer as follows:

  • (1) A business shall post the notice of right to opt-out on the Internet webpage to which the consumer is directed after clicking on the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link on the website homepage or the download or landing page of a mobile application. The notice shall include the information specified in subsection (c) or link to the section of the business’s privacy policy that contains the same information.

  • (2) A business that substantially interacts with consumers offline shall also provide notice to the consumer by an offline method that facilitates consumer awareness of their right to opt-out. Such methods include, but are not limited to, printing the notice on paper forms that collect personal information, providing the consumer with a paper version of the notice, and posting signage directing consumers to a website where the notice can be found.

  • (3) A business that does not operate a website shall establish, document, and comply with another method by which it informs consumers of their right to direct a business that sells their personal information to stop selling their personal information. That method shall comply with the requirements set forth in subsection (a)(2).

(c) A business shall include the following in its notice of right to opt-out:

  • (1) A description of the consumer’s right to opt-out of the sale of their personal information by the business;

  • (2) The webform by which the consumer can submit their request to opt-out online, as required by Section 999.315(a), or if the business does not operate a website, the offline method by which the consumer can submit their request to opt-out;

  • (3) Instructions for any other method by which the consumer may submit their request to opt-out;

  • (4) Any proof required when a consumer uses an authorized agent to exercise their right to opt-out, or in the case of a printed form containing the notice, a webpage, online location, or URL where consumers can find information about authorized agents; and

  • (5) A link or the URL to the business’s privacy policy, or in the case of a printed form containing the notice, the URL of the webpage where consumers can access the privacy policy.

(d) A business is exempt from providing a notice of right to opt-out if:

  • (1) It does not, and will not, sell personal information collected during the time period during which the notice of right to opt-out is not posted; and

  • (2) It states in its privacy policy that it does not and will not sell personal information. A consumer whose personal information is collected while a notice of right to opt-out is not posted shall be deemed to have validly submitted a request to opt-out.

(e) Opt-Out Button or Logo

  • (1) The following opt-out button or logo may be used in addition to posting the notice of right to opt-out, but not in lieu of any posting of the notice. [BUTTON OR LOGO TO BE ADDED IN A MODIFIED VERSION OF THE REGULATIONS AND MADE AVAILABLE FOR PUBLIC COMMENT.]

  • (2) This opt-out button or logo shall link to a webpage or online location containing the information specified in section 999.306(c), or to the section of the business’s privacy policy that contains the same information.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135 and 1798.185, Civil Code.

§ 999.307. Notice of Financial Incentive

(a) Purpose and General Principles

  • (1) The purpose of the notice of financial incentive is to explain to the consumer each financial incentive or price or service difference a business may offer in exchange for the retention or sale of a consumer’s personal information so that the consumer may make an informed decision on whether to participate.

  • (2) The notice of financial incentive shall be designed and presented to the consumer in a way that is easy to read and understandable to an average consumer. The notice shall:

    • a. Use plain, straightforward language and avoid technical or legal jargon.

    • b. Use a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, if applicable.

    • c. Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers.

    • d. Be accessible to consumers with disabilities. At a minimum, provide information on how a consumer with a disability may access the notice in an alternative format.

    • e. Be available online or at another physical location where consumers will see it before opting into the financial incentive or price or service difference.

  • (3) If the business offers the financial incentive or price or service difference online, the notice may be given by providing a link to the section of a business’s privacy policy that contains the information required in subsection (b).

(b) A business shall include the following in its notice of financial incentive:

  • (1) A succinct summary of the financial incentive or price or service difference offered;

  • (2) A description of the material terms of the financial incentive or price or service difference, including the categories of personal information that are implicated by the financial incentive or price or service difference;

  • (3) How the consumer can opt-in to the financial incentive or price or service difference;

  • (4) Notification of the consumer’s right to withdraw from the financial incentive at any time and how the consumer may exercise that right; and

  • (5) An explanation of why the financial incentive or price or service difference is permitted under the CCPA, including:

    • a. A good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive or price or service difference; and

    • b. A description of the method the business used to calculate the value of the consumer’s data.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.125 and 1798.130, Civil Code.

§ 999.308. Privacy Policy

(a) Purpose and General Principles

  • (1) The purpose of the privacy policy is to provide the consumer with a comprehensive description of a business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information. The privacy policy shall not contain specific pieces of personal information about individual consumers and need not be personalized for each consumer.

  • (2) The privacy policy shall be designed and presented in a way that is easy to read and understandable to an average consumer. The notice shall:

    • a. Use plain, straightforward language and avoid technical or legal jargon.

    • b. Use a format that makes the policy readable, including on smaller screens, if applicable.

    • c. Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers.

    • d. Be accessible to consumers with disabilities. At a minimum, provide information on how a consumer with a disability may access the policy in an alternative format.

    • e. Be available in an additional format that allows a consumer to print it out as a separate document.

  • (3) The privacy policy shall be posted online through a conspicuous link using the word “privacy,” on the business’s website homepage or on the download or landing page of a mobile application. If the business has a California-specific description of consumers’ privacy rights on its website, then the privacy policy shall be included in that description. A business that does not operate a website shall make the privacy policy conspicuously available to consumers.

(b) The privacy policy shall include the following information:

  • (1) Right to Know About Personal Information Collected, Disclosed, or Sold

    • a. Explain that a consumer has the right to request that the business disclose what personal information it collects, uses, discloses, and sells.

    • b. Provide instructions for submitting a verifiable consumer request to know and provide links to an online request form or portal for making the request, if offered by the business.

    • c. Describe the process the business will use to verify the consumer request, including any information the consumer must provide.

    • d. Collection of Personal Information

      • 1. List the categories of consumers’ personal information the business has collected about consumers in the preceding 12 months. The notice shall be written in a manner that provides consumers a meaningful understanding of the information being collected.

      • 2. For each category of personal information collected, provide the categories of sources from which that information was collected, the business or commercial purpose(s) for which the information was collected, and the categories of third parties with whom the business shares personal information. The notice shall be written in a manner that provides consumers a meaningful understanding of the categories listed.

    • e. Disclosure or Sale of Personal Information

      • 1. State whether or not the business has disclosed or sold any personal information to third parties for a business or commercial purpose in the preceding 12 months.

      • 2. List the categories of personal information, if any, that it disclosed or sold to third parties for a business or commercial purpose in the preceding 12 months.

      • 3. State whether or not the business sells the personal information of minors under 16 years of age without affirmative authorization.

  • (2) Right to Request Deletion of Personal Information

    • a. Explain that the consumer has a right to request the deletion of their personal information collected or maintained by the business.

    • b. Provide instructions for submitting a verifiable consumer request to delete and provide links to an online request form or portal for making the request, if offered by the business.

    • c. Describe the process the business will use to verify the consumer request, including any information the consumer must provide.

  • (3) Right to Opt-Out of the Sale of Personal Information

    • a. Explain that the consumer has a right to opt-out of the sale of their personal information by a business.

    • b. Include the contents of the notice of right to opt-out or a link to it in accordance with section 999.306.

  • (4) Right to Non-Discrimination for the Exercise of a Consumer’s Privacy Rights

    • a. Explain that the consumer has a right not to receive discriminatory treatment by the business for the exercise of the privacy rights conferred by the CCPA.

  • (5) Authorized Agent

    • a. Explain how a consumer can designate an authorized agent to make a request under the CCPA on the consumer’s behalf.

  • (6) Contact for More Information: Provide consumers with a contact for questions or concerns about the business’s privacy policies and practices using a method reflecting the manner in which the business primarily interacts with the consumer.

  • (7) Date the privacy policy was last updated.

  • (8) If subject to the requirements set forth in section 999.317(g), the information compiled in section 999.317(g)(1) or a link to it.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.105, 1798.115, 1798.120, 1798.125 and 1798.130, Civil Code.

Article 3. Business Practices for Handling Consumer Requests

§ 999.312. Methods for Submitting Requests to Know and Requests to Delete

(a) A business shall provide two or more designated methods for submitting requests to know, including, at a minimum, a toll-free telephone number, and if the business operates a website, an interactive webform accessible through the business’s website or mobile application. Other acceptable methods for submitting these requests include, but are not limited to, a designated email address, a form submitted in person, and a form submitted through the mail.

(b) A business shall provide two or more designated methods for submitting requests to delete. Acceptable methods for submitting these requests include, but are not limited to, a toll-free phone number, a link or form available online through a business’s website, a designated email address, a form submitted in person, and a form submitted through the mail.

(c) A business shall consider the methods by which it interacts with consumers when determining which methods to provide for submitting requests to know and requests to delete. At least one method offered shall reflect the manner in which the business primarily interacts with the consumer, even if it requires a business to offer three methods for submitting requests to know. Illustrative examples follow:

  • (1) Example 1: If the business is an online retailer, at least one method by which the consumer may submit requests should be through the business’s retail website.

  • (2) Example 2: If the business operates a website but primarily interacts with customers in person at a retail location, the business shall offer three methods to submit requests to know—a toll-free telephone number, an interactive webform accessible through the business’s website, and a form that can be submitted in person at the retail location.

(d) A business shall use a two-step process for online requests to delete where the consumer must first clearly submit the request to delete and then, second, separately confirm that they want their personal information deleted.

(e) If a business does not interact directly with consumers in its ordinary course of business, at least one method by which a consumer may submit requests to know or requests to delete shall be online, such as through the business’s website or a link posted on the business’s website.

(f) If a consumer submits a request in a manner that is not one of the designated methods of submission, or is deficient in some manner unrelated to the verification process, the business shall either:

  • (1) Treat the request as if it had been submitted in accordance with the business’s designated manner, or

  • (2) Provide the consumer with specific directions on how to submit the request or remedy any deficiencies with the request, if applicable.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, 1798.140, and 1798.185, Civil Code.

§ 999.313. Responding to Requests to Know and Requests to Delete

(a) Upon receiving a request to know or a request to delete, a business shall confirm receipt of the request within 10 days and provide information about how the business will process the request. The information provided shall describe the business’s verification process and when the consumer should expect a response, except in instances where the business has already granted or denied the request.

(b) Businesses shall respond to requests to know and requests to delete within 45 days. The 45-day period will begin on the day that the business receives the request, regardless of time required to verify the request. If necessary, businesses may take up to an additional 45 days to respond to the consumer’s request, for a maximum total of 90 days from the day the request is received, provided that the business provides the consumer with notice and an explanation of the reason that the business will take more than 45 days to respond to the request.

(c) Responding to Requests to Know

  • (1) For requests that seek the disclosure of specific pieces of information about the consumer, if a business cannot verify the identity of the person making the request pursuant to the regulations set forth in Article 4, the business shall not disclose any specific pieces of personal information to the requestor and shall inform the consumer that it cannot verify their identity. If the request is denied in whole or in part, the business shall also evaluate the consumer’s request as if it is seeking the disclosure of categories of personal information about the consumer pursuant to subsection (c)(2).

  • (2) For requests that seek the disclosure of categories of personal information about the consumer, if a business cannot verify the identity of the person making the request pursuant to the regulations set forth in Article 4, the business may deny the request to disclose the categories and other information requested and shall inform the requestor that it cannot verify their identity. If the request is denied in whole or in part, the business shall provide or direct the consumer to its general business practices regarding the collection, maintenance, and sale of personal information set forth in its privacy policy.

  • (3) A business shall not provide a consumer with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the security of the business’s systems or networks.

  • (4) A business shall not at any time disclose a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers.

  • (5) If a business denies a consumer’s verified request to know specific pieces of personal information, in whole or in part, because of a conflict with federal or state law, or an exception to the CCPA, the business shall inform the requestor and explain the basis for the denial. If the request is denied only in part, the business shall disclose the other information sought by the consumer.

  • (6) A business shall use reasonable security measures when transmitting personal information to the consumer.

  • (7) If a business maintains a password-protected account with the consumer, it may comply with a request to know by using a secure self-service portal for consumers to access, view, and receive a portable copy of their personal information if the portal fully discloses the personal information that the consumer is entitled to under the CCPA and these regulations, uses reasonable data security controls, and complies with the verification requirements set forth in Article 4.

  • (8) Unless otherwise specified, the 12-month period covered by a consumer’s verifiable request to know referenced in Civil Code section 1798.130(a)(2) shall run from the date the business receives the request, regardless of the time required to verify the request.

  • (9) In responding to a consumer’s verified request to know categories of personal information, categories of sources, and/or categories of third parties, a business shall provide an individualized response to the consumer as required by the CCPA. It shall not refer the consumer to the business’s general practices outlined in its privacy policy unless its response would be the same for all consumers and the privacy policy discloses all the information that is otherwise required to be in a response to a request to know such categories.

  • (10) In responding to a verified request to know categories of personal information, the business shall provide for each identified category of personal information it has collected about the consumer:

    • a. The categories of sources from which the personal information was collected;

    • b. The business or commercial purpose for which it collected the personal information;

    • c. The categories of third parties to whom the business sold or disclosed the category of personal information for a business purpose; and

    • d. The business or commercial purpose for which it sold or disclosed the category of personal information.

  • (11) A business shall identify the categories of personal information, categories of sources of personal information, and categories of third parties to whom a business sold or disclosed personal information, in a manner that provides consumers a meaningful understanding of the categories listed.

(d) Responding to Requests to Delete

  • (1) For requests to delete, if a business cannot verify the identity of the requestor pursuant to the regulations set forth in Article 4, the business may deny the request to delete. The business shall inform the requestor that their identity cannot be verified and shall instead treat the request as a request to opt-out of sale.

  • (2) A business shall comply with a consumer’s request to delete their personal information by:

    • a. Permanently and completely erasing the personal information on its existing systems with the exception of archived or back-up systems;

    • b. De-identifying the personal information; or

    • c. Aggregating the personal information.

  • (3) If a business stores any personal information on archived or backup systems, it may delay compliance with the consumer’s request to delete, with respect to data stored on the archived or backup system, until the archived or backup system is next accessed or used.

  • (4) In its response to a consumer’s request to delete, the business shall specify the manner in which it has deleted the personal information.

  • (5) In responding to a request to delete, a business shall disclose that it will maintain a record of the request pursuant to Civil Code section 1798.105(d).

  • (6) In cases where a business denies a consumer’s request to delete the business shall do all of the following:

    • a. Inform the consumer that it will not comply with the consumer’s request and describe the basis for the denial, including any statutory and regulatory exception therefor;

    • b. Delete the consumer’s personal information that is not subject to the exception; and

    • c. Not use the consumer’s personal information retained for any other purpose than provided for by that exception.

  • (7) In responding to a request to delete, a business may present the consumer with the choice to delete select portions of their personal information only if a global option to delete all personal information is also offered, and more prominently presented than the other choices. The business shall still use a two-step confirmation process where the consumer confirms their selection as required by section 999.312(d).

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.185, Civil Code.

§ 999.314. Service Providers

(a) To the extent that a person or entity provides services to a person or organization that is not a business, and would otherwise meet the requirements of a “service provider” under Civil Code section 1798.140(v), that person or entity shall be deemed a service provider for purposes of the CCPA and these regulations.

(b) To the extent that a business directs a person or entity to collect personal information directly from a consumer on the business’s behalf, and would otherwise meet all other requirements of a “service provider” under Civil Code section 1798.140(v), that person or entity shall be deemed a service provider for purposes of the CCPA and these regulations.

(c) A service provider shall not use personal information received either from a person or entity it services or from a consumer’s direct interaction with the service provider for the purpose of providing services to another person or entity. A service provider may, however, combine personal information received from one or more entities to which it is a service provider, on behalf of such businesses, to the extent necessary to detect data security incidents, or protect against fraudulent or illegal activity.

(d) If a service provider receives a request to know or a request to delete from a consumer regarding personal information that the service provider collects, maintains, or sells on behalf of the business it services, and does not comply with the request, it shall explain the basis for the denial. The service provider shall also inform the consumer that it should submit the request directly to the business on whose behalf the service provider processes the information and, when feasible, provide the consumer with contact information for that business.

(e) A service provider that is a business shall comply with the CCPA and these regulations with regard to any personal information that it collects, maintains, or sells outside of its role as a service provider.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, 1798.140, and 1798.185, Civil Code.

§ 999.315. Requests to Opt-Out

(a) A business shall provide two or more designated methods for submitting requests to opt-out, including, at a minimum, an interactive webform accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information,” or “Do Not Sell My Info,” on the business’s website or mobile application. Other acceptable methods for submitting these requests include, but are not limited to, a toll-free phone number, a designated email address, a form submitted in person, a form submitted through the mail, and user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information.

(b) A business shall consider the methods by which it interacts with consumers when determining which methods consumers may use to submit requests to opt-out, the manner in which the business sells personal information to third parties, available technology, and ease of use by the average consumer. At least one method offered shall reflect the manner in which the business primarily interacts with the consumer.

(c) If a business collects personal information from consumers online, the business shall treat user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted pursuant to Civil Code section 1798.120 for that browser or device, or, if known, for the consumer.

(d) In responding to a request to opt-out, a business may present the consumer with the choice to opt-out of sales of certain categories of personal information as long as a global option to opt-out of the sale of all personal information is more prominently presented than the other choices.

(e) Upon receiving a request to opt-out, a business shall act upon the request as soon as feasibly possible, but no later than 15 days from the date the business receives the request.

(f) A business shall notify all third parties to whom it has sold the personal information of the consumer within 90 days prior to the business’s receipt of the consumer’s request that the consumer has exercised their right to opt-out and instruct them not to further sell the information. The business shall notify the consumer when this has been completed.

(g) A consumer may use an authorized agent to submit a request to opt-out on the consumer’s behalf if the consumer provides the authorized agent written permission to do so. A business may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on the consumer’s behalf. User-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information shall be considered a request directly from the consumer, not through an authorized agent.

(h) A request to opt-out need not be a verifiable consumer request. If a business, however, has a good-faith, reasonable, and documented belief that a request to opt-out is fraudulent, the business may deny the request. The business shall inform the requesting party that it will not comply with the request and shall provide an explanation why it believes the request is fraudulent.

Note: Authority cited: Sections 1798.135 and 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135, 1798.140, and 1798.185, Civil Code.

§ 999.316. Requests to Opt-In After Opting Out of the Sale of Personal Information

(a) Requests to opt-in to the sale of personal information shall use a two-step opt-in process whereby the consumer shall first, clearly request to opt-in and then second, separately confirm their choice to opt-in.

(b) A business may inform a consumer who has opted-out when a transaction requires the sale of their personal information as a condition of completing the transaction, along with instructions on how the consumer can opt-in.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135, and 1798.185, Civil Code.

§ 999.317. Training; Record-Keeping

(a) All individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA shall be informed of all the requirements in the CCPA and these regulations and how to direct consumers to exercise their rights under the CCPA and these regulations.

(b) A business shall maintain records of consumer requests made pursuant to the CCPA and how the business responded to said requests for at least 24 months.

(c) The records may be maintained in a ticket or log format provided that the ticket or log includes the date of request, nature of request, manner in which the request was made, the date of the business’s response, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part.

(d) A business’s maintenance of the information required by this section, where that information is not used for any other purpose, does not, taken alone, violate the CCPA or these regulations.

(e) Information maintained for record-keeping purposes shall not be used for any other purpose.

(f) Aside from this record-keeping purpose, a business is not required to retain personal information solely for the purpose of fulfilling a consumer request made under the CCPA.

(g) A business that alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 4,000,000 or more consumers, shall:

  • (1) Compile the following metrics for the previous calendar year:

    • a. The number of requests to know that the business received, complied with in whole or in part, and denied;

    • b. The number of requests to delete that the business received, complied with in whole or in part, and denied;

    • c. The number of requests to opt-out that the business received, complied with in whole or in part, and denied; and

    • d. The median number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.

  • (2) Disclose the information compiled in subsection (g)(1) within their privacy policy or posted on their website and accessible from a link included in their privacy policy.

  • (3) Establish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests or the business’s compliance with the CCPA are informed of all the requirements in these regulations and the CCPA.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.120, 1798.130, 1798.135, and 1798.185, Civil Code.

§ 999.318. Requests to Access or Delete Household Information

(a) Where a consumer does not have a password-protected account with a business, a business may respond to a request to know or request to delete as it pertains to household personal information by providing aggregate household information, subject to verification requirements set forth in Article 4.

(b) If all consumers of the household jointly request access to specific pieces of information for the household or the deletion of household personal information, and the business can individually verify all the members of the household subject to verification requirements set forth in Article 4, then the business shall comply with the request.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.120, 1798.130, 1798.140, and 1798.185, Civil Code.

Article 4. Verification of Requests

§ 999.323. General Rules Regarding Verification

(a) A business shall establish, document, and comply with a reasonable method for verifying that the person making a request to know or a request to delete is the consumer about whom the business has collected information.

(b) In determining the method by which the business will verify the consumer’s identity, the business shall:

  • (1) Whenever feasible, match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, or use a third-party identity verification service that complies with this section.

  • (2) Avoid collecting the types of personal information identified in Civil Code section 1798.81.5(d), unless necessary for the purpose of verifying the consumer.

  • (3) Consider the following factors:

    • a. The type, sensitivity, and value of the personal information collected and maintained about the consumer. Sensitive or valuable personal information shall warrant a more stringent verification process. The types of personal information identified in Civil Code section 1798.81.5(d) shall be considered presumptively sensitive;

    • b. The risk of harm to the consumer posed by any unauthorized access or deletion. A greater risk of harm to the consumer by unauthorized access or deletion shall warrant a more stringent verification process;

    • c. The likelihood that fraudulent or malicious actors would seek the personal information. The higher the likelihood, the more stringent the verification process shall be;

    • d. Whether the personal information to be provided by the consumer to verify their identity is sufficiently robust to protect against fraudulent requests or being spoofed or fabricated;

    • e. The manner in which the business interacts with the consumer; and

    • f. Available technology for verification.

(c) A business shall generally avoid requesting additional information from the consumer for purposes of verification. If, however, the business cannot verify the identity of the consumer from the information already maintained by the business, the business may request additional information from the consumer, which shall only be used for the purposes of verifying the identity of the consumer seeking to exercise their rights under the CCPA, and for security or fraud-prevention purposes. The business shall delete any new personal information collected for the purposes of verification as soon as practical after processing the consumer’s request, except as required to comply with section 999.317.

(d) A business shall implement reasonable security measures to detect fraudulent identity-verification activity and prevent the unauthorized access to or deletion of a consumer’s personal information.

(e) If a business maintains consumer information that is de-identified, a business is not obligated to provide or delete this information in response to a consumer request or to re-identify individual data to verify a consumer request.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, 1798.140, and 1798.185, Civil Code.

§ 999.324. Verification for Password-Protected Accounts

(a) If a business maintains a password-protected account with the consumer, the business may verify the consumer’s identity through the business’s existing authentication practices for the consumer’s account, provided that the business follows the requirements in section 999.323. The business shall also require a consumer to re-authenticate themselves before disclosing or deleting the consumer’s data.

(b) If a business suspects fraudulent or malicious activity on or from the password-protected account, the business shall not comply with a consumer’s request to know or request to delete until further verification procedures determine that the consumer request is authentic and the consumer making the request is the person about whom the business has collected information. The business may use the procedures set forth in section 999.325 to further verify the identity of the consumer.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.185, Civil Code.

§ 999.325. Verification for Non-Accountholders

(a) If a consumer does not have or cannot access a password-protected account with the business, the business shall comply with subsections (b) through (g) of this section, in addition to section 999.323.

(b) A business’s compliance with a request to know categories of personal information requires that the business verify the identity of the consumer making the request to a reasonable degree of certainty. A reasonable degree of certainty may include matching at least two data points provided by the consumer with data points maintained by the business, which the business has determined to be reliable for the purpose of verifying the consumer.

(c) A business’s compliance with a request to know specific pieces of personal information requires that the business verify the identity of the consumer making the request to a reasonably high degree of certainty, which is a higher bar for verification. A reasonably high degree of certainty may include matching at least three pieces of personal information provided by the consumer with personal information maintained by the business that it has determined to be reliable for the purpose of verifying the consumer together with a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. Businesses shall maintain all signed declarations as part of their record-keeping obligations.

(d) A business’s compliance with a request to delete may require that the business verify the identity of the consumer to a reasonable degree or a reasonably high degree of certainty depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion. For example, the deletion of family photographs and documents may require a reasonably high degree of certainty, while the deletion of browsing history may require a reasonable degree of certainty. A business shall act in good faith when determining the appropriate standard to apply when verifying the consumer in accordance with the regulations set forth in Article 4.

(e) Illustrative scenarios follow:

  • (1) If a business maintains personal information in a manner associated with a named actual person, the business may verify the consumer by requiring the consumer to provide evidence that matches the personal information maintained by the business. For example, if the business maintains the consumer’s name and credit card number, the business may require the consumer to provide the credit card’s security code and to identify a recent purchase made with the credit card in order to verify their identity to a reasonable degree of certainty.

  • (2) If a business maintains personal information in a manner that is not associated with a named actual person, the business may verify the consumer by requiring the consumer to demonstrate that they are the sole consumer associated with the non-name identifying information. This may require the business to conduct a fact-based verification process that considers the factors set forth in section 999.323(b)(3).

(f) If there is no reasonable method by which a business can verify the identity of the consumer to the degree of certainty required by this section, the business shall state so in response to any request and, if this is the case for all consumers whose personal information the business holds, in the business’s privacy policy. The business shall also explain why it has no reasonable method by which it can verify the identity of the requestor. The business shall evaluate on a yearly basis whether such a method can be established and shall document its evaluation.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.185, Civil Code.
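The tiered assurance levels in section 999.325(b) through (d) (two matching data points for a reasonable degree of certainty; three plus a signed declaration for a reasonably high degree) and the fraud-detection duty in section 999.323(d), worked through as an added Python example. This code is not part of the regulations or any official guidance. The keyed-digest storage of held data points, the data-point kinds (name, email, phone, postal_code), the request-type names, the normalisation rules and the failed-attempt limit are all assumptions chosen for illustration; a business would substitute the data points it has determined to be reliable under section 999.325(b).

```python
"""Tiered requestor verification for non-accountholders (added example, not official text)."""
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed design: data points the business already holds are stored as keyed SHA-256
# digests so the verification service never handles plaintext. In production the key
# lives in a secrets manager; a per-process random key is used here only so the example
# runs offline.
_KEY = secrets.token_bytes(32)

TIER_REASONABLE = "reasonable"        # 999.325(b): at least two matching data points
TIER_HIGH = "reasonably_high"         # 999.325(c): at least three, plus a signed declaration
REQUIRED_MATCHES = {TIER_REASONABLE: 2, TIER_HIGH: 3}


def _normalize(kind: str, value: str) -> str:
    """Canonicalise a data point so formatting differences alone do not defeat a match."""
    v = value.strip().lower()
    if kind == "phone":
        v = re.sub(r"\D", "", v)[-10:]      # keep the 10-digit subscriber number
    elif kind == "postal_code":
        v = re.sub(r"\s", "", v)[:5]        # ZIP5; drop any +4 extension
    elif kind == "email":
        v = v.replace(" ", "")
    return v


def _digest(kind: str, value: str) -> bytes:
    """Keyed digest of a normalised data point; the kind is bound in to prevent cross-field matches."""
    return hmac.new(_KEY, f"{kind}:{_normalize(kind, value)}".encode(), hashlib.sha256).digest()


@dataclass
class HeldRecord:
    consumer_id: str
    points: Dict[str, bytes]              # data-point kind -> keyed digest


def build_record(consumer_id: str, **plain: str) -> HeldRecord:
    """Construct the business's held record from plaintext (only at ingestion time)."""
    return HeldRecord(consumer_id, {k: _digest(k, v) for k, v in plain.items()})


def required_tier(request_type: str, sensitive: bool) -> str:
    """Map a request to the assurance level sections 999.325(b)-(d) call for."""
    if request_type == "know_categories":
        return TIER_REASONABLE
    if request_type == "know_specific":
        return TIER_HIGH
    if request_type == "delete":          # 999.325(d): depends on sensitivity and risk of harm
        return TIER_HIGH if sensitive else TIER_REASONABLE
    raise ValueError(f"unknown request type: {request_type}")


@dataclass
class VerificationResult:
    verified: bool
    tier: str
    matched: int
    reason: str


class Verifier:
    """Verifies a requestor against a held record and throttles repeated failures (999.323(d))."""

    def __init__(self, max_failures: int = 5, window_s: int = 3600):
        self.max_failures = max_failures   # assumed threshold; tune to the business's risk profile
        self.window_s = window_s
        self._failures: Dict[str, List[float]] = {}

    def _recent_failures(self, consumer_id: str, now: float) -> int:
        stamps = [t for t in self._failures.get(consumer_id, []) if now - t < self.window_s]
        self._failures[consumer_id] = stamps
        return len(stamps)

    def verify(self, record: HeldRecord, request_type: str, sensitive: bool,
               provided: Dict[str, str], declaration_signed: bool = False,
               now: Optional[float] = None) -> VerificationResult:
        now = time.time() if now is None else now
        tier = required_tier(request_type, sensitive)
        need = REQUIRED_MATCHES[tier]

        # Fraud detection: repeated failed guesses against one record look like an enumeration
        # attack, so refuse automated verification and hand the request to manual review.
        if self._recent_failures(record.consumer_id, now) >= self.max_failures:
            return VerificationResult(False, tier, 0, "too many failed attempts; escalate to manual review")

        # Count matching data points with a constant-time comparison; kinds the business does
        # not hold never count, so a requestor cannot pad the match count with extra fields.
        matched = sum(
            1 for kind, value in provided.items()
            if kind in record.points and hmac.compare_digest(record.points[kind], _digest(kind, value))
        )
        if matched < need:
            self._failures.setdefault(record.consumer_id, []).append(now)
            return VerificationResult(False, tier, matched, f"need {need} matching data points, got {matched}")
        if tier == TIER_HIGH and not declaration_signed:
            return VerificationResult(False, tier, matched, "signed declaration under penalty of perjury required")
        # The plaintext values in `provided` are used only here and are not retained (999.323(c)).
        return VerificationResult(True, tier, matched, "ok")
```

The declaration check is deliberately applied after the match count so that a requestor who supplies the right data points but no declaration learns only that the declaration is missing, not which data points matched; the failure counter is incremented only for wrong data points, since a missing declaration is a procedural gap rather than a guess.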

§ 999.326. Authorized Agent

(a) When a consumer uses an authorized agent to submit a request to know or a request to delete, the business may require that the consumer:

  • (1) Provide the authorized agent written permission to do so; and

  • (2) Verify their own identity directly with the business.

(b) Subsection (a) does not apply when a consumer has provided the authorized agent with power of attorney pursuant to Probate Code sections 4000 to 4465.

(c) A business may deny a request from an agent that does not submit proof that they have been authorized by the consumer to act on their behalf.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.110, 1798.115, 1798.130, and 1798.185, Civil Code.

Article 5. Special Rules Regarding Minors

§ 999.330. Minors Under 13 Years of Age

(a) Process for Opting-In to Sale of Personal Information

  • (1) A business that has actual knowledge that it collects or maintains the personal information of children under the age of 13 shall establish, document, and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information about the child is the parent or guardian of that child. This affirmative authorization is in addition to any verifiable parental consent required under the Children’s Online Privacy Protection Act, 15 U.S.C. sections 6501, et seq.

  • (2) Methods that are reasonably calculated to ensure that the person providing consent is the child’s parent or guardian include:

    • a. Providing a consent form to be signed by the parent or guardian under penalty of perjury and returned to the business by postal mail, facsimile, or electronic scan;

    • b. Requiring a parent or guardian, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;

    • c. Having a parent or guardian call a toll-free telephone number staffed by trained personnel;

    • d. Having a parent or guardian connect to trained personnel via video-conference;

    • e. Having a parent or guardian communicate in person with trained personnel; and

    • f. Verifying a parent or guardian’s identity by checking a form of government issued identification against databases of such information, where the parent or guardian’s identification is deleted by the business from its records promptly after such verification is complete.

(b) When a business receives an affirmative authorization pursuant to subsection (a) of this section, the business shall inform the parent or guardian of the right to opt-out at a later date and of the process for doing so on behalf of their child pursuant to section 999.315.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135, and 1798.185(a)(6), Civil Code.

§ 999.331. Minors 13 to 16 Years of Age

(a) A business that has actual knowledge that it collects or maintains the personal information of minors at least 13 and less than 16 years of age shall establish, document, and comply with a reasonable process for allowing such minors to opt-in to the sale of their personal information, pursuant to section 999.316.

(b) When a business receives a request to opt-in to the sale of personal information from a minor at least 13 and less than 16 years of age, the business shall inform the minor of the right to opt-out at a later date and of the process for doing so pursuant to section 999.315.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135, and 1798.185, Civil Code.

§ 999.332. Notices to Minors Under 16 Years of Age

(a) A business subject to sections 999.330 and 999.331 shall include a description of the processes set forth in those sections in its privacy policy.

(b) A business that exclusively targets offers of goods or services directly to consumers under 16 years of age and does not sell the personal information of such minors without their affirmative authorization, or the affirmative authorization of their parent or guardian for minors under 13 years of age, is not required to provide the notice of right to opt-out.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135, and 1798.185, Civil Code.

Article 6. Non-Discrimination

§ 999.336. Discriminatory Practices

(a) A financial incentive or a price or service difference is discriminatory, and therefore prohibited by Civil Code section 1798.125, if the business treats a consumer differently because the consumer exercised a right conferred by the CCPA or these regulations.

(b) Notwithstanding subsection (a) of this section, a business may offer a price or service difference if it is reasonably related to the value of the consumer’s data as that term is defined in section 999.337.

(c) Illustrative examples follow:

  • (1) Example 1: A music streaming business offers a free service and a premium service that costs $5 per month. If only the consumers who pay for the music streaming service are allowed to opt-out of the sale of their personal information, then the practice is discriminatory, unless the $5 per month payment is reasonably related to the value of the consumer’s data to the business.

  • (2) Example 2: A retail store offers discounted prices to consumers who sign up to be on their mailing list. If the consumer on the mailing list can continue to receive discounted prices even after they have made a request to know, request to delete, and/or request to opt-out, the differing price level is not discriminatory.

(d) A business’s denial of a consumer’s request to know, request to delete, or request to opt-out for reasons permitted by the CCPA or these regulations shall not be considered discriminatory.

(e) A business shall notify consumers of any financial incentive or price or service difference subject to Civil Code section 1798.125 that it offers in accordance with section 999.307.

(f) A business’s charging of a reasonable fee pursuant to Civil Code section 1798.145(g)(3) shall not be considered a financial incentive subject to these regulations.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.125, 1798.130, and 1798.185, Civil Code.

§ 999.337. Calculating the Value of Consumer Data

(a) The value provided to the consumer by the consumer’s data, as that term is used in Civil Code section 1798.125, is the value provided to the business by the consumer’s data and shall be referred to as “the value of the consumer’s data.”

(b) To estimate the value of the consumer’s data, a business offering a financial incentive or price or service difference subject to Civil Code section 1798.125 shall use and document a reasonable and good faith method for calculating the value of the consumer’s data. The business shall use one or more of the following:

  • (1) The marginal value to the business of the sale, collection, or deletion of a consumer’s data or a typical consumer’s data;

  • (2) The average value to the business of the sale, collection, or deletion of a consumer’s data or a typical consumer’s data;

  • (3) Revenue or profit generated by the business from separate tiers, categories, or classes of consumers or typical consumers whose data provides differing value;

  • (4) Revenue generated by the business from sale, collection, or retention of consumers’ personal information;

  • (5) Expenses related to the sale, collection, or retention of consumers’ personal information;

  • (6) Expenses related to the offer, provision, or imposition of any financial incentive or price or service difference;

  • (7) Profit generated by the business from sale, collection, or retention of consumers’ personal information; and

  • (8) Any other practical and reliable method of calculation used in good faith.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.125, 1798.130, and 1798.185, Civil Code.

Article 7. Severability

§ 999.341.

(a) If any article, section, subsection, sentence, clause or phrase of these regulations contained in this Chapter is for any reason held to be unconstitutional, contrary to statute, exceeding the authority of the Attorney General, or otherwise inoperative, such decision shall not affect the validity of the remaining portion of these regulations.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.105, 1798.145, 1798.185, and 1798.196, Civil Code.