California Consumer Privacy Act

Right to Know What Personal Information is Being Collected.

1798.100
  1. A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the categories of personal information it has collected about that consumer.
  2. A business that collects personal information about a consumer shall disclose to the consumer, pursuant to paragraph (3) of subdivision (a) of section 1798.104, the information specified in subdivision (a) of this section upon receipt of a verifiable request from the consumer.
  3. A business that collects personal information about consumers shall disclose, pursuant to subparagraph (B) of paragraph (5) of subdivision (a) of section 1798.104, the categories of personal information it has collected about consumers.

Right to Know Whether Personal Information is Sold or Disclosed and to Whom.

1798.101
  1. A consumer shall have the right to request that a business that sells the consumer's personal information, or that discloses it for a business purpose, disclose to that consumer: (1) the categories of personal information that the business sold about the consumer and the identity of the third parties to whom such personal information was sold, by category or categories of personal information for each third party to whom such personal information was sold; and (2) the categories of personal information that the business disclosed about the consumer for a business purpose and the identity of the persons to whom such personal information was disclosed for a business purpose, by category or categories of personal information for each person to whom such personal information was disclosed for a business purpose.
  2. A business that sells personal information about a consumer, or that discloses a consumer's personal information for a business purpose, shall disclose, pursuant to paragraph (4) of subdivision (a) of section 1798.104, the information specified in subdivision (a) of this section to the consumer upon receipt of a verifiable request from the consumer.
  3. A business that sells consumers' personal information, or that discloses consumers' personal information for a business purpose, shall disclose, pursuant to subparagraph (C) of paragraph (5) of subdivision (a) of section 1798.104: (1) the category or categories of consumers' personal information it has sold; or if the business has not sold consumers' personal information, it shall disclose that fact; and (2) the category or categories of consumers' personal information it has disclosed for a business purpose; or if the business has not disclosed the consumers' personal information for a business purpose, it shall disclose that fact.

Right to Say No to Sale of Personal Information.

1798.102
  1. A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer not to sell the consumer's personal information. This right may be referred to as the right to opt out.
  2. A business that sells consumers' personal information shall provide notice to consumers, pursuant to subdivision (a) of section 1798.105, that such information may be sold and that consumers have the right to opt out of the sale of their personal information.
  3. A business that has received direction from a consumer not to sell the consumer's personal information shall be prohibited, pursuant to paragraph (4) of subdivision (a) of section 1798.105, from selling the consumer's personal information after its receipt of the consumer's direction, unless the consumer subsequently provides express authorization for the sale of the consumer's personal information.

Right to Equal Service and Price.

1798.103

A business shall be prohibited from discriminating against a consumer because the consumer requested information pursuant to sections 1798.100 or 1798.101, or because the consumer directed the business not to sell the consumer's personal information pursuant to section 1798.102, or because the consumer exercised the consumer's rights to enforce this Act, including but not limited to, by: (a) denying goods or services to the consumer; (b) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; (c) providing a different level or quality of goods or services to the consumer; or (d) suggesting that the consumer will receive a different price or rate for goods or services, or a different level or quality of goods or services, if the consumer exercises the consumer's rights under this Act.

Compliance with Right to Know and Disclosure Requirements.

1798.104
  1. In order to comply with sections 1798.100, 1798.101, and 1798.103, a business shall:
    1. Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to sections 1798.100 and 1798.101, including, at a minimum, a toll-free telephone number, and if the business maintains a website, a website address.
    2. Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable request, but this shall not extend the business's duty to disclose and deliver the information within 45 days of receipt of the consumer's request. The disclosure shall cover the twelve-month period preceding the business's receipt of the verifiable request and shall be made in writing and delivered through the consumer's account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer's option if the consumer does not maintain an account with the business. The business shall not require the consumer to create an account with the business in order to make a verifiable request.
    3. For purposes of subdivision (b) of section 1798.100: (A) to identify the consumer, associate the information provided by the consumer in the verifiable request to any personal information previously collected by the business about the consumer; and (B) identify by category or categories the personal information collected about the consumer in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) of this section that most closely describe(s) the personal information collected.
    4. For purposes of subdivision (b) of section 1798.101: (A) to identify the consumer, associate the information provided by the consumer in the verifiable request to any personal information previously collected by the business about the consumer; (B) identify by category or categories the personal information of the consumer that the business sold in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) of this section that most closely describe(s) the personal information, and provide accurate names and contact information for the third parties to whom the consumer's personal information was sold in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) of this section that most closely describe(s) the personal information sold for each third party; and (C) identify by category or categories the personal information of the consumer that the business disclosed for a business purpose in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) of this section that most closely describe(s) the personal information, and provide accurate names and contact information for the persons to whom the consumer's personal information was disclosed for a business purpose in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) of this section that most closely describe(s) the personal information disclosed for each person. The business shall disclose the information required by subparagraphs (B) and (C) in two separate lists.
    5. Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers' privacy rights, or if the business does not maintain such policies, on its website, and update such information at least once every 12 months:
      1. A description of a consumer's rights pursuant to sections 1798.100, 1798.101, and 1798.103, and one or more designated methods for submitting requests;
      2. For purposes of subdivision (c) of section 1798.100, a list of the categories of personal information it has collected about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) of this section that most closely describe(s) the personal information collected; and
      3. For purposes of paragraphs (1) and (2) of subdivision (c) of section 1798.101, two separate lists: (i) a list of the categories of personal information it has sold about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) of this section that most closely describe(s) the personal information sold, or if the business has not sold consumers' personal information in the preceding 12 months, the business shall disclose that fact; and (ii) a list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) of this section that most closely describe(s) the personal information disclosed, or if the business has not disclosed consumers' personal information for a business purpose in the preceding 12 months, the business shall disclose that fact.
    6. Ensure that all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with this Act are informed of all requirements in sections 1798.100, 1798.101, 1798.103, and this section, and how to direct consumers to exercise their rights under those sections; and
    7. Use any personal information collected from. the consumer in connection with the business's verification of the consumer's request solely for the purposes of verification.
  2. A business is not obligated to provide the information required by sections 1798.100 and 1798.101 to the same consumer more than once in a 12-month period.
  3. The categories of personal information required to be disclosed pursuant to sections 1798.100 and 1798.101 are all of the following:
    1. Identifiers such as a real name, alias, postal address, unique identifier, internet protocol address, electronic mail address, account name, social security number, driver's license number, passport number, or other similar identifiers;
    2. All categories of personal information enumerated in Civil Code 1798.80 et. seq, with specific reference to the category of information that has been collected;
    3. All categories of personal information relating to characteristics of protected classifications under California or federal law, with specific reference to the category of information that has been collected, such as race, ethnicity, or gender;
    4. Commercial information, including records of property, products or services provided, obtained, or considered, or other purchasing or consuming histories or tendencies;
    5. Biometric data;
    6. Internet or other electronic network activity information, including but not limited to, browsing history, search history, and information regarding a consumer's interaction with a website, application, or advertisement;
    7. Geolocation data;
    8. Audio, electronic, visual, thermal, olfactory, or similar information;
    9. Psychometric information;
    10. Professional or employment-related information;
    11. Inferences drawn from any of the information identified above; and
    12. Any of the categories of information set forth in this subdivision as they pertain to the minor children of the consumer.

Compliance with Right to Say No and Notice Requirements.

1798.105
  1. A business that is required to comply with section 1798.102 shall:
    1. Provide a clear and conspicuous link on the business's homepage, titled "Do Not Sell My Personal Information," to a webpage that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer's personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer's personal information;
    2. Include a description of a consumer's rights pursuant to section 1798.102, along with a separate link to the "Do Not Sell My Personal Information" webpage in: (A) its online privacy policy or policies if the business has an online privacy policy or policies, and (B) any California-specific description of consumers' privacy rights;
    3. Ensure that all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with this Act are informed of all requirements in section 1798.102 and this section, and how to direct consumers to exercise their rights under those sections;
    4. For consumers who exercise their right to opt out of the sale of their personal information, refrain from selling personal information collected by the business about the consumer;
    5. For a consumer who has opted out of the sale of the consumer's personal information, respect the consumer's decision to opt out for at least 12 months before requesting that the consumer authorize the sale of the consumer's personal information; and
    6. Use any personal information collected from the consumer in connection with the submission of the consumer's opt-out request solely for the purposes of complying with the opt-out request.
  2. Nothing in this Act shall be construed to require a business to comply with the Act by including the required links and text on the homepage that the business makes available to the public generally if the business maintains a separate and additional homepage that is dedicated to California consumers and that includes the required links and text, and the business takes reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally.
  3. A consumer may authorize another person to opt out on the consumer's behalf, and a business shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer's behalf.

Definitions.

1798.106

For purposes of Sections 1798.100 to 1798.115, inclusive, the following definitions shall apply:

  1. "Biometric data" means an individual's physiological, biological or behavioral characteristics, including an individual's deoxyribonucleic acid, that can be used, singly or in combination with each other or with other identifying data to establish individual identity. Biometric data includes but is not limited to imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
  2. "Business" means:
    1. a sole-proprietorship, partnership, limited-liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, that does business in the State of California, and that satisfies one or more of the following thresholds: (A) has annual gross revenues in excess of $50,000,000, as adjusted pursuant to paragraph (5) of subdivision (a) of section 1798.115; or (B) annually sells, alone or in combination, the personal information of 100,000 or more consumers or devices; or (C) derives 50 percent or more of its annual revenues from selling consumers' personal information; and
    2. any entity that controls or is controlled by a business, as defined in paragraph (1) of this subdivision, and that shares common branding with the business. "Control" or "controlled" means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise, directly or indirectly, a controlling influence over the management or policies of a company. "Common branding" means a shared name, service mark, or trademark.
  3. "Business purpose" means the use of personal information for the business's operational purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which it is specifically permitted. Unreasonable or disproportionate use shall not be considered a "business purpose." Business purposes are:
    1. Auditing related to a current interaction with the consumer and concurrent transactions, including but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions and auditing compliance with this specification and other standards;
    2. Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for such activity;
    3. Debugging to identify and repair errors that impair existing intended functionality;
    4. Short-term, transient use, provided the personal information is not disclosed to another person and is not used to build a profile about a consumer or otherwise alter an individual consumer's experience outside the current interaction, including but not limited to, the contextual customization of ads shown as part of the same interaction; and
    5. Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business.
  4. "Clear and conspicuous" means (1) in a color that contrasts with the background color or is otherwise distinguishable; (2) written in larger type than the surrounding text and in a fashion that calls attention to the language; and (3) prominently displayed so that a reasonable viewer would be able to notice, read, and understand it.
  5. "Commercial purposes" means to advance a person's commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction. “Commercial purposes" do not include for the purpose of engaging in speech that state or federal courts have recognized as non-commercial speech, including political speech and journalism.
  6. "Collects," "collected" or "collection" means buying, renting. gathering, obtaining, storing, using, monitoring, accessing, or making inferences based upon, any personal information pertaining to a consumer by any means.
  7. "Consumer” means a natural person who is a California resident, as defined in the California Code of Regulations, title 18, section 17014, as that section read on September 1, 2017, however identified, including by any unique identifier.
  8. "De-identified" means information that cannot reasonably identify, relate to, describe, reference, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer or device, provided that a business that uses de-identified information: (1) has implemented technical safeguards that prohibit re-identification of the consumer(s) to whom the information may pertain; (2) has implemented business processes that specifically prohibit re-identification of the information; (3) has implemented business processes to prevent inadvertent release of de-identified information; and (4) makes no attempt to re-identify the information.
  9. "Designated methods for submitting requests" means a mailing address, e-mail address, web page, web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under this Act, and any new, consumer-friendly means of contacting a business, as approved by the Attorney General pursuant to section 1798.115. If the consumer does not maintain an account with the business, the business shall provide an opportunity for the consumer to designate whether the consumer wishes to receive the information required to be disclosed pursuant to sections 1798.100 and 1798.101 by mail or electronically, at the consumer's option.
  10. "Homepage” means the introductory page of a website and any webpage where personal information is collected. In the case of an online service, such as a mobile application, homepage means the application's platform page, a link within the application, such as from the application configuration, "About," "Information," or settings page, and any other location that allows consumers to review the notice required by subdivision (a) of section 1798.105, including but not limited to, before downloading the application.
  11. "Infer" or "inference" means the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.
  12. "Person" means an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert.
  13. "Personal information" means information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device, including, but not limited to:
    1. Identifiers such as a real name, alias, postal address, unique identifier, internet protocol address, electronic mail address, account name, social security number, driver's license number, passport number, or other similar identifiers;
    2. Any categories of personal information enumerated in Civil Code 1798.80 *et. seq*;
    3. Characteristics of protected classifications under California or federal law;
    4. Commercial information, including records of property, products or services provided, obtained, or considered, or other purchasing or consuming histories or tendencies;
    5. Biometric data;
    6. Internet or other electronic network activity information, including but not limited to, browsing history, search history, and information regarding a consumer's interaction with a website, application, or advertisement;
    7. Geolocation data;
    8. Audio, electronic, visual, thermal, olfactory, or similar information;
    9. Psychometric information;
    10. Professional or employment-related information;
    11. Inferences drawn from any of the information identified above; and
    12. Any of the categories of information set forth in this subdivision as they pertain to the minor children of the consumer.

    "Personal information" does not include information that is publicly available or that is de-identified.

  14. "Probabilistic identifier" means the identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in subdivision (m).
  15. "Psychometric information" means information derived or created from the use or application of psychometric theory or psychometrics, whereby through the use of any method, model, tool, or formula, observable phenomena, such as actions or events, are connected, measured, assessed, or related to a consumer's attributes, including, but not limited to, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
  16. "Publicly available" means information that is lawfully made available from federal, state, or local government records or that is available to the general public. “Publicly available" does not mean biometric information collected by a business about a consumer without the consumer's knowledge.
    1. "Sell," "selling," "sale," or "sold," means: (A) selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for valuable consideration; or (B) sharing orally, in writing, or by electronic or other means, a consumer's personal information with a third party, whether for valuable consideration or for no consideration, for the third party's commercial purposes.
    2. For purposes of this Act, a business does not sell personal information when:
      1. A consumer uses the business: (i) to intentionally disclose personal information, or (ii) to intentionally interact with a third party. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party; or
      2. The business uses an identifier for a consumer who has opted out of the sale of the consumer's personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer's personal information.
  17. "Service" or "services" means work, labor, and services, including services furnished in connection with the sale or repair of goods.
  18. "Third party" means any person who is not:
    1. The business that collects personal information from consumers under this Act; or
    2. A person to whom the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract:
      1. Prohibits the person receiving the personal information from: (i) selling the personal information; (ii) retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract; and (iii) retaining, using, or disclosing the information outside of the direct business relationship between the person and the business; and
      2. Includes a certification made by the person receiving the personal information that the person understands the restrictions in subparagraph (A) and will comply with them.

    A person covered by paragraph (2) that violates any of the restrictions set forth in this Act shall be liable for such violations under this Act. A business that discloses personal information to a person covered by paragraph (2) in compliance with paragraph (2) shall not be liable under this Act if the person receiving the personal information uses it in violation of the restrictions set forth in this Act, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the person intends to commit such a violation.

  19. "Unique identifier" means a persistent identifier that can be used to recognize a consumer or a device over time and across different services, including but not limited to, a device identifier; Internet Protocol address(es); cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.
  20. "Verifiable request" means a request that: (1) is made by a consumer, by a consumer on behalf of the consumer's minor child, or by a person authorized by the consumer to act on the consumer's behalf; and (2) that the business has verified, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of section 1798.115, to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer pursuant to sections 1798.100 and 1798.101 if the business cannot verify, pursuant to this subdivision and regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of section 1798.115, that the consumer making the request is the consumer about whom the business has collected information.

Exemptions.

1798.107
  1. The obligations imposed on businesses by sections 1798.100 through 1798.105 shall not restrict a business's ability to:
    1. comply with federal, state, or local laws;
    2. comply with a civil, criminal, or regulatory investigation or subpoena or summons by federal, state, or local authorities;
    3. cooperate with law enforcement agencies concerning conduct or activity that the business reasonably and in good faith believes may violate federal, state, or local law; or
    4. collect and sell a consumer's personal information if every aspect of such commercial conduct takes place wholly outside of California. For purposes of this Act, commercial conduct takes place wholly outside of California if the business collected such information while the consumer was outside of California, no part of the sale of the consumer's personal information occurred in California, and no personal information collected while the consumer was in California is sold.
  2. The obligations imposed on businesses by sections 1798.100 through 1798.105 shall not apply where compliance by the business with the Act would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.
  3. This Act shall not apply to protected health information that is collected by a covered entity governed by the medical privacy and security rules issued by the Federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996 (HIPAA).For purposes of this subdivision, the definitions of "protected health information" and "covered entity" from the federal privacy rule shall apply.
  4. This Act shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681 (a) of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act, 15 U.S.C. § 1681, et. seq.

Enforcement By Consumers Who Have Suffered An Injury In Fact.

1798.108
  1. A consumer who has suffered a violation of this Act may bring an action for statutory damages. For purposes of Business and Professions Code section 17204 and any other applicable law, a violation of this Act shall be deemed to constitute an injury in fact to the consumer who has suffered the violation, and the consumer need not suffer a loss of money or property as a result of the violation in order to bring an action for a violation of this Act.
    1. Any consumer who suffers an injury in fact, as described in subdivision (a) of this section, shall recover statutory damages in the amount of one thousand dollars ($1,000) or actual damages, whichever is greater, for each violation from the business or person responsible for the violation, except that in the case of a knowing and willful violation by a business or person, an individual shall recover statutory damages of not less than one thousand dollars ($1,000) and not more than three thousand dollars ($3,000),or actual damages, whichever is greater, for each violation from the business or person responsible for the violation.
    2. In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the following: the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant's misconduct, and the defendant's assets, liabilities, and net worth.
  2. Notwithstanding any other law, whenever a judgment, including any consent judgment, decree, or settlement agreement, is approved by the court in a class action based on a violation of this Act, any cy pres award, unpaid cash residue, or unclaimed or abandoned class member funds attributable to a violation of this Act shall be distributed exclusively to one or more nonprofit organizations to support projects that will benefit the class or similarly situated persons, further the objectives and purposes of the underlying class action or cause of action, or promote the law consistent with the objectives and purposes of the underlying class action or cause of action, unless for good cause shown the court makes a specific finding that an alternative distribution would better serve the public interest or the interests of the class. If not specified in the judgment, the court shall set a date when the parties shall submit a report to the court regarding a plan for the distribution of any moneys pursuant to this subdivision.
  3. The remedies provided by this section are cumulative to each other and to the remedies or penalties available under all other laws of this State.

Enforcement by Public Entities.

1798.109
  1. Any business or person that violates this Act shall be liable for a civil penalty as provided in section 17206 of the Business and Professions Code in a civil action brought in the name of the people of the State of California by the Attorney General, by any district attorney, by any county counsel authorized by agreement with the district attorney in actions involving a violation of a county ordinance, by any city attorney of a city having a population in excess of750,000, by any city attorney of any city and county, or, with the consent of the district attorney, by a city prosecutor in any city having a full-time city prosecutor, in any court of competent jurisdiction.
  2. Notwithstanding section 17206 of the Business and Professions Code, any person or business that intentionally violates this Act may be liable for a civil penalty of up to $7,500 for each violation.
  3. Notwithstanding section 17206 of the Business and Professions Code, any civil penalty assessed pursuant to section 17206 for a violation of this Act, and the proceeds of any settlement of an action brought pursuant to subdivision (a) of this section, shall be allocated as follows:
    1. 20 percent to the Consumer Privacy Fund, created within the General Fund pursuant to subdivision (a) of section 1798.110, with the intent to fully offset any costs incurred by the state courts and the Attorney General in connection with this Act.
    2. 80 percent to the jurisdiction on whose behalf the action leading to the civil penalty was brought.
  4. The Legislature shall adjust the percentages specified in subdivision (c) of this section and in subdivision (b) of section 1798.111, as necessary to ensure that any civil penalties assessed for a violation of this Act fully offset any costs incurred by the state courts and the Attorney General in connection with this Act, including a sufficient amount to cover any deficit from a prior fiscal year. The Legislature shall not direct a greater percentage of assessed civil penalties to the Consumer Privacy Fund than reasonably necessary to fully offset any costs incurred by the state courts and the Attorney General in connection with this Act.

Consumer Privacy Fund.

1798.110
  1. A special account to be known as the "Consumer Privacy Fund" is hereby created within the General Fund in the State Treasury, and notwithstanding Government Code section 13340, is continuously appropriated without regard for fiscal year to offset any costs incurred by the state courts in connection with actions brought to enforce this Act and any costs incurred by the Attorney General in carrying out the Attorney General's duties under this Act.
  2. Funds transferred to the Consumer Privacy Fund shall be used exclusively to offset any costs incurred by the state courts and the Attorney General in connection with this Act. Such funds shall not be subject to appropriation or transfer by the Legislature for any other purpose, unless the Director of Finance determines that the funds are in excess of the funding needed to fully offset the costs incurred by the state courts and the Attorney General in connection with this Act, in which case the Legislature may appropriate excess funds for other purposes.

Whistleblower Enforcement.

1798.111
  1. Any person who becomes aware, based on non-public information, that a person or business has violated this Act may file a civil action for civil penalties pursuant to section 1798.109, if prior to filing such action, the person files with the Attorney General a written request for the Attorney General to commence the action. The request shall include a clear and concise statement of the grounds for believing a cause of action exists. The person shall make the non-public information available to the Attorney General upon request.
    1. If the Attorney General files suit within 90 days from receipt of the written request to commence the action, no other action may be brought unless the action brought by the Attorney General is dismissed without prejudice.
    2. If the Attorney General does not file suit within 90 days from receipt of the written request to commence the action, the person requesting the action may proceed to file a civil action.
    3. The time period within which a civil action shall be commenced shall be tolled from the date of receipt by the Attorney General of the written request to either the date that the civil action is dismissed without prejudice, or for 150 days, whichever is later, but only for a civil action brought by the person who requested the Attorney General to commence the action.
  2. Notwithstanding subdivision (c) of section 1798.109, if a judgment is entered against the defendant or defendants in an action brought pursuant to this section, or the matter is settled, amounts received as civil penalties or pursuant to a settlement of the action shall be allocated as follows:
    1. If the action was brought by the Attorney General upon a request made by a person pursuant to subdivision (a), the person who made the request shall be entitled to 15 percent of the civil penalties, and the remaining proceeds shall be deposited in the Consumer Privacy Fund within the General Fund.
    2. If the action was brought by the person who made the request pursuant to subdivision (a) of this section, that person shall receive an amount the court determines is reasonable for collecting the civil penalties on behalf of the government. The amount shall be not less than 25 percent and not more than 50 percent of the proceeds of the action and shall be paid out of the proceeds. The remaining proceeds shall be deposited in the Consumer Privacy Fund within the General Fund.
  3. For purposes of this section, "non-public information" means information that has not been disclosed in a criminal, civil, or administrative proceeding, in a government investigation, report, or audit, or by the news media or other public source of information, and that was not obtained in violation of the law.

Security Breach.

1798.112

A business that suffers a breach of the security of the system, as defined in subdivision (g) of section 1798.82, involving consumers' personal information, as defined in subdivision (h) of section 1798.82, shall be deemed to have violated this Act and may be held liable for such violation or violations under sections 1798.108, 1798.109, and 1798.111, if the business has failed to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the personal information from unauthorized disclosure.

Construction.

1798.113

This Act is intended to further the constitutional right of privacy and to supplement existing laws relating to consumers' personal information, including but not limited to the California Internet Privacy Act (chapter22 of Division 8 of the Business and Professions Code, commencing with section 22575) and the California Shine the Light Act (Title1.81 of Part 4 of Division 3 of the Civil Code, commencing with section 1798.80). The provisions of this Act are not limited to information collected electronically or over the Internet, but apply to the collection and sale of all personal information collected by a business from consumers. Wherever possible, existing law relating to consumers' personal information should be construed to harmonize with the provisions of this Act, but in the event of a conflict between existing law and the provisions of this Act, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.

Imposition of Additional Privacy Safeguards.

1798.114

Nothing in this Act shall prevent a city, county, city and county, municipality, or local agency from safeguarding the constitutional right of privacy by imposing additional requirements on businesses regarding the collection and sale of consumers' personal information by businesses provided that the requirement does not prevent a person or business from complying with this Act.

Regulations.

1798.115
  1. The Attorney General shall adopt regulations in the following areas to further the purposes of this Act:
    1. Adding additional categories to those enumerated in subdivision (c) of section 1798.104 and subdivision (m) of section 1798.106 in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns. In addition, upon receipt of a request made by a California city attorney or district attorney to add a new category or categories, the Attorney General shall promulgate a regulation to add such category or categories unless the Attorney General concludes, based on factual or legal findings, that there is a compelling reason not to add the category or categories. The Attorney General may also add additional categories to those enumerated in subdivision (c) of section 1798.104 and subdivision (m) of section 1798.106 in response to a petition filed pursuant to section 11340.6 of the Government Code;
    2. Adding additional items to the definition of "unique identifiers" to address changes in technology, data collection, obstacles to implementation, and privacy concerns, and additional categories to the definition of "designated methods for submitting requests" to facilitate a consumer's ability to obtain information from a business pursuant to section 1798.104;
    3. Establishing any exceptions necessary to comply with state or federal law;
    4. Establishing rules and procedures: (A) to facilitate and govern the submission of a request by a consumer, and by an authorized agent of the consumer, to opt out of the sale of personal information pursuant to paragraph (1) of subdivision (a) of section 1798.105; (B) to govern a business's compliance with a consumer's opt-out request; and (C) for the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt out of the sale of personal information;
    5. Adjusting the monetary threshold in subparagraph (A) of paragraph (1) of subdivision (b) of section 1798.106 in January of every odd-numbered year to reflect any increase in the Consumer Price Index;
    6. Establishing rules, procedures, and any exceptions necessary to ensure that the notices and information that businesses are required to provide pursuant to this Act are provided in a manner so as to be easily understood by the average consumer, are accessible to consumers with disabilities, and are available in the language primarily used to interact with the consumer;
    7. Establishing rules and procedures to further the purposes of sections 1798.100 and 1798.1Of" and to facilitate a consumer or the consumer's authorized agent's ability to obtain information pursuant to section 1798.104, with the goal of minimizing the administrative burden on consumers, taking into account available technology, security concerns, and the burden on the business, to govern a business's determination that a request for information received by a consumer is a verifiable request, including treating a request submitted through a password-protected account maintained by the consumer with the business while the consumer is logged into the account as a verifiable request and providing a mechanism for a consumer who does not maintain an account with the business to request information through the business's authentication of the consumer's identity;
    8. Defining the term "valuable consideration" as used in in paragraph (1) of subdivision (q) of section 1798.106 to ensure that a business that discloses, except as permitted by this Act, a consumer's personal information to a third party, including through a series of transactions involving multiple third parties, in exchange for any economic benefit is subject to this Act, and to include business practices involving the disclosure of personal information in exchange for something of value. Valuable consideration does not include the exchange of value in a transaction involving non-commercial speech, such as journalism and political speech; and
    9. Further interpret the terms "de-identified," "sell," "third party," and "business purpose" as set forth in section 1798.106, to address changes in technology, data collection, obstacles to implementation, and privacy concerns and to ensure compliance with the purposes of this Act, provided that such regulations do not reduce consumer privacy or the ability of consumers to stop the sale of their personal information.
  2. The Attorney General shall be precluded from adopting regulations that limit or reduce the number or scope of categories of personal information enumerated in subdivision (c) of section 1798.104 and subdivision (m) of section 1798.106, or that limit or reduce the number or scope of categories added pursuant to paragraph (1) of subdivision (a) of this section, except as necessary to comply with paragraph (3) of subdivision (a) of this section. The Attorney General shall also be precluded from reducing the scope of the definition of "unique identifiers," except as necessary to comply with paragraph (3) of subdivision (a) of this section.
  3. To the extent the Attorney General determines that it is necessary to adopt certain regulations in order implement this Act, the Attorney General shall adopt any such regulations within six months of the date of the election at which this Act is adopted. Notwithstanding the California Administrative Procedure Act (APA), and in order to facilitate the implementation of this Act, the Attorney General may adopt interim regulations without compliance with the procedures set forth in the APA. The interim regulations shall remain in effect for 270 days unless earlier superseded by regulations adopted pursuant to the APA.
  4. The Attorney General may adopt additional regulations as necessary to further the purposes of this Act.