For your ease of reference, we reproduce here a formatted, hyperlinked copy of the California Consumer Privacy Act of 2018 (CCPA), current as of February 4, 2020. We've included in parentheses the general topic for each section, though this our own interpretation and not set out in the CCPA itself. For the official text of the CCPA, you should go here. If you have questions about the CCPA, see our FAQs (Parts one, two(a) & two(b)) or contact a member Cooley's cyber/data/privacy team.
Title 1.81.5. California Consumer Privacy Act of 2018
[Cal. Civ. Code §§ 1798.100–1798.199]
Index
1798.100 (Notice at Collection; Right to Know)
1798.105 (Right to Deletion)
1798.110 (Request to Know – General)
1798.115 (Request to Know – Sales)
1798.120 (Right to Opt-Out of Sales)
1798.125 (Right to Nondiscrimination)
1798.130 (CCPA Requests; Privacy Policies)
1798.135 ('Do Not Sell' Link and Compliance
Obligations)
1798.140 (Definitions)
1798.145 (Exemptions)
1798.150 (Private Right of Action)
1798.155 (Civil Penalties)
1798.160 (Fund Creation)
1798.175 (Applicability)
1798.180 (State Preemption)
1798.185 (Attorney General Obligations)
1798.190 (Noncircumvention of Sale Restrictions)
1798.192 (Consumer Waivers)
1798.194 (Interpretation)
1798.196 (Federal Preemption)
1798.198 (Operative Date)
1798.199 (Operative Date – State Preemption)
1798.100 (Right to Access)
- A consumer shall have the right to request that a business that collects a consumer's personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.
- A business that collects a consumer's personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.
- A business shall provide the information specified in subdivision (a) to a consumer only upon receipt of a verifiable consumer request.
- A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.
- This section shall not require a business to retain any personal information collected for a single, one-time transaction, if such information is not sold or retained by the business or to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.
1798.105 (Right to Deletion)
- A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
- A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumer's rights to request the deletion of the consumer's personal information.
- A business that receives a verifiable consumer request from a consumer to delete the consumer's personal information pursuant to subdivision (a) of this section shall delete the consumer's personal information from its records and direct any service providers to delete the consumer's personal information from their records.
- A business or a service provider shall not be required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business or service provider to maintain the consumer's personal information in order to:
-
- Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business' ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
- Debug to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise that consumer's right of free speech, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business' deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
- To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business.
- Comply with a legal obligation.
- Otherwise use the consumer's personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
1798.110 (Right to Request Disclosure of Information Collected)
- A consumer shall have the right to request that a business that
collects personal information about the consumer disclose to the
consumer the following:
- The categories of personal information it has collected about that consumer.
- The categories of sources from which the personal information is collected.
- The business or commercial purpose for collecting or selling personal information.
- The categories of third parties with whom the business shares personal information.
- The specific pieces of personal information it has collected about that consumer.
- A business that collects personal information about a consumer shall disclose to the consumer, pursuant to paragraph (3) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) upon receipt of a verifiable consumer request from the consumer.
- A business that collects personal information about consumers
shall disclose, pursuant to subparagraph (B) of paragraph (5) of
subdivision (a) of Section 1798.130:
- The categories of personal information it has collected about consumers.
- The categories of sources from which the personal information is collected.
- The business or commercial purpose for collecting or selling personal information.
- The categories of third parties with whom the business shares personal information.
- That a consumer has the right to request the specific pieces of personal information the business has collected about that consumer.
- This section does not require a business to do the
following:
- Retain any personal information about a consumer collected for a single one-time transaction if, in the ordinary course of business, that information about the consumer is not retained.
- Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.
1798.115 (Right to Disclosure of Information Sold)
- A consumer shall have the right to request that a business that
sells the consumer's personal information, or that discloses it
for a business purpose, disclose to that consumer:
- The categories of personal information that the business collected about the consumer.
- The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each category of third parties to whom the personal information was sold.
- The categories of personal information that the business disclosed about the consumer for a business purpose.
- A business that sells personal information about a consumer, or that discloses a consumer's personal information for a business purpose, shall disclose, pursuant to paragraph (4) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) to the consumer upon receipt of a verifiable consumer request from the consumer.
- A business that sells consumers' personal information, or
that discloses consumers' personal information for a business
purpose, shall disclose, pursuant to subparagraph (C) of paragraph
(5) of subdivision (a) of Section 1798.130:
- The category or categories of consumers' personal information it has sold, or if the business has not sold consumers' personal information, it shall disclose that fact.
- The category or categories of consumers' personal information it has disclosed for a business purpose, or if the business has not disclosed the consumers' personal information for a business purpose, it shall disclose that fact.
- A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out pursuant to Section 1798.120.
Download: California Consumer Privacy Act of 2018 – Full Text
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.