
If the business sells persInformation required by sectA link to the - PDF document

susan2
Uploaded On 2021-05-15



Presentation Transcript

If the business sells persInformation” required by sectA link to the business's If a business collects personal information from a consumer online, the notice at collection may be given to the consumer by prmation required in subsection (b)A business that does not collect personal information directly from the consumer does not ction to the consumer if it does not sell the consumer's personal information. at collection to the consumer if it has tration submission a link to its online prinstructions on how a consumer can submit a request to opt-out.A business collecting employment-related information shall comply with the provisions of of employment-related informatiothe link or web address to the lional Information”. employment-related information Subsection (f) shall become inoperative on January 1, 2021, unless the CCPA is amended § 999.306. Notice of Right to Opt-Out of Sale of Personal Information. Purpose and General Principles The purpose of the notice of r consumers of their right to ir personal information to stopinformation. The notice of right to opt-umers. The notice shall:Use a format that draws the consumer's attention to the notice and makes the notice readable, including on sma Explanation that a consumer has the right to request that the business disclose what personal information it coInstructions for submitting a verifiable consumer request tonline request form or portal for making the request, if offereGeneral description of the process the business will use to verify the consumer request, includi

ng any information the consumer must provide. ies of personal information thabout consumers in the preceding 12 months. The categories shaa manner that provides consumers a meaningful understanding of the information Identification of twhich the personal information is Identification of the business or commercial purpose for colpersonal information. The purpose shall be described in a manner that provides consumers a meaningful understanding of why the information is Disclosure or Sale of Personal Information. ies of personal information, if any, that the parties in the preceding 12 months. For each category of personal information identified, the cparties to whom the information was disclosed or sold. Statement regarding whether the business has actual knowledge that it sells the personal information of consumers under 16 years of age. Right to Request Deletion of Personal Information. information collectInstructions for submitting a verifiable consumer request tonline request form or portal for making the request, if offereGeneral description of the process the business will use to verify the consumer request, including any information the consumer must provide. Right to Opt-Out of the Salinformation by a business.Statement regarding whethernal information. If thebusiness sells personal informaright to opt-out or a link to it in accordance with section 999 A good-faith estimate of the value of the consumer's data that forms the basis for or price or service difference; and A description of the method theconsumer's data.

Privacy Policy. The purpose of the privacy policy is to provide consumers with a comprehensive disclosure, and sale of personal information and of the rights of consumers regarding their personal information. The privacy policy shall beunderstandable to consumeUse a format that makes the policy readable, including on smaller screens, if applicable.Be available in the languages in which the business in its contracts, disclaimers, sale announcements, and other information to consumers in Be reasonably accessible to consumers with disabilities. Fw generally recognized industry standards, such as the Web Content AccessibilitWorld Wide Web Consortium, inccontexts, the business shall provide information on how a consumer with a disability may access the policy in an alternative format. Be available in a format that allows a consumer to print itThe privacy policy shall bsite homepage or on the downloadmobile application. If the business has a California-specific description of consumers' ebsite shall make the privacyavailable to consumers. A mobile application may include a linthe application's settings menu. The privacy policy shall include the following information:Right to Know About Personal Information Collected, Disclo § 999.307. Notice of Financial Incentive. The purpose of the notice oflain to the consumer the material terms of a financial incentive or price or service difference the business is offering so that the consumer may make an informed decision aboparticipate. A business that doeentive.The notice of financi

al isumers. The notice shall:Use a format that draws the consumer's attention to the notice and makes the notice readable, including on smaBe available in the languages in which the business in its contracts, disclaimers, sale announcements, and other information to consumers in Be reasonably accessible to consumers with disabilities. Fw generally recognized industry standards, such as the Web Content AccessibilitWorld Wide Web Consortium, inccontexts, the business shall provide information on how a consumer with a disability may access the notice in an alternative format. Be readily available where consumers will encounter it befofinancial incentive or priIf the business offers the financial incentive or price ornotice may be given by providing that contains the informatiancial incentive: A succinct summary of the fA description of the material terms of the fies of personal information that are implicated by the e of the consumer's data; How the consumer can opt-in to the financial incentive or A statement of the consumer's right to withdraw frominancial incentive at any time and how the consumer may exercise that right; and An explanation of how the financial incentive or price or of the consumer's data, includi Be available in the languages in which the business in its contracts, disclaimers, sale announcements, and other information to consumers in Be reasonably accessible to consumers with disabilities. Fw generally recognized industry standards, such as the Web Content AccessibilitWorld Wide Web Consortium, incconte

xts, the business shall provide information on how a consumer with a disability may access the notice in an alternative format. A business that sells the personal information of consumers shall provide the notice of right to opt-out to consumers as follows: A business shall post thethe consumer is directed afterPersonal Information” link on the website homepage or a mobile application. In addition, a businformation through a mobile application may provide athrough the application's settings menu. The notice shall include the information contains the same information. A business that does not opera, document, and comply with another method by which it informs consumers of their right to opt-out. That method shall comply with the requiremeA business shall include theA description of the consumer's right to opt-out of the sainformation by the business;The interactive form by which the consumer can submit theiection (a), or if the business does not operate a website, the offline method by which the consumer can submit thInstructions for any other method by which the consumer may submit their request to t-out if: It does not sell personal information; and It states in its privacy poes not sell personal information. he personal information it collected during the time the business ins the affirmative authorization of the consumer. contexts, the business shall provide information on how a consumer with a disability may access the notice in an alternative format. The notice at collection shall be made readily available where c

onsumers will point of collection of any personal information. Illustrative examples follow: When a business collects consumers' personal information online, it may post a and on all webpages where personal information is collected. When a business collects personal information through a mobile application, it may provide a link to the notice on the mobile application's dongs menu. When a business collects consumers' personal information offline, it may include the notice on printed forms that collect personal information, consumer with a paper version of the notice, or post prominent consumers to where the When a business collects personal information over the telephonmay provide the notice orally. When a business collects personal information from a consumer's mobile device for a purpose that the consumer would not provide a just-in-time notice containing a summary of thmation being collected information, the n-time notice, such as through athe consumer opens the application, that contains the informatiA business shall not collect categories of personal informacategories of personal informacollection.If a business does not givee consumer at or before the point of collection of their personal information, the businessinformation fromthe consumer. A business shall include thellection: A list of the categories of personal information about consumers to be collected. Eachcategory of personal information shall be written in a manner ta meaningful understanding of the information being collected. The business or commercia

l puinformation will be used. “Verify” means to determine that the consumer making a requdelete is the consumer about whom the business has collected information, or if that consumer is less than 13 years of age, the consumer's parent orArticle 2. NOTIC ust comply with the CCPprivacy policy in accordance with the CCPA and section 999.308.A business that collects personal information from a consumcollection in accordance with the CCPA and section 999.305. A business that sells personal information shall provide a accordance with the CCPA and section 999.306. A business that offers a financial incentive or price or sen accordance with the CCPA and section 999.307. § 999.305. Notice at Collection of Personal Information.Purpose and General Principles The purpose of the notice atumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them and the purposormation will be used.The notice at collection sand understandable to consumers. The notice shall:Use a format that draws the consumer's attention to the notice and makes the notice readable, including on smaBe available in the languages in which the business in its contracts, disclaimers, sale announcements, and other information to consumers in Be reasonably accessible to consumers with disabilities. Fthe Web Content AccessibilitWorld Wide Web Consortium, inc “Privacy policy,” as refe8.130, subdivision (a)(5), means the statement that a business shall make available to consumerspersonal informat

ion, and of the rinformation. “Request to delete” means a consumer request that a business delete personal information about the consumer that the business has collected from the consumer, pursuant to Civil “Request to know” means a consumer request that a business disclose personal information 1798.110, or 1798.115. It includes a request for any or all of the following: Specific pieces of personal information that a business has cconsumer; Categories of personal information it has collected about the consumer; Categories of sources from which the personal information is collected; Categories of personal informabusiness purpose about the consumer; o whom the personal information The business or commercial puinformation. “Request to opt-in” means thet the business may sell personal information about the consumer by a parent or guardian of a consumer less than 13 years of age, by a consumer at least 13 ar by a consumer who had of their personal information.“Request to opt-out” means a consumer request that a business not sell the consumer's personal information to third par“Signed” means that the written attestation, declaration, or permission has either been physically signed or provided electronically in accordance with the Uniform Electronic ivil Code section 1633.1 “Third-party identity verification service” means a securitmer making a request to the business. Third-party identity vect to the requirements set forth “Value of the consumer's data” means the value provided to the business by the

consumer's may include the consumer directlanalytics providers, government entities, operating systems and platforms, social networks, “Categories of third parties” means types or groupings of third parties with whombusiness shares personal information, described with enough parconsumers with a meaningful undeparty. They may include s providers, government entities, operating systems and platforms, social networks, and“CCPA” means the California Consumer Privacy Act of 2018, Civil Code sections 1798.100 “COPPA” means the Children's Online Privacy Protection Act,6508 and 16 Code of Federal R“Employment benefits” means retirement, health, and other benefit programs, services, or products to which consumers and ticiaries receive access through the consumer's employer. “Employment-related information” means personal informatiosubdivision (h)(1). The collection of employment-related information, including for the purpose of administering employma program, benefit, or other offering, including payments to consumers, related to the collection, deletion, or sale of personal information. “Household” means a perside at the same address, share a common device or the same service provided by a busby the business as sharing the same group account or unique identifier.“Notice at collection” ms to a consumer at or before the s personal information from the consumer as required by (m)“Notice of right to opt-out” means the notice given by a business informing consumers of personal informatio“Notice of f

inancial incentive” means the notice given by “Price or service difference” means (1) any difference in goods or services to any consumer rinformation, including through thepayments, or other benefits or penalties; or (2) any difference in the level or quality of anyconsumer related to the collecnal information, including the s to the consumer. FINAL TEXT OF PROPOSED REGULATIONS TITLE 11. LAW DIVISION 1. ATTORNEY GENERAL CHAPTER 20. CALIFORNIA CONSUMER PRIVACY ACT REGULATIONS Article 1. GENERAL PROVISIONS § 999.300. Title and Scope. n as the California Consumer Privacy Act Regulations. It may regulations govern compliance with the California Consumer Privacy Act and do not limit any other rights that consumers may have. A violation of these regulion of the CCPA and be subject to the remedies provided for therein. § 999.301. Definitions. forth in Civil Code section 1798.140, for purposes of these “Affirmative authorization” means an action that demonstrathe consumer to opt-in to the sale of personal information. Wionsumer under 13 years of age, it means that the parent or the sale of the consumer's personal information in accordance with the methods set forth in section 999.330. For consumers 13 years of age and older, it is demonstrated ty the consumer shall first, hen second, separately confirm t“Attorney General” means the California Attorney General or any officer or employee of the California Department of Justicthe California Attorney “Authorized agent” means aity registered with the Secretary alif

ornia that a consumer has rements set forth in section 999.326or entities from which a business collects personal information about consumers, describto provide consumers with a m 999.337. Calculating the Value of Consumer Dataal incentive or price or service difference subject to Civil Codeaith method for calculating the value of the consumer's data. The business shall consider one or more of the following: The marginal value to the business of the sale, collection, or deletion of a consumer'sThe average value to the business of the sale, collection, or deletion of a consumer'sThe aggregate value to then, or deletion of consumers' number of consumers. Revenue generated by the business from sale, collection, or retention of consumers'personal information. Expenses related to the consumers' personalinformation. Expenses related to the offer, provision, or imposition ofProfit generated by the busin retention of consumers'personal information. Any other practical and reasonably reliable method of calclating the value of consumer data, a business may consider theconsumers. Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.125, 1798.130and 1798.185, Civil Code. : A clothing business offers a loyalty program whereby custome$5-off coupon by email after spending $100 with the business. A consumer submits a nformation the business has collected about them but also informs the business that tprogram. The business may deny thegard to their email address and the amount the consumer has spent with the

business because that information is necessary for the business to provide the loyalty program requested by the consumer and is reasonably antongoing relationship with them pur(d)(1). : A grocery store offers a loyalty program whereby consumers ren they provide their phone numbers. A consumer submits a request to opt-out of trmation. The retailercomplies with their request but no longer allows the consumer to participate in the loyalty program. This practice is discriminatory unless the grdemonstrate that the value of trmation about consumers, including their email addresses. It offers coupons to consumers through windows while the consumer usesnsumer submits a nformation that the bookseller has collected about them, including their email address abookseller complies with the reqconsumer. The bookseller's faiminatory unless the related to the value provided to the business by the consumer's data. The bookseller may not deny the consumer's reregard to the email address because the email address is not neumer based on the consumer's relationshiumers of any financial incentivA business's charging of a reasonable fee pursuant to Civil Code section 1798.145, compliance with a state or federal law ed discriminatory. consumer of the right to opt-out§ 999.332. Notices to Consumers Under 16 Years of Age.A business subject to sections 999.330 and 999.331 shall include a description of the A business that exclusively targets offers of goods or services directly to consumers under 16 years of age and does not sell the perso

nal information without the affirmative affirmative authorization of themers under 13 years of age, is Article 6. NON-DISCRIMINATION Discriminatory Practices. financial incentive or adiscriminatory, and therefore ts a consumer differently because the consumer exercised a right conferred by the CCPA orA business may offer a financial incentive or price or service difference if it is reasonably umer's data. If a business is estimate of the value of the consumer's data or cannot show that the financial incentive or of the consumer's data, that A business's denial of a consumer's request to know, request to delete, or request to opt-out for reasons permitted by the CCPA or these regulations shall nodiscriminatory. Illustrative examples follow: : A music streaming business offers a free service as well as a premiumh. If only the consumers who paystreaming service are allowed tersonal information, then the practice is discriminator is reasonably related affirmative authorization is in addition to any verifiable pareMethods that are reasonablthe child's parent or guardian include, but are not limited to: business by postal mail, facsimile,n, in connection with a monetar online payment system that o the primary account holder; all a toll-free telephone numbonnect to trained personnel via video-conference; ommunicate in person with traiVerifying a parent or guardian's identity by checking a fortabases of such information, asor guardian's identification is deleted by the business from its records promptly after such verificatio

n is complete. When a business receives an affirmative authorization pursbusiness shall inform the parenthild pursuant to section 999.315, subsections (a)-(f). A business shall establish, document, and comply with a reasonable method, in accordance with the methods set forth in s, for determining that a person submitting a ete the personal information§ 999.331. Consumers 13 to 15 Years of Age.A business that has actual knowsonal information of consumers at lish, document, and comply allowing such consumers to opt-ininformation, pursuant to section 999.316. When a business receives a request to opt-in to the sale of personal information from a consumer at least 13 years of a e method by which a business can verify the identity of the consumer to the degree of certainty required by this se has no reasonable method by whicof the requestor. If the business has no reasonable method by which it can verify any consumer, the business shall explerification method in its privacy policy. The business shall evaluate and document whether a reasonable method can ery 12 months, in connection with the requirement to update § 999.326. Authorized Agent. When a consumer uses an authorized agent to submit a requedelete, a business may require that the consumer do the followiProvide the authorized agent signed permission to do so. Verify their own identitDirectly confirm with the business that they provided the authorized agent permission to submit the request. Subsection (a) does not apply when a consumer has providedAn authorized agent shall imp

lement and maintain reasonablpractices to protect the consumer's information. use a consumer's personal information, or any information onsumer, for any purposes other than to fulfill the consumer's Article 5. SPECIAL RULES REGARDING CONSUMERS UNDER 16 YEARS OF§ 999.330. Consumers Under 13 Years of Age.Process for Opting-In toSale of Personal InformationA business that has actual knowledge that it sells the personal information of a consumer under the age of 13 shall establish, document, and commethod for determining that the person affirmatively authorizing the sale of the personal information about the c points provided by the consumer with data points maintained by determined to be reliable for the purpose of verifying the consumer. A business's compliance with a request to know specific pieces of personal information requires that the business verify the identity of the consumer making the request to a of certainty may include matching at least three pieces of personal information provided by the consumer with personal information maintaineermined to be reliable for the purpose of verifying the consumer together with a signed declarperjury that the requestor is the consumer whose personal information is the subject of the request. If a business uses this method for verification, the business shall maintain all signed declarations as part of its record-keepiA business's compliance with a request to delete may requiidentity of the consumer to a reasonable or reasonably high degree of certainty depending on information

and the risk of harm to the consumer posed by unauthorized deletion. For example, the deletion of family photographs may require a sing history may require only faith when determining the n verifying the consumer in acIllustrative examples follow: If a business maintains personal information in a manner associa named actual person, the business may verify the consumer by consumer to provide evidence that matches the personal information maintained by the business. For example, if a retailer maintains chases made by a consumer, the business may require the consumer to identify items that they recently dollar amount of their most recIf a business maintains personal information in a manner that iassociated with a named actual person, the business may verify the consumer by requiring the consumer to demonstratnsumer associated with the personal information. For example, a business may have a mobile application that bout the consumer but does not rbusiness may determine whether, based on the facts and considering the factors set forth in section 999.323, subsection (b)(3), it may reasonably verify a consumer by to provide informad the mobile application may know or by requiring the consumer to respond toA business shall deny a request to know specific pieces of personal information if it cannot verify the identity of the requestor pursua security, or fraud-prevention. Tew personal information after processing the consumer's request, except as required to comply with section 999.317. A business shall not require the consumer or

the consumer'may not require a consumer to provide a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of notarization.A business shall implement reasonable security measures to verification activity and prevent the unauthorized access to or deletion of a consumer's personal information. If a business maintains consumer information that is deidermation in response to a consumery a consumer request. § 999.324. Verification for Password-Protected Accounts.If a business maintains a password-protected account with the consumer, the business may verify the consumer's identity tthe consumer's account, provided requirements in section uire a consumer to re-authenticate themself beforee consumer's data. If a business suspects fraudulent or malicious activity on or from the password-protected omply with a consumer's request to know or request to on procedures determine that the consumer request is authentic and the consumer making the requeinformation. The business may use the procedures set forth in verify the identity of the consumer. § 999.325. Verification for Non-Accountholders.If a consumer does not have or cannot access a password-prthe business shall comply with this section, in addition to secA business's compliance with a request to know categories of personal information requires ntity of the consumer making th reasonable degree of certainty. A reasonable degree of certainty may include matching at least two data Article 4. VERIFICATION OF REQUESTS§ 999.323. G

eneral Rules Regarding Verification. business shall establish, document, and comply with a reasonable method for verifying that the person making a request is the consumer about whomllected information. In determining the method by which the businessy the consumer's identity, the business shall: Whenever feasible, match tded by the consumer to the personal information of the consumer already maintained by the ervice that complies with thAvoid collecting the types of personal information identif verifying the consumer. Consider the following factors: ity, and value of the personal informatiomaintained about the consumer. Sensitive or valuable personal information shall rsonal information presumptively sensitive; The risk of harm to the consumer posed by any unauthorized access ordeletion. A greater risk of harm to the consumer by unauthorized access or deletionThe likelihood that fraudulent or malicious actors would seinformation. The higher the likelihood, the more stringent theshall be; Whether the personal information to be provided by the consumer to verify their The manner in which the business interacts with the consume ormation from the consumer for purposes of verification. If, howconsumer fromthe information already maintained by the business, the business may request additional information from the consumer, which shall o consumer seeking to exercise their rights under the CCPA, In its disclosure pursuant tmay choose to disclose the number of requests that itonsumer, called for information exempt fromEstablish

, document, and comply with a training policy to ensure that all individuals er requests made under the CCPA compliance with the CCPA are informed of all the requirements iA business may choose to compile and disclose the informati(g)(1) for requests received fromconsumers. The business shall state whether it has done so in its disclosure and shall, upon vide to the Attorney General the inform(g)(1) for requests received fromconsumers. Requests to Know or Delete Household Information. Where a household does not have a password-protected accoushall not comply with a request to know specific pieces of personal information about the household personal informationAll consumers of the household jointly request to know specific pieces of information for the household or the deletion of household personal informaes all the members of the houseverification requirements seThe business verifies that each member making the request is currently a member of Where a consumer has a password-protected account with a buinformation about a household, the business may process requests to know and requests to ormation through the business'sand in compliance with these regulations. If a member of a household is a consumer under the age of 13, a business must obtain information for the household oronal information pursuant to requirements in the CCPA and these regulations and how to direct consumers to exercise their rights under the CCPA and these regulations. A business shall maintain records of consumer requests made pursuant to the CCPA and

usiness shall implement and maintain reasonable security procedures and practices in maintaining these records.The records may be maintained in a ticket or log format prh the request was made, the nied in whole or in part. A business's maintenance of the information required by this section, where that information is not used for any other purposeInformation maintained forcompliance with the CCPA and these regulations. Information mat as necessary to comply with a legal obligation. Other than as required by subsection (b), a business is not required to retain personal information solely for the purpose of fulfilling a consumer request made under the CCPA. A business that knows or rlone or in combination, buys, mmercial purposes, sells, or sharthe personal information of 10,000,000 or more consumers in a cCompile the following metriar: The number of requests to knowcomplied with in The number of requests to delete that the business received, complied with in The number of requests to optd, complied with in The median or mean number ofDisclose, by July 1 of every calendar year, the informatio(g)(1) within their privacy policy or posted on their website and accessible from a link formation is more prominentlyA business shall comply with a request to opt-out as soon than 15 business days from the daconsumer's personal informaticonsumer submits their complies with that request, it e third parties that the consumer has exercised their right to opt-out and shall direct those third parties not to sell that consumer's information.

A consumer may use an authorized agent to submit a request to opt-out on the consumer's behalf if the consumer provides rmission signed by the consumer. A business may deny a request from an authorized agent if the agent cannot umer's signed permission demonstrating that they have been authorized by the consumer to act on the consumer's behalf. Ussetting, or other mechanism, that communicate or signal the consumer's choice to opt-out of the sale of their personal information shall be considered a request directly from the consumer, not through an A request to opt-out need not be a verifiable consumer reqgood-faith, reasonable, and documentebusiness may deny the request. The business shall inform the rcomply with the request and shaRequests to Opt-In After Opting-Out of the Sale of Personal InfRequests to opt-in to thewhereby the consumer shall firsconfirm their choice to opt-in. If a consumer who has opted-nal information initiates a transaction or attempts to use ainformation, a business may inform the consumer that the transasonal information and provide instructions on how the consumer All individuals responsible for handling consumer inquiriepractices or the business's compliance with the CCPA shall be informed of all of the inform the consumer that the request cannot be acted upon because the request has been sent A service provider that is a business shall comply with the CCPA and these regulations with regard to any personal information that it collects, maintains, or sells outside of its role as a Requests to Op

t-Out. A business shall provide two or more designated methods for submitting requests to opt-out, including an interactive form accessible via a clear and conspiMy Personal Information,” on the business's website or mobile aacceptable methods for submitting these requests include, but aphone number, a designated email address, a form submitted in person, a form submitted through the mail, and user-enableprivacy setting, device setting, or other mechanism, that commuconsumer's choice to opt-out of thermation. A business shall consider the methods by which it interacts with consumers, the manner in l information to third parties,of use by the consumer when determining which methods consumers may use to submit requests to opt-out. At least one method offered shall reflect the manner in which the business primarily interacts with the consumer. If a business collects personal information from consumers online, the business shall treat setting, or other mechanism, that communicate or signal the consumer's choice to opt-out of ation as a valid request submithe consumer. Any privacy control developed in accordance with these regulations shall clearly onsumer intends to opt-out of theinformation. licts with a consumer's existinl incentive program, the obal privacy control but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy tive program. o opt-out, a business may present the consumer with the choice es of personal information as accordance with section 999.306. o de

lete, a business may present the consumer with the of their personal information delete all personal information is also offered and more promin business that provides services to a person or organization that is not a business, and that would otherwise meet the requirements and obligations of a “serCCPA and these regulations, shall be deemed a service provider To the extent that a busineollect personal information directly from a consumer, or about a consumer, on the first business's behalf, and the second entity would otherwise meet the requirements and obligations of a “serCCPA and these regulations, theCCPA and these regulations. A service provider shall not retain, use, or disclose personal information obtained in the To process or maintain personal information on behalf of the buthe personal information or directinformation, and in compliance withTo retain and employ another sersubcontractor meets the requiremeer the CCPA and these For internal use by the service provider to build or improve thusehold or consumer orrecting or augmenting data acquired from another source; or illegal activity; or For the purposes enumerated in Civil Code section 1798.145, subA service provider shall not sell data on behalf of a business when a consumer has opted-out nformation with the business. For requests to delete, if n Article 4, the business may denA business shall comply with a consumer's request to delete their personal information Permanently and completely erasing the personal informationsystems with the exception of arc

hived or back-up systems; onal information; or Aggregating the consumer information. If a business stores any personal information on archived or backup systems, it may delay compliance with the consumer's request to delete, with rethe archived or backup system, until the archived or backup syssystem or next accessed or used for a sale, disclosure, or rm the consumer whether or not it has complied with the consumer's request. If the business complies with the consumer's request, the business shall inform the consumer that it will maintain a record of the request as requisubsection (b). A business may retonal information remains deleted from the business's nies a consumer's request to deInform the consumer that it will not comply with the consumdescribe the basis for the denial, including any conflict with Delete the consumer's personal information that is not subjNot use the consumer's personal information retained for any other purpose than If a business that denies a consumer's request to delete sells personal information and the consumer has not already made a request to opt-out, the busconsumer if they would like to op ormation that the consumer is eCCPA and these regulations, usesUnless otherwise specifier period of time, the 12-month period covered by a consume), shall run from the dreceives the request, regardless of the time required to verifyIn responding to a consumer'sinformation, categories of sources, and/or categories of third e to the consumer as required by the CCPA. It shall not refer the consumer t

o the buspolicy unless its response would be the same for all consumers discloses all the information thapersonal information, the nformation the business has colconsumer in the preceding 12 months; which the personal informatioThe business or commercialinformation; es with whom the business sharinformation; The categories of personal information that the business solntified, the categories of third parties to whom it sold that particular category of personal information; and The categories of personal information that the business dispurpose in the preceding 12 months, and for each category identified, the hom it disclosed that particular category of personal information. mation, categories of sources of personal information, and categm a business sold or disclosed personal information, in a manner that provides consumers a meaningful understanding of the categories listed. Responding to Requests to Delete. For requests that seek thesonal information about the consumer, if a business cannot verin making the request s may deny the request to r information requested and shall inform the requestor the consumer to its general business practices regarding the collection, maintormation set forth in its information if all of the following conditions are met: The business does not maintain the personal information in areasonably accessible format; The business maintains the personal information solely for legal or compliance The business does not sell the personal information and does consumer the categories of records that may con

tain personal information that it did not search because it meets the conditions stated A business shall not disclose in response to a request to know a consumer's Social se number or other government-issued identification number, financial account number, any health insurance or medicnumber, an account password, secu unique biometric measurements or technical analysis of humanbusiness shall, however, inform the consumer with sufficient particularity that it has collected the type of information. For example, a business shacollects “unique biometric data including a fingerprint scan” without disclosing the If a business denies a consumer's verified request to know specific pieces of personal information, in whole or in part, bexception to the CCPA, the business shall inform the requestor se the other information sought by the consumer. A business shall use reasonable security measures when transmitting personal information to the consumer. If a business maintains a password-protected account with the consumer, it may comply with a request to know by using a secure self-service portal for consumers to access, view, and receive a portable copy of their personal information if the portal an online form, or a telephone with which the consumer can callnumber. A business may use a two-step process for online requests to delete where the consumer must first, submit the requesttheir personal information deleted. If a consumer submits a request in a manner that is not one of the designated methods of submission, or is defici

ent in some manner unrelated to the vershall either: Treat the request as if it had been submitted in accordancdesignated manner, or Provide the consumer with information on how to submit the request or remedy any deficiencies with the reqw and Requests to Delete. Upon receiving a request to know or a request to delete, a days and provide information about how the business will process the request. The information provided shall describe i consumer should expect a respThe confirmation may be given in the same manner in whir example, if the request is made over the phone, the confirmation may be given orally durinBusinesses shall respond to delete within ves the request, regardless of time required to verify the rerify the consumer within the 45-day time period, the business may deny the request. If necessary, businesses may take up to o respond to the consumer's request, for a maximum total of 90 calendar days from the day tthe consumer with notice and an ethe businessResponding to Requests to Know. For requests that seek the disclosure of specific pieces of information about the consumer, if a business cannot verin making the request ormation to the requestor and shall inform the requestor business shall also evaluate the consumer's request as if it iscategories of personal information about the consumer pursuant Right to Non-Discrimination for the Exercise of a Consumer's Privacy Rights. Explanation that the consumer has a right not to receive discriminatory treatment zed agent can make a request under the CCPA on the consu

mer's behalf. Contact for More Information. practices using a method reflecting the manner in which the business primarily interacts with the consumer. Date the privacy policy was last updated. If subject to the requirements set forth in section 999.31information compiled in sectonal information of consumers under 16 years of age, a description of the processesArticle 3. BUSINESS PRACTICES FOR HANDLING CONSUMER REQUESTS to Know and Requests to Delete. A business that operates exct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests to know. All other businesses shall provide two or more designated methods for submitting requests to know, including, at a minimum, a toll-free telephone number. Other acceptable methods for submitting thesnot limited to, a designated email address, a form submitted in person, and a form submitted through the mail. o or more designated methods for submitting requests to delete. Acceptable methods for submitting these requests include, but aphone number, a link or form available online through a business's website, a designated email address, a form submitted in person, and a form submitted through the mail. A business shall consider the methods by which it primarily interacts with consumers when determining which methods to provide for submitting requests to delete. If the business interacts with consumers in person, ths a printed form the consumer can directly submit or send by mail, a tablet or compute