Policy Tracker

California Consumer Privacy Act of 2018: data broker registration: accessible deletion mechanism.

CA · Legislation · 2025 · SB1104

LegislationPrivacy
Introduced

Record updated May 14, 2026

Summary

An act to amend Sections 1798.99.80 and 1798.99.82 of the Civil Code, and to add Section 12815.5 to the Government Code, relating to privacy.

Timeline

2026-05-14

S

May 14 hearing: Held in committee and under submission.

2026-05-12

S

Set for hearing May 14.

2026-05-11

S

May 11 hearing: Placed on APPR. suspense file.

2026-05-04

S

Set for hearing May 11.

2026-04-23

S

Read second time and amended. Re-referred to Com. on APPR.

2026-04-22

S

From committee: Do pass as amended and re-refer to Com. on APPR. (Ayes 7. Noes 1.) (April 20).

2026-04-09

S

Set for hearing April 20.

2026-04-09

S

From committee with author's amendments. Read second time and amended. Re-referred to Com. on P., D.T., & C.P.

Bill Text

Rendered XML Filing

Official document markup is preserved and restyled to match the active site theme.


Amended  IN  Senate  April 23, 2026
Amended  IN  Senate  April 09, 2026

CALIFORNIA LEGISLATURE— 2025–2026 REGULAR SESSION

Senate Bill
No. 1104


Introduced by Senator Cabaldon

February 13, 2026


An act to amend Sections 1798.99.80, 1798.99.82, 1798.99.86, and 1798.130 of, and to add Section 1798.99.87.1 to, 1798.99.80 and 1798.99.82 of the Civil Code, and to add Section 12815.5 to the Government Code, relating to privacy.


LEGISLATIVE COUNSEL'S DIGEST


SB 1104, as amended, Cabaldon. California Consumer Privacy Act of 2018: data broker registration: accessible deletion mechanism.
Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants to a consumer various rights with respect to personal information that is collected by a business. Existing law generally requires businesses to make certain methods of communication available for consumers to submit personal information requests, including requests for deletion or correction. Existing law requires a business that does not operate exclusively online to make available to consumers at least 2 methods for submitting personal information requests, including, at a minimum, a toll-free telephone number and, if the business maintains an internet website, a website address.

This bill would require that a business that does not operate exclusively online make available to consumers an email address for submitting personal information requests.

Existing law, the California Privacy Rights Act of 2020 (CPRA), an initiative measure approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency (agency) and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA.
Existing law requires a data broker to register with the agency, and defines “data broker” to mean a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions.
This bill would define a “direct relationship” as, among other things, when a consumer has intentionally interacted with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business’s products or services. The bill would provide that specify circumstances when a data broker does not have a “direct relationship” relationship,” including if it sells personal information outside of a “first-party” interaction with the consumer. The bill would define a “first party” as a consumer-facing business with which the consumer intends and expects to interact.
Existing law requires a data broker, in registering with the agency, to provide specified information, including, among other things, whether the data broker collects the personal information of minors or a consumer’s reproductive health care data. Existing law requires the agency to establish an accessible deletion mechanism that, among other things, allows a consumer to request that a specified data broker delete any personal information related to that consumer held by the data broker or associated service provider or contractor.
This bill would require a data broker to provide additional information to the agency regarding whether the data broker sells inferences about the attributes of the consumer based on their analysis of specified data, including the personal information of minors and a consumer’s reproductive health care data.

Existing law requires the agency to establish an accessible deletion mechanism that, among other things, allows a consumer to request that a specified data broker delete any personal information related to that consumer held by the data broker or associated service provider or contractor.

Existing law establishes the Office of Data and Innovation (office) within the Government Operations Agency with a mission to deliver better government services to the people of California through technology and service innovation, data, and design.
This bill would require the agency office to establish an online tool a privacy preference tool to enable a consumer to define and store a privacy preference profile regarding data broker data collection and use practices. practices, among other things. The bill would require the tool to, among other things, identify and categorize registered data brokers whose practices are consistent or inconsistent with a consumer’s privacy preferences based on a data broker’s most recent registration disclosures to the agency. evaluate relevant privacy, data management, and practice and policies against the consumer’s preference profile. The bill would require the office to make the online tool available to other state agencies, including the agency.

The bill would require the tool to permit the exclusion of brokers categorized as consistent from a deletion request, as provided, and would require the agency to store consumer profiles and notify consumers of specific data broker registration changes. The bill would authorize specified enforcement on a data broker who provides systematically incomplete information material to the privacy preference profile tool.

This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Section 1798.99.80 of the Civil Code is amended to read:

1798.99.80.
 For purposes of this title:
(a) The definitions in Section 1798.140 shall apply unless otherwise specified in this title.
(b) “Authorized agent” has the same meaning as used in Chapter 1 (commencing with Section 7000) of Division 6 of Title 11 of the California Code of Regulations.
(c) “Data broker” means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. “Data broker” does not include any of the following:
(1) An entity to the extent that it is covered by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(2) An entity to the extent that it is covered by the Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.
(3) An entity to the extent that it is covered by the Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).
(4) An entity, or a business associate of a covered entity, to the extent their processing of personal information is exempt under Section 1798.146. For purposes of this paragraph, “business associate” and “covered entity” have the same meanings as defined in Section 1798.146.
(d) “Direct relationship” means that a consumer has intentionally interacted with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business’s products or services.
(1) A “direct relationship” requires a consumer to intend to interact with the business.

(2)A business does not have a “direct relationship” with a consumer because it collects personal information directly from the consumer.

(2) A consumer does not have a “direct relationship” with a business if the purpose of their engagement is to exercise any right described under Section 1798, or for the business to verify the consumer’s identity.
(3) A business does not have a “direct relationship” with a consumer as to personal information it sells about the consumer that it collected outside of a first-party interaction with the consumer.
(e) “First party” means a consumer-facing business with which the consumer intends and expects to interact.

SEC. 2.

 Section 1798.99.82 of the Civil Code is amended to read:

1798.99.82.
 (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.
(b) In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:
(1) Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84 and the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86. Registration fees shall be deposited in the Data Brokers’ Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.
(2) Provide the following information:
(A) The name of the data broker and its primary physical, email, and internet website addresses.
(B) The metrics compiled pursuant to paragraphs (1) and (2) of subdivision (a) of Section 1798.99.85.
(C) Whether the data broker collects the personal information of minors and whether the data broker sells inferences about the attributes of the consumer based on their analysis of the personal information of minors.
(D) Whether the data broker collects consumers’ names, dates of birth, ZIP Codes, email addresses, or telephone phone numbers.
(E) Whether the data broker collects consumers’ account login or account number in combination with any required security code, access code, or password that would permit access to a consumer’s account with a third party.
(F) Whether the data broker collects consumers’ drivers’ license number, California identification card number, tax identification number, social security number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
(G) Whether the data broker collects consumers’ mobile advertising identification numbers, connected television identification numbers, or vehicle identification numbers (VIN).
(H) Whether the data broker collects consumers’ citizenship data and whether the data broker sells inferences about the attributes of the consumer based on their analysis of the consumer’s citizenship data, including immigration status.
(I) Whether the data broker collects consumers’ union membership status and whether the data broker sells inferences about the attributes of the consumer based on their analysis of the consumer’s union membership.
(J) Whether the data broker collects consumers’ sexual orientation status and whether the data broker sells inferences about the attributes of the consumer based on their analysis of the consumer’s sexual orientation.
(K) Whether the data broker collects consumers’ gender identity and gender expression data and whether the data broker sells inferences about the attributes of the consumer based on their analysis of the consumer’s gender identity and gender expression.
(L) Whether the data broker collects consumers’ biometric data.
(M) Whether the data broker collects consumers’ precise geolocation.
(N) Whether the data broker collects consumers’ reproductive health care data and whether the data broker sells inferences about the attributes of the consumer based on their analysis of the consumer’s reproductive health care data.
(O) Whether the data broker has shared or sold consumers’ data to a foreign actor in the past year.
(P) Whether the data broker has shared or sold consumers’ data to the federal government in the past year.
(Q) Whether the data broker has shared or sold consumers’ data to other state governments in the past year.
(R) Whether the data broker has shared or sold consumers’ data to law enforcement in the past year, unless that data was shared pursuant to a subpoena or court order.
(S) Whether the data broker has shared or sold consumers’ data to a developer of a GenAI system or model in the past year.
(T) Up to three, but no fewer than one, of the most common types of personal information that the data broker collects, if the data broker does not collect the information described in subparagraphs (D) and (G).
(U) Beginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency.
(V) A link to a page on the data broker’s internet website that does both of the following:
(i) Details how consumers may exercise their privacy rights by doing all of the following:
(I) Deleting personal information, as described in Section 1798.105.
(II) Correcting inaccurate personal information, as described in Section 1798.106.
(III) Learning what personal information is being collected and how to access that personal information, as described in Section 1798.110.
(IV) Learning what personal information is being sold or shared and to whom, as described in Section 1798.115.
(V) Learning how to opt out of the sale or sharing of personal information, as described in Section 1798.120.
(VI) Learning how to limit the use and disclosure of sensitive personal information, as described in Section 1798.121.
(ii) Does not make use of any dark patterns.
(W) Whether and to what extent the data broker or any of its subsidiaries is regulated by any of the following:
(i) The federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(ii) The Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.
(iii) The Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).
(iv) The Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).
(X) Any additional information or explanation the data broker chooses to provide concerning its data collection practices.
(c) A data broker that fails to register as required by this section is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:
(1) An administrative fine of two hundred dollars ($200) for each day the data broker fails to register as required by this section.
(2) An amount equal to the fees that were due during the period it failed to register.
(3) Reasonable expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action.
(d) A data broker required to register under this title that fails to comply with the requirements of Section 1798.99.86 is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:
(1) An administrative fine of two hundred dollars ($200) for each deletion request for each day the data broker fails to delete information as required by Section 1798.99.86.
(2) Reasonable expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action.
(e) Any penalties, fines, fees, and expenses recovered in an action prosecuted under subdivision (c) or (d) shall be deposited in the Data Brokers’ Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, with the intent that they be used to fully offset costs incurred by the state courts and the California Privacy Protection Agency in connection with this title.
(f) For purposes of this section, the following definitions apply:
(1) (A) “Foreign actor” means either of the following:
(i) The government of a foreign adversary country.
(ii) A partnership, association, corporation, organization, or other combination of persons organized under the laws of or having its principal place of business in a foreign adversary country.
(B) For purposes of subparagraph (A), “foreign adversary country” has the same meaning as “covered nation” as defined in Section 4872 of Title 10 of the United States Code.
(2) “Developer of a GenAI system” means a business, person, partnership, corporation, or other entity that designs, codes, produces, or substantially modifies a GenAI system.
(3) “Generative artificial intelligence system” or “GenAI system” means an artificial intelligence that can generate derived synthetic content, including text, images, video, and audio, that emulates the structure and characteristics of the system’s training data.

SEC. 3.Section 1798.99.86 of the Civil Code is amended to read:1798.99.86.

(a)By January 1, 2026, the California Privacy Protection Agency shall establish an accessible deletion mechanism that does all of the following:

(1)Implements and maintains reasonable security procedures and practices, including, but not limited to, administrative, physical, and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used and to protect consumers’ personal information from unauthorized use, disclosure, access, destruction, or modification.

(2)Allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.

(3)Allows a consumer to selectively exclude specific data brokers from a request made under paragraph (2).

(4)Allows a consumer to make a request to alter a previous request made under this subdivision after at least 45 days have passed since the consumer last made a request under this subdivision.

(b)The accessible deletion mechanism established pursuant to subdivision (a) shall meet all of the following requirements:

(1)The accessible deletion mechanism shall allow a consumer to request the deletion of all personal information related to that consumer through a single deletion request.

(2)The accessible deletion mechanism shall permit a consumer to securely submit information in one or more privacy-protecting ways determined by the California Privacy Protection Agency to aid in the deletion request.

(3)The accessible deletion mechanism shall allow data brokers registered with the California Privacy Protection Agency to determine whether an individual has submitted a verifiable consumer request to delete the personal information related to that consumer as described in paragraph (1) and shall not allow the disclosure of any additional personal information when the data broker accesses the accessible deletion mechanism unless otherwise specified in this title.

(4)The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) using an internet service operated by the California Privacy Protection Agency.

(5)The accessible deletion mechanism shall not charge a consumer to make a request described in paragraph (1).

(6)The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) in any language spoken by any consumer for whom personal information has been collected by data brokers.

(7)The accessible deletion mechanism shall be readily accessible and usable by consumers with disabilities.

(8)The accessible deletion mechanism shall support the ability of a consumer’s authorized agents to aid in the deletion request.

(9)The accessible deletion mechanism shall allow the consumer, or their authorized agent, to verify the status of the consumer’s deletion request.

(10)The accessible deletion mechanism shall provide a description of all of the following:

(A)The deletion permitted by this section, including, but not limited to, the actions required by subdivisions (c) and (d).

(B)The process for submitting a deletion request pursuant to this section.

(C)Examples of the types of information that may be deleted.

(11)A privacy preference profile tool as described in Section 1798.99.87.1.

(c)(1)Beginning August 1, 2026, a data broker shall access the accessible deletion mechanism established pursuant to subdivision (a) at least once every 45 days and do all of the following:

(A)Within 45 days after receiving a request made pursuant to this section, process all deletion requests made pursuant to this section and delete all personal information related to the consumers making the requests consistent with the requirements of this section.

(B)In cases where a data broker denies a consumer request to delete under this title because the request cannot be verified, process the request as an opt-out of the sale or sharing of the consumer’s personal information, as provided for under Section 1798.120 and limited by Sections 1798.105, 1798.145, and 1798.146, within 45 days of receiving the request.

(C)Direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the consumers making the requests described in subparagraph (A).

(D)Direct all service providers or contractors associated with the data broker to process a request described by subparagraph (B) as an opt-out of the sale or sharing of the consumer’s personal information, as provided for under Section 1798.120 and limited by Sections 1798.105, 1798.145, and 1798.146.

(2)Notwithstanding paragraph (1), a data broker shall not be required to delete a consumer’s personal information if either of the following apply:

(A)It is reasonably necessary for the data broker to maintain the personal information to fulfill a purpose described in subdivision (d) of Section 1798.105.

(B)The deletion is not required pursuant to Section 1798.145 or 1798.146.

(3)Personal information described in paragraph (2) shall only be used for the purposes described in paragraph (2) and shall not be used or disclosed for any other purpose, including, but not limited to, marketing purposes.

(d)(1)Beginning August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to this section, the data broker shall delete all personal information of the consumer at least once every 45 days pursuant to this section unless the consumer requests otherwise or the deletion is not required pursuant to paragraph (2) of subdivision (c).

(2)Beginning August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to this section, the data broker shall not sell or share new personal information of the consumer unless the consumer requests otherwise or selling or sharing the personal information is permitted under Section 1798.145 or 1798.146.

(e)(1)Beginning January 1, 2028, and every three years thereafter, a data broker shall undergo an audit by an independent third party to determine compliance with this section.

(2)For an audit completed pursuant to paragraph (1), the data broker shall submit a report resulting from the audit and any related materials to the California Privacy Protection Agency within five business days of a written request from the California Privacy Protection Agency.

(3)A data broker shall maintain the report and materials described in paragraph (2) for at least six years.

(f)(1)The California Privacy Protection Agency may charge an access fee to a data broker when the data broker accesses the accessible deletion mechanism pursuant to subdivision (c) that does not exceed the reasonable costs of providing that access.

(2)A fee collected by the California Privacy Protection Agency pursuant to paragraph (1) shall be deposited in the Data Brokers’ Registry Fund.

SEC. 4.Section 1798.99.87.1 is added to the Civil Code, to read:1798.99.87.1.

(a)The privacy preference profile tool established under this section shall enable a consumer to do both of the following:

(1)Define and store a privacy preference profile expressing the consumer’s preferences regarding data broker data collection and use practices.

(2)Use the profile to identify registered data brokers whose disclosed practices are consistent with the consumer’s preferences so that a consumer may make an informed decision as to whether to exclude those data brokers from a deletion request.

(b)In designing the tool, the agency shall consider input modalities that optimize comprehensibility and alignment with consumer intent and minimize cognitive load, including a natural language input or a structured schematic interface.

(c)The tool shall evaluate each registered data broker’s most recent annual registration disclosures under Section 1798.99.82 against the consumer’s preference profile and shall categorize each data broker as one of the following:

(1)“Consistent,” if the data broker’s disclosed practices are compatible with the consumer’s stated preferences across all profile dimensions the consumer has specified.

(2)“Inconsistent,” if the data broker’s disclosed practices conflict with the consumer’s stated preferences on one or more dimensions.

(3)“Indeterminate,” if the data broker’s registration is silent, ambiguous, or incomplete with respect to a profile dimension that is material to the consumer’s preferences. The tool shall display the specific gap in disclosure that produced this categorization.

(d)(1)In the absence of a consumer instruction to the contrary, a data broker categorized as indeterminate shall be treated as inconsistent for purposes of the accessible deletion mechanism exclusion. The tool shall permit the consumer to override this default for individual data brokers.

(2)The tool shall display the list of registered data brokers categorized under subdivision (c) prior to the consumer’s submission of a deletion request through the accessible deletion mechanism described in Section 1798.99.86.

(3)The consumer may, with explicit confirmation for each data broker or for all data brokers categorized as consistent collectively, elect to exclude any data broker categorized as consistent from a pending deletion request. An exclusion under this subdivision shall have the same legal effect as a selective exclusion under subdivision (a) of Section 1798.99.86.

(4)The tool shall clearly inform the consumer, prior to any exclusion, of all of the following:

(A)That exclusion means the data broker will not be directed to delete the consumer’s personal information.

(B)That the categorization is based solely on the data broker’s self-reported registration disclosures and not on independently verified practices.

(C)That the consumer may at any time resubmit a request that includes previously excluded data brokers.

(5)Exclusion of a data broker from a deletion request pursuant to this section does not constitute consent by the consumer to the data broker’s data practices and does not limit any right the consumer may exercise under the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100)) or any other state law.

(e)(1)The agency shall store a consumer’s preference profile in association with the consumer’s account for the accessible deletion mechanism described in Section 1798.99.86. The consumer may modify or delete the stored profile at any time.

(2)A stored preference profile shall be applied automatically to generate a prepopulated exclusion list when the consumer initiates a future deletion request through the accessible deletion mechanism. The consumer shall have the opportunity to review and adjust the resulting categorizations before submission.

(3)The tool shall notify the consumer when a data broker previously categorized as consistent has filed an amended registration that materially changes its disclosed practices and shall prompt the consumer to review the updated categorization before the next deletion request cycle.

(f)(1)This section does not impose obligations on registered data brokers beyond those applicable under Section 1798.99.82. The tool shall operate exclusively on the basis of information data brokers are already required to disclose.

(2)Notwithstanding paragraph (1), a data broker whose registration is found by the agency to be systematically incomplete with respect to information material to the privacy preference profile tool described in this section may be subject to enforcement under Section 1798.99.84 for failure to make the disclosures required under Section 1798.99.82.

SEC. 5.Section 1798.130 of the Civil Code is amended to read:1798.130.

Notice, Disclosure, Correction, and Deletion Requirements

(a)In order to comply with Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, and 1798.125, a business shall, in a form that is reasonably accessible to consumers:

(1)(A)Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, or requests for deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively, including, at a minimum, a toll-free telephone number and an email address. A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, or for requests for deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively.

(B)If the business maintains an internet website, make the internet website available to consumers to submit requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, or requests for deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively.

(2)(A)Disclose and deliver the required information to a consumer free of charge, correct inaccurate personal information, or delete a consumer’s personal information, based on the consumer’s request, within 45 days of receiving a verifiable consumer request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable consumer request, but this shall not extend the business’ duty to disclose and deliver the information, to correct inaccurate personal information, or to delete personal information within 45 days of receipt of the consumer’s request. The time period to provide the required information, to correct inaccurate personal information, or to delete personal information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period. The disclosure of the required information shall be made in writing and delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance. The business may require authentication of the consumer that is reasonable in light of the nature of the personal information requested, but shall not require the consumer to create an account with the business in order to make a verifiable consumer request provided that if the consumer, has an account with the business, the business may require the consumer to use that account to submit a verifiable consumer request.

(B)The disclosure of the required information shall cover the 12-month period preceding the business’ receipt of the verifiable consumer request provided that, upon the adoption of a regulation pursuant to paragraph (8) of subdivision (a) of Section 1798.185, a consumer may request that the business disclose the required information beyond the 12-month period, and the business shall be required to provide that information unless doing so proves impossible or would involve a disproportionate effort. A consumer’s right to request required information beyond the 12-month period, and a business’ obligation to provide that information, shall only apply to personal information collected on or after January 1, 2022. Nothing in this subparagraph shall require a business to keep personal information for any length of time.

(3)(A)A business that receives a verifiable consumer request pursuant to Section 1798.110 or 1798.115 shall disclose any personal information it has collected about a consumer, directly or indirectly, including through or by a service provider or contractor, to the consumer. A service provider or contractor shall not be required to comply with a verifiable consumer request received directly from a consumer or a consumer’s authorized agent, pursuant to Section 1798.110 or 1798.115, to the extent that the service provider or contractor has collected personal information about the consumer in its role as a service provider or contractor. A service provider or contractor shall provide assistance to a business with which it has a contractual relationship with respect to the business’ response to a verifiable consumer request, including, but not limited to, by providing to the business the consumer’s personal information in the service provider or contractor’s possession, which the service provider or contractor obtained as a result of providing services to the business, and by correcting inaccurate information or by enabling the business to do the same. A service provider or contractor that collects personal information pursuant to a written contract with a business shall be required to assist the business through appropriate technical and organizational measures in complying with the requirements of subdivisions (d) to (f), inclusive, of Section 1798.100, taking into account the nature of the processing.

(B)For purposes of subdivision (b) of Section 1798.110:

(i)To identify the consumer, associate the information provided by the consumer in the verifiable consumer request to any personal information previously collected by the business about the consumer.

(ii)Identify by category or categories the personal information collected about the consumer for the applicable period of time by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information collected; the categories of sources from which the consumer’s personal information was collected; the business or commercial purpose for collecting, selling, or sharing the consumer’s personal information; and the categories of third parties to whom the business discloses the consumer’s personal information.

(iii)Provide the specific pieces of personal information obtained from the consumer in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format that may also be transmitted to another entity at the consumer’s request without hindrance. “Specific pieces of information” do not include data generated to help ensure security and integrity or as prescribed by regulation. Personal information is not considered to have been disclosed by a business when a consumer instructs a business to transfer the consumer’s personal information from one business to another in the context of switching services.

(4)For purposes of subdivision (b) of Section 1798.115:

(A)Identify the consumer and associate the information provided by the consumer in the verifiable consumer request to any personal information previously collected by the business about the consumer.

(B)Identify by category or categories the personal information of the consumer that the business sold or shared during the applicable period of time by reference to the enumerated category in subdivision (c) that most closely describes the personal information, and provide the categories of third parties to whom the consumer’s personal information was sold or shared during the applicable period of time by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information sold or shared. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (C).

(C)Identify by category or categories the personal information of the consumer that the business disclosed for a business purpose during the applicable period of time by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information, and provide the categories of persons to whom the consumer’s personal information was disclosed for a business purpose during the applicable period of time by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information disclosed. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (B).

(5)Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers’ privacy rights, or if the business does not maintain those policies, on its internet website, and update that information at least once every 12 months:

(A)A description of a consumer’s rights pursuant to Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, and 1798.125 and two or more designated methods for submitting requests, except as provided in subparagraph (A) of paragraph (1) of subdivision (a).

(B)For purposes of subdivision (c) of Section 1798.110:

(i)A list of the categories of personal information it has collected about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information collected.

(ii)The categories of sources from which consumers’ personal information is collected.

(iii)The business or commercial purpose for collecting, selling, or sharing consumers’ personal information.

(iv)The categories of third parties to whom the business discloses consumers’ personal information.

(C)For purposes of paragraphs (1) and (2) of subdivision (c) of Section 1798.115, two separate lists:

(i)A list of the categories of personal information it has sold or shared about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information sold or shared, or if the business has not sold or shared consumers’ personal information in the preceding 12 months, the business shall prominently disclose that fact in its privacy policy.

(ii)A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely describes the personal information disclosed, or if the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business shall disclose that fact.

(6)Ensure that all individuals responsible for handling consumer inquiries about the business’ privacy practices or the business’ compliance with this title are informed of all requirements in Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.125, and this section, and how to direct consumers to exercise their rights under those sections.

(7)Use any personal information collected from the consumer in connection with the business’ verification of the consumer’s request solely for the purposes of verification and shall not further disclose the personal information, retain it longer than necessary for purposes of verification, or use it for unrelated purposes.

(b)A business is not obligated to provide the information required by Sections 1798.110 and 1798.115 to the same consumer more than twice in a 12-month period.

(c)The categories of personal information required to be disclosed pursuant to Sections 1798.100, 1798.110, and 1798.115 shall follow the definitions of personal information and sensitive personal information in Section 1798.140 by describing the categories of personal information using the specific terms set forth in subparagraphs (A) to (K), inclusive, of paragraph (1) of subdivision (v) of Section 1798.140 and by describing the categories of sensitive personal information using the specific terms set forth in subparagraphs (A) to (F), inclusive, of paragraph (1), and subparagraphs (A) to (C), inclusive, of paragraph (2), of subdivision (ae) of Section 1798.140.

SEC. 3.

 Section 12815.5 is added to the Government Code, to read:

12815.5.
 (a) The Office of Data and Innovation shall establish a privacy preference profile tool that shall enable a consumer to do both of the following:
(1) Define and store a privacy preference profile expressing the consumer’s preferences regarding data collection and use practices.
(2) Use the profile to identify relevant privacy and data management practices and policies that are consistent with the consumer’s preferences so that a consumer may make informed decisions with regard to their personal information.
(b) The tool shall be capable of evaluating relevant privacy and data management practices and policies against the consumer’s preference profile.
(c) The Office of Data and Innovation shall design the tool using input modalities that optimize comprehensibility and alignment with consumer intent and minimize cognitive load, including a natural language input or a structured schematic interface.
(d) The Office of Data and Innovation shall make the privacy preference profile tool available to other state agencies, including the California Privacy Protection Agency.

SEC. 6.SEC. 4.

 The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.
Back to Tracker