# CCPA/CPRA framework — No affirmative lawful-basis requirement
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA, Proposition 24, effective January 1, 2023), does not impose a GDPR-style "lawful basis" gatekeeping requirement before a business may process personal information. Unlike the European Union's General Data Protection Regulation (GDPR), which requires a controller to identify one of six lawful bases (consent, contract, legal obligation, vital interests, public task, or legitimate interests) under Art. 6(1) GDPR before any processing may begin, the CCPA/CPRA operates on a default-permission model with mandatory transparency, consumer rights, and proportionality constraints.
Under Cal. Civ. Code § 1798.100(a), a business that controls the collection of a consumer's personal information must provide notice at or before the point of collection, disclosing the categories of personal information to be collected, the purposes for which they will be used, and whether the information will be sold or shared. The statute does not require the business to demonstrate a legal justification or "basis" for the initial collection itself. Instead, the law creates a presumption that businesses may collect and process personal information, subject to three core statutory disciplines:
1. Notice and purpose limitation (§ 1798.100(a)–(c)). The business must inform consumers of the categories and purposes at or before collection. Section 1798.100(c) requires that collection, use, retention, and sharing be "reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected." This proportionality standard is the CCPA's functional substitute for legitimate interests balancing, but it does not require advance legal justification—only disclosed purpose and contextual compatibility.
2. Consumer rights framework (§§ 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121). Consumers hold enumerated rights to access, delete, correct, and opt out of the sale or sharing of their personal information. For sensitive personal information (defined in § 1798.140(ae), including SSN, financial account credentials, precise geolocation, racial or ethnic origin, health data, and sex life), consumers have a statutory right under § 1798.121 to limit use and disclosure to purposes necessary to perform the services requested or certain enumerated permitted uses (fraud prevention, security, compliance, transient use, etc.). These rights operate post-collection as ongoing governance obligations, not as preconditions to lawful processing.
3. Prohibition on unlawful discrimination and dark patterns (§§ 1798.125, 1798.140(l), CPPA regulations § 7004). A business may not discriminate against a consumer for exercising CCPA rights (though financial incentives tied to the value of the consumer's data are permissible if properly disclosed). The CPPA's regulations prohibit "dark patterns"—user-interface designs that substantially subvert or impair consumer autonomy, decision-making, or choice.
The CCPA/CPRA does contain a consent requirement in one narrow context: the sale or sharing of personal information of consumers under 16 years of age requires opt-in consent (§ 1798.120(c)–(d)). For consumers age 13–15, the consumer must affirmatively authorize the sale or sharing; for consumers under age 13, a parent or guardian must authorize. All other processing—including sensitive personal information processing for adults—does not require consent as a precondition, though consumers retain the right to opt out or limit use after the fact.
Supervisory authority. The California Privacy Protection Agency (CPPA), established by Proposition 24 in 2020, has "full administrative power, authority, and jurisdiction to implement and enforce" the CCPA (§ 1798.199.10). The CPPA has adopted comprehensive regulations codified at Title 11, Division 6 of the California Code of Regulations, effective March 29, 2023, with additional cybersecurity audit, risk assessment, and automated decision-making technology (ADMT) regulations effective January 1, 2026. Prior to the CPPA's establishment, the California Attorney General enforced the CCPA; both the CPPA and the Attorney General retain concurrent enforcement authority.
Practical implications. For a privacy professional or in-house counsel accustomed to GDPR compliance, the CCPA's absence of a lawful-basis requirement means:
- No need to perform a "legal-basis assessment" before launching a new data collection.
- No formal legitimate-interests balancing test (though the proportionality and compatibility standard in § 1798.100(c) performs a similar function).
- No requirement to obtain consent for routine business processing (employment, payroll, customer relationship management, analytics), except for selling or sharing data of minors under 16.
- Heavy emphasis on transparency at collection (the § 1798.100(a) notice) and ongoing consumer-rights responsiveness (45-day deadline to respond to access/deletion/correction requests under § 1798.130(a)(2)).
The CCPA/CPRA's "lawful bases" inquiry, insofar as it exists, reduces to two questions: (1) Did you disclose the purpose at or before collection? (2) Is the current use reasonably necessary, proportionate, and compatible with that disclosed purpose? If yes to both, the processing is presumptively lawful, subject to consumer exercise of their statutory rights.
Sources:
- Cal. Civ. Code §§ 1798.100–1798.199.100
- CPPA Regulations, Title 11 Cal. Code Regs. § 7000 et seq.
- CPPA homepage
# Opt-in consent for minors under 16 — Sale or sharing prohibition under § 1798.120(c)
California Civil Code § 1798.120(c), as enacted by the CCPA and amended by the CPRA, creates the only affirmative consent requirement in California privacy law: a business shall not sell or share the personal information of consumers under 16 years of age unless it obtains opt-in consent before the sale or sharing occurs. This is the sole context in the CCPA/CPRA where processing personal information without advance authorization is categorically prohibited. All other processing remains permissible under the default-permission model described in the framework section, subject to transparency, proportionality, and consumer-rights obligations.
The two-tier consent structure. Section 1798.120(c) distinguishes between consumers 13 through 15 years of age and consumers under 13 years of age:
- Ages 13–15: The consumer must affirmatively authorize the sale or sharing. The statute permits the teenager to provide their own consent; parental or guardian authorization is not required.
- Under age 13: The consumer's parent or guardian must affirmatively authorize the sale or sharing. The child's own consent is not sufficient.
The CPRA broadened the prohibition beyond "sale" (defined in § 1798.140(ad) to mean selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer's personal information by the business to a third party for monetary or other valuable consideration) to also encompass "sharing" (defined in § 1798.140(ah) as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration). As a result, both direct monetization and ad-tech sharing for cross-contextual targeting of minors under 16 require opt-in consent as of January 1, 2023.
"Actual knowledge" and the willful-disregard standard. The prohibition applies only when the business has actual knowledge that the consumer is less than 16 years of age. Section 1798.120(c) immediately qualifies this standard: "A business that willfully disregards the consumer's age shall be deemed to have had actual knowledge of the consumer's age." This anti-avoidance rule prevents a business from turning a blind eye to age signals. In enforcement proceedings, the California Privacy Protection Agency (CPPA) or the California Attorney General may prove "actual knowledge" either by direct evidence (the business collected date-of-birth data, received a parent's request, processed an opt-in for a minor) or by showing that the business consciously avoided learning the consumer's age despite contextual indicators (a children's game app, a school-focused service, receipt of Global Privacy Control or age-disclosure signals).
Verification obligations and CPPA regulations. The CPPA's regulations, codified at Title 11, Division 6 of the California Code of Regulations, require a business that has actual knowledge it sells or shares personal information of consumers under 13 to establish, document, and comply with a reasonable method for determining that the person providing consent is the parent or guardian of that child (Cal. Code Regs. tit. 11, § 7070, formerly § 999.330). For consumers ages 13–15, the business must establish a reasonable process for allowing the consumer to opt in directly (§ 7071, formerly § 999.331). The regulations specify that the affirmative authorization is in addition to any verifiable parental consent requirement under the federal Children's Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501 et seq.), which applies to operators of websites or online services directed to children under 13 or that have actual knowledge of collecting personal information from children under 13. COPPA requires verifiable parental consent before collection, whereas § 1798.120(c) requires consent before sale or sharing. A business subject to both regimes must satisfy both consent obligations.
Procedural discipline — the 12-month re-solicitation bar. Section 1798.135(c)(5) prohibits a business from re-requesting consent for at least 12 months after a consumer under 16 (or their parent or guardian) declines to provide opt-in consent to the sale or sharing of that minor's personal information. This mirrors the general 12-month bar on re-soliciting opt-in consent from adult consumers who opted out (§ 1798.135(c)(4)). The business must wait a full year, or until the consumer turns 16 years of age (whichever occurs first), before presenting another opt-in request. CPPA regulations adopted January 1, 2026 may further specify when re-solicitation is permissible "as authorized by regulations."
Heightened penalty tier for minors. Violations involving the personal information of consumers whom the business has actual knowledge are under 16 carry an elevated administrative penalty: up to $7,500 per violation (Cal. Civ. Code § 1798.155(b)), compared to the general $2,500 cap for non-intentional violations. This penalty tier applies to any CCPA violation involving minors under 16, not only consent failures. The CPRA removed the requirement that the violation be "intentional" to trigger the $7,500 cap when minors are involved; the heightened penalty now applies to both intentional and non-intentional violations affecting children under 16 (as amended by Proposition 24, effective January 1, 2023).
Interaction with the right to limit use of sensitive personal information. The CCPA does not categorically define personal information of minors as "sensitive personal information" (Cal. Civ. Code § 1798.140(ae) lists 11 enumerated categories, none of which is "minor status"). Therefore, the § 1798.121 right to limit use and disclosure of sensitive personal information and the § 1798.120(c) opt-in consent requirement operate independently. A business that collects, for example, precise geolocation (a § 1798.140(ae) sensitive category) from a 15-year-old must (1) comply with the § 1798.121 limitation framework (use only for enumerated purposes unless the consumer consents to broader use) and (2) obtain the 15-year-old's affirmative authorization before selling or sharing that geolocation data.
Enforcement and supervisory authority. The CPPA has "full administrative power, authority, and jurisdiction to implement and enforce" the CCPA (§ 1798.199.10), including the minor-consent provisions. The California Attorney General retains concurrent enforcement authority (§ 1798.199.90). There is no private right of action for CCPA violations other than data-breach claims under § 1798.150. Violations of § 1798.120(c) are enforceable solely by the CPPA and the Attorney General through administrative proceedings and civil actions seeking injunctive relief, actual damages, and administrative penalties.
Cross-reference to COPPA. Businesses subject to both CCPA and COPPA should note that COPPA's reach is broader (it regulates collection of personal information from children under 13, not only sale or sharing) and its verification standards for parental consent are detailed in 16 C.F.R. § 312.5. A COPPA-compliant consent mechanism (government-issued ID check, credit-card transaction, video conference, etc.) will typically also satisfy the CPPA's "reasonable method" standard for verifying parental or guardian identity, but businesses must ensure the consent covers both COPPA's collection permission and CCPA's sale/sharing permission where both statutes apply.
Sources:
- Cal. Civ. Code § 1798.120
- Cal. Civ. Code § 1798.135
- Cal. Civ. Code § 1798.140
- Cal. Civ. Code § 1798.155
- CPPA Regulations, Title 11 Cal. Code Regs. §§ 7070–7071
# Proportionality requirement — "Reasonably necessary and proportionate" under § 1798.100(c)
California Civil Code § 1798.100(c), added by the CPRA and operative January 1, 2023, creates the data minimization and proportionality discipline that functions as the CCPA's closest analog to GDPR's legitimate-interests balancing test. The statute provides: "A business' collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes."
This provision operates as an ongoing substantive constraint on processing after collection. Unlike GDPR Art. 6, it does not require a business to identify a legal basis before processing begins. Instead, it requires that every stage of the data lifecycle—collection, use, retention, and sharing—remain tethered to the disclosed purpose and pass a three-part test: (1) the purpose must align with consumer expectations or be compatible with the collection context; (2) the processing must be reasonably necessary to achieve that purpose; and (3) the processing must be proportionate, meaning the data collected and retained is the minimum necessary and the negative impact on the consumer is justified by the purpose.
CPPA regulation § 7002: the four-factor and three-factor frameworks. The California Privacy Protection Agency adopted comprehensive implementing regulations, codified at Title 11, California Code of Regulations, § 7002, effective March 29, 2023. Section 7002 breaks the statutory standard into two pathways:
1. Original disclosed purpose (§ 7002(a)(1) and (b)). Processing for the purpose disclosed at collection is permissible if that purpose is "consistent with the reasonable expectations of the consumer(s) whose personal information is collected or processed." Regulation § 7002(b) enumerates four factors for assessing consumer expectations:
- The relationship between the consumer(s) and the business, including the type and nature of the relationship (e.g., a one-time purchase vs. an ongoing subscription vs. an employment relationship).
- The type, amount, and nature of the personal information being collected or processed (e.g., name and email for a newsletter subscription vs. precise geolocation and biometric data).
- The consumer's understanding of how the personal information will be used, based on the business's notice at collection and any other communications.
- Any other relevant contextual factors, such as whether the consumer is a child, whether the information is sensitive personal information under § 1798.140(ae), or industry-specific norms.
2. Compatible disclosed purpose (§ 7002(a)(2) and (c)). Processing for "another disclosed purpose that is compatible with the context in which the personal information was collected" requires a three-part compatibility assessment:
- Consumer's reasonable expectations at the time of collection, based on the § 7002(b) factors.
- The nature of the new purpose, including whether it is one of the enumerated business purposes in § 1798.140(e)(1)–(8) (fraud prevention, security, debugging, transient use, internal research, quality control, legal compliance, certain advertising).
- The strength of the link between the original purpose and the new purpose. The regulation provides an example: if a consumer reasonably expects their personal information will be used to provide a requested service, a strong link exists to using that information to repair errors that impair the functionality of that service (debugging). By contrast, a weak link exists between providing a location-based service (finding nearby gas prices) and selling the consumer's geolocation data to data brokers for monetization—the latter is incompatible and requires consent under § 7002(e).
The "reasonably necessary and proportionate" floor (§ 7002(d)). Regardless of which pathway applies—original purpose or compatible purpose—the processing must satisfy the proportionality floor. Regulation § 7002(d) requires assessment of:
- The minimum personal information necessary to achieve the identified purpose. The regulation gives an illustrative example: to complete an online purchase and send an email confirmation, an online retailer may need the consumer's order information, payment and shipping information, and email address—but not the consumer's Social Security number, driver's license, or browsing history on unrelated websites.
- The possible negative impacts on consumers posed by the business's collection or processing. For example, collecting precise geolocation may reveal sensitive personal information about the consumer (health condition inferred from visits to medical facilities, religious affiliation inferred from worship-site visits, etc.), and that risk must be weighed against the purpose. If the purpose can be achieved with less precise location data (e.g., ZIP code instead of GPS coordinates), the business must use the less intrusive method.
Retention discipline. Section 1798.100(a)(3) requires the notice at collection to disclose "the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period." The statute adds: "A business shall not retain a consumer's personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose." This is a mandatory data-deletion obligation tied to purpose expiration. A business that collects an email address to send a one-time shipping notification must delete that email address once the notification has been sent and any reasonable dispute or return window has closed, unless the consumer has separately consented to marketing or the business has disclosed and justified a longer retention purpose (e.g., fraud prevention, legal compliance).
When consent is required — the incompatible-use gateway (§ 7002(e)). If a business wishes to process personal information for a purpose that is incompatible with the context in which it was collected—meaning it fails the § 7002(c) compatibility factors—the business must obtain the consumer's freely given, specific, informed, and unambiguous consent before processing. The CPPA's regulations prohibit bundling incompatible purposes with compatible ones as a condition of service. For example, a mobile app that provides a location-based service (finding nearby restaurants) may collect geolocation data for that compatible purpose without consent, but it may not require the consumer to consent to selling that geolocation to data brokers as a condition of using the restaurant-finder feature (§ 7004, subsection on choice architecture and dark patterns).
CPPA enforcement advisory on data minimization (Enforcement Advisory No. 2024-01, April 2024). The CPPA issued formal guidance emphasizing that the proportionality requirement applies not only to initial collection but also to verification and consumer-request workflows. When a business receives a consumer request to delete, opt out of sale/sharing, or access personal information, the business may not collect more personal information to verify the request than is reasonably necessary and proportionate given the sensitivity of the data at issue and the risk of harm from unauthorized access or deletion. The advisory provides two scenarios:
- Opt-out of sale/sharing request. If the business sells or shares only online activity data in the context of cross-context behavioral advertising, and the consumer submits an opt-out request via a Global Privacy Control (GPC) signal, the business may not demand the consumer's name, email, or government ID to process the opt-out. The GPC signal itself is sufficient, and demanding additional information violates the proportionality standard (11 Cal. Code Regs. § 7002(d)).
- Deletion request for low-sensitivity data. If the business holds only a consumer's name and email address (low-sensitivity data), and the consumer requests deletion of that data, the business generally may verify identity by sending a confirmation link to the email address on file. Demanding a government-issued ID or Social Security number to verify a deletion request for non-sensitive data is disproportionate and violates § 7002(d).
The advisory warns that businesses "should carefully review whether they are applying the data minimization principle in their collection, use, retention, and sharing of consumers' personal information," and that the CPPA will enforce the proportionality requirement both in response to consumer complaints and through proactive audits.
Practical implications for privacy professionals. The § 1798.100(c) proportionality requirement imposes three ongoing compliance obligations:
- Purpose inventory and linkage discipline. Document the disclosed purpose for every category of personal information collected. Map every use, retention period, and sharing arrangement to a disclosed purpose. Identify any secondary uses and conduct the § 7002(c) compatibility assessment in writing, documenting the link strength.
- Data minimization at every stage. Before collecting a new data element, ask: Is this the minimum information necessary to achieve the disclosed purpose? Could we use a less intrusive proxy (ZIP code instead of GPS coordinates, age range instead of date of birth, hashed identifier instead of email)? Avoid "collect now, figure out the use case later" practices—the statute prohibits hoarding data for speculative future purposes.
- Retention schedules tied to purpose expiration. Implement automated or manual deletion triggers keyed to the disclosed purpose. If you collected payment information to process a transaction, delete it once the transaction is complete, the chargeback window has closed, and any legal-hold or fraud-prevention retention period has expired. Blanket multi-year retention policies ("we keep everything for seven years") are incompatible with the proportionality standard unless the business can justify each category's retention period by reference to a specific disclosed purpose and regulatory or contractual obligation.
The CPPA has signaled that proportionality violations will be a priority enforcement area. Unlike the GDPR's legitimate-interests balancing test, which requires a documented assessment before processing begins, the CCPA's proportionality standard is enforced retrospectively through investigations, complaints, and audits. A business that cannot demonstrate, when challenged, that its processing was reasonably necessary and proportionate to the disclosed purpose faces administrative penalties of up to $2,500 per violation (or $7,500 per violation if the personal information is from a consumer the business has actual knowledge is under 16 years of age), injunctive relief, and mandatory corrective action including deletion of improperly retained data.
Sources:
- Cal. Civ. Code § 1798.100
- Cal. Code Regs. tit. 11, § 7002
- CPPA Enforcement Advisory No. 2024-01 (Data Minimization)
# Sensitive personal information — Consumer right to limit use and disclosure under § 1798.121
California Civil Code § 1798.121, operative January 1, 2023, creates a consumer-initiated restriction on the use and disclosure of sensitive personal information (SPI). Unlike GDPR Art. 9, which requires a legal basis before processing special-category data, the CCPA does not prohibit businesses from collecting or using SPI without advance authorization. Instead, § 1798.121 grants consumers the right, at any time, to direct a business that collects SPI to limit its use and disclosure to a narrow set of enumerated purposes. A business that receives such a direction must honor it prospectively, restricting SPI processing to the permitted uses unless and until the consumer subsequently provides consent for broader processing.
This is the CCPA's substitute for GDPR's special-category consent requirement: a default-permission model with an opt-down consumer right rather than an opt-in legal-basis gate.
## The eleven categories of sensitive personal information — § 1798.140(ae)
Sensitive personal information is defined in Cal. Civ. Code § 1798.140(ae) as personal information that reveals any of the following:
- Social Security number, driver's license, state identification card, or passport number.
- Financial account credentials (account log-in, financial account number, debit or credit card number) in combination with any required security or access code, password, or credentials allowing access to an account.
- Precise geolocation (within a radius of 1,850 feet).
- Racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership.
- Contents of a consumer's mail, email, and text messages (unless the business is the intended recipient of the communication).
- Genetic data.
- Biometric information for the purpose of uniquely identifying a consumer (as defined in § 1798.140(c): physiological, biological, or behavioral characteristics including DNA, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information).
- Health information (information identifying an individual relating to the individual's physical or mental health, including medical history, diagnosis, treatment, or prognosis).
- Sex life or sexual orientation.
- Personal information collected and analyzed concerning a consumer's health (overlapping with category 8 but broader, including inferred health conditions).
- Personal information collected and analyzed concerning a consumer's sex life or sexual orientation (again, overlapping with category 9 but including inferred attributes).
Neural data was added to this list effective January 1, 2025, by Senate Bill 1223 (2023–2024). Cal. Civ. Code § 1798.140(ae) now includes as SPI: information generated by measuring the activity of a consumer's central or peripheral nervous system, and that is not inferred from nonneural information. This extends CCPA's SPI regime to brain-computer interfaces, neurotechnology devices, and any business processing electroencephalography (EEG), functional MRI, or other direct neural data.
The definition is inclusive of inferences: if a business processes data from which one of these 11 categories can be revealed, the data is SPI. For example, GPS coordinates (category 3), an email message discussing a medical diagnosis (category 5), or a facial-recognition template (category 7) are all SPI regardless of whether the business actively draws the inference—the statutory test is whether the data reveals the enumerated category.
## The right to limit — § 1798.121(a) and the permitted-use framework
Section 1798.121(a) provides: "A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer's sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services," plus certain enumerated "business purposes" under § 1798.140(e) and any additional purposes authorized by CPPA regulation.
Once a consumer exercises the right to limit, the business may use or disclose the consumer's SPI only for:
1. Performing services or providing goods reasonably expected by an average consumer. This is a contextual expectation standard. If a consumer creates an account on a health-and-wellness app and provides health data (SPI category 8) to receive personalized exercise recommendations, the business may use that health data to generate the recommendations—that is the service the consumer reasonably expects. The business may not use that health data to build a medical-underwriting profile and sell it to insurance data brokers, because an average consumer does not reasonably expect a fitness app to monetize their health data for third-party insurance purposes.
2. Enumerated "business purposes" under § 1798.140(e)(2), (4), (5), and (8):
- § 1798.140(e)(2): Detecting security incidents; protecting against malicious, deceptive, fraudulent, or illegal activity; and prosecuting those responsible for that activity.
- § 1798.140(e)(4): Debugging to identify and repair errors that impair existing intended functionality.
- § 1798.140(e)(5): Short-term, transient use (processing confined to the consumer's current interaction with the business, provided the personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer's experience outside that interaction).
- § 1798.140(e)(8): Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device.
3. Any additional purposes authorized by CPPA regulations under § 1798.185(a)(18)(C). The CPPA adopted comprehensive regulations, codified at Title 11, California Code of Regulations, § 7027(l) (formerly § 999.305(d)), which consolidate the statutory permitted uses and clarify that businesses may use SPI for compliance with legal obligations and to provide the services or goods the consumer requested when those services or goods include disclosure of SPI to a service provider or contractor acting on behalf of the business (e.g., a business may disclose a consumer's financial account credentials—SPI category 2—to a payment processor to complete a transaction the consumer initiated).
The CPPA regulations do not expand the statutory list to include new discretionary purposes such as "legitimate business interests" or "research." Any use of SPI outside the § 1798.121(a) permitted-use framework after a consumer exercises the right to limit requires freely given, specific, informed, and unambiguous consent under Cal. Code Regs. tit. 11, § 7002(e).
## Notice and opt-out mechanism — § 1798.135(a)(2) and CPPA regulations § 7014
A business that uses or discloses a consumer's SPI for purposes other than those authorized by § 1798.121(a) must provide notice to consumers that they have the right to limit use and disclosure. Section 1798.135(a)(2) requires the business to post a clear and conspicuous link on its internet homepage, titled "Limit the Use of My Sensitive Personal Information," that enables a consumer (or a person authorized by the consumer) to exercise the right to limit.
The CPPA's regulations, effective March 29, 2023 (and subsequently amended January 1, 2026), prescribe detailed notice and user-interface requirements (Cal. Code Regs. tit. 11, §§ 7014, 7004):
- The "Limit the Use of My Sensitive Personal Information" link must appear in a form that is reasonably accessible to consumers—typically in the footer or header of the business's website, alongside or combined with the "Do Not Sell or Share My Personal Information" link.
- The link may immediately effectuate the consumer's right to limit (a "one-click" opt-out), or it may direct the consumer to a web page with a simple opt-out form. If the latter, the form must not require the consumer to create an account or provide additional information beyond what is reasonably necessary and proportionate to verify the request (§ 7004(c)(1)).
- A business may provide a combined opt-out link under § 7015, titled "Your Privacy Choices" or "Your California Privacy Choices," that enables the consumer to exercise both the right to opt out of sale/sharing (§ 1798.120) and the right to limit SPI use (§ 1798.121) in one interface.
- The business must provide the notice in the same manner in which it collects the SPI. For example, if the business collects SPI via a mobile app, the notice must appear within the app; if via offline in-store forms, the business must post signage or include notice on the paper form (§ 7014(e)(3)).
A business that does not use or disclose SPI for purposes beyond those enumerated in § 1798.121(a) has no obligation to post the "Limit the Use of My Sensitive Personal Information" link or provide the notice. This is a safe harbor: if the business's SPI processing is limited to performing the requested service, fraud prevention, debugging, transient use, and quality/safety verification—purposes already authorized by statute—consumers have nothing to limit, and the notice is not required.
## Effect of a consumer's request to limit — § 1798.121(b) and prohibition on consent re-solicitation
Once a business receives a consumer's direction to limit SPI use, the business shall limit its use of the consumer's SPI to the permitted purposes set forth in § 1798.121(a) and may not use or disclose the consumer's SPI for any other purpose unless the consumer subsequently provides consent for additional purposes (§ 1798.121(b)). This is a hard stop on broader use, analogous to an opt-out of sale/sharing.
The business must honor the limitation prospectively and may not condition the provision of goods or services on the consumer's withdrawal of the limitation (§ 1798.125 anti-discrimination prohibition applies). The business may, however, offer a financial incentive tied to the consumer consenting to broader SPI use, provided the incentive is disclosed in a notice of financial incentive (§ 1798.125(b)) and the business can demonstrate that the value of the SPI justifies the incentive (Cal. Code Regs. tit. 11, § 7016).
Re-solicitation bar. Section 1798.135(c)(5) prohibits a business from requesting that a consumer consent to the use or disclosure of SPI for purposes beyond those authorized by § 1798.121(a) for at least 12 months after the consumer exercises the right to limit, or "as authorized by regulations." This mirrors the 12-month bar on re-soliciting opt-in consent for sale/sharing of minors' personal information (§ 1798.135(c)(4)). Revised CPPA regulations effective January 1, 2026, clarify that a business may ask for consent to use SPI for an incompatible purpose tied to a new transaction the consumer initiates after exercising the right to limit, provided the consent request complies with § 7004 (no dark patterns, no bundling incompatible purposes as a condition of service) and is limited to the SPI necessary for the new transaction (Cal. Code Regs. tit. 11, § 7028(b)).
## The § 1798.121(d) carve-out — SPI "collected or processed without the purpose of inferring characteristics"
Section 1798.121(d) creates a narrow exemption from the right-to-limit framework: "Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to this section, as further defined in regulations adopted pursuant to subparagraph (C) of paragraph (18) of subdivision (a) of Section 1798.185, and shall be treated as personal information for purposes of all other sections of this act, including Section 1798.100."
This carve-out applies when a business collects data that happens to fall within one of the 11 SPI categories but does not use or intend to use that data to infer anything about the consumer. The canonical example provided in CPPA enforcement guidance: a street-address database that includes ZIP codes and GPS coordinates (precise geolocation, SPI category 3) collected solely for routing delivery trucks. If the business does not use the coordinates to infer anything about the consumer (health status from visits to medical facilities, religious affiliation from worship-site visits, etc.), the coordinates are treated as ordinary personal information under § 1798.100 rather than SPI under § 1798.121. The consumer retains all other CCPA rights (access, deletion, opt-out of sale/sharing), but not the § 1798.121 right to limit.
The CPPA has signaled in enforcement advisories that this exemption will be narrowly construed. A business claiming the § 1798.121(d) carve-out bears the burden of documenting that its processing does not involve inferring characteristics about the consumer. Collection of facial imagery (biometric SPI, category 7), health data (category 8), or racial/ethnic origin data (category 4) will almost always involve inferential use and therefore trigger the right to limit unless the business can demonstrate a purely ministerial, non-inferential purpose.
## Enforcement and penalties
Violations of § 1798.121 are enforceable by the California Privacy Protection Agency (CPPA) under § 1798.199.10 and the California Attorney General under § 1798.199.90. There is no private right of action for § 1798.121 violations (the CCPA's private right of action under § 1798.150 is limited to data-breach claims involving unencrypted or unredacted personal information).
Administrative penalties for § 1798.121 violations are assessed under the tiered framework in § 1798.155(b):
- $2,500 per violation for non-intentional violations.
- $7,500 per violation for intentional violations or for any violation involving personal information of consumers the business has actual knowledge are under 16 years of age (whether or not the violation was intentional).
The CPPA issued Enforcement Advisory No. 2024-01 (April 2024) emphasizing that businesses must apply the proportionality requirement from § 1798.100(c) when collecting SPI for verification purposes in response to a consumer request to limit. The advisory warns that demanding government-issued ID or Social Security number (both SPI categories 1 and 2) to process a limit request is disproportionate and violates both § 1798.100(c) and § 1798.121. A business should use the minimum information necessary to verify the consumer's identity given the sensitivity of the SPI at issue.
## Practical implications for privacy professionals
The § 1798.121 right-to-limit framework imposes three core compliance obligations:
1. SPI inventory and use-purpose mapping. Identify every category of SPI the business collects, and for each category, document the specific use purposes. Map each use to one of the § 1798.121(a) permitted purposes (performing the requested service, fraud prevention, debugging, transient use, quality/safety). Any use that does not map to a permitted purpose triggers the notice obligation under § 1798.135(a)(2).
2. Notice and opt-out infrastructure. If the business uses SPI for purposes beyond those enumerated in § 1798.121(a)—including, most commonly, selling or sharing SPI for cross-context behavioral advertising or using SPI for product development, analytics, or marketing—post the "Limit the Use of My Sensitive Personal Information" link (or the combined "Your Privacy Choices" link) on the homepage and implement a back-end mechanism to honor consumer limit requests prospectively. Test that the mechanism actually restricts SPI use and disclosure to permitted purposes after a consumer exercises the right.
3. Consent pathway for incompatible SPI uses. If the business wishes to use SPI for purposes incompatible with § 1798.121(a) permitted uses, obtain freely given, specific, informed, and unambiguous consent under Cal. Code Regs. tit. 11, § 7002(e). The consent interface must comply with § 7004 anti-dark-pattern rules: no bundling incompatible purposes with compatible ones as a condition of service, no pre-checked boxes, no denial of service for refusal to consent unless the SPI use is objectively necessary to provide the service the consumer requested. For example, a telehealth app may condition the provision of medical advice on the consumer's consent to the app's use of the consumer's health data (SPI category 8) to generate that advice—that is a necessary, compatible use. The app may not condition access to telehealth on the consumer's consent to the app's sale of that health data to pharmaceutical marketers—that is an incompatible use, and making it a condition of service violates § 7004.
The CCPA's SPI regime is less restrictive than GDPR Art. 9 (no advance legal-basis requirement, no blanket prohibition on processing special-category data) but more consumer-facing (the consumer, not the DPA, decides post-collection whether to restrict use). For a multiregional business, this means: GDPR compliance (Art. 9 legal basis before processing) does not automatically satisfy CCPA compliance (consumer notice and honor limit requests), and vice versa. The two regimes must be mapped and implemented independently, with cross-references in the privacy policy to avoid consumer confusion when the same data set (e.g., health data) is governed by both frameworks.
Source: Cal. Civ. Code § 1798.121
Source: Cal. Civ. Code § 1798.140
Source: Cal. Civ. Code § 1798.135
Source: Cal. Code Regs. tit. 11, § 7014 (Notice of Right to Limit)
Source: Cal. Code Regs. tit. 11, § 7002 (Proportionality)
Sale and sharing — Definitions, scope, and the consumer right to opt out under § 1798.120
California Civil Code § 1798.120(a)(1) grants consumers the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer's personal information. This is one of the CCPA's foundational consumer protections, and unlike GDPR's consent-before-processing model, it operates as a consumer-initiated opt-out right that applies post-collection. A business may collect and initially process personal information without advance authorization, but once a consumer exercises the right to opt out, the business must prospectively cease selling or sharing that consumer's personal information, subject to narrow statutory exceptions.
The scope of this right hinges on two statutory definitions—"sale" and "sharing"—both of which are far broader than ordinary commercial understanding and are the source of most CCPA compliance complexity for businesses that engage in ad-tech, analytics, or data-broker partnerships.
## "Sale" — § 1798.140(ad): Disclosure for monetary or other valuable consideration
California Civil Code § 1798.140(ad) defines "sale," "selling," "sell," or "sold" as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration."
This definition encompasses any disclosure of personal information to a third party in exchange for something of value, whether or not cash changes hands. The California Privacy Protection Agency (CPPA) and the California Attorney General have consistently interpreted "other valuable consideration" to include:
- Quid pro quo data exchanges. A business that provides a consumer's email address and browsing history to an advertising network in exchange for the network's provision of free ad-serving software is selling personal information, even though no money is paid. The "consideration" is the advertiser's service.
- Reciprocal data-sharing arrangements. Two businesses that exchange customer lists or analytics data for mutual benefit are each selling personal information to the other, because each receives valuable consideration (the other party's data or insights).
- Data monetization through partnerships. A retailer that allows a data broker to scrape its transaction history in exchange for aggregate market insights is selling personal information. The aggregate report is the consideration.
The statute enumerates four categories of disclosures that do NOT constitute a sale, even when consideration flows:
1. Disclosure to a service provider or contractor (§ 1798.140(ad)(1), (2)). A business does not "sell" personal information when it discloses data to a service provider (as defined in § 1798.140(ag): a sole proprietor, partnership, LLC, corporation, association, or other legal entity that processes personal information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract) or a contractor (§ 1798.140(j): a person to whom the business makes available a consumer's personal information for a business purpose, pursuant to a written contract that prohibits the contractor from retaining, using, or disclosing the personal information except as necessary to perform the business purpose or as otherwise permitted by the CCPA). The CPPA's regulations, codified at Title 11, California Code of Regulations, § 7051, require the contract to expressly prohibit the service provider or contractor from selling or sharing the personal information, disclosing it to third parties except as permitted by the statute, or retaining, using, or disclosing the personal information for any purpose other than performing the specified business purpose. If the contract does not contain these restrictions, or if the recipient uses the data outside the contract's scope, the disclosure is a sale.
2. Disclosure when the consumer uses the business to intentionally interact with or direct the business to intentionally disclose personal information to a third party (§ 1798.140(ad)(3)). Example: A consumer uses a bank's bill-pay feature to send a payment to a utility company, and the bank discloses the consumer's name and account number to the utility. This is not a sale because the consumer intentionally directed the bank to make the disclosure.
3. Disclosure when the consumer intentionally uses the business to interact with a third party, provided the third party does not also sell the consumer's personal information unless the consumer has received explicit notice and an opportunity to opt out (§ 1798.140(ad)(4)). This covers social-media "share" buttons and similar widgets where the consumer knows they are engaging with a third-party service.
4. Disclosure of information the consumer directs the business to disclose (§ 1798.140(ad)(5)). This overlaps with exception (3) but captures explicit consumer instructions to transfer data to another service (e.g., "Download my data and upload it to my personal cloud storage").
In practice, the most litigated boundary is the service-provider exception. The CPPA has signaled in enforcement advisories that a disclosure to a third-party analytics provider, ad network, or tag-management platform is a sale unless: (1) a compliant written contract is in place restricting the third party's use to the enumerated business purpose; (2) the business actually limits the third party's use to that purpose (the contract is not a paper formality if the third party is embedding tracking pixels and retargeting the consumer across the web); and (3) the third party does not combine the data with data from other sources to build a cross-context profile. If any of these conditions fail, the disclosure is a sale and triggers the § 1798.120 opt-out right.
## "Sharing" — § 1798.140(ah): Cross-context behavioral advertising
The California Privacy Rights Act (CPRA), effective January 1, 2023, added a second category of restricted disclosures: "sharing" (or "share"), defined in § 1798.140(ah) as "sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged."
"Cross-context behavioral advertising" is separately defined in § 1798.140(k) as "the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts."
The "sharing" definition targets ad-tech targeting practices in which a consumer's activity on one website (e.g., browsing a shoe retailer's catalog) is used to deliver targeted ads on an unrelated website (e.g., a news publisher showing ads for the same shoes the consumer viewed on the retailer). Unlike "sale," which requires consideration, "sharing" applies even when no value is exchanged—the statute expressly includes "transactions ... in which no money is exchanged."
This expansion closes the loophole identified in early CCPA enforcement: some businesses argued they were not "selling" personal information to ad networks because the advertiser was not paying for the data, only for ad placements. The CPRA clarified that disclosing data to facilitate cross-context behavioral advertising is independently restricted as sharing, regardless of whether consideration flows.
Sharing does NOT include:
- First-party advertising. A retailer that shows a consumer ads for products the consumer viewed on the retailer's own website, using only data the retailer collected directly from the consumer, is not sharing. The targeting is not cross-context—it occurs within the single business the consumer intentionally interacts with.
- Contextual advertising. A news website that shows a car advertisement on an article about automobiles, based solely on the article's content (not the consumer's browsing history or profile), is not sharing. The ad is contextual, not behavioral.
- Service-provider and contractor disclosures. The same exceptions that apply to "sale" apply to "sharing." A disclosure to a service provider or contractor acting solely on behalf of the business, pursuant to a compliant written contract, is not a share (Cal. Code Regs. tit. 11, § 7051).
## The opt-out right — § 1798.120(a) and enforcement obligations
A consumer who exercises the right to opt out under § 1798.120(a)(1) directs the business not to sell or share the consumer's personal information. Section 1798.120(b) requires the business to provide notice to consumers that their personal information may be sold or shared and that consumers have the right to opt out. Once the business receives an opt-out request, the business must:
1. Cease selling or sharing the consumer's personal information prospectively. The business must honor the opt-out "at any time" (§ 1798.120(a)(1)). There is no grace period or implementation delay. The business may continue to use the consumer's personal information for purposes that do not constitute a sale or share (first-party advertising, analytics solely for internal use by service providers, fraud prevention under § 1798.140(e) business purposes).
2. Instruct downstream third parties to cease selling or sharing. California Code of Regulations, Title 11, § 7023(b) requires the business to notify all third parties to whom it has sold or shared the consumer's personal information within the 90 days before the business received the opt-out request that the consumer has exercised the right to opt out and direct those third parties not to further sell or share the consumer's personal information. This creates a cascade obligation: the business must not only stop its own sales/sharing but also instruct its data recipients to do the same.
3. Respect the opt-out for at least 12 months before re-soliciting consent. Section 1798.135(c)(4) prohibits a business from requesting that a consumer who has opted out authorize the sale or sharing of personal information for at least 12 months after the consumer opted out, unless authorized by CPPA regulations. This prevents "opt-out fatigue" from repeated re-solicitation prompts. CPPA regulations effective January 1, 2026, clarify that a business may ask for consent to sell or share personal information in connection with a new transaction the consumer initiates (e.g., signing up for a promotional offer that requires data sharing with a partner), but the request must comply with § 7004 anti-dark-pattern rules and be specific to the new transaction (Cal. Code Regs. tit. 11, § 7028(c)).
4. Not discriminate against the consumer for exercising the opt-out right. Section 1798.125(a)(1) prohibits a business from denying goods or services, charging different prices or rates, or providing a different level or quality of goods or services to a consumer because the consumer exercised the right to opt out. The business may, however, offer a financial incentive (discount, free service, premium feature) tied to the consumer's consent to the sale or sharing of personal information, provided the business (a) discloses the incentive in a notice of financial incentive (§ 1798.125(b)); (b) obtains the consumer's prior opt-in consent to the incentive; and (c) can demonstrate that the value of the consumer's personal information to the business is reasonably related to the value of the incentive (Cal. Code Regs. tit. 11, § 7016). A business may not condition access to goods or services on the consumer's consent to sell or share personal information unless the sale or sharing is reasonably necessary to provide the service the consumer requested (§ 1798.125(a)(2)(B)).
## Notice and opt-out mechanism — § 1798.135 and the "Do Not Sell or Share My Personal Information" link
Section 1798.135(a)(1) requires a business that sells or shares personal information to provide a clear and conspicuous link on the business's internet homepage, titled "Do Not Sell or Share My Personal Information," to an internet web page or web form that enables a consumer (or a person authorized by the consumer, including an authorized agent under Cal. Code Regs. tit. 11, § 7000) to opt out of the sale or sharing. The link must:
- Appear in a form that is reasonably accessible to consumers. CPPA regulations require the link to be visible on the homepage or within the header or footer, in a font size at least as large as surrounding text, and not obscured by pop-ups, banners, or other user-interface elements (§ 7013).
- Allow the consumer to opt out immediately, without creating an account. Section 1798.135(a)(1) expressly prohibits requiring the consumer to create an account in order to exercise the opt-out right. The business may ask for the minimum information reasonably necessary to verify the consumer's identity (e.g., email address or phone number if the business needs to link the request to an existing account), but may not demand government ID, Social Security number, or payment information unless the sale or sharing involves highly sensitive categories and verification is necessary to prevent fraud (Cal. Code Regs. tit. 11, § 7002(d), proportionality requirement).
- Be included in the business's privacy policy. Section 1798.135(a)(2) requires the business to include a description of the consumer's right to opt out, along with a link to the opt-out mechanism, in (A) its online privacy policy; and (B) any California-specific description of consumers' privacy rights.
- Be supported by trained staff. Section 1798.135(a)(3) requires the business to ensure that all individuals responsible for handling consumer privacy inquiries are informed of the § 1798.120 and § 1798.135 requirements and know how to direct consumers to exercise their opt-out rights.
Businesses may use a combined opt-out link under CPPA regulation § 7015, titled "Your Privacy Choices" or "Your California Privacy Choices," that enables the consumer to exercise both the right to opt out of sale/sharing and the right to limit use of sensitive personal information (§ 1798.121) in a single interface. Many businesses prefer this approach to reduce homepage clutter and consumer confusion.
## Global Privacy Control (GPC) and opt-out preference signals — § 1798.135(b)
Section 1798.135(b), as amended by the CPRA effective January 1, 2023, requires businesses to treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer's choice to opt out of the sale and sharing of personal information, as a valid consumer request to opt out for that browser or device, or, if known, for the consumer.
The CPPA's regulations, codified at Title 11, California Code of Regulations, §§ 7025–7026, specify the requirements for an opt-out preference signal (OOPS) and the business's obligations when it receives such a signal:
1. Criteria for a valid OOPS (§ 7025(b)). An opt-out preference signal must:
- Represent the consumer's affirmative, freely given, and unambiguous choice to opt out of the sale and sharing of personal information.
- Be user-enabled (the consumer must actively enable the signal; it may not be on by default without the consumer's knowledge).
- Be clear and conspicuous to the consumer that the signal will communicate the consumer's choice to opt out.
- Be sent with the consumer's request to interact with the business (e.g., in HTTP headers when visiting a website, in mobile app requests).
The Global Privacy Control (GPC) is the most widely adopted OOPS. GPC is a browser setting and protocol (published at globalprivacycontrol.org) that sends the HTTP header Sec-GPC: 1 with every web request, signaling the consumer's opt-out choice. As of 2026, GPC is natively supported by Mozilla Firefox, Brave, and DuckDuckGo, and is available as a browser extension for Google Chrome, Microsoft Edge, and Apple Safari. The CPPA has issued enforcement guidance (including a September 2025 multi-state investigative sweep with the California, Colorado, and Connecticut Attorneys General) emphasizing that businesses must honor GPC signals as valid opt-out requests.
2. Business obligations upon receiving an OOPS (§ 7026). When a business that sells or shares personal information receives a valid OOPS:
- The business must process the signal as a request to opt out for that browser or device. If the business can link the signal to a known consumer account (e.g., the consumer is logged in), the business must apply the opt-out to the consumer's account across all devices.
- The business must not sell or share the personal information collected from that browser or device after receiving the signal, unless the consumer subsequently provides consent to sell or share.
- The business must confirm the opt-out through a user-interface element (e.g., a toggle, banner, or privacy-settings page indicating "Opt-Out Request Honored" or "Do Not Sell or Share: ON"). Section 7026(c) requires the business to inform the consumer that the opt-out preference signal has been processed.
- The business may ask the consumer to confirm the opt-out or create an account to extend the opt-out across devices, but may not require the consumer to confirm or create an account as a condition of honoring the OOPS (§ 7026(b)). The initial signal must be honored immediately for that browser or device; any additional confirmation step is optional and solely for the consumer's benefit (to persist the opt-out across devices).
3. Exception for known-fraud or child-directed signals. If a business has a good-faith, reasonable, and documented belief that an OOPS is the result of fraud (e.g., a bot sending mass GPC requests to disrupt service) or is sent by a child who does not understand the signal's effect, the business may disregard the signal—but the business bears the burden of documenting that belief and the factual basis for it, and the CPPA has warned that this exception will be narrowly construed (Cal. Code Regs. tit. 11, § 7026(d), CPPA Enforcement Advisory on OOPS, 2024).
4. Enforcement priority. The CPPA's 2025 Annual Report (published February 2026) identifies failure to honor GPC signals as a top enforcement priority. The September 2025 multi-state sweep targeted businesses that ignored GPC headers or required consumers to disable the signal before accessing the site. Violations of § 1798.135(b) are subject to administrative penalties of up to $2,500 per violation (or $7,500 if the violation involves personal information of consumers the business has actual knowledge are under 16 years of age, § 1798.155(b)).
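The obligations in items 1 and 2 above translate into a small piece of server-side logic: read the Sec-GPC header, record an opt-out for the browser or device immediately, extend it to the account when the consumer is known, confirm it to the consumer, and keep it in force until the consumer later gives explicit consent. The following is an added example written for this page; it is not code from the CPPA, the GPC project, or any vendor. The header check follows the published GPC header value; everything else (the request shape with headers, deviceId and accountId, the in-memory Map stores, and the record field names) is an assumption made for illustration.

```javascript
// Added example: treating a Global Privacy Control signal as a valid opt-out
// request under § 1798.135(b) and Cal. Code Regs. tit. 11, §§ 7025-7026.
// Assumed (not from the source): the request shape { headers, deviceId,
// accountId }, the in-memory stores below, and the record field names.

const deviceOptOuts = new Map();  // deviceId  -> { optedOut, source, at }
const accountOptOuts = new Map(); // accountId -> { optedOut, source, at }
const consents = new Map();       // subjectId -> Date of explicit consent to sell/share

// The GPC protocol sends "Sec-GPC: 1". Node.js lowercases header names, so the
// lookup key is "sec-gpc". Any other value is treated as no signal at all.
function hasGpcSignal(headers) {
  const raw = headers['sec-gpc'];
  return typeof raw === 'string' && raw.trim() === '1';
}

// A subject is opted out when a device- or account-level opt-out exists that
// has not been superseded by a later explicit consent from the same subject.
function isSaleOrShareAllowed(deviceId, accountId = null) {
  const records = [
    [deviceId, deviceOptOuts.get(deviceId)],
    [accountId, accountOptOuts.get(accountId)],
  ];
  for (const [id, record] of records) {
    if (!record || !record.optedOut) continue;
    const consentAt = consents.get(id);
    // The opt-out stands unless consent was recorded after the signal.
    if (!consentAt || consentAt <= record.at) return false;
  }
  return true;
}

// Handle one incoming request. Returns the opt-out state that downstream
// systems (tag manager, ad server) must respect, plus the confirmation text
// shown to the consumer when a signal was just processed (§ 7026(c)).
function processRequest(req, now = new Date()) {
  const { headers = {}, deviceId, accountId = null } = req;
  let signalProcessed = false;

  if (hasGpcSignal(headers)) {
    // Honored immediately for this browser/device; no confirmation step and
    // no account creation may be required (§ 7026(b)).
    deviceOptOuts.set(deviceId, { optedOut: true, source: 'gpc', at: now });
    // When the device can be linked to a known account, the opt-out applies
    // to the account across all of the consumer's devices.
    if (accountId !== null) {
      accountOptOuts.set(accountId, { optedOut: true, source: 'gpc', at: now });
    }
    signalProcessed = true;
  }

  const optedOut = !isSaleOrShareAllowed(deviceId, accountId);
  return {
    optedOut,
    scope: accountId !== null && accountOptOuts.has(accountId) ? 'account' : 'device',
    signalProcessed,
    // Value to forward to tag-management and ad-serving systems for this request.
    downstreamFlag: optedOut ? 'do-not-sell-or-share' : 'allowed',
    confirmation: signalProcessed ? 'Opt-Out Request Honored' : null,
  };
}

// Record a later, explicit consent to sell or share. Only consent given after
// the signal can lift the opt-out; an older consent record does not.
function recordConsentToSellOrShare(subjectId, at = new Date()) {
  consents.set(subjectId, at);
}
```

The device-level record is written before anything else happens, so a request that carries the header is never served with sale or share enabled; the account-level record is what carries the opt-out to the consumer's other devices once they log in elsewhere.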
## Interaction with the minor-consent rule — opt-out for consumers 13–15 versus opt-in for sale/sharing of consumers under 16
Section 1798.120(c) creates a separate, stricter rule for minors: a business shall not sell or share personal information of consumers under 16 years of age unless the business obtains affirmative opt-in authorization before the sale or sharing. For consumers 13 through 15 years of age, the consumer must affirmatively authorize the sale or sharing; for consumers under 13, the consumer's parent or guardian must authorize. This is covered in detail in the Opt-in consent for minors under 16 section.
The practical interaction: adult consumers (16 and older) have a default-permission, opt-out model for sale and sharing—the business may sell or share unless the consumer opts out. Consumers under 16 have an opt-in model—the business may not sell or share unless the consumer (or parent/guardian) affirmatively authorizes.
## Enforcement and supervisory authority
The California Privacy Protection Agency (CPPA), established by Proposition 24 in 2020, has "full administrative power, authority, and jurisdiction to implement and enforce" the CCPA (§ 1798.199.10), including the sale/sharing and opt-out provisions. The California Attorney General retains concurrent enforcement authority (§ 1798.199.90). There is no private right of action for violations of § 1798.120 or § 1798.135; enforcement is exclusively governmental.
Administrative penalties are tiered under § 1798.155(b):
- $2,500 per violation for non-intentional violations.
- $7,500 per violation for intentional violations or for any violation involving personal information of consumers the business has actual knowledge are under 16 years of age (whether or not the violation was intentional).
The CPPA may also seek injunctive relief, mandatory corrective action (including deletion of improperly sold or shared data), and disgorgement of proceeds from unlawful sales.
## Practical implications for privacy professionals
The § 1798.120 opt-out right and the sale/sharing definitions impose three core compliance obligations:
1. Sale/sharing inventory and disclosure mapping. Identify every third-party recipient of consumer personal information. For each, determine: (a) Is the recipient a service provider or contractor acting solely on behalf of the business pursuant to a compliant written contract restricting use to the enumerated business purpose? If yes, the disclosure is not a sale or share. (b) If no, does the disclosure involve monetary or other valuable consideration? If yes, it is a sale. (c) Does the disclosure facilitate cross-context behavioral advertising (targeting the consumer based on activity across distinctly-branded websites or apps)? If yes, it is a share, even without consideration. Any "yes" to (b) or (c) triggers the § 1798.120 opt-out notice and mechanism obligations.
2. Opt-out mechanism and GPC implementation. Post the "Do Not Sell or Share My Personal Information" link (or combined "Your Privacy Choices" link) on the homepage. Implement back-end logic to honor consumer opt-out requests, including GPC signals, prospectively. Test that the mechanism actually stops data flows to third parties flagged as sales or shares. Configure web servers to read the Sec-GPC: 1 HTTP header and pass it to tag-management and ad-serving systems. Confirm opt-out status in the consumer's privacy settings or via a visible banner ("Your Opt-Out Request Has Been Honored").
3. Service-provider and contractor contract discipline. Every contract with a third-party recipient of personal information must comply with Cal. Code Regs. tit. 11, § 7051. The contract must: (a) restrict the recipient's use of personal information to the specific business purpose; (b) prohibit the recipient from selling, sharing, or retaining the data for any other purpose; (c) require the recipient to delete or return the data upon termination of the contract; and (d) grant the business the right to audit the recipient's compliance. If the recipient is using the data outside the contract's scope—embedding tracking pixels, combining data with other sources, retargeting the consumer across the web—the disclosure is a sale or share, not a service-provider disclosure, and the opt-out right applies.
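As an added example (not code from the page or from the CPPA), the following JavaScript shows one way to implement the GPC-honoring logic in item 2: it treats only the exact `Sec-GPC: 1` header value as a signal, persists the opt-out so later requests without the header are still honored, and suppresses only the tags that the inventory from item 1 classifies as sales or shares. The request shape, the `ccpa_opt_out` cookie name and the tag inventory are assumptions.

```javascript
// Added example, not code from the page or the CPPA: decision logic for honoring a
// Global Privacy Control (GPC) opt-out of sale/sharing as § 1798.135(b) requires.
//
// Assumptions (hypothetical, not from the page): requests arrive as plain objects
// {headers, cookies}; the persisted opt-out preference lives in a cookie named
// "ccpa_opt_out"; the tag manager reads a data-layer object with `saleShareOptOut`.

const OPT_OUT_COOKIE = "ccpa_opt_out"; // hypothetical preference cookie name

// Sale/share classification of each third-party tag, taken from the business's
// disclosure-mapping inventory (constructed sample; classifications are illustrative).
const TAG_INVENTORY = [
  { id: "ads-retargeting-pixel", classification: "share" },          // cross-context behavioral ads
  { id: "data-coop-sync", classification: "sale" },                   // disclosure for consideration
  { id: "first-party-analytics", classification: "service_provider" } // § 7051-compliant contract
];

// The GPC specification treats only the exact header value "1" as an opt-out signal.
// Header names are compared case-insensitively because Node and most proxies
// lower-case them.
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Combine the live signal with the stored preference. Either one is enough:
// a consumer who opted out earlier stays opted out on later requests even if
// the browser no longer sends the header (the opt-out is honored prospectively).
function decideOptOut(req) {
  const gpc = gpcSignalPresent(req.headers);
  const stored = (req.cookies || {})[OPT_OUT_COOKIE] === "1";
  return {
    saleShareOptOut: gpc || stored,
    source: gpc ? "gpc" : stored ? "stored" : "none",
    persist: gpc && !stored // first time the signal is seen, record it
  };
}

// Tags allowed to fire: when opted out, every tag classified as a sale or share is
// suppressed; service-provider tags are unaffected because those disclosures are
// neither sales nor shares.
function tagsToFire(decision, inventory = TAG_INVENTORY) {
  return inventory
    .filter(t => !(decision.saleShareOptOut &&
                   (t.classification === "sale" || t.classification === "share")))
    .map(t => t.id);
}

// What the page response carries. Access is never gated on the signal: a site must
// not demand that the consumer disable GPC, so the status is 200 either way.
function responseFor(req) {
  const decision = decideOptOut(req);
  return {
    status: 200,
    setCookie: decision.persist
      ? `${OPT_OUT_COOKIE}=1; Path=/; Max-Age=31536000; SameSite=Lax; Secure`
      : null,
    dataLayer: { saleShareOptOut: decision.saleShareOptOut, optOutSource: decision.source },
    tags: tagsToFire(decision),
    banner: decision.saleShareOptOut ? "Your Opt-Out Request Has Been Honored" : null
  };
}

// Stand-alone walk-through with constructed requests.
const constructedRequests = [
  { label: "GPC signal, no stored preference", headers: { "sec-gpc": "1" }, cookies: {} },
  { label: "later visit, header absent, cookie set", headers: {}, cookies: { ccpa_opt_out: "1" } },
  { label: "Sec-GPC: 0 is not a signal", headers: { "Sec-GPC": "0" }, cookies: {} }
];
for (const r of constructedRequests) {
  const res = responseFor(r);
  console.log(r.label, "->", res.dataLayer, "tags:", res.tags.join(","));
}
```

The third constructed request shows the edge case a sweep would probe: a header present with a value other than "1" carries no opt-out and must not be treated as one, but neither may its absence be used to block access.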
For a privacy professional or in-house counsel, the sale/sharing boundary is the CCPA's highest-stakes determination. Unlike GDPR, where "legitimate interests" is an affirmative legal basis the controller chooses, the CCPA's sale/sharing regime is enforced retrospectively: the business makes the call in advance, and the CPPA or Attorney General challenges it in an investigation or enforcement action. Document the analysis. A spreadsheet mapping every third-party disclosure to the sale/sharing definitions, the statutory exceptions, and the contract restrictions is the first artifact the CPPA will request in an audit.
Sources:
- Cal. Civ. Code § 1798.120
- Cal. Civ. Code § 1798.135
- Cal. Civ. Code § 1798.140
- Cal. Code Regs. tit. 11, §§ 7000–7051 (CPPA Regulations)
- CPPA Enforcement: Global Privacy Control (GPC) sweep announcement, Sept. 2025
Notice at collection requirements — § 1798.100(a) mandatory disclosures and timing
California Civil Code § 1798.100(a) imposes the notice at collection obligation, the foundational transparency requirement on which the CCPA's proportionality standard, consumer rights, and opt-out framework all depend. Section 1798.100(a) provides: "A business that controls the collection of a consumer's personal information shall, at or before the point of collection, inform consumers as to:" (1) the categories of personal information to be collected and the purposes for which they are collected or used, and whether that information is sold or shared; (2) if the business collects sensitive personal information, the categories of SPI to be collected, the purposes for which they are collected or used, and whether that information is sold or shared; and (3) the length of time the business intends to retain each category of personal information, or if that is not possible, the criteria used to determine that period.
This notice is not optional and cannot be waived. It must be provided at or before the business collects any personal information from the consumer. A business that fails to provide the notice at collection violates § 1798.100(a) and is subject to administrative penalties under § 1798.155(b): up to $2,500 per violation (or $7,500 per violation for personal information of consumers the business has actual knowledge are under 16 years of age). Unlike GDPR's layered-notice flexibility (where a controller may provide summary information and a link to the full policy), the CCPA requires the notice at collection to be presented at or before the point of collection itself, in the consumer's path of engagement with the business.
## Timing — "At or before the point of collection"
The statute's "at or before" language means the consumer must encounter the notice before or simultaneously with the business's collection of personal information. The California Privacy Protection Agency (CPPA) regulations, codified at Title 11, California Code of Regulations, § 7012(c), require the notice to be "made readily available where consumers will encounter it at or before the point of collection of any personal information." The CPPA has issued enforcement guidance emphasizing that the notice may not be buried in a linked privacy policy that the consumer must hunt for; it must be presented in the consumer's immediate interaction with the business.
Illustrative examples from CPPA regulation § 7012(g):
- Online collection via web form. If a business collects personal information through an online registration form, the notice at collection must appear on the same page as the form fields, either directly above the submit button or in a conspicuous banner at the top of the form. A link in the footer of the homepage that the consumer may never visit is insufficient.
- Offline collection at a retail location. If a business collects personal information at a point-of-sale terminal (e.g., email address for a receipt), the business must provide the notice at the point of sale, either via conspicuous signage at the register, on the receipt, or orally by the cashier before asking for the information. A privacy policy posted only on the business's website is insufficient for in-store collection.
- Third-party collection on the business's premises. If a coffee shop (Business H) allows a Wi-Fi provider (Business I) to collect personal information from customers using the Wi-Fi on the coffee shop's premises, both businesses must provide their own notice at collection. Business H may post conspicuous signage at the entrance or point of sale directing consumers to where Business H's notice can be found online; Business I must provide its notice on the first webpage or interface consumers see before connecting to the Wi-Fi (§ 7012(g)(3)(B)).
- Vehicle-based collection. If a car rental business (Business J) allows a third party (Business K) to collect personal information from consumers within rented vehicles (e.g., via an in-dash infotainment system), Business J may provide its notice at the rental counter (at the point of sale), and Business K must provide its own notice within the vehicle, such as through signage on the vehicle's dashboard directing consumers to where the notice can be found online (§ 7012(g)(3)(C)).
The common thread: the notice must be in the consumer's path at the moment of collection, not hidden behind a link the consumer must affirmatively seek out.
## Required content — Categories, purposes, sale/sharing disclosure, and retention
Section 1798.100(a) mandates four categories of disclosure in the notice at collection:
1. Categories of personal information to be collected and the purposes for which they are collected or used (§ 1798.100(a)(1)). The business must disclose the categories (not the specific data elements) using the statutory categories defined in § 1798.140(v): identifiers (name, email, IP address); commercial information (purchase history); Internet or other electronic network activity (browsing history, search history); geolocation data; audio, electronic, visual, or similar information; professional or employment-related information; education information; and inferences drawn from any of the foregoing. The business must also disclose the purposes—the business or commercial purposes enumerated in § 1798.140(e) (performing services, security, debugging, transient use, internal research, quality control, legal compliance, advertising and marketing) or a similarly specific purpose description. Generic purposes such as "business operations" or "to improve our services" are insufficient under CPPA enforcement guidance; the purpose must be specific enough for the consumer to understand how the data will actually be used.
2. Whether the personal information is sold or shared (§ 1798.100(a)(1)). If the business sells or shares any category of personal information (as defined in §§ 1798.140(ad) and (ah)), the notice must explicitly state that the business sells or shares personal information and identify which categories are sold or shared. The notice must also include a link to the business's Notice of Right to Opt-Out of Sale/Sharing (the "Do Not Sell or Share My Personal Information" link required by § 1798.135(a)(1)). A business that does not sell or share personal information is not required to include this disclosure, but if circumstances change (e.g., the business begins sharing data with an ad network for cross-context behavioral advertising), the business must update the notice at collection before the new sale or sharing begins (§ 1798.100(a)(1), second sentence: "A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.").
3. Sensitive personal information disclosures (§ 1798.100(a)(2), operative January 1, 2023). If the business collects sensitive personal information (as defined in § 1798.140(ae): Social Security number, driver's license, passport number, financial account credentials, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, mail/email/text contents, genetic data, biometric data for unique identification, health information, sex life or sexual orientation, or neural data), the notice must disclose: (a) the categories of SPI to be collected; (b) the purposes for which they are collected or used; and (c) whether the SPI is sold or shared. If the business uses or discloses SPI for purposes beyond those enumerated in § 1798.121(a)—performing the requested service, fraud prevention, debugging, transient use, or quality/safety verification—the business must also provide the consumer with a link to the Notice of Right to Limit (the "Limit the Use of My Sensitive Personal Information" link required by § 1798.135(a)(2)) or explain in the notice how the consumer can exercise the right to limit (Cal. Code Regs. tit. 11, § 7014).
4. Retention period or criteria (§ 1798.100(a)(3), operative January 1, 2023). The CPRA added a retention disclosure requirement borrowed from GDPR Art. 13(2)(a). The notice must state "the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period." The statute adds: "A business shall not retain a consumer's personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose." This creates a substantive retention ceiling tied to purpose expiration. In practice, businesses typically disclose retention periods by category and purpose in the notice: "We retain identifiers (name, email) for the duration of your account relationship plus 2 years to comply with record-retention obligations under California tax law. We retain purchase history for 7 years to comply with financial audit requirements. We retain browsing history for 90 days for analytics purposes, after which it is automatically deleted." If the business cannot commit to a specific retention period, it must describe the criteria: "We retain customer service correspondence until the issue is resolved and any applicable dispute or statute-of-limitations period has expired."
## Format and accessibility requirements — CPPA regulation § 7003
The notice at collection must comply with the general notice standards in Cal. Code Regs. tit. 11, § 7003:
- Plain language. The notice must "use plain, straightforward language and avoid technical or legal jargon" (§ 7003(a)(1)). Terms of art such as "sale," "sharing," "sensitive personal information," and "business purpose" should be defined or explained in consumer-accessible terms on first use. For example: "We share your personal information (meaning we disclose your browsing activity to advertising partners to show you targeted ads on other websites)."
- Readable format. The notice must "use a format that draws the consumer's attention to the notice and makes the notice readable, including on smaller screens, if applicable" (§ 7012(a)(2)(B)). The CPPA has warned against microscopically small font, low-contrast text (light gray on white background), or notices embedded in a wall of dense legalese. The notice should be visually distinct from surrounding content—use a heading ("Notice at Collection" or "Your California Privacy Rights—Information We Collect"), bold subheadings for each required disclosure, and bullet points for category lists.
- Available in languages used by the business. The notice must be "available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California" (§ 7003(b)(2)). If the business operates a Spanish-language website or customer-service line, the notice at collection must be available in Spanish as well as English.
- Accessible to consumers with disabilities. For online notices, the business must "follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium" (§ 7003(b)(3)). This includes keyboard navigability, screen-reader compatibility, sufficient color contrast, and alt text for any images or icons. For offline notices (e.g., signage in a retail store), the business must "provide information on how a consumer with a disability may access the notice in an alternative format" (e.g., a phone number to request a large-print or Braille version).
## Prohibition on additional collection or incompatible use without updated notice
Section 1798.100(a)(1) and (a)(2) each contain the same mandatory-update rule: "A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section." This creates a real-time notice obligation. If a business initially discloses that it collects "identifiers (name, email) for account creation and customer service" and later decides to collect precise geolocation (a new category) or to use the email address for third-party marketing (a new purpose incompatible with account creation and customer service), the business must update the notice at collection and present the updated notice to consumers before collecting the new category or using the data for the new purpose. The update cannot be retroactive (posting a revised privacy policy and deeming all prior data subject to the new purposes); the CPPA has signaled in enforcement advisories that such retroactive re-purposing violates both the notice requirement and the proportionality standard in § 1798.100(c).
## Relationship to the privacy policy — Notice at collection is separate and upstream
The notice at collection (required by § 1798.100(a) and regulated by Cal. Code Regs. tit. 11, § 7012) is distinct from the business's privacy policy (required by § 1798.130(a)(5) and regulated by Cal. Code Regs. tit. 11, § 7011). The privacy policy is a comprehensive, backward-looking disclosure document covering the business's information practices over the preceding 12 months; it must be available via a conspicuous link on the homepage titled "Privacy Policy," "Privacy Notice," or "California Consumer Privacy Act" (§ 7011(d)). The notice at collection, by contrast, is forward-looking and transaction-specific: it discloses what the business is about to collect in this interaction with the consumer. The two notices serve different functions:
- The notice at collection enables the consumer to make an informed decision about whether to proceed with the interaction (create an account, make a purchase, connect to Wi-Fi, submit a form) in light of what data the business will collect and how it will be used.
- The privacy policy enables the consumer to understand the business's overall data practices, exercise consumer rights (access, deletion, opt-out), and review disclosures required by § 1798.130 (categories collected, categories sold/shared, categories disclosed for business purposes, consumer rights descriptions).
A business may link from the notice at collection to the relevant section of the privacy policy for additional detail, but the core disclosures required by § 1798.100(a)—categories, purposes, sale/sharing status, SPI disclosures, and retention period—must appear in the notice at collection itself, not solely in the linked privacy policy. CPPA regulation § 7012(f) provides an illustrative example: a business may state in the notice at collection, "For a description of your rights under the California Consumer Privacy Act, including the right to delete and the right to opt out of sale/sharing, see our [Privacy Policy]." This is permissible because the consumer rights descriptions are required in the privacy policy under § 1798.130(a)(5), not in the notice at collection. But the business may not state, "For information about the categories of personal information we collect and the purposes for which we use them, see our Privacy Policy," because those disclosures are required in the notice at collection by § 1798.100(a)(1).
## Exemptions and carve-outs — When notice at collection is not required
CPPA regulation § 7012(h) and (i) create narrow exemptions from the notice-at-collection requirement:
1. Third-party collection with no sale or sharing (§ 7012(h)). A business that neither collects nor controls the collection of personal information directly from the consumer (i.e., the business receives the data from another source, such as a data broker or a co-marketer) does not need to provide a notice at collection to the consumer if the business does not sell or share the consumer's personal information. This carve-out applies only to secondary recipients who do not have a direct consumer-facing relationship and who process the data solely for internal purposes or as a service provider/contractor to the original collector. If the third-party recipient does sell or share the data, the exemption does not apply and the recipient must provide its own notice at collection (or rely on the original collector's notice if the recipient is acting as a service provider with a compliant written contract under § 1798.100(d)).
2. Registered data brokers (§ 7012(i)). A data broker registered with the California Attorney General pursuant to § 1798.99.80 et seq. that collects personal information from a source other than directly from the consumer does not need to provide a notice at collection to the consumer if the data broker has included in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt out of sale/sharing. This exemption recognizes that data brokers, by definition, do not have a direct relationship with consumers and cannot feasibly provide notice "at or before the point of collection" when the collection occurs via third-party sources. The trade-off is that the data broker must (a) register publicly as a data broker and (b) provide an accessible opt-out mechanism in its privacy policy.
3. Employment-related information (§ 7012(j)). A business collecting employment-related information (covered by the B2B and employee exemptions in § 1798.145(a)(1)–(2), which were extended through January 1, 2023, and have since expired for most purposes) must comply with § 7012 notice-at-collection requirements, but the notice may be provided in an employee handbook, onboarding materials, or a separate employment privacy notice rather than at the literal point of collection on each employment form. The CPPA has signaled that a one-time comprehensive employment privacy notice provided at hire, updated annually, and re-provided when the business begins collecting new categories or using data for new purposes, satisfies the § 1798.100(a) notice obligation for ongoing employment data collection.
## Enforcement and supervisory authority
The California Privacy Protection Agency (CPPA), established by Proposition 24 in 2020, has "full administrative power, authority, and jurisdiction to implement and enforce" the CCPA (§ 1798.199.10), including the notice-at-collection requirements. The California Attorney General retains concurrent enforcement authority (§ 1798.199.90). There is no private right of action for violations of § 1798.100(a); enforcement is exclusively governmental.
Administrative penalties are assessed under the tiered framework in § 1798.155(b):
- $2,500 per violation for non-intentional violations.
- $7,500 per violation for intentional violations or for any violation involving personal information of consumers the business has actual knowledge are under 16 years of age (whether or not the violation was intentional).
The CPPA has signaled in enforcement advisories that failure to provide notice at collection is a per-consumer, per-collection-event violation. If a business collects personal information from 10,000 consumers without providing the required notice, the CPPA may assess penalties on a per-consumer basis, subject to the statutory cap and the CPPA's prosecutorial discretion. In practice, the CPPA has prioritized notice-at-collection enforcement in two contexts: (1) businesses that bury the notice in a footer link or privacy policy rather than presenting it at the point of collection; and (2) businesses that fail to update the notice when they begin collecting new categories or using data for new purposes, in violation of the § 1798.100(a)(1) mandatory-update rule.
## Practical implications for privacy professionals
The § 1798.100(a) notice-at-collection requirement imposes three core compliance obligations:
1. Design the notice to be encountered, not hidden. Conduct a user-journey audit for every collection touchpoint: online registration forms, mobile app onboarding, in-store sign-ups, point-of-sale email capture, Wi-Fi login pages, contest entries, newsletter subscriptions. For each touchpoint, ask: Will the consumer see the notice before or simultaneously with entering their information? If the notice is only in the footer of the homepage or the privacy policy, the answer is no, and the business is out of compliance. The notice must be in the consumer's path—a banner above the form, a pop-up on first visit, signage at the register, a screen in the mobile app onboarding flow.
2. Maintain a category-purpose-retention mapping document. Every category of personal information the business collects must map to (a) one or more specific purposes (drawn from § 1798.140(e) business purposes or a similarly granular purpose description); (b) a retention period or criteria; and (c) a sale/sharing determination (is this category sold or shared as defined in §§ 1798.140(ad) and (ah)?). This mapping is the source of truth for the notice at collection. When the business launches a new data collection (e.g., adding a geolocation feature to a mobile app), the privacy team must (a) update the mapping; (b) draft the updated notice-at-collection language; (c) implement the updated notice in the app's onboarding or permission-request flow before the feature goes live; and (d) document the update date for audit purposes.
3. Trigger-based notice updates for incompatible uses. Implement a change-control process that flags any new use of personal information for legal review before the use begins. The proportionality requirement in § 1798.100(c) already requires the business to assess whether the new use is "reasonably necessary and proportionate" and "compatible with the context in which the personal information was collected." If the new use is incompatible, the business must (a) update the notice at collection to disclose the new purpose; (b) present the updated notice to consumers before the new use begins; and (c) if the incompatible use requires consent under Cal. Code Regs. tit. 11, § 7002(e), obtain freely given, specific, informed, and unambiguous consent from each affected consumer. A retroactive privacy-policy update ("We updated our Privacy Policy on [date]; by continuing to use our service, you agree to the new terms") does not satisfy the notice-at-collection or consent requirements for incompatible uses of previously collected data.
For a privacy professional or in-house counsel, the notice at collection is the linchpin of CCPA compliance. Every other obligation—proportionality (§ 1798.100(c)), consumer rights (§§ 1798.105, 1798.110, 1798.115, 1798.120, 1798.121), and the sale/sharing opt-out framework (§ 1798.135)—assumes the business provided proper notice of the categories, purposes, and retention period at or before collection. If the notice is missing, buried, or materially incomplete, the business's entire data-processing operation is out of compliance from the moment of collection, and no amount of privacy-policy disclosure or consumer-rights infrastructure can cure the defect retroactively.
Sources:
- Cal. Civ. Code § 1798.100
- Cal. Civ. Code § 1798.130
- Cal. Civ. Code § 1798.135
- Cal. Civ. Code § 1798.140
- Cal. Civ. Code § 1798.155
- Cal. Code Regs. tit. 11, §§ 7003, 7012 (CPPA Regulations)