Search every question across sub-FAQs

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.

Teams should treat Minors under the US CCPA as a source-linked operating decision: if a business has actual knowledge that it sells or shares personal information of a consumer less than 13 years of age, it must establish, document, and comply with a reasonable method for determining that the person consenting is the parent or guardian; if it has actual knowledge that it sells or shares personal information of consumers at least 13 years of age and less than 16 years of age, it must establish, document, and comply with a reasonable process for allowing those consumers to opt in to sale or sharing.

For consumers under 16, the privacy policy must include a description of the processes set forth in sections 7070 and 7071, and the business should route unclear cases to legal, privacy, security, or compliance review before launch.

A visitor would expect direct answers to questions like who counts as a minor under the CCPA, when affirmative authorization or opt-in is required, and what the business must disclose in its privacy policy.

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, and privacy-policy disclosure against current source material.

Teams should treat Notice at collection under the US CCPA as a source-linked operating decision: confirm whether the issue affects business-threshold status, Notice at collection, privacy policy disclosures, consumer rights, do-not-sell/share controls, GPC, service-provider restrictions, or enforcement exposure, assign the team that can change the process, and keep evidence showing the action and review trigger.

The safest first step is to identify the collection point, consumer right, sale/share status, GPC signal, vendor role, and applicable threshold before assigning the CCPA action.

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.

Personal information is information that identifies, relates to, describes, or could reasonably be linked to a particular consumer or household. It can include names, email addresses, browsing history, geolocation data, and inferences about a person's preferences or characteristics.

Sensitive personal information is a narrower set of personal information that includes things like social security numbers, driver's license numbers, account login or financial account credentials, precise geolocation, the contents of mail, email, and text messages, genetic data, biometric information used to identify a consumer, and information about health, sex life, sexual orientation, racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership.

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.

Teams should make sure the privacy policy covers the disclosures the CCPA requires: the categories of personal information collected, the categories of sensitive personal information if collected, the purposes for collecting, selling, or sharing that information, the categories of sources, the categories of third parties, the consumer rights listed in Section 1798.130, and the required request methods.

If the business has an online privacy policy or policies, that information must be included there and updated at least once every 12 months; if the business does not maintain those policies, the information must be posted on its internet website.

Useful evidence is not just a Privacy Policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.

Teams should treat Risk And Cyber Audits under the US CCPA as an operating workflow, not a generic privacy note: identify whether the business must do a risk assessment before selling or sharing personal information, processing sensitive personal information, using ADMT for a significant decision, or using personal information to train ADMT or AI; identify whether the business must do a cybersecurity audit because its processing presents significant risk to consumers' security; then assign legal, privacy, security, compliance, and executive owners who can approve the work and preserve evidence.

For cybersecurity audits, the first report deadlines in the regulations are April 1, 2028 for qualifying businesses with 2026 revenue above $100 million, April 1, 2029 for qualifying businesses with 2027 revenue between $50 million and $100 million, and April 1, 2030 for qualifying businesses with 2028 revenue below $50 million. For risk assessments, the regulations require the assessment before the processing starts, with older processing that continued into the effective period documented by no later than December 31, 2027.

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notices, request logs, vendor terms, audit workpapers, approval trail, and submission records together so the team can show who made the decision, what triggered it, and when the report or certification was due.

For cybersecurity audits, the business and auditor must retain documents relevant to each audit for at least five years after completion, and the audit report must identify the systems assessed, the evidence reviewed, the gaps found, and the plan to address them. For risk assessments, the business must retain the assessment for as long as the processing continues or for five years after completion, whichever is later.

The common failure pattern is treating CCPA as one static notice instead of checking each trigger condition, deadline, and evidence requirement against current source material. Teams also create risk when they miss the specific owner for the audit or assessment, fail to preserve the required records, or assume a completed assessment can never need updating after a material change.

For cybersecurity audits, the audit has to be independent and objective, and the business must make relevant information available to the auditor. For risk assessments, the business must review and update them at least once every three years and within 45 calendar days after a material change that affects the processing or reduces the effectiveness of safeguards.

Teams should use section 7051 to check the contract before personal information is disclosed to a service provider or contractor. The agreement must prohibit selling or sharing personal information, identify the limited and specified business purpose with enough detail, limit use and disclosure to that purpose or another CCPA-permitted purpose, require the same level of privacy protection as businesses, and give the business the right to audit and remediate misuse.

Section 7050 also matters because a person without a contract that complies with section 7051 is not a service provider or contractor under the CCPA. In that case, the disclosure may be treated as a sale or sharing and the business may need to provide opt-out rights instead.

The safest first step is to identify the vendor role, the specific business purpose, whether the vendor will subcontract, and whether the contract already includes the required limits and oversight rights before data is shared.

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.