6 Matching Annotations
  1. Oct 2022
    1. A business shall not collect categories of personal information other than those disclosed inits notice at collection in accordance with the CCPA and section 7012. If the businessintends to collect additional categories of personal information or intends to use the personalinformation for additional purposes that are incompatible with the disclosed purpose forwhich the personal information was collected, the business shall provide a new notice atcollection.

      Notice provisions. Not very different from GDPR.

    2. shall be reasonably necessary and proportionate to achieve the purpose(s) for which thepersonal information was collected or processed

      Reasonable & proportionality. Set to expectations of what a consumer would expect of use.

      Cannot be used for other disclosed purposes if they are compatible with what's reasonably expected. This is Article 5 lite.

    3. Request to know” means a consumer request that a business disclose personalinformation that it has collected about the consumer pursuant to Civil Code sections1798.100, 1798.110, or 1798.115. It includes a request for any or all of the following:(1) Specific pieces of personal information that a business has collected about theconsumer;(2) Categories of personal information it has collected about the consumer;(3) Categories of sources from which the personal information is collected;(4) Categories of personal information that the business sold or disclosed for abusiness purpose about the consumer;(5) Categories of third parties to whom the personal information was sold ordisclosed for a business purpose; and(6) The business or commercial purpose for collecting or selling personalinformation

      Narrower than the GDPR

    4. “Disproportionate effort” within the context of a business responding to a consumer requestmeans the time and/or resources expended by the business to respond to the individualizedrequest significantly outweighs the benefit provided to the consumer by responding to therequest. For example, responding to a consumer request to know may requiredisproportionate effort when the personal information which is the subject of the request isnot in a searchable or readily-accessible format, is maintained only for legal or compliancepurposes, is not sold or used for any commercial purpose, and would not impact theconsumer in any material manner. In contrast, the benefit to the consumer of responding toa request to correct inaccurate information that the business uses and/or sells may be highbecause it could have a material impact on the consumer, such as the denial of services oropportunities. Accordingly, in order for the business to claim “disproportionate effort,” thebusiness would have to demonstrate that the time and/or resources needed to correct theinformation would be significantly higher than that material impact on the consumer. Abusiness that has failed to put in place adequate processes and procedures to comply withconsumer requests in accordance with the CCPA and these regulations cannot claim thatresponding to a consumer’s request requires disproportionate effort

      This will be absolutely abused to get out of fulfilling any DSARs.

  2. May 2020
    1. it buys, receives, sells, or shares the personal information of 50,000 or more consumers annually for the business’ commercial purposes. Since IP addresses fall under what is considered personal data — and “commercial purposes” simply means to advance commercial or economic interests — it is likely that any website with at least 50k unique visits per year from California falls within this scope.
    2. Under the scope of the CCPA, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”