In enacting this act, it is the purpose and intent of the people of the State of California to further protect consumers’ rights, including the constitutional right of privacy. The implementation of this act shall be guided by the following principles:
A. Consumer Rights
1. Consumers should know who is collecting their personal information and that of their children, how it is being used, and to whom it is disclosed so that they have the information necessary to exercise meaningful control over businesses’ use of their personal information and that of their children.
2. Consumers should be able to control the use of their personal information, including limiting the use of their sensitive personal information, the unauthorized use or disclosure of which creates a heightened risk of harm to the consumer, and they should have meaningful options over how it is collected, used, and disclosed.
3. Consumers should have access to their personal information and should be able to correct it, delete it, and take it with them from one business to another.
4. Consumers or their authorized agents should be able to exercise these options through easily accessible self-serve tools.
5. Consumers should be able to exercise these rights without being penalized for doing so.
6. Consumers should be able to hold businesses accountable for failing to take reasonable precautions to protect their most sensitive personal information from hackers and security breaches.
7. Consumers should benefit from businesses’ use of their personal information.
8. The privacy interests of employees and independent contractors should also be protected, taking into account the differences in the relationship between employees or independent contractors and businesses as compared to the relationship between consumers and businesses. In addition, this law is not intended to interfere with the right to organize and collective bargaining under the National Labor Relations Act. It is the purpose and intent of the Act to extend the exemptions in this title for employee and business to business communications until January 1, 2023.
B. The Responsibilities of Businesses
1. Businesses should specifically and clearly inform consumers about how they collect and use personal information and how they can exercise their rights and choice.
2. Businesses should only collect consumers’ personal information for specific, explicit, and legitimate disclosed purposes and should not further collect, use, or disclose consumers’ personal information for reasons incompatible with those purposes.
3. Businesses should collect consumers’ personal information only to the extent that it is relevant and limited to what is necessary in relation to the purposes for which it is being collected, used, and shared.
4. Businesses should provide consumers or their authorized agents with easily accessible means to allow consumers and their children to obtain their personal information, to delete it or correct it, to opt out of its sale and sharing across business platforms, services, businesses, and devices, and to limit the use of their sensitive personal information.
5. Businesses should not penalize consumers for exercising these rights.
6. Businesses should take reasonable precautions to protect consumers’ personal information from a security breach.
7. Businesses should be held accountable when they violate consumers’ privacy rights, and the penalties should be higher when the violation affects children.
C. Implementation of the Law
1. The rights of consumers and the responsibilities of businesses should be implemented with the goal of strengthening consumer privacy while giving attention to the impact on business and innovation. Consumer privacy and the development of beneficial new products and services are not necessarily incompatible goals. Strong consumer privacy rights create incentives to innovate and develop new products that are privacy protective.
2. Businesses and consumers should be provided with clear guidance about their responsibilities and rights.
3. The law should place the consumer in a position to knowingly and freely negotiate with a business over the business’ use of the consumer’s personal information.
4. The law should adjust to technological changes, help consumers exercise their rights, and assist businesses with compliance with the continuing goal of strengthening consumer privacy.
5. The law should enable proconsumer new products and services and promote efficiency of implementation for business provided that the amendments do not compromise or weaken consumer privacy.
6. The law should be amended, if necessary, to improve its operation, provided that the amendments do not compromise or weaken consumer privacy, while giving attention to the impact on business and innovation.
7. Businesses should be held accountable for violating the law through vigorous administrative and civil enforcement.
8. To the extent it advances consumer privacy and business compliance, the law should be compatible with privacy laws in other jurisdictions.