ccpa act.yaml

urn: urn:intuitem:risk:library:ccpa_act
locale: en
ref_id: 'CCPA ACT '
name: California Consumer Privacy Act (CCPA)
description: "The California Consumer Privacy Act of 2018 (CCPA) gives consumers more\
  \ control over the personal information that businesses collect about them and the\
  \ CCPA regulations provide guidance on how to implement the law. Effective 1/1/2024\
  \ \u2013 AB 947 and AB 1194 updates\nhttps://cppa.ca.gov/regulations/pdf/cppa_act.pdf"
copyright: State of California
version: 1
provider: State of California
packager: intuitem
objects:
  framework:
    urn: urn:intuitem:risk:framework:ccpa_act
    ref_id: 'CCPA ACT '
    name: California Consumer Privacy Act (CCPA)
    description: "The California Consumer Privacy Act of 2018 (CCPA) gives consumers\
      \ more control over the personal information that businesses collect about them\
      \ and the CCPA regulations provide guidance on how to implement the law. Effective\
      \ 1/1/2024 \u2013 AB 947 and AB 1194 updates\nhttps://cppa.ca.gov/regulations/pdf/cppa_act.pdf"
    requirement_nodes:
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.100
      assessable: false
      depth: 1
      ref_id: '1798.100'
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-a
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.100
      ref_id: 1798.100-a
      description: "A business that controls the collection of a consumer\u2019s personal\
        \ information shall, at or before the point of collection, inform consumers\
        \ of the following: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-a-1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-a
      ref_id: 1798.100-a-1
      description: 'The categories of personal information to be collected and the
        purposes for which the categories of personal information are collected or
        used and whether that information is sold or shared. A business shall not
        collect additional categories of personal information or use personal information
        collected for additional purposes that are incompatible with the disclosed
        purpose for which the personal information was collected without providing
        the consumer with notice consistent with this section. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-a-2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-a
      ref_id: 1798.100-a-2
      description: 'If the business collects sensitive personal information, the categories
        of sensitive personal information to be collected and the purposes for which
        the categories of sensitive personal information are collected or used, and
        whether that information is sold or shared. A business shall not collect additional
        categories of sensitive personal information or use sensitive personal information
        collected for additional purposes that are incompatible with the disclosed
        purpose for which the sensitive personal information was collected without
        providing the consumer with notice consistent with this section. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-a.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-a
      ref_id: 1798.100-a.3
      description: "The length of time the business intends to retain each category\
        \ of personal information, including sensitive personal information, or if\
        \ that is not possible, the criteria used to determine that period provided\
        \ that a business shall not retain a consumer\u2019s personal information\
        \ or sensitive personal information for each disclosed purpose for which the\
        \ personal information was collected for longer than is reasonably necessary\
        \ for that disclosed purpose. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-b
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.100
      ref_id: 1798.100-b
      description: 'A business that, acting as a third party, controls the collection
        of personal information about a consumer may satisfy its obligation under
        subdivision (a) by providing the required information prominently and conspicuously
        on the homepage of its internet website. In addition, if a business acting
        as a third party controls the collection of personal information about a consumer
        on its premises, including in a vehicle, then the business shall, at or before
        the point of collection, inform consumers as to the categories of personal
        information to be collected and the purposes for which the categories of personal
        information are used, and whether that personal information is sold, in a
        clear and conspicuous manner at the location. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-c
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.100
      ref_id: 1798.100-c
      description: "A business\u2019 collection, use, retention, and sharing of a\
        \ consumer\u2019s personal information shall be reasonably necessary and proportionate\
        \ to achieve the purposes for which the personal information was collected\
        \ or processed, or for another disclosed purpose that is compatible with the\
        \ context in which the personal information was collected, and not further\
        \ processed in a manner that is incompatible with those purposes."
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-d
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.100
      ref_id: 1798.100-d
      description: "A business that collects a consumer\u2019s personal information\
        \ and that sells that personal information to, or shares it with, a third\
        \ party or that discloses it to a service provider or contractor for a business\
        \ purpose shall enter into an agreement with the third party, service provider,\
        \ or contractor, that: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-d.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-d
      ref_id: 1798.100-d.1
      description: 'Specifies that the personal information is sold or disclosed by
        the business only for limited and specified purposes. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-d.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-d
      ref_id: 1798.100-d.2
      description: 'Obligates the third party, service provider, or contractor to
        comply with applicable obligations under this title and obligate those persons
        to provide the same level of privacy protection as is required by this title. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-d.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-d
      ref_id: 1798.100-d.3
      description: "Grants the business rights to take reasonable and appropriate\
        \ steps to help ensure that the third party, service provider, or contractor\
        \ uses the personal information transferred in a manner consistent with the\
        \ business\u2019 obligations under this title. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-d.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-d
      ref_id: 1798.100-d.4
      description: 'Requires the third party, service provider, or contractor to notify
        the business if it makes a determination that it can no longer meet its obligations
        under this title. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-d.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-d
      ref_id: 1798.100-d.5
      description: 'Grants the business the right, upon notice, including under paragraph
        (4), to take reasonable and appropriate steps to stop and remediate unauthorized
        use of personal information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-e
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.100
      ref_id: 1798.100-e
      description: "A business that collects a consumer\u2019s personal information\
        \ shall implement reasonable security procedures and practices appropriate\
        \ to the nature of the personal information to protect the personal information\
        \ from unauthorized or illegal access, destruction, use, modification, or\
        \ disclosure in accordance with Section 1798.81.5. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.100-f
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.100
      ref_id: 1798.100-f
      description: 'Nothing in this section shall require a business to disclose trade
        secrets, as specified in regulations adopted pursuant to paragraph (3) of
        subdivision (a) of Section 1798.185. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.105
      assessable: false
      depth: 1
      ref_id: '1798.105'
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.105
      ref_id: 1798.105-a
      description: 'A consumer shall have the right to request that a business delete
        any personal information about the consumer which the business has collected
        from the consumer. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-b
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.105
      ref_id: 1798.105-b
      description: "A business that collects personal information about consumers\
        \ shall disclose, pursuant to Section 1798.130, the consumer\u2019s rights\
        \ to request the deletion of the consumer\u2019s personal information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-c.1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.105
      ref_id: 1798.105-c.1
      description: "A business that receives a verifiable consumer request from a\
        \ consumer to delete the consumer\u2019s personal information pursuant to\
        \ subdivision (a) of this section shall delete the consumer\u2019s personal\
        \ information from its records, notify any service providers or contractors\
        \ to delete the consumer\u2019s personal information from their records, and\
        \ notify all third parties to whom the business has sold or shared the  personal\
        \ information to delete the consumer\u2019s personal information unless this\
        \ proves impossible or involves disproportionate effort. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-c.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-c.1
      ref_id: 1798.105-c.2
      description: 'The business may maintain a confidential record of deletion requests
        solely for the purpose of preventing the personal information of a consumer
        who has submitted a deletion request from being sold, for compliance with
        laws or for other purposes, solely to the extent permissible under this title. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-c.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-c.1
      ref_id: 1798.105-c.3
      description: "A service provider or contractor shall cooperate with the business\
        \ in responding to a verifiable consumer request, and at the direction of\
        \ the business, shall delete, or enable the business to delete and shall notify\
        \ any of its own service providers or contractors to delete personal information\
        \ about the consumer collected, used, processed, or retained by the service\
        \ provider or the contractor. The service provider or contractor shall notify\
        \ any service providers, contractors, or third parties who may have accessed\
        \ personal information from or through the service provider or contractor,\
        \ unless the information was accessed at the direction of the business, to\
        \ delete the consumer\u2019s personal information unless this proves impossible\
        \ or involves disproportionate effort. A service provider or contractor shall\
        \ not be required to comply with a deletion request submitted by the consumer\
        \ directly to the service provider or contractor to the extent that the service\
        \ provider or contractor has collected, used, processed, or retained the consumer\u2019\
        s personal information in its role as a service provider or contractor to\
        \ the business."
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-d
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.105
      ref_id: 1798.105-d
      description: "A business, or a service provider or contractor acting pursuant\
        \ to its contract with the business, another service provider, or another\
        \ contractor, shall not be required to comply with a consumer\u2019s request\
        \ to delete the consumer\u2019s personal information if it is reasonably necessary\
        \ for the business, service provider, or contractor to maintain the consumer\u2019\
        s personal information in order to: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-d.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-d
      ref_id: 1798.105-d.1
      description: "Complete the transaction for which the personal information was\
        \ collected, fulfill the terms of a written warranty or product recall conducted\
        \ in accordance with federal law, provide a good or service requested by the\
        \ consumer, or reasonably anticipated by the consumer within the context of\
        \ a business\u2019 ongoing business relationship with the consumer, or otherwise\
        \ perform a contract between the business and the consumer. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-d.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-d
      ref_id: 1798.105-d.2
      description: "Help to ensure security and integrity to the extent the use of\
        \ the consumer\u2019s personal information is reasonably necessary and proportionate\
        \ for those purposes. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-d.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-d
      ref_id: 1798.105-d.3
      description: 'Debug to identify and repair errors that impair existing intended
        functionality. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-d.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-d
      ref_id: 1798.105-d.4
      description: "Exercise free speech, ensure the right of another consumer to\
        \ exercise that consumer\u2019s right of free speech, or exercise another\
        \ right provided for by law. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-d.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-d
      ref_id: 1798.105-d.5
      description: 'Comply with the California Electronic Communications Privacy Act
        pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part
        2 of the Penal Code. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-d.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-d
      ref_id: 1798.105-d.6
      description: "Engage in public or peer-reviewed scientific, historical, or statistical\
        \ research that conforms or adheres to all other applicable ethics and privacy\
        \ laws, when the business\u2019 deletion of the information is likely to render\
        \ impossible or seriously impair the ability to complete such research, if\
        \ the consumer has provided informed consent. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-d.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-d
      ref_id: 1798.105-d.7
      description: "To enable solely internal uses that are reasonably aligned with\
        \ the expectations of the consumer based on the consumer\u2019s relationship\
        \ with the business and compatible with the context in which the consumer\
        \ provided the information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-d.8
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.105-d
      ref_id: 1798.105-d.8
      description: 'Comply with a legal obligation. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.106
      assessable: false
      depth: 1
      ref_id: '1798.106'
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.106-a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.106
      ref_id: 1798.106-a
      description: 'A consumer shall have the right to request a business that maintains
        inaccurate personal information about the consumer to correct that inaccurate
        personal information, taking into account the nature of the personal information
        and the purposes of the processing of the personal information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.106-b
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.106
      ref_id: 1798.106-b
      description: "A business that collects personal information about consumers\
        \ shall disclose, pursuant to Section 1798.130, the consumer\u2019s right\
        \ to request correction of inaccurate personal information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.106-c
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.106
      ref_id: 1798.106-c
      description: 'A business that receives a verifiable consumer request to correct
        inaccurate personal information shall use commercially reasonable efforts
        to correct the inaccurate personal information as directed by the consumer,
        pursuant to Section 1798.130 and regulations adopted pursuant to paragraph
        (8) of subdivision (a) of Section 1798.185. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.110
      assessable: false
      depth: 1
      ref_id: '1798.110'
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.110
      ref_id: 1798.110-a
      description: 'A consumer shall have the right to request that a business that
        collects personal information about the consumer disclose to the consumer
        the following: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-a.1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-a
      ref_id: 1798.110-a.1
      description: 'The categories of personal information it has collected about
        that consumer. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-a.2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-a
      ref_id: 1798.110-a.2
      description: 'The categories of sources from which the personal information
        is collected. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-a.3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-a
      ref_id: 1798.110-a.3
      description: 'The business or commercial purpose for collecting, selling, or
        sharing personal information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-a.4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-a
      ref_id: 1798.110-a.4
      description: 'The categories of third parties to whom the business discloses
        personal information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-a.5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-a
      ref_id: 1798.110-a.5
      description: 'The specific pieces of personal information it has collected about
        that consumer. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-b
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.110
      ref_id: 1798.110-b
      description: 'A business that collects personal information about a consumer
        shall disclose to the consumer, pursuant to subparagraph (B) of paragraph
        (3) of subdivision (a) of Section 1798.130, the information specified in subdivision
        (a) upon receipt of a verifiable consumer request from the consumer, provided
        that a business shall be deemed to be in compliance with paragraphs (1) to
        (4), inclusive, of subdivision (a) to the extent that the categories of information
        and the business or commercial purpose for collecting, selling, or sharing
        personal information it would be required to disclose to the consumer pursuant
        to paragraphs (1) to (4), inclusive, of subdivision (a) is the same as the
        information it has disclosed pursuant to paragraphs (1) to (4), inclusive,
        of subdivision (c). '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-c
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.110
      ref_id: 1798.110-c
      description: 'A business that collects personal information about consumers
        shall disclose, pursuant to subparagraph (B) of paragraph (5) of subdivision
        (a) of Section 1798.130: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-c.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-c
      ref_id: 1798.110-c.1
      description: 'The categories of personal information it has collected about
        consumers. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-c.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-c
      ref_id: 1798.110-c.2
      description: 'The categories of sources from which the personal information
        is collected. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-c.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-c
      ref_id: 1798.110-c.3
      description: 'The business or commercial purpose for collecting, selling, or
        sharing personal information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-c.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-c
      ref_id: 1798.110-c.4
      description: 'The categories of third parties to whom the business discloses
        personal information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-c.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.110-c
      ref_id: 1798.110-c.5
      description: 'That a consumer has the right to request the specific pieces of
        personal information the business has collected about that consumer. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.115
      assessable: false
      depth: 1
      ref_id: '1798.115'
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.115-a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.115
      ref_id: 1798.115-a
      description: "A consumer shall have the right to request that a business that\
        \ sells or shares the consumer\u2019s personal information, or that discloses\
        \ it for a business purpose, disclose to that consumer: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.115-a.1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.115-a
      ref_id: 1798.115-a.1
      description: 'The categories of personal information that the business collected
        about the consumer. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.115-a.2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.115-a
      ref_id: 1798.115-a.2
      description: 'The categories of personal information that the business sold
        or shared about the consumer and the categories of third parties to whom the
        personal information was sold or shared, by category or categories of personal
        information for each category of third parties to whom the personal information
        was sold or shared. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.115-a.3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.115-a
      ref_id: 1798.115-a.3
      description: 'The categories of personal information that the business disclosed
        about the consumer for a business purpose and the categories of persons to
        whom it was disclosed for a business purpose. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.115-b
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.115
      ref_id: 1798.115-b
      description: "A business that sells or shares personal information about a consumer,\
        \ or that discloses a consumer\u2019s personal information for a business\
        \ purpose, shall disclose, pursuant to paragraph (4) of subdivision (a) of\
        \ Section 1798.130, the information specified in subdivision (a) to the consumer\
        \ upon receipt of a verifiable consumer request from the consumer. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.115-c
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.115
      ref_id: 1798.115-c
      description: "A business that sells or shares consumers\u2019 personal information,\
        \ or that discloses consumers\u2019 personal information for a business purpose,\
        \ shall disclose, pursuant to subparagraph (C) of paragraph (5) of subdivision\
        \ (a) of Section 1798.130: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.115-c.1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.115-c
      ref_id: 1798.115-c.1
      description: "The category or categories of consumers\u2019 personal information\
        \ it has sold or shared, or if the business has not sold or shared consumers\u2019\
        \ personal information, it shall disclose that fact. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.115-c.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.115-c
      ref_id: 1798.115-c.2
      description: "The category or categories of consumers\u2019 personal information\
        \ it has disclosed for a business purpose, or if the business has not disclosed\
        \ consumers\u2019 personal information for a business purpose, it shall disclose\
        \ that fact. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.115-d
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.115
      ref_id: 1798.115-d
      description: 'A third party shall not sell or share personal information about
        a consumer that has been sold to, or shared with, the third party by a business
        unless the consumer has received explicit notice and is provided an opportunity
        to exercise the right to opt-out pursuant to Section 1798.120. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.120
      assessable: false
      depth: 1
      ref_id: '1798.120'
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.120-a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.120
      ref_id: 1798.120-a
      description: "A consumer shall have the right, at any time, to direct a business\
        \ that sells or shares personal information about the consumer to third parties\
        \ not to sell or share the consumer\u2019s personal information. This right\
        \ may be referred to as the right to opt-out of sale or sharing. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.120-b
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.120
      ref_id: 1798.120-b
      description: "A business that sells consumers\u2019 personal information to,\
        \ or shares it with, third parties shall provide notice to consumers, pursuant\
        \ to subdivision (a) of Section 1798.135, that this information may be sold\
        \ or shared and that consumers have the \u201Cright to opt-out\u201D of the\
        \ sale or sharing of their personal information."
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.120-c
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.120
      ref_id: 1798.120-c
      description: "Notwithstanding subdivision (a), a business shall not sell or\
        \ share the personal information of consumers if the business has actual knowledge\
        \ that the consumer is less than 16 years of age, unless the consumer, in\
        \ the case of consumers at least 13 years of age and less than 16 years of\
        \ age, or the consumer\u2019s parent or guardian, in the case of consumers\
        \ who are less than 13 years of age, has affirmatively authorized the sale\
        \ or sharing of the consumer\u2019s personal information. A business that\
        \ willfully disregards the consumer\u2019s age shall be deemed to have had\
        \ actual knowledge of the consumer\u2019s age. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.120-d
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.120
      ref_id: 1798.120-d
      description: "A business that has received direction from a consumer not to\
        \ sell or share the consumer\u2019s personal information or, in the case of\
        \ a minor consumer\u2019s personal information has not received consent to\
        \ sell or share the minor consumer\u2019s personal information, shall be prohibited,\
        \ pursuant to paragraph (4) of subdivision (c) of Section 1798.135, from selling\
        \ or sharing the consumer\u2019s personal information after its receipt of\
        \ the consumer\u2019s direction, unless the consumer subsequently provides\
        \ consent, for the sale or sharing of the consumer\u2019s personal information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.121
      assessable: false
      depth: 1
      ref_id: '1798.121'
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.121-a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.121
      ref_id: 1798.121-a
      description: "A consumer shall have the right, at any time, to direct a business\
        \ that collects sensitive personal information about the consumer to limit\
        \ its use of the consumer\u2019s sensitive personal information to that use\
        \ which is necessary to perform the services or provide the goods reasonably\
        \ expected by an average consumer who requests those goods or services, to\
        \ perform the services set forth in paragraphs (2), (4), (5), and (8) of subdivision\
        \ (e) of Section 1798.140, and as authorized by regulations adopted pursuant\
        \ to subparagraph (C) of paragraph (19) of subdivision (a) of Section 1798.185.\
        \ A business that uses or discloses a consumer\u2019s sensitive personal information\
        \ for purposes other than those specified in this subdivision shall provide\
        \ notice to consumers, pursuant to subdivision (a) of Section 1798.135, that\
        \ this information may be used, or disclosed to a service provider or contractor,\
        \ for additional, specified purposes and that consumers have the right to\
        \ limit the use or disclosure of their sensitive personal information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.121-b
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.121
      ref_id: 1798.121-b
      description: "A business that has received direction from a consumer not to\
        \ use or disclose the consumer\u2019s sensitive personal information, except\
        \ as authorized by subdivision (a), shall be prohibited, pursuant to paragraph\
        \ (4) of subdivision (c) of Section 1798.135, from using or disclosing the\
        \ consumer\u2019s sensitive personal information for any other purpose after\
        \ its receipt of the consumer\u2019s direction unless the consumer subsequently\
        \ provides consent for the use or disclosure of the consumer\u2019s sensitive\
        \ personal information for additional purposes. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.121-c
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.121
      ref_id: 1798.121-c
      description: 'A service provider or contractor that assists a business in performing
        the purposes authorized by subdivision (a) may not use the sensitive personal
        information after it has received instructions from the business and to the
        extent it has actual knowledge that the personal information is sensitive
        personal information for any other purpose. A service provider or contractor
        is only required to limit its use of sensitive personal information received
        pursuant to a written contract with the business in response to instructions
        from the business and only with respect to its relationship with that business. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.121-d
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.121
      ref_id: 1798.121-d
      description: Sensitive personal information that is collected or processed without
        the purpose of inferring characteristics about a consumer is not subject to
        this section, as further defined in regulations adopted pursuant to subparagraph
        (C) of paragraph (19) of subdivision (a) of Section 1798.185, and shall be
        treated as personal information for purposes of all other sections of this
        act, including Section 1798.100.
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.125
      assessable: false
      depth: 1
      ref_id: '1798.125'
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.125-a.1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.125
      ref_id: 1798.125-a.1
      description: "A business shall not discriminate against a consumer because the\
        \ consumer exercised any of the consumer\u2019s rights under this title, including,\
        \ but not limited to, by: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.125-a.1.a
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.125-a.1
      ref_id: 1798.125-a.1.A
      description: Denying goods or services to the consumer
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.125-a.1.b
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.125-a.1
      ref_id: 1798.125-a.1.B
      description: 'Charging different prices or rates for goods or services, including
        through the use of discounts or other benefits or imposing penalties. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.125-a.1.c
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.125-a.1
      ref_id: 1798.125-a.1.C
      description: 'Providing a different level or quality of goods or services to
        the consumer. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.125-a.1.d
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.125-a.1
      ref_id: 1798.125-a.1.D
      description: 'Suggesting that the consumer will receive a different price or
        rate for goods or services or a different level or quality of goods or services. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.125-a.1.e
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.125-a.1
      ref_id: 1798.125-a.1.E
      description: 'Retaliating against an employee, applicant for employment, or
        independent contractor, as defined in subparagraph (A) of paragraph (2) of
        subdivision (m) of Section 1798.145, for exercising their rights under this
        title. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.125-a.2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.125
      ref_id: 1798.125-a.2
      description: "Nothing in this subdivision prohibits a business, pursuant to\
        \ subdivision (b), from charging a consumer a different price or rate, or\
        \ from providing a different level or quality of goods or services to the\
        \ consumer, if that difference is reasonably related to the value provided\
        \ to the business by the consumer\u2019s data. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.125-a.3
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.125
      ref_id: 1798.125-a.3
      description: 'This subdivision does not prohibit a business from offering loyalty,
        rewards, premium features, discounts, or club card programs consistent with
        this title. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.125-b.1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.125
      ref_id: 1798.125-b.1
      description: "A business may offer financial incentives, including payments\
        \ to consumers as compensation, for the collection of personal information,\
        \ the sale or sharing of personal information, or the retention of personal\
        \ information. A business may also offer a different price, rate, level, or\
        \ quality of goods or services to the consumer if that price or difference\
        \ is reasonably related to the value provided to the business by the consumer\u2019\
        s data. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.125-b.2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.125
      ref_id: 1798.125-b.2
      description: 'A business that offers any financial incentives pursuant to this
        subdivision, shall notify consumers of the financial incentives pursuant to
        Section 1798.130. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.125-b.3
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.125
      ref_id: 1798.125-b.3
      description: 'A business may enter a consumer into a financial incentive program
        only if the consumer gives the business prior opt-in consent pursuant to Section
        1798.130 that clearly describes the material terms of the financial incentive
        program, and which may be revoked by the consumer at any time. If a consumer
        refuses to provide optin consent, then the business shall wait for at least
        12 months before next requesting that the consumer provide opt-in consent,
        or as prescribed by regulations adopted pursuant to Section 1798.185. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.125-b.4
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.125
      ref_id: 1798.125-b.4
      description: 'A business shall not use financial incentive practices that are
        unjust, unreasonable, coercive, or usurious in nature. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130
      assessable: false
      depth: 1
      ref_id: '1798.130'
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130
      ref_id: 1798.130-a
      description: 'In order to comply with Sections 1798.100, 1798.105, 1798.106,
        1798.110, 1798.115, and 1798.125, a business shall, in a form that is reasonably
        accessible to consumers: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.1.a
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a
      ref_id: 1798.130-a.1.A
      description: 'Make available to consumers two or more designated methods for
        submitting requests for information required to be disclosed pursuant to Sections
        1798.110 and 1798.115, or requests for deletion or correction pursuant to
        Sections 1798.105 and 1798.106, respectively, including, at a minimum, a tollfree
        telephone number. A business that operates exclusively online and has a direct
        relationship with a consumer from whom it collects personal information shall
        only be required to provide an email address for submitting requests for information
        required to be disclosed pursuant to Sections 1798.110 and 1798.115, or for
        requests for deletion or correction pursuant to Sections 1798.105 and 1798.106,
        respectively. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.1.b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.1.a
      ref_id: 1798.130-a.1.B
      description: 'If the business maintains an internet website, make the internet
        website available to consumers to submit requests for information required
        to be disclosed pursuant to Sections 1798.110 and 1798.115, or requests for
        deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.2.a
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a
      ref_id: 1798.130-a.2.A
      description: "Disclose and deliver the required information to a consumer free\
        \ of charge, correct inaccurate personal information, or delete a consumer\u2019\
        s personal information, based on the consumer\u2019s request, within 45 days\
        \ of receiving a verifiable consumer request from the consumer. The business\
        \ shall promptly take steps to determine whether the request is a verifiable\
        \ consumer request, but this shall not extend the business\u2019s duty to\
        \ disclose and deliver the information, to correct inaccurate personal information,\
        \ or to delete personal information within 45 days of receipt of the consumer\u2019\
        s request. The time period to provide the required information, to correct\
        \ inaccurate personal information, or to delete personal information may be\
        \ extended once by an additional 45 days when reasonably necessary, provided\
        \ the consumer is provided notice of the extension within the first 45-day\
        \ period. The disclosure of the required information shall be made in writing\
        \ and delivered through the consumer\u2019s account with the business, if\
        \ the consumer maintains an account with the business, or by mail or electronically\
        \ at the consumer\u2019s option if the consumer does not maintain an account\
        \ with the business, in a readily useable format that allows the consumer\
        \ to transmit this information from one entity to another entity without hindrance.\
        \ The business may require authentication of the consumer that is reasonable\
        \ in light of the nature of the personal information requested, but shall\
        \ not require the consumer to create an account with the business in order\
        \ to make a verifiable consumer request provided that if the consumer, has\
        \ an account with the business, the business may require the consumer to use\
        \ that account to submit a verifiable consumer request. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.2.b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.2.a
      ref_id: 1798.130-a.2.B
      description: "The disclosure of the required information shall cover the 12-month\
        \ period preceding the business\u2019 receipt of the verifiable consumer request\
        \ provided that, upon the adoption of a regulation pursuant to paragraph (9)\
        \ of subdivision (a) of Section 1798.185, a consumer may request that the\
        \ business disclose the required information beyond the 12-month period, and\
        \ the business shall be required to provide that information unless doing\
        \ so proves impossible or would involve a disproportionate effort. A consumer\u2019\
        s right to request required information beyond the 12-month period, and a\
        \ business\u2019s obligation to provide that information, shall only apply\
        \ to personal information collected on or after January 1, 2022. Nothing in\
        \ this subparagraph shall require a business to keep personal information\
        \ for any length of time. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.3.a
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a
      ref_id: 1798.130-a.3.A
      description: "A business that receives a verifiable consumer request pursuant\
        \ to Section 1798.110 or 1798.115 shall disclose any personal information\
        \ it has collected about a consumer, directly or indirectly, including through\
        \ or by a service provider or contractor, to the consumer. A service provider\
        \ or contractor shall not be required to comply with a verifiable consumer\
        \ request received directly from a consumer or a consumer\u2019s authorized\
        \ agent, pursuant to Section 1798.110 or 1798.115, to the extent that the\
        \ service provider or contractor has collected personal information about\
        \ the consumer in its role as a service provider or contractor. A service\
        \ provider or contractor shall provide assistance to a business with which\
        \ it has a contractual relationship with respect to the business\u2019 response\
        \ to a verifiable consumer request, including, but not limited to, by providing\
        \ to the business the consumer\u2019s personal information in the service\
        \ provider or contractor\u2019s possession, which the service provider or\
        \ contractor obtained as a result of providing services to the business, and\
        \ by correcting inaccurate information or by enabling the business to do the\
        \ same. A service provider or contractor that collects personal information\
        \ pursuant to a written contract with a business shall be required to assist\
        \ the business through appropriate technical and organizational measures in\
        \ complying with the requirements of subdivisions (d) to (f), inclusive, of\
        \ Section 1798.100, taking into account the nature of the processing. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.3.b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.3.a
      ref_id: 1798.130-a.3.B
      description: 'For purposes of subdivision (b) of Section 1798.110: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.3.b.i
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.3.b
      ref_id: 1798.130-a.3.B.i
      description: 'To identify the consumer, associate the information provided by
        the consumer in the verifiable consumer request to any personal information
        previously collected by the business about the consumer. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.3.b.ii
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.3.b
      ref_id: 1798.130-a.3.B.ii
      description: "Identify by category or categories the personal information collected\
        \ about the consumer for the applicable period of time by reference to the\
        \ enumerated category or categories in subdivision (c) that most closely describes\
        \ the personal information collected; the categories of sources from which\
        \ the consumer\u2019s personal information was collected; the business or\
        \ commercial purpose for collecting, selling, or sharing the consumer\u2019\
        s personal information; and the categories of third parties to whom the business\
        \ discloses the consumer\u2019s personal information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.3.b.iii
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.3.b
      ref_id: 1798.130-a.3.B.iii
      description: "Provide the specific pieces of personal information obtained from\
        \ the consumer in a format that is easily understandable to the average consumer,\
        \ and to the extent technically feasible, in a structured, commonly used,\
        \ machine-readable format that may also be transmitted to another entity at\
        \ the consumer\u2019s request without hindrance. \u201CSpecific pieces of\
        \ information\u201D do not include data generated to help ensure security\
        \ and integrity or as prescribed by regulation. Personal information is not\
        \ considered to have been disclosed by a business when a consumer instructs\
        \ a business to transfer the consumer\u2019s personal information from one\
        \ business to another in the context of switching services. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a
      ref_id: 1798.130-a.4
      description: 'For purposes of subdivision (b) of Section 1798.115: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.4.a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.4
      ref_id: 1798.130-a.4.A
      description: 'Identify the consumer and associate the information provided by
        the consumer in the verifiable consumer request to any personal information
        previously collected by the business about the consumer. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.4.b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.4
      ref_id: 1798.130-a.4.B
      description: "Identify by category or categories the personal information of\
        \ the consumer that the business sold or shared during the applicable period\
        \ of time by reference to the enumerated category in subdivision (c) that\
        \ most closely describes the personal information, and provide the categories\
        \ of third parties to whom the consumer\u2019s personal information was sold\
        \ or shared during the applicable period of time by reference to the enumerated\
        \ category or categories in subdivision (c) that most closely describes the\
        \ personal information sold or shared. The business shall disclose the information\
        \ in a list that is separate from a list generated for the purposes of subparagraph\
        \ (C). "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.4.c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.4
      ref_id: 1798.130-a.4.C
      description: "Identify by category or categories the personal information of\
        \ the consumer that the business disclosed for a business purpose during the\
        \ applicable period of time by reference to the enumerated category or categories\
        \ in subdivision (c) that most closely describes the personal information,\
        \ and provide the categories of persons to whom the consumer\u2019s personal\
        \ information was disclosed for a business purpose during the applicable period\
        \ of time by reference to the enumerated category or categories in subdivision\
        \ (c) that most closely describes the personal information disclosed. The\
        \ business shall disclose the information in a list that is separate from\
        \ a list generated for the purposes of subparagraph (B). "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a
      ref_id: 1798.130-a.5
      description: "Disclose the following information in its online privacy policy\
        \ or policies if the business has an online privacy policy or policies and\
        \ in any California-specific description of consumers\u2019 privacy rights,\
        \ or if the business does not maintain those policies, on its internet website,\
        \ and update that information at least once every 12 months: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5.a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5
      ref_id: 1798.130-a.5.A
      description: "A description of a consumer\u2019s rights pursuant to Sections\
        \ 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, and 1798.125 and two or\
        \ more designated methods for submitting requests, except as provided in subparagraph\
        \ (A) of paragraph (1) of subdivision (a). "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5.b
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5
      ref_id: 1798.130-a.5.B
      description: 'For purposes of subdivision (c) of Section 1798.110: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5.b.i
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5.b
      ref_id: 1798.130-a.5.B.i
      description: 'A list of the categories of personal information it has collected
        about consumers in the preceding 12 months by reference to the enumerated
        category or categories in subdivision (c) that most closely describe the personal
        information collected. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5.b.ii
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5.b
      ref_id: 1798.130-a.5.B.ii
      description: "The categories of sources from which consumers\u2019 personal\
        \ information is collected. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5.b.iii
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5.b
      ref_id: 1798.130-a.5.B.iii
      description: "The business or commercial purpose for collecting, selling, or\
        \ sharing consumers\u2019 personal information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5.b.iv
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5.b
      ref_id: 1798.130-a.5.B.iv
      description: "The categories of third parties to whom the business discloses\
        \ consumers\u2019 personal information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5.c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5
      ref_id: 1798.130-a.5.C
      description: 'For purposes of paragraphs (1) and (2) of subdivision (c) of Section
        1798.115, two separate lists: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5.c.i
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5.c
      ref_id: 1798.130-a.5.C.i
      description: "A list of the categories of personal information it has sold or\
        \ shared about consumers in the preceding 12 months by reference to the enumerated\
        \ category or categories in subdivision (c) that most closely describe the\
        \ personal information sold or shared, or if the business has not sold or\
        \ shared consumers\u2019 personal information in the preceding 12 months,\
        \ the business shall prominently disclose that fact in its privacy policy. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5.c.ii
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5.c
      ref_id: 1798.130-a.5.C.ii
      description: "A list of the categories of personal information it has disclosed\
        \ about consumers for a business purpose in the preceding 12 months by reference\
        \ to the enumerated category in subdivision (c) that most closely describes\
        \ the personal information disclosed, or if the business has not disclosed\
        \ consumers\u2019 personal information for a business purpose in the preceding\
        \ 12 months, the business shall disclose that fact. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5
      ref_id: 1798.130-a.6
      description: "Ensure that all individuals responsible for handling consumer\
        \ inquiries about the business\u2019 privacy practices or the business\u2019\
        \ compliance with this title are informed of all requirements in Sections\
        \ 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.125, and this section,\
        \ and how to direct consumers to exercise their rights under those sections. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-a.5
      ref_id: 1798.130-a.7
      description: "Use any personal information collected from the consumer in connection\
        \ with the business\u2019 verification of the consumer\u2019s request solely\
        \ for the purposes of verification and shall not further disclose the personal\
        \ information, retain it longer than necessary for purposes of verification,\
        \ or use it for unrelated purposes. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-b
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130
      ref_id: 1798.130-b
      description: 'A business is not obligated to provide the information required
        by Sections 1798.110 and 1798.115 to the same consumer more than twice in
        a 12-month period. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.130-c
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.130
      ref_id: 1798.130-c
      description: 'The categories of personal information required to be disclosed
        pursuant to Sections 1798.100, 1798.110, and 1798.115 shall follow the definitions
        of personal information and sensitive personal information in Section 1798.140
        by describing the categories of personal information using the specific terms
        set forth in subparagraphs (A) to (K), inclusive, of paragraph (1) of subdivision
        (v) of Section 1798.140 and by describing the categories of sensitive personal
        information using the specific terms set forth in paragraphs (1) to (9), inclusive,
        of subdivision (ae) of Section 1798.140. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135
      assessable: false
      depth: 1
      ref_id: '1798.135'
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-a
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135
      ref_id: 1798.135-a
      description: "A business that sells or shares consumers\u2019 personal information\
        \ or uses or discloses consumers\u2019 sensitive personal information for\
        \ purposes other than those authorized by subdivision (a) of Section 1798.121\
        \ shall, in a form that is reasonably accessible to consumers: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-a.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-a
      ref_id: 1798.135-a.1
      description: "Provide a clear and conspicuous link on the business\u2019s internet\
        \ homepages, titled \u201CDo Not Sell or Share My Personal Information,\u201D\
        \ to an internet web page that enables a consumer, or a person authorized\
        \ by the consumer, to opt-out of the sale or sharing of the consumer\u2019\
        s personal information"
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-a.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-a
      ref_id: 1798.135-a.2
      description: "Provide a clear and conspicuous link on the business\u2019 internet\
        \ homepages, titled \u201CLimit the Use of My Sensitive Personal Information,\u201D\
        \ that enables a consumer, or a person authorized by the consumer, to limit\
        \ the use or disclosure of the consumer\u2019s sensitive personal information\
        \ to those uses authorized by subdivision (a) of Section 1798.121. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-a.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-a
      ref_id: 1798.135-a.3
      description: "At the business\u2019 discretion, utilize a single, clearly labeled\
        \ link on the business\u2019 internet homepages, in lieu of complying with\
        \ paragraphs (1) and (2), if that link easily allows a consumer to opt out\
        \ of the sale or sharing of the consumer\u2019s personal information and to\
        \ limit the use or disclosure of the consumer\u2019s sensitive personal information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-a.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-a
      ref_id: 1798.135-a.4
      description: "In the event that a business responds to opt-out requests received\
        \ pursuant to paragraph (1), (2), or (3) by informing the consumer of a charge\
        \ for the use of any product or service, present the terms of any financial\
        \ incentive offered pursuant to subdivision (b) of Section 1798.125 for the\
        \ retention, use, sale, or sharing of the consumer\u2019s personal information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-b.1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135
      ref_id: 1798.135-b.1
      description: "A business shall not be required to comply with subdivision (a)\
        \ if the business allows consumers to opt out of the sale or sharing of their\
        \ personal information and to limit the use of their sensitive personal information\
        \ through an opt-out preference signal sent with the consumer\u2019s consent\
        \ by a platform, technology, or mechanism, based on technical specifications\
        \ set forth in regulations adopted pursuant to paragraph (20) of subdivision\
        \ (a) of Section 1798.185, to the business indicating the consumer\u2019s\
        \ intent to opt out of the business\u2019 sale or sharing of the consumer\u2019\
        s personal information or to limit the use or disclosure of the consumer\u2019\
        s sensitive personal information, or both. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-b.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-b.1
      ref_id: 1798.135-b.2
      description: "A business that allows consumers to opt out of the sale or sharing\
        \ of their personal information and to limit the use of their sensitive personal\
        \ information pursuant to paragraph (1) may provide a link to a web page that\
        \ enables the consumer to consent to the business ignoring the opt-out preference\
        \ signal with respect to that business\u2019 sale or sharing of the consumer\u2019\
        s personal information or the use of the consumer\u2019s sensitive personal\
        \ information for additional purposes provided that: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-b.2.a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-b.2
      ref_id: 1798.135-b.2.A
      description: 'The consent web page also allows the consumer or a person authorized
        by the consumer to revoke the consent as easily as it is affirmatively provided. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-b.2.b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-b.2
      ref_id: 1798.135-b.2.B
      description: "The link to the web page does not degrade the consumer\u2019s\
        \ experience on the web page the consumer intends to visit and has a similar\
        \ look, feel, and size relative to other links on the same web page. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-b.2.c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-b.2
      ref_id: 1798.135-b.2.C
      description: 'The consent web page complies with technical specifications set
        forth in regulations adopted pursuant to paragraph (20) of subdivision (a)
        of Section 1798.185. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-b.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-b.1
      ref_id: 1798.135-b.3
      description: 'A business that complies with subdivision (a) is not required
        to comply with subdivision (b). For the purposes of clarity, a business may
        elect whether to comply with subdivision (a) or subdivision (b). '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-c
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135
      ref_id: 1798.135-c
      description: 'A business that is subject to this section shall: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-c.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-c
      ref_id: 1798.135-c.1
      description: "Not require a consumer to create an account or provide additional\
        \ information beyond what is necessary in order to direct the business not\
        \ to sell or share the consumer\u2019s personal information or to limit use\
        \ or disclosure of the consumer\u2019s sensitive personal information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-c.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-c
      ref_id: 1798.135-c.2
      description: "Include a description of a consumer\u2019s rights pursuant to\
        \ Sections 1798.120 and  1798.121, along with a separate link to the \u201C\
        Do Not Sell or Share My Personal Information\u201D internet web page and a\
        \ separate link to the \u201CLimit the Use of My Sensitive Personal Information\u201D\
        \ internet web page, if applicable, or a single link to both choices, or a\
        \ statement that the business responds to and abides by opt-out preference\
        \ signals sent by a platform, technology, or mechanism in accordance with\
        \ subdivision (b), in: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-c.2.a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-c.2
      ref_id: 1798.135-c.2.A
      description: 'Its online privacy policy or policies if the business has an online
        privacy policy or policies. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-c.2.b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-c.2
      ref_id: 1798.135-c.2.B
      description: "Any California-specific description of consumers\u2019 privacy\
        \ rights. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-c.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-c
      ref_id: 1798.135-c.3
      description: "Ensure that all individuals responsible for handling consumer\
        \ inquiries about the business\u2019s privacy practices or the business\u2019\
        s compliance with this title are informed of all requirements in Sections\
        \ 1798.120, 1798.121, and this section and how to direct consumers to exercise\
        \ their rights under those sections. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-c.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-c
      ref_id: 1798.135-c.4
      description: "For consumers who exercise their right to opt-out of the sale\
        \ or sharing of their personal information or limit the use or disclosure\
        \ of their sensitive personal information, refrain from selling or sharing\
        \ the consumer\u2019s personal information or using or disclosing the consumer\u2019\
        s sensitive personal information and wait for at least 12 months before requesting\
        \ that the consumer authorize the sale or sharing of the consumer\u2019s personal\
        \ information or the use and disclosure of the consumer\u2019s sensitive personal\
        \ information for additional purposes, or as authorized by regulations. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-c.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-c
      ref_id: 1798.135-c.5
      description: "For consumers under 16 years of age who do not consent to the\
        \ sale or sharing of their personal information, refrain from selling or sharing\
        \ the personal information of the consumer under 16 years of age and wait\
        \ for at least 12 months before requesting the consumer\u2019s consent again,\
        \ or as authorized by regulations or until the consumer attains 16 years of\
        \ age. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-c.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-c
      ref_id: 1798.135-c.6
      description: "Use any personal information collected from the consumer in connection\
        \ with the submission of the consumer\u2019s opt-out request solely for the\
        \ purposes of complying with the opt-out request. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-d
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135
      ref_id: 1798.135-d
      description: 'Nothing in this title shall be construed to require a business
        to comply with the title by including the required links and text on the homepage
        that the business makes available to the public generally, if the business
        maintains a separate and additional homepage that is dedicated to California
        consumers and that includes the required links and text, and the business
        takes reasonable steps to ensure that California consumers are directed to
        the homepage for California consumers and not the homepage made available
        to the public generally. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-e
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135
      ref_id: 1798.135-e
      description: "A consumer may authorize another person to opt-out of the sale\
        \ or sharing of the consumer\u2019s personal information and to limit the\
        \ use of the consumer\u2019s sensitive personal information on the consumer\u2019\
        s behalf, including through an opt-out preference signal, as defined in paragraph\
        \ (1) of subdivision (b), indicating the consumer\u2019s intent to opt out,\
        \ and a business shall comply with an opt-out request received from a person\
        \ authorized by the consumer to act on the consumer\u2019s behalf, pursuant\
        \ to regulations adopted by the Attorney General regardless of whether the\
        \ business has elected to comply with subdivision (a) or (b). For purposes\
        \ of clarity, a business that elects to comply with subdivision (a) may respond\
        \ to the consumer\u2019s opt-out consistent with Section 1798.125."
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-f
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135
      ref_id: 1798.135-f
      description: "If a business communicates a consumer\u2019s opt-out request to\
        \ any person authorized by the business to collect personal information, the\
        \ person shall thereafter only use that consumer\u2019s personal information\
        \ for a business purpose specified by the business, or as otherwise permitted\
        \ by this title, and shall be prohibited from: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-f.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-f
      ref_id: 1798.135-f.1
      description: 'Selling or sharing the personal information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-f.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-f
      ref_id: 1798.135-f.2
      description: "Retaining, using, or disclosing that consumer\u2019s personal\
        \ information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-f.2.a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-f.2
      ref_id: 1798.135-f.2.A
      description: 'For any purpose other than for the specific purpose of performing
        the services offered to the business. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-f.2.b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-f.2
      ref_id: 1798.135-f.2.B
      description: 'Outside of the direct business relationship between the person
        and the business. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-f.2.c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-f.2
      ref_id: 1798.135-f.2.C
      description: 'For a commercial purpose other than providing the services to
        the business. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.135-g
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.135
      ref_id: 1798.135-g
      description: "A business that communicates a consumer\u2019s opt-out request\
        \ to a person pursuant to subdivision (f) shall not be liable under this title\
        \ if the person receiving the opt-out request violates the restrictions set\
        \ forth in the title provided that, at the time of communicating the opt-out\
        \ request, the business does not have actual knowledge, or reason to believe,\
        \ that the person intends to commit such a violation. Any provision of a contract\
        \ or agreement of any kind that purports to waive or limit in any way this\
        \ subdivision shall be void and unenforceable. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140
      assessable: false
      depth: 1
      ref_id: '1798.140'
    - urn: urn:intuitem:risk:req_node:ccpa_act:node143
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140
      description: 'For purposes of this title: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-a
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-a
      description: "\u201CAdvertising and marketing\u201D means a communication by\
        \ a business or a person acting on the business\u2019 behalf in any medium\
        \ intended to induce a consumer to obtain goods, services, or employment. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-b
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-b
      description: "\u201CAggregate consumer information\u201D means information that\
        \ relates to a group or category of consumers, from which individual consumer\
        \ identities have been removed, that is not linked or reasonably linkable\
        \ to any consumer or household, including via a device. \u201CAggregate consumer\
        \ information\u201D does not mean one or more individual consumer records\
        \ that have been deidentified. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-c
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-c
      description: "\u201CBiometric information\u201D means an individual\u2019s physiological,\
        \ biological, or behavioral characteristics, including information pertaining\
        \ to an individual\u2019s deoxyribonucleic acid (DNA), that is used or is\
        \ intended to be used singly or in combination with each other or with other\
        \ identifying data, to establish individual identity. Biometric information\
        \ includes, but is not limited to, imagery of the iris, retina, fingerprint,\
        \ face, hand, palm, vein patterns, and voice recordings, from which an identifier\
        \ template, such as a faceprint, a minutiae template, or a voiceprint, can\
        \ be extracted, and keystroke patterns or rhythms, gait patterns or rhythms,\
        \ and sleep, health, or exercise data that contain identifying information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-d
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-d
      description: "\u201CBusiness\u201D means: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-d.1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-d
      ref_id: 1798.140-d.1
      description: "A sole proprietorship, partnership, limited liability company,\
        \ corporation, association, or other legal entity that is organized or operated\
        \ for the profit or financial benefit of its shareholders or other owners,\
        \ that collects consumers\u2019 personal information, or on the behalf of\
        \ which such information is collected and that alone, or jointly with others,\
        \ determines the purposes and means of the processing of consumers\u2019 personal\
        \ information, that does business in the State of California, and that satisfies\
        \ one or more of the following thresholds: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-d.1.a
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-d.1
      ref_id: 1798.140-d.1.A
      description: 'As of January 1 of the calendar year, had annual gross revenues
        in excess of twenty-five million dollars ($25,000,000) in the preceding calendar
        year, as adjusted pursuant to paragraph (5) of subdivision (a) of Section
        1798.185. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-d.1.b
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-d.1
      ref_id: 1798.140-d.1.B
      description: 'Alone or in combination, annually buys, sells, or shares the personal
        information of 100,000 or more consumers or households. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-d.1.c
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-d.1
      ref_id: 1798.140-d.1.C
      description: "Derives 50 percent or more of its annual revenues from selling\
        \ or sharing consumers\u2019 personal information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-d.2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-d
      ref_id: 1798.140-d.2
      description: "Any entity that controls or is controlled by a business, as defined\
        \ in paragraph (1), and that shares common branding with the business and\
        \ with whom the business shares consumers\u2019 personal information. \u201C\
        Control\u201D or \u201Ccontrolled\u201D means ownership of, or the power to\
        \ vote, more than 50 percent of the outstanding shares of any class of voting\
        \ security of a business; control in any manner over the election of a majority\
        \ of the directors, or of individuals exercising similar functions; or the\
        \ power to exercise a controlling influence over the management of a company.\
        \ \u201CCommon branding\u201D means a shared name, servicemark, or trademark\
        \ that the average consumer would understand that two or more entities are\
        \ commonly owned. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-d.3
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-d
      ref_id: 1798.140-d.3
      description: 'A joint venture or partnership composed of businesses in which
        each business has at least a 40 percent interest. For purposes of this title,
        the joint venture or partnership and each business that composes the joint
        venture or partnership shall separately be considered a single business, except
        that personal information in the possession of each business and disclosed
        to the joint venture or partnership shall not be shared with the other business. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-d.4
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-d
      ref_id: 1798.140-d.4
      description: 'A person that does business in California, that is not covered
        by paragraph (1), (2), or (3), and that voluntarily certifies to the California
        Privacy Protection Agency that it is in compliance with, and agrees to be
        bound by, this title. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-e
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-e
      description: "\u201CBusiness purpose\u201D means the use of personal information\
        \ for the business\u2019 operational purposes, or other notified purposes,\
        \ or for the service provider or contractor\u2019s operational purposes, as\
        \ defined by regulations adopted pursuant to paragraph (11) of subdivision\
        \ (a) of Section 1798.185, provided that the use of personal information shall\
        \ be reasonably necessary and proportionate to achieve the purpose for which\
        \ the personal information was collected or processed or for another purpose\
        \ that is compatible with the context in which the personal information was\
        \ collected. Business purposes are: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-e.1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-e
      ref_id: 1798.140-e.1
      description: 'Auditing related to counting ad impressions to unique visitors,
        verifying positioning and quality of ad impressions, and auditing compliance
        with this specification and other standards. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-e.2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-e
      ref_id: 1798.140-e.2
      description: "Helping to ensure security and integrity to the extent the use\
        \ of the consumer\u2019s personal information is reasonably necessary and\
        \ proportionate for these purposes. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-e.3
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-e
      ref_id: 1798.140-e.3
      description: 'Debugging to identify and repair errors that impair existing intended
        functionality. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-e.4
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-e
      ref_id: 1798.140-e.4
      description: "Short-term, transient use, including, but not limited to, nonpersonalized\
        \ advertising shown as part of a consumer\u2019s current interaction with\
        \ the business, provided that the consumer\u2019s personal information is\
        \ not disclosed to another third party and is not used to build a profile\
        \ about the consumer or otherwise alter the consumer\u2019s experience outside\
        \ the current interaction with the business. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-e.5
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-e
      ref_id: 1798.140-e.5
      description: 'Performing services on behalf of the business, including maintaining
        or servicing accounts, providing customer service, processing or fulfilling
        orders and transactions, verifying customer information, processing payments,
        providing financing, providing analytic services, providing storage, or providing
        similar services on behalf of the business. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-e.6
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-e
      ref_id: 1798.140-e.6
      description: 'Providing advertising and marketing services, except for cross-context
        behavioral advertising, to the consumer provided that, for the purpose of
        advertising and marketing, a service provider or contractor shall not combine
        the personal information of opted-out consumers that the service provider
        or contractor receives from, or on behalf of, the business with personal information
        that the service provider or contractor receives from, or on behalf of, another
        person or persons or collects from its own interaction with consumers. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-e.7
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-e
      ref_id: 1798.140-e.7
      description: 'Undertaking internal research for technological development and
        demonstration. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-e.8
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-e
      ref_id: 1798.140-e.8
      description: 'Undertaking activities to verify or maintain the quality or safety
        of a service or device that is owned, manufactured, manufactured for, or controlled
        by the business, and to improve, upgrade, or enhance the service or device
        that is owned, manufactured, manufactured for, or controlled by the business. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-f
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-f
      description: "\u201CCollects,\u201D \u201Ccollected,\u201D or \u201Ccollection\u201D\
        \ means buying, renting, gathering, obtaining, receiving, or accessing any\
        \ personal information pertaining to a consumer by any means. This includes\
        \ receiving information from the consumer, either actively or passively, or\
        \ by observing the consumer\u2019s behavior. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-g
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-g
      description: "\u201CCommercial purposes\u201D means to advance a person\u2019\
        s commercial or economic interests, such as by inducing another person to\
        \ buy, rent, lease, join, subscribe to, provide, or exchange products, goods,\
        \ property, information, or services, or enabling or effecting, directly or\
        \ indirectly, a commercial transaction. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-h
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-h
      description: "\u201CConsent\u201D means any freely given, specific, informed,\
        \ and unambiguous indication of the consumer\u2019s wishes by which the consumer,\
        \ or the consumer\u2019s legal guardian, a person who has power of attorney,\
        \ or a person acting as a conservator for the consumer, including by a statement\
        \ or by a clear affirmative action, signifies agreement to the processing\
        \ of personal information relating to the consumer for a narrowly defined\
        \ particular purpose. Acceptance of a general or broad terms of use, or similar\
        \ document, that contains descriptions of personal information processing\
        \ along with other, unrelated information, does not constitute consent. Hovering\
        \ over, muting, pausing, or closing a given piece of content does not constitute\
        \ consent. Likewise, agreement obtained through use of dark patterns does\
        \ not constitute consent. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-i
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-i
      description: "\u201CConsumer\u201D means a natural person who is a California\
        \ resident, as defined in Section 17014 of Title 18 of the California Code\
        \ of Regulations, as that section read on September 1, 2017, however identified,\
        \ including by any unique identifier. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-j.1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-j.1
      description: "\u201CContractor\u201D means a person to whom the business makes\
        \ available a consumer\u2019s personal information for a business purpose,\
        \ pursuant to a written contract with the business, provided that the contract: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-j.1.a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-j.1
      ref_id: 1798.140-j.1.A
      description: 'Prohibits the contractor from: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-j.1.a.i
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-j.1.a
      ref_id: 1798.140-j.1.A.i
      description: 'Selling or sharing the personal information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-j.1.a.ii
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-j.1.a
      ref_id: 1798.140-j.1.A.ii
      description: 'Retaining, using, or disclosing the personal information for any
        purpose other than for the business purposes specified in the contract, including
        retaining, using, or disclosing the personal information for a commercial
        purpose other than the business purposes specified in the contract, or as
        otherwise permitted by this title. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-j.1.a.iii
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-j.1.a
      ref_id: 1798.140-j.1.A.iii
      description: 'Retaining, using, or disclosing the information outside of the
        direct business relationship between the contractor and the business. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-j.1.a.iv
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-j.1.a
      ref_id: 1798.140-j.1.A.iv
      description: 'Combining the personal information that the contractor receives
        pursuant to a written contract with the business with personal information
        that it receives from or on behalf of another person or persons, or collects
        from its own interaction with the consumer, provided that the contractor may
        combine personal information to perform any business purpose as defined in
        regulations adopted pursuant to paragraph (10) of subdivision (a) of Section
        1798.185, except as provided for in paragraph (6) of subdivision (e) and in
        regulations adopted by the California Privacy Protection Agency. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-j.1.b
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-j.1
      ref_id: 1798.140-j.1.B
      description: 'Includes a certification made by the contractor that the contractor
        understands the restrictions in subparagraph (A) and will comply with them. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-j.1.c
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-j.1
      ref_id: 1798.140-j.1.C
      description: "Permits, subject to agreement with the contractor, the business\
        \ to monitor the contractor\u2019s compliance with the contract through measures,\
        \ including, but not limited to, ongoing manual reviews and automated scans\
        \ and regular assessments, audits, or other technical and operational testing\
        \ at least once every 12 months. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-j.2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-j.1
      ref_id: 1798.140-j.2
      description: 'If a contractor engages any other person to assist it in processing
        personal information for a business purpose on behalf of the business, or
        if any other person engaged by the contractor engages another person to assist
        in processing personal information for that business purpose, it shall notify
        the business of that engagement, and the engagement shall be pursuant to a
        written contract binding the other person to observe all the requirements
        set forth in paragraph (1). '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-k
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-k
      description: "\u201CCross-context behavioral advertising\u201D means the targeting\
        \ of advertising to a consumer based on the consumer\u2019s personal information\
        \ obtained from the consumer\u2019s activity across businesses, distinctly-branded\
        \ websites, applications, or services, other than the business, distinctly-branded\
        \ website, application, or service with which the consumer intentionally interacts. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-l
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-l
      description: "\u201CDark pattern\u201D means a user interface designed or manipulated\
        \ with the substantial effect of subverting or impairing user autonomy, decisionmaking,\
        \ or choice, as further defined by regulation. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-m
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-m
      description: "\u201CDeidentified\u201D means information that cannot reasonably\
        \ be used to infer information about, or otherwise be linked to, a particular\
        \ consumer provided that the business that possesses the information: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-m.1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-m
      ref_id: 1798.140-m.1
      description: 'Takes reasonable measures to ensure that the information cannot
        be associated with a consumer or household. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-m.2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-m
      ref_id: 1798.140-m.2
      description: 'Publicly commits to maintain and use the information in deidentified
        form and not to attempt to reidentify the information, except that the business
        may attempt to reidentify the information solely for the purpose of determining
        whether its deidentification processes satisfy the requirements of this subdivision. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-m.3
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-m
      ref_id: 1798.140-m.3
      description: 'Contractually obligates any recipients of the information to comply
        with all provisions of this subdivision. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-n
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-n
      description: "\u201CDesignated methods for submitting requests\u201D means a\
        \ mailing address, email address, internet web page, internet web portal,\
        \ toll-free telephone number, or other applicable contact information, whereby\
        \ consumers may submit a request or direction under this title, and any new,\
        \ consumer-friendly means of contacting a business, as approved by the Attorney\
        \ General pursuant to Section 1798.185. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-o
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-o
      description: "\u201CDevice\u201D means any physical object that is capable of\
        \ connecting to the Internet, directly or indirectly, or to another device. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-p
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-p
      description: "\u201CHomepage\u201D means the introductory page of an internet\
        \ website and any internet web page where personal information is collected.\
        \ In the case of an online service, such as a mobile application, homepage\
        \ means the application\u2019s platform page or download page, a link within\
        \ the application, such as from the application configuration, \u201CAbout,\u201D\
        \ \u201CInformation,\u2019\u2019 or settings page, and any other location\
        \ that allows consumers to review the notices required by this title, including,\
        \ but not limited to, before downloading the application. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-q
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-q
      description: "\u201CHousehold\u201D means a group, however identified, of consumers\
        \ who cohabitate with one another at the same residential address and share\
        \ use of common devices or services. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-r
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-r
      description: "\u201CInfer\u201D or \u201Cinference\u201D means the derivation\
        \ of information, data, assumptions, or conclusions from facts, evidence,\
        \ or another source of information or data. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-s
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-s
      description: "\u201CIntentionally interacts\u201D means when the consumer intends\
        \ to interact with a person, or disclose personal information to a person,\
        \ via one or more deliberate interactions, including visiting the person\u2019\
        s website or purchasing a good or service from the person. Hovering over,\
        \ muting, pausing, or closing a given piece of content does not constitute\
        \ a consumer\u2019s intent to interact with a person. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-t
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-t
      description: "\u201CNonpersonalized advertising\u201D means advertising and\
        \ marketing that is based solely on a consumer\u2019s personal information\
        \ derived from the consumer\u2019s current interaction with the business with\
        \ the exception of the consumer\u2019s precise geolocation. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-u
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-u
      description: "\u201CPerson\u201D means an individual, proprietorship, firm,\
        \ partnership, joint venture, syndicate, business trust, company, corporation,\
        \ limited liability company, association, committee, and any other organization\
        \ or group of persons acting in concert. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-v.1
      description: "\u201CPersonal information\u201D means information that identifies,\
        \ relates to, describes, is reasonably capable of being associated with, or\
        \ could reasonably be linked, directly or indirectly, with a particular consumer\
        \ or household. Personal information includes, but is not limited to, the\
        \ following if it identifies, relates to, describes, is reasonably capable\
        \ of being associated with, or could be reasonably linked, directly or indirectly,\
        \ with a particular consumer or household: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1.a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1
      ref_id: 1798.140-v.1.A
      description: "Identifiers such as a real name, alias, postal address, unique\
        \ personal identifier, online identifier, Internet Protocol address, email\
        \ address, account name, social security number, driver\u2019s license number,\
        \ passport number, or other similar identifiers. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1.b
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1
      ref_id: 1798.140-v.1.B
      description: 'Any personal information described in subdivision (e) of Section
        1798.80. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1.c
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1
      ref_id: 1798.140-v.1.C
      description: 'Characteristics of protected classifications under California
        or federal law. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1.d
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1
      ref_id: 1798.140-v.1.D
      description: 'Commercial information, including records of personal property,
        products or services purchased, obtained, or considered, or other purchasing
        or consuming histories or tendencies. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1.e
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1
      ref_id: 1798.140-v.1.E
      description: 'Biometric information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1.f
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1
      ref_id: 1798.140-v.1.F
      description: "Internet or other electronic network activity information, including,\
        \ but not limited to, browsing history, search history, and information regarding\
        \ a consumer\u2019s interaction with an internet website application, or advertisement. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1.g
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1
      ref_id: 1798.140-v.1.G
      description: 'Geolocation data. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1.h
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1
      ref_id: 1798.140-v.1.H
      description: 'Audio, electronic, visual, thermal, olfactory, or similar information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1.i
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1
      ref_id: 1798.140-v.1.I
      description: 'Professional or employment-related information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1.j
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1
      ref_id: 1798.140-v.1.J
      description: 'Education information, defined as information that is not publicly
        available personally identifiable information as defined in the Family Educational
        Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99). '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1.k
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1
      ref_id: 1798.140-v.1.K
      description: "Inferences drawn from any of the information identified in this\
        \ subdivision to create a profile about a consumer reflecting the consumer\u2019\
        s preferences, characteristics, psychological trends, predispositions, behavior,\
        \ attitudes, intelligence, abilities, and aptitudes. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1.l
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1
      ref_id: 1798.140-v.1.L
      description: 'Sensitive personal information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1
      ref_id: 1798.140-v.2
      description: "\u201CPersonal information\u201D does not include publicly available\
        \ information or lawfully obtained, truthful information that is a matter\
        \ of public concern. For purposes of this paragraph, \u201Cpublicly available\u201D\
        \ means: information that is lawfully made available from federal, state,\
        \ or local government records, or information that a business has a reasonable\
        \ basis to believe is lawfully made available to the general public by the\
        \ consumer or from widely distributed media; or information made available\
        \ by a person to whom the consumer has disclosed the information if the consumer\
        \ has not restricted the information to a specific audience. \u201CPublicly\
        \ available\u201D does not mean biometric information collected by a business\
        \ about a consumer without the consumer\u2019s knowledge. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.3
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-v.1
      ref_id: 1798.140-v.3
      description: "\u201CPersonal information\u201D does not include consumer information\
        \ that is deidentified or aggregate consumer information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-w
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-w
      description: "\u201CPrecise geolocation\u201D means any data that is derived\
        \ from a device and that is used or intended to be used to locate a consumer\
        \ within a geographic area that is equal to or less than the area of a circle\
        \ with a radius of 1,850 feet, except as prescribed by regulations. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-x
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-x
      description: "\u201CProbabilistic identifier\u201D means the identification\
        \ of a consumer or a consumer\u2019s device to a degree of certainty of more\
        \ probable than not based on any categories of personal information included\
        \ in, or similar to, the categories enumerated in the definition of personal\
        \ information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-y
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-y
      description: "\u201CProcessing\u201D means any operation or set of operations\
        \ that are performed on personal information or on sets of personal information,\
        \ whether or not by automated means. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-z
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-z
      description: "\u201CProfiling\u201D means any form of automated processing of\
        \ personal information, as further defined by regulations pursuant to paragraph\
        \ (16) of subdivision (a) of Section 1798.185, to evaluate certain personal\
        \ aspects relating to a natural person and in particular to \nanalyze or predict\
        \ aspects concerning that natural person\u2019s performance at work, economic\
        \ situation, health, personal preferences, interests, reliability, behavior,\
        \ location, or movements. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-aa
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-aa
      description: "\u201CPseudonymize\u201D or \u201CPseudonymization\u201D means\
        \ the processing of personal information in a manner that renders the personal\
        \ information no longer attributable to a specific consumer without the use\
        \ of additional information, provided that the additional information is kept\
        \ separately and is subject to technical and organizational measures to ensure\
        \ that the personal information is not attributed to an identified or identifiable\
        \ consumer. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ab
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-ab
      description: "\u201CResearch\u201D means scientific analysis, systematic study,\
        \ and observation, including basic research or applied research that is designed\
        \ to develop or contribute to public or scientific knowledge and that adheres\
        \ or otherwise conforms to all other applicable ethics and privacy laws, including,\
        \ but not limited to, studies conducted in the public interest in the area\
        \ of public health. Research with personal information that may have been\
        \ collected from a consumer in the course of the consumer\u2019s interactions\
        \ with a business\u2019 service or device for other purposes shall be: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ab.1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ab
      ref_id: 1798.140-ab.1
      description: 'Compatible with the business purpose for which the personal information
        was collected. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ab.2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ab
      ref_id: 1798.140-ab.2
      description: 'Subsequently pseudonymized and deidentified, or deidentified and
        in the aggregate, such that the information cannot reasonably identify, relate
        to, describe, be capable of being associated with, or be linked, directly
        or indirectly, to a particular consumer, by a business. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ab.3
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ab
      ref_id: 1798.140-ab.3
      description: 'Made subject to technical safeguards that prohibit reidentification
        of the consumer to whom the information may pertain, other than as needed
        to support the research. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ab.4
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ab
      ref_id: 1798.140-ab.4
      description: 'Subject to business processes that specifically prohibit reidentification
        of the information, other than as needed to support the research. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ab.5
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ab
      ref_id: 1798.140-ab.5
      description: 'Made subject to business processes to prevent inadvertent release
        of deidentified information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ab.6
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ab
      ref_id: 1798.140-ab.6
      description: 'Protected from any reidentification attempts. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ab.7
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ab
      ref_id: 1798.140-ab.7
      description: 'Used solely for research purposes that are compatible with the
        context in which the personal information was collected. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ab.8
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ab
      ref_id: 1798.140-ab.8
      description: 'Subjected by the business conducting the research to additional
        security controls that limit access to the research data to only those individuals
        as are necessary to carry out the research purpose. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ac
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-ac
      description: "\u201CSecurity and integrity\u201D means the ability of: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ac.1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ac
      ref_id: 1798.140-ac.1
      description: 'Networks or information systems to detect security incidents that
        compromise the availability, authenticity, integrity, and confidentiality
        of stored or transmitted personal information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ac.2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ac
      ref_id: 1798.140-ac.2
      description: 'Businesses to detect security incidents, resist malicious, deceptive,
        fraudulent, or illegal actions and to help prosecute those responsible for
        those actions. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ac.3
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ac
      ref_id: 1798.140-ac.3
      description: 'Businesses to ensure the physical safety of natural persons. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ad.1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-ad.1
      description: "\u201CSell,\u201D \u201Cselling,\u201D \u201Csale,\u201D or \u201C\
        sold,\u2019\u2019 means selling, renting, releasing, disclosing, disseminating,\
        \ making available, transferring, or otherwise communicating orally, in writing,\
        \ or by electronic or other means, a consumer\u2019s personal information\
        \ by the business to a third party for monetary or other valuable consideration. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ad.2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ad.1
      ref_id: 1798.140-ad.2
      description: 'For purposes of this title, a business does not sell personal
        information when: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ad.a
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ad.2
      ref_id: 1798.140-ad.A
      description: 'A consumer uses or directs the business to intentionally: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ad.a.i
      assessable: false
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ad.a
      ref_id: 1798.140-ad.A.i
      description: 'Disclose personal information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ad.a.ii
      assessable: false
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ad.a
      ref_id: 1798.140-ad.A.ii
      description: 'Interact with one or more third parties. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ad.b
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ad.2
      ref_id: 1798.140-ad.B
      description: "The business uses or shares an identifier for a consumer who has\
        \ opted out of the sale of the consumer\u2019s personal information or limited\
        \ the use of the consumer\u2019s sensitive personal information for the purposes\
        \ of alerting persons that the consumer has opted out of the sale of the consumer\u2019\
        s personal information or limited the use of the consumer\u2019s sensitive\
        \ personal information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ad.c
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ad.2
      ref_id: 1798.140-ad.C
      description: 'The business transfers to a third party the personal information
        of a consumer as an asset that is part of a merger, acquisition, bankruptcy,
        or other transaction in which the third party assumes control of all or part
        of the business, provided that information is used or shared consistently
        with this title. If a third party materially alters how it uses or shares
        the personal information of a consumer in a manner that is materially inconsistent
        with the promises made at the time of collection, it shall provide prior notice
        of the new or changed practice to the consumer. The notice shall be sufficiently
        prominent and robust to ensure that existing consumers can easily exercise
        their choices consistently with this title. This subparagraph does not authorize
        a business to make material, retroactive privacy policy changes or make other
        changes in their privacy policy in a manner that would violate the Unfair
        and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of
        Part 2 of Division 7 of the Business and Professions Code). '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-ae
      description: "\u201CSensitive personal information\u201D means: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae.1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae
      ref_id: 1798.140-ae.1
      description: 'Personal information that reveals: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae.1.a
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae.1
      ref_id: 1798.140-ae.1.A
      description: "A consumer\u2019s social security, driver\u2019s license, state\
        \ identification card, or passport number. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae.1.b
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae.1
      ref_id: 1798.140-ae.1.B
      description: "A consumer\u2019s account log-in, financial account, debit card,\
        \ or credit card number in combination with any required security or access\
        \ code, password, or credentials allowing access to an account. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae.1.c
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae.1
      ref_id: 1798.140-ae.1.C
      description: "A consumer\u2019s precise geolocation. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae.1.d
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae.1
      ref_id: 1798.140-ae.1.D
      description: "A consumer\u2019s racial or ethnic origin, citizenship or immigration\
        \ status, religious or philosophical beliefs, or union membership. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae.1.e
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae.1
      ref_id: 1798.140-ae.1.E
      description: "The contents of a consumer\u2019s mail, email, and text messages\
        \ unless the business is the intended recipient of the communication. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae.1.f
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae.1
      ref_id: 1798.140-ae.1.F
      description: "A consumer\u2019s genetic data. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae.2.a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae
      ref_id: 1798.140-ae.2.A
      description: 'The processing of biometric information for the purpose of uniquely
        identifying a consumer. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae.2.b
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae.2.a
      ref_id: 1798.140-ae.2.B
      description: "Personal information collected and analyzed concerning a consumer\u2019\
        s health. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae.2.c
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae.2.a
      ref_id: 1798.140-ae.2.C
      description: "Personal information collected and analyzed concerning a consumer\u2019\
        s sex life or sexual orientation. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae.3
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ae
      ref_id: 1798.140-ae.3
      description: "Sensitive personal information that is \u201Cpublicly available\u201D\
        \ pursuant to paragraph (2) of subdivision (v) shall not be considered sensitive\
        \ personal information or personal information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-af
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-af
      description: " \u201CService\u201D or \u201Cservices\u201D means work, labor,\
        \ and services, including services furnished in connection with the sale or\
        \ repair of goods. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ag.1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-ag.1
      description: "\u201CService provider\u201D means a person that processes personal\
        \ information on behalf of a business and that receives from or on behalf\
        \ of the business consumer\u2019s personal information for a business purpose\
        \ pursuant to a written contract, provided that the contract prohibits the\
        \ person from: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ag.1.a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ag.1
      ref_id: 1798.140-ag.1.A
      description: 'Selling or sharing the personal information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ag.1.b
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ag.1
      ref_id: 1798.140-ag.1.B
      description: 'Retaining, using, or disclosing the personal information for any
        purpose other than for the business purposes specified in the contract for
        the business, including retaining, using, or disclosing the personal information
        for a commercial purpose other than the business purposes specified in the
        contract with the business, or as otherwise permitted by this title. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ag.1.c
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ag.1
      ref_id: 1798.140-ag.1.C
      description: 'Retaining, using, or disclosing the information outside of the
        direct business relationship between the service provider and the business. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ag.1.d
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ag.1
      ref_id: 1798.140-ag.1.D
      description: "Combining the personal information that the service provider receives\
        \ from, or on behalf of, the business with personal information that it receives\
        \ from, or on behalf of, another person or persons, or collects from its own\
        \ interaction with the consumer, provided that the service provider may combine\
        \ personal information to perform any business purpose as defined in regulations\
        \ adopted pursuant to paragraph (10) of subdivision (a) of Section 1798.185,\
        \ except as provided for in paragraph (6) of subdivision (e) of this section\
        \ and in regulations adopted by the California Privacy Protection Agency.\
        \ The contract may, subject to agreement with the service provider, permit\
        \ the business to monitor the service provider\u2019s compliance with the\
        \ contract through measures, including, but not limited to, ongoing manual\
        \ reviews and automated scans and regular assessments, audits, or other technical\
        \ and operational testing at least once every 12 months. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ag.2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-ag.2
      description: 'If a service provider engages any other person to assist it in
        processing personal information for a business purpose on behalf of the business,
        or if any other person engaged by the service provider engages another person
        to assist in processing personal information for that business purpose, it
        shall notify the business of that engagement, and the engagement shall be
        pursuant to a written contract binding the other person to observe all the
        requirements set forth in paragraph (1). '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ah.1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-ah.1
      description: "\u201CShare,\u201D \u201Cshared,\u201D or \u201Csharing\u201D\
        \ means sharing, renting, releasing, disclosing, disseminating, making available,\
        \ transferring, or otherwise communicating orally, in writing, or by electronic\
        \ or other means, a consumer\u2019s personal information by the business to\
        \ a third party for cross-context behavioral advertising, whether or not for\
        \ monetary or other valuable consideration, including transactions between\
        \ a business and a third party for cross-context behavioral advertising for\
        \ the benefit of a business in which no money is exchanged. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ah.2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ah.1
      ref_id: 1798.140-ah.2
      description: 'For purposes of this title, a business does not share personal
        information when: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ah.2.a
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ah.2
      ref_id: 1798.140-ah.2.A
      description: 'A consumer uses or directs the business to intentionally disclose
        personal information or intentionally interact with one or more third parties. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ah.2.b
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ah.2
      ref_id: 1798.140-ah.2.B
      description: "The business uses or shares an identifier for a consumer who has\
        \ opted out of the sharing of the consumer\u2019s personal information or\
        \ limited the use of the consumer\u2019s sensitive personal information for\
        \ the purposes of alerting persons that the consumer has opted out of the\
        \ sharing of the consumer\u2019s personal information or limited the use of\
        \ the consumer\u2019s sensitive personal information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ah.2.c
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ah.2
      ref_id: 1798.140-ah.2.C
      description: 'The business transfers to a third party the personal information
        of a consumer as an asset that is part of a merger, acquisition, bankruptcy,
        or other transaction in which the third party assumes control of all or part
        of the business, provided that information is used or shared consistently
        with this title. If a third party materially alters how it uses or shares
        the personal information of a consumer in a manner that is materially inconsistent
        with the promises made at the time of collection, it shall provide prior notice
        of the new or changed practice to the consumer. The notice shall be sufficiently
        prominent and robust to ensure that existing consumers can easily exercise
        their choices consistently with this title. This subparagraph does not authorize
        a business to make material, retroactive privacy policy changes or make other
        changes in their privacy policy in a manner that would violate the Unfair
        and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of
        Part 2 of Division 7 of the Business and Professions Code). '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ai
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-ai
      description: "\"Third party\u201D means a person who is not any of the following: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ai.1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ai
      ref_id: 1798.140-ai.1
      description: "The business with whom the consumer intentionally interacts and\
        \ that collects personal information from the consumer as part of the consumer\u2019\
        s current interaction with the business under this title. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ai.2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ai
      ref_id: 1798.140-ai.2
      description: 'A service provider to the business. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ai.3
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ai
      ref_id: 1798.140-ai.3
      description: 'A contractor. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-aj
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-aj
      description: "\u201CUnique identifier\u201D or \u201Cunique personal identifier\u201D\
        \ means a persistent identifier that can be used to recognize a consumer,\
        \ a family, or a device that is linked to a consumer or family, over time\
        \ and across different services, including, but not limited to, a device identifier;\
        \ an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers,\
        \ or similar technology; customer number, unique pseudonym, or user alias;\
        \ telephone numbers, or other forms of persistent or probabilistic identifiers\
        \ that can be used to identify a particular consumer or device that is linked\
        \ to a consumer or family. For purposes of this subdivision, \u201Cfamily\u201D\
        \ means a custodial parent or guardian and any children under 18 years of\
        \ age over which the parent or guardian has custody. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.140-ak
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node143
      ref_id: 1798.140-ak
      description: "\u201CVerifiable consumer request\u201D means a request that is\
        \ made by a consumer, by a consumer on behalf of the consumer\u2019s minor\
        \ child, by a natural person or a person registered with the Secretary of\
        \ State, authorized by the consumer to act on the consumer\u2019s behalf,\
        \ or by a person who has power of attorney or is acting as a conservator for\
        \ the consumer, and that the business can verify, using commercially reasonable\
        \ methods, pursuant to regulations adopted by the Attorney General pursuant\
        \ to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer\
        \ about whom the business has collected personal information. A business is\
        \ not obligated to provide information to the consumer pursuant to Sections\
        \ 1798.110 and 1798.115, to delete personal information pursuant to Section\
        \ 1798.105, or to correct inaccurate personal information \npursuant to Section\
        \ 1798.106, if the business cannot verify, pursuant to this subdivision and\
        \ regulations adopted by the Attorney General pursuant to paragraph (7) of\
        \ subdivision (a) of Section 1798.185, that the consumer making the request\
        \ is the consumer about whom the business has collected information or is\
        \ a person authorized by the consumer to act on such consumer\u2019s behalf. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145
      assessable: false
      depth: 1
      ref_id: '1798.145'
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145
      ref_id: 1798.145-a.1
      description: "The obligations imposed on businesses by this title shall not\
        \ restrict a business\u2019s ability to: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.a
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1
      ref_id: 1798.145-a.1.A
      description: 'Comply with federal, state, or local laws or comply with a court
        order or subpoena to provide information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.a
      ref_id: 1798.145-a.1.B
      description: "Comply with a civil, criminal, or regulatory inquiry, investigation,\
        \ subpoena, or summons by federal, state, or local authorities. Law enforcement\
        \ agencies, including police and sheriff\u2019s departments, may direct a\
        \ business pursuant to a law enforcement agency-approved investigation with\
        \ an active case number not to delete a consumer\u2019s personal information,\
        \ and, upon receipt of that direction, a business shall not delete the personal\
        \ information for 90 days in order to allow the law enforcement agency to\
        \ obtain a court-issued subpoena, order, or warrant to obtain a consumer\u2019\
        s personal information. For good cause and only to the extent necessary for\
        \ investigatory purposes, a law enforcement agency may direct a business not\
        \ to delete the consumer\u2019s personal information for additional 90-day\
        \ periods. A business that has received direction from a law enforcement agency\
        \ not to delete the personal information of a consumer who has requested deletion\
        \ of the consumer\u2019s personal information shall not use the consumer\u2019\
        s personal information for any purpose other than retaining it to produce\
        \ to law enforcement in response to a court-issued subpoena, order, or warrant\
        \ unless the consumer\u2019s deletion request is subject to an exemption from\
        \ deletion under this title. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.a
      ref_id: 1798.145-a.1.C
      description: 'Cooperate with law enforcement agencies concerning conduct or
        activity that the business, service provider, or third party reasonably and
        in good faith believes may violate federal, state, or local law. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.d.i
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.a
      ref_id: 1798.145-a.1.D.i
      description: "Cooperate with a government agency request for emergency access\
        \ to a consumer\u2019s personal information if a natural person is at risk\
        \ or danger of death or serious physical injury provided that: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.d.i.i
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.d.i
      ref_id: 1798.145-a.1.D.i.I
      description: "The request is approved by a high-ranking agency officer for emergency\
        \ access to a consumer\u2019s personal information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.d.i.ii
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.d.i
      ref_id: 1798.145-a.1.D.i.II
      description: "The request is based on the agency\u2019s good faith determination\
        \ that it has a lawful basis to access the information on a nonemergency basis. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.d.i.iii
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.d.i
      ref_id: 1798.145-a.1.D.i.III
      description: 'The agency agrees to petition a court for an appropriate order
        within three days and to destroy the information if that order is not granted. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.d.ii
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.a
      ref_id: 1798.145-a.1.D.ii
      description: 'For purposes of this subparagraph, a consumer accessing, procuring,
        or searching for services regarding contraception, pregnancy care, and perinatal
        care, including, but not limited to, abortion services, shall not constitute
        a natural person being at risk or danger of death or serious physical injury. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.e
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.a
      ref_id: 1798.145-a.1.E
      description: 'Exercise or defend legal claims. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.f
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.a
      ref_id: 1798.145-a.1.F
      description: "Collect, use, retain, sell, share, or disclose consumers\u2019\
        \ personal information that is deidentified or aggregate consumer information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.g
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1.a
      ref_id: 1798.145-a.1.G
      description: "Collect, sell, or share a consumer\u2019s personal information\
        \ if every aspect of that commercial conduct takes place wholly outside of\
        \ California. For purposes of this title, commercial conduct takes place wholly\
        \ outside of California if the business collected that information while the\
        \ consumer was outside of California, no part of the sale of the consumer\u2019\
        s personal information occurred in California, and no personal information\
        \ collected while the consumer was in California is sold. This paragraph shall\
        \ not prohibit a business from storing, including on a device, personal information\
        \ about a consumer when the consumer is in California and then collecting\
        \ that personal information when the consumer and stored personal information\
        \ is outside of California. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.2.a
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.1
      ref_id: 1798.145-a.2.A
      description: "This subdivision shall not apply if the consumer\u2019s personal\
        \ information contains information related to accessing, procuring, or searching\
        \ for services regarding contraception, pregnancy care, and perinatal care,\
        \ including, but not limited to, abortion services. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.2.b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.2.a
      ref_id: 1798.145-a.2.B
      description: 'This paragraph does not alter the use of aggregated or deidentified
        personal information consistent with a business purpose as defined in paragraphs
        (1), (2), (3), (4), (5), (7), or (8) of subdivision (e) of Section 1798.140,
        provided that the personal information is only retained in aggregated and
        deidentified form and is not sold or shared. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.2.c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-a.2.a
      ref_id: 1798.145-a.2.C
      description: 'This paragraph does not alter the duty of a business to preserve
        or retain evidence pursuant to California or federal law in an ongoing civil
        proceeding. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-b
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145
      ref_id: 1798.145-b
      description: 'The obligations imposed on businesses by Sections 1798.110, 1798.115,
        1798.120, 1798.121, 1798.130, and 1798.135 shall not apply where compliance
        by the business with the title would violate an evidentiary privilege under
        California law and shall not prevent a business from providing the personal
        information of a consumer to a person covered by an evidentiary privilege
        under California law as part of a privileged communication. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-c.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145
      ref_id: 1798.145-c.1
      description: 'This title shall not apply to any of the following: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-c.1.a
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-c.1
      ref_id: 1798.145-c.1.A
      description: 'Medical information governed by the Confidentiality of Medical
        Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected
        health information that is collected by a covered entity or business associate
        governed by the privacy, security, and breach notification rules issued by
        the United States Department of Health and Human Services, Parts 160 and 164
        of Title 45 of the Code of Federal Regulations, established pursuant to the
        Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)
        and the Health Information Technology for Economic and Clinical Health Act
        (Public Law 111-5). '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-c.1.b
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-c.1
      ref_id: 1798.145-c.1.B
      description: 'A provider of health care governed by the Confidentiality of Medical
        Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a
        covered entity governed by the privacy, security, and breach notification
        rules issued by the United States Department of Health and Human Services,
        Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established
        pursuant to the Health Insurance Portability and Accountability Act of 1996
        (Public Law 104-191), to the extent the provider or covered entity maintains
        patient information in the same manner as medical information or protected
        health information as described in subparagraph (A) of this section. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-c.1.c
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-c.1
      ref_id: 1798.145-c.1.C
      description: 'Personal information collected as part of a clinical trial or
        other biomedical research study subject to, or conducted in accordance with,
        the Federal Policy for the Protection of Human Subjects, also known as the
        Common Rule, pursuant to good clinical practice guidelines issued by the International
        Council for Harmonisation or pursuant to human subject protection requirements
        of the United States Food and Drug Administration, provided that the information
        is not sold or shared in a manner not permitted by this subparagraph, and,
        if it is inconsistent, that participants be informed of that use and provide
        consent. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-c.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-c.1
      ref_id: 1798.145-c.2
      description: "For purposes of this subdivision, the definitions of \u201Cmedical\
        \ information\u201D and \u201Cprovider of health care\u201D in Section 56.05\
        \ shall apply and the definitions of \u201Cbusiness associate,\u201D \u201C\
        covered entity,\u201D and \u201Cprotected health information\u201D in Section\
        \ 160.103 of Title 45 of the Code of Federal Regulations shall apply. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-d.1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145
      ref_id: 1798.145-d.1
      description: "This title shall not apply to an activity involving the collection,\
        \ maintenance, disclosure, sale, communication, or use of any personal information\
        \ bearing on a consumer\u2019s creditworthiness, credit standing, credit capacity,\
        \ character, general reputation, personal characteristics, or mode of living\
        \ by a consumer reporting agency, as defined in subdivision (f) of Section\
        \ 1681a of Title 15 of the United States Code, by a furnisher of information,\
        \ as set forth in Section 1681s-2 of Title 15 of the United States Code, who\
        \ provides information for use in a consumer report, as defined in subdivision\
        \ (d) of Section 1681a of Title 15 of the United States Code, and by a user\
        \ of a consumer report as set forth in Section 1681b of Title 15 of the United\
        \ States Code. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-d.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-d.1
      ref_id: 1798.145-d.2
      description: 'Paragraph (1) shall apply only to the extent that such activity
        involving the collection, maintenance, disclosure, sale, communication, or
        use of such information by that agency, furnisher, or user is subject to regulation
        under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the
        United States Code and the information is not collected, maintained, used,
        communicated, disclosed, or sold except as authorized by the Fair Credit Reporting
        Act. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-d.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-d.1
      ref_id: 1798.145-d.3
      description: 'This subdivision shall not apply to Section 1798.150. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-e
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145
      ref_id: 1798.145-e
      description: 'This title shall not apply to personal information collected,
        processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act
        (Public Law 106-102), and implementing regulations, or the California Financial
        Information Privacy Act (Division 1.4 (commencing with Section 4050) of the
        Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12
        U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.).
        This subdivision shall not apply to Section 1798.150. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-f
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145
      ref_id: 1798.145-f
      description: "This title shall not apply to personal information collected,\
        \ processed, sold, or disclosed pursuant to the Driver\u2019s Privacy Protection\
        \ Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply\
        \ to Section 1798.150. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145
      ref_id: 1798.145-g.1
      description: "Section 1798.120 shall not apply to vehicle information or ownership\
        \ information retained or shared between a new motor vehicle dealer, as defined\
        \ in Section 426 of the Vehicle Code, and the vehicle\u2019s manufacturer,\
        \ as defined in Section 672 of the Vehicle Code, if the vehicle information\
        \ or ownership information is shared for the purpose of effectuating, or in\
        \ anticipation of effectuating, a vehicle repair covered by a vehicle warranty\
        \ or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of\
        \ Title 49 of the United States Code, provided that the new motor vehicle\
        \ dealer or vehicle manufacturer with which that vehicle information or ownership\
        \ information is shared does not sell, share, or use that information for\
        \ any other purpose. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.1
      ref_id: 1798.145-g.2
      description: "Section 1798.120 shall not apply to vessel information or ownership\
        \ information retained or shared between a vessel dealer and the vessel\u2019\
        s manufacturer, as defined in Section 651 of the Harbors and Navigation Code,\
        \ if the vessel information or ownership information is shared for the purpose\
        \ of effectuating, or in anticipation of effectuating, a vessel repair covered\
        \ by a vessel warranty or a recall conducted pursuant to Section 4310 of Title\
        \ 46 of the United States Code, provided that the \nvessel dealer or vessel\
        \ manufacturer with which that vessel information or ownership information\
        \ is shared does not sell, share, or use that information for any other purpose. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.1
      ref_id: 1798.145-g.3
      description: 'For purposes of this subdivision: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.3.a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.3
      ref_id: 1798.145-g.3.A
      description: "\u201COwnership information\u201D means the name or names of the\
        \ registered owner or owners and the contact information for the owner or\
        \ owners. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.3.b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.3
      ref_id: 1798.145-g.3.B
      description: "\u201CVehicle information\u201D means the vehicle information\
        \ number, make, model, year, and odometer reading. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.3.c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.3
      ref_id: 1798.145-g.3.C
      description: "\u201CVessel dealer\u201D means a person who is engaged, wholly\
        \ or in part, in the business of selling or offering for sale, buying or taking\
        \ in trade for the purpose of resale, or exchanging, any vessel or vessels,\
        \ as defined in Section 651 of the Harbors and Navigation Code, and receives\
        \ or expects to receive money, profit, or any other thing of value. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.3.d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.3
      ref_id: 1798.145-g.3.D
      description: "\u201CVessel information\u201D means the hull identification number,\
        \ model, year, month and year of production, and information describing any\
        \ of the following equipment as shipped, transferred, or sold from the place\
        \ of manufacture, including all attached parts and accessories: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.3.d.i
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.3.d
      ref_id: 1798.145-g.3.D.i
      description: 'An inboard engine. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.3.d.ii
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.3.d
      ref_id: 1798.145-g.3.D.ii
      description: 'An outboard engine. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.3.d.iii
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.3.d
      ref_id: 1798.145-g.3.D.iii
      description: 'A stern drive unit. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.3.d.iv
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-g.3.d
      ref_id: 1798.145-g.3.D.iv
      description: 'An inflatable personal floatation device approved under Section
        160.076 of Title 46 of the Code of Federal Regulations. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-h
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145
      ref_id: 1798.145-h
      description: "Notwithstanding a business\u2019s obligations to respond to and\
        \ honor consumer rights requests pursuant to this title: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-h.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-h
      ref_id: 1798.145-h.1
      description: 'A time period for a business to respond to a consumer for any
        verifiable consumer request may be extended by up to a total of 90 days where
        necessary, taking into account the complexity and number of the requests.
        The business shall inform the consumer of any such extension within 45 days
        of receipt of the request, together with the reasons for the delay. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-h.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-h
      ref_id: 1798.145-h.2
      description: 'If the business does not take action on the request of the consumer,
        the business shall inform the consumer, without delay and at the latest within
        the time period permitted of response by this section, of the reasons for
        not taking action and any rights the consumer may have to appeal the decision
        to the business. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-h.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-h
      ref_id: 1798.145-h.3
      description: 'If requests from a consumer are manifestly unfounded or excessive,
        in particular because of their repetitive character, a business may either
        charge a reasonable fee, taking into account the administrative costs of providing
        the information or communication or taking the action requested, or refuse
        to act on the request and notify the consumer of the reason for refusing the
        request. The business shall bear the burden of demonstrating that any verifiable
        consumer request is manifestly unfounded or excessive. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-i.1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145
      ref_id: 1798.145-i.1
      description: 'A business that discloses personal information to a service provider
        or contractor in compliance with this title shall not be liable under this
        title if the service provider or contractor receiving the personal information
        uses it in violation of the restrictions set forth in the title, provided
        that, at the time of disclosing the personal information, the business does
        not have actual knowledge, or reason to believe, that the service provider
        or contractor intends to commit such a violation. A service provider or contractor
        shall likewise not be liable under this title for the obligations of a business
        for which it provides services as set forth in this title provided that the
        service provider or contractor shall be liable for its own violations of this
        title. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-i.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-i.1
      ref_id: 1798.145-i.2
      description: "A business that discloses personal information of a consumer,\
        \ with the exception of consumers who have exercised their right to opt out\
        \ of the sale or sharing of their personal information, consumers who have\
        \ limited the use or disclosure of their sensitive personal information, and\
        \ minor consumers who have not opted in to the collection or sale of their\
        \ personal information, to a third party pursuant to a written contract that\
        \ requires the third party to provide the same level of protection of the\
        \ consumer\u2019s rights under this title as provided by the business shall\
        \ not be liable under this title if the third party receiving the personal\
        \ information uses it in violation of the restrictions set forth in this title\
        \ provided that, at the time of disclosing the personal information, the business\
        \ does not have actual knowledge, or reason to believe, that the third party\
        \ intends to commit such a violation. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-j
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145
      ref_id: 1798.145-j
      description: 'This title shall not be construed to require a business, service
        provider, or contractor to: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-j.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-j
      ref_id: 1798.145-j.1
      description: 'Reidentify or otherwise link information that, in the ordinary
        course of business, is not maintained in a manner that would be considered
        personal information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-j.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-j
      ref_id: 1798.145-j.2
      description: 'Retain any personal information about a consumer if, in the ordinary
        course of business, that information about the consumer would not be retained. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-j.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-j
      ref_id: 1798.145-j.3
      description: 'Maintain information in identifiable, linkable, or associable
        form, or collect, obtain, retain, or access any data or technology, in order
        to be capable of linking or associating a verifiable consumer request with
        personal information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-k
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145
      ref_id: 1798.145-k
      description: "The rights afforded to consumers and the obligations imposed on\
        \ the business in this title shall not adversely affect the rights and freedoms\
        \ of other natural persons. A verifiable consumer request for specific pieces\
        \ of personal information pursuant to Section \n1798.110, to delete a consumer\u2019\
        s personal information pursuant to Section 1798.105, or to correct inaccurate\
        \ personal information pursuant to Section 1798.106, shall not extend to personal\
        \ information about the consumer that belongs to, or the business maintains\
        \ on behalf of, another natural person. A business may rely on representations\
        \ made in a verifiable consumer request as to rights with respect to personal\
        \ information and is under no legal requirement to seek out other persons\
        \ that may have or claim to have rights to personal information, and a business\
        \ is under no legal obligation under this title or any other provision of\
        \ law to take any action under this title in the event of a dispute between\
        \ or among persons claiming rights to personal information in the business\u2019\
        s possession. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-l
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145
      ref_id: 1798.145-l
      description: 'The rights afforded to consumers and the obligations imposed on
        any business under this title shall not apply to the extent that they infringe
        on the noncommercial activities of a person or entity described in subdivision
        (b) of Section 2 of Article I of the California Constitution. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145
      ref_id: 1798.145-m.1
      description: 'This title shall not apply to any of the following: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.1.a
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.1
      ref_id: 1798.145-m.1.A
      description: "Personal information that is collected by a business about a natural\
        \ person in the course of the natural person acting as a job applicant to,\
        \ an employee of, owner of, director of, officer of, medical staff member\
        \ of, or independent contractor of, that business to the extent that the natural\
        \ person\u2019s personal information is collected and used by the business\
        \ solely within the context of the natural person\u2019s role or former role\
        \ as a job applicant to, an employee of, owner of, director of, officer of,\
        \ medical staff member of, or an independent contractor of, that business. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.1.b
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.1
      ref_id: 1798.145-m.1.B
      description: 'Personal information that is collected by a business that is emergency
        contact information of the natural person acting as a job applicant to, an
        employee of, owner of, director of, officer of, medical staff member of, or
        independent contractor of, that business to the extent that the personal information
        is collected and used solely within the context of having an emergency contact
        on file. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.1.c
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.1
      ref_id: 1798.145-m.1.C
      description: 'Personal information that is necessary for the business to retain
        to administer benefits for another natural person relating to the natural
        person acting as a job applicant to, an employee of, owner of, director of,
        officer of, medical staff member of, or independent contractor of, that business
        to the extent that the personal information is collected and used solely within
        the context of administering those benefits. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.1
      ref_id: 1798.145-m.2
      description: 'For purposes of this subdivision: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.2.a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.2
      ref_id: 1798.145-m.2.A
      description: "\u201CIndependent contractor\u201D means a natural person who\
        \ provides any service to a business pursuant to a written contract. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.2.b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.2
      ref_id: 1798.145-m.2.B
      description: "\u201CDirector\u201D means a natural person designated in the\
        \ articles of incorporation as director, or elected by the incorporators and\
        \ natural persons designated, elected, or appointed by any other name or title\
        \ to act as directors, and their successors. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.2.c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.2
      ref_id: 1798.145-m.2.C
      description: "\u201CMedical staff member\u201D means a licensed physician and\
        \ surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing\
        \ with Section 500) of the Business and Professions Code and a clinical psychologist\
        \ as defined in Section 1316.5 of the Health and Safety Code. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.2.d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.2
      ref_id: 1798.145-m.2.D
      description: "\u201COfficer\u201D means a natural person elected or appointed\
        \ by the board of directors to manage the daily operations of a corporation,\
        \ including a chief executive officer, president, secretary, or treasurer. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.2.e
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.2
      ref_id: 1798.145-m.2.E
      description: "\u201COwner\u201D means a natural person who meets one of the\
        \ following criteria: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.2.e.i
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.2.e
      ref_id: 1798.145-m.2.E.i
      description: 'Has ownership of, or the power to vote, more than 50 percent of
        the outstanding shares of any class of voting security of a business. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.2.e.ii
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.2.e
      ref_id: 1798.145-m.2.E.ii
      description: 'Has control in any manner over the election of a majority of the
        directors or of individuals exercising similar functions. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.2.e.iii
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.2.e
      ref_id: 1798.145-m.2.E.iii
      description: 'Has the power to exercise a controlling influence over the management
        of a company. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.1
      ref_id: 1798.145-m.3
      description: 'This subdivision shall not apply to subdivision (a) of Section
        1798.100 or Section 1798.150. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-m.1
      ref_id: 1798.145-m.4
      description: 'This subdivision shall become inoperative on January 1, 2023. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-n.1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145
      ref_id: 1798.145-n.1
      description: 'The obligations imposed on businesses by Sections 1798.100, 1798.105,
        1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply
        to personal information reflecting a written or verbal communication or a
        transaction between the business and the consumer, where the consumer is a
        natural person who acted or is acting as an employee, owner, director, officer,
        or independent contractor of a company, partnership, sole proprietorship,
        nonprofit, or government agency and whose communications or transaction with
        the business occur solely within the context of the business conducting due
        diligence regarding, or providing or receiving a product or service to or
        from such company, partnership, sole proprietorship, nonprofit, or government
        agency. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-n.2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-n.1
      ref_id: 1798.145-n.2
      description: 'For purposes of this subdivision: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-n.2.a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-n.2
      ref_id: 1798.145-n.2.A
      description: "\u201CIndependent contractor\u201D means a natural person who\
        \ provides any service to a business pursuant to a written contract. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-n.2.b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-n.2
      ref_id: 1798.145-n.2.B
      description: "\u201CDirector\u201D means a natural person designated in the\
        \ articles of incorporation as such or elected by the incorporators and natural\
        \ persons designated, elected, or appointed by any other name or title to\
        \ act as directors, and their successors. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-n.2.c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-n.2
      ref_id: 1798.145-n.2.C
      description: "\u201COfficer\u201D means a natural person elected or appointed\
        \ by the board of directors to manage the daily operations of a corporation,\
        \ such as a chief executive officer, president, secretary, or treasurer. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-n.2.d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-n.2
      ref_id: 1798.145-n.2.D
      description: "\u201COwner\u201D means a natural person who meets one of the\
        \ following: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-n.2.d.i
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-n.2.d
      ref_id: 1798.145-n.2.D.i
      description: 'Has ownership of, or the power to vote, more than 50 percent of
        the outstanding shares of any class of voting security of a business. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-n.2.d.ii
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-n.2.d
      ref_id: 1798.145-n.2.D.ii
      description: 'Has control in any manner over the election of a majority of the
        directors or of individuals exercising similar functions. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-n.2.d.iii
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-n.2.d
      ref_id: 1798.145-n.2.D.iii
      description: 'Has the power to exercise a controlling influence over the management
        of a company. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-n.3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-n.1
      ref_id: 1798.145-n.3
      description: 'This subdivision shall become inoperative on January 1, 2023. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145
      ref_id: 1798.145-o.1
      description: "Sections 1798.105 and 1798.120 shall not apply to a commercial\
        \ credit reporting agency\u2019s collection, processing, sale, or disclosure\
        \ of business controller information to the extent the commercial credit reporting\
        \ agency uses the business controller information solely to identify the relationship\
        \ of a consumer to a business that the consumer owns or contact the consumer\
        \ only in the consumer\u2019s role as the owner, director, officer, or management\
        \ employee of the business. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.1
      ref_id: 1798.145-o.2
      description: 'For the purposes of this subdivision: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.2.a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.2
      ref_id: 1798.145-o.2.A
      description: "\u201CBusiness controller information\u201D means the name or\
        \ names of the owner or owners, director, officer, or management employee\
        \ of a business and the contact information, including a business title, for\
        \ the owner or owners, director, officer, or management employee. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.2.b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.2
      ref_id: 1798.145-o.2.B
      description: "\u201CCommercial credit reporting agency\u201D has the meaning\
        \ set forth in subdivision (b) of Section 1785.42. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.2.c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.2
      ref_id: 1798.145-o.2.C
      description: "\u201COwner\u201D means a natural person that meets one of the\
        \ following: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.2.c.i
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.2.c
      ref_id: 1798.145-o.2.C.i
      description: 'Has ownership of, or the power to vote, more than 50 percent of
        the outstanding shares of any class of voting security of a business. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.2.c.ii
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.2.c
      ref_id: 1798.145-o.2.C.ii
      description: 'Has control in any manner over the election of a majority of the
        directors or of individuals exercising similar functions. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.2.c.iii
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.2.c
      ref_id: 1798.145-o.2.C.iii
      description: 'Has the power to exercise a controlling influence over the management
        of a company. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.2.d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.2
      ref_id: 1798.145-o.2.D
      description: "\u201CDirector\u201D means a natural person designated in the\
        \ articles of incorporation of a business as director, or elected by the incorporators\
        \ and natural persons designated, elected, or appointed by any other name\
        \ or title to act as directors, and their successors. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.2.e
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.2
      ref_id: 1798.145-o.2.E
      description: "\u201COfficer\u201D means a natural person elected or appointed\
        \ by the board of directors of a business to manage the daily operations of\
        \ a corporation, including a chief executive officer, president, secretary,\
        \ or treasurer. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.2.f
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-o.2
      ref_id: 1798.145-o.2.F
      description: "\u201CManagement employee\u201D means a natural person whose name\
        \ and contact information is reported to or collected by a commercial credit\
        \ reporting agency as the primary manager of a business and used solely within\
        \ the context of the natural person\u2019s role as the primary manager of\
        \ the business. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-p
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145
      ref_id: 1798.145-p
      description: 'The obligations imposed on businesses in Sections 1798.105, 1798.106,
        1798.110, and 1798.115 shall not apply to household data. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-q.1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145
      ref_id: 1798.145-q.1
      description: "This title does not require a business to comply with a verifiable\
        \ consumer request to delete a consumer\u2019s personal information under\
        \ Section 1798.105 to the extent the verifiable consumer request applies to\
        \ a student\u2019s grades, educational scores, or educational test results\
        \ that the business holds on behalf of a local educational agency, as defined\
        \ in subdivision (d) of Section 49073.1 of the Education Code, at which the\
        \ student is currently enrolled. If a business does not comply with a request\
        \ pursuant to this section, it shall notify the consumer that it is acting\
        \ pursuant to this exception. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-q.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-q.1
      ref_id: 1798.145-q.2
      description: "This title does not require, in response to a request pursuant\
        \ to Section 1798.110, that a business disclose on educational standardized\
        \ assessment or educational assessment or a consumer\u2019s specific responses\
        \ to the educational standardized assessment or educational assessment if\
        \ consumer access, possession, or control would jeopardize the validity and\
        \ reliability of that educational standardized assessment or educational assessment.\
        \ If a business does not comply with a request pursuant to this section, it\
        \ shall notify the consumer that it is acting pursuant to this exception. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-q.3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-q.1
      ref_id: 1798.145-q.3
      description: 'For purposes of this subdivision: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-q.3.a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-q.3
      ref_id: 1798.145-q.3.A
      description: "\u201CEducational standardized assessment or educational assessment\u201D\
        \ means a standardized or nonstandardized quiz, test, or other assessment\
        \ used to evaluate students in or for entry to kindergarten and grades 1 to\
        \ 12, inclusive, schools, postsecondary institutions, vocational programs,\
        \ and postgraduate programs that are accredited by an accrediting agency or\
        \ organization recognized by the State of California or the United States\
        \ Department of Education, as well as certification and licensure examinations\
        \ used to determine competency and eligibility to receive certification or\
        \ licensure from a government agency or government certification body. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-q.3.b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-q.3
      ref_id: 1798.145-q.3.B
      description: "\u201CJeopardize the validity and reliability of that educational\
        \ standardized assessment or educational assessment\u201D means releasing\
        \ information that would provide an advantage to the consumer who has submitted\
        \ a verifiable consumer request or to another natural person. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-r
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145
      ref_id: 1798.145-r
      description: "Sections 1798.105 and 1798.120 shall not apply to a business\u2019\
        s use, disclosure, or sale of particular pieces of a consumer\u2019s personal\
        \ information if the consumer has consented to the business\u2019s use, disclosure,\
        \ or sale of that information to produce a physical item, including a school\
        \ yearbook containing the consumer\u2019s photograph if: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-r.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-r
      ref_id: 1798.145-r.1
      description: "The business has incurred significant expense in reliance on the\
        \ consumer\u2019s consent. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-r.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-r
      ref_id: 1798.145-r.2
      description: "Compliance with the consumer\u2019s request to opt out of the\
        \ sale of the consumer\u2019s personal information or to delete the consumer\u2019\
        s personal information would not be commercially reasonable. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-r.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.145-r
      ref_id: 1798.145-r.3
      description: "The business complies with the consumer\u2019s request as soon\
        \ as it is commercially reasonable to do so. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.146
      assessable: false
      depth: 1
      ref_id: '1798.146'
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.146
      ref_id: 1798.146-a
      description: 'This title shall not apply to any of the following:  '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-a.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-a
      ref_id: 1798.146-a.1
      description: 'Medical information governed by the Confidentiality of Medical
        Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected
        health information that is collected by a covered entity or business associate
        governed by the privacy, security, and breach notification rules issued by
        the United States Department of Health and Human Services, Parts 160 and 164
        of Title 45 of the Code of Federal Regulations, established pursuant to the
        federal Health Insurance Portability and Accountability Act of 1996 (Public
        Law 104-191) and the federal Health Information Technology for Economic and
        Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment
        Act of 2009 (Public Law 111-5). '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-a.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-a
      ref_id: 1798.146-a.2
      description: "A provider of health care governed by the Confidentiality of Medical\
        \ Information Act (Part 2.6 (commencing with Section 56) of Division 1) or\
        \ a covered entity governed by the privacy, security, and breach notification\
        \ rules issued by the United States Department of Health and Human Services,\
        \ Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established\
        \ pursuant to the federal Health Insurance Portability and Accountability\
        \ Act of 1996 (Public Law 104-191), to the extent the provider or covered\
        \ entity maintains, uses, and discloses patient information in the \nsame\
        \ manner as medical information or protected health information as described\
        \ in paragraph (1). "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-a.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-a
      ref_id: 1798.146-a.3
      description: "A business associate of a covered entity governed by the privacy,\
        \ security, and data breach notification rules issued by the United States\
        \ Department of Health and Human Services, Parts 160 and 164 of Title 45 of\
        \ the Code of Federal Regulations, established pursuant to the federal Health\
        \ Insurance Portability and Accountability Act of 1996 (Public Law 104-191)\
        \ and the federal Health Information Technology for \nEconomic and Clinical\
        \ Health Act, Title XIII of the federal American Recovery and Reinvestment\
        \ Act of 2009 (Public Law 111-5), to the extent that the business associate\
        \ maintains, uses, and discloses patient information in the same manner as\
        \ medical information or protected health information as described in paragraph\
        \ (1). "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-a.4.a
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-a
      ref_id: 1798.146-a.4.A
      description: 'Information that meets both of the following conditions: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-a.4.a.i
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-a.4.a
      ref_id: 1798.146-a.4.A.i
      description: 'It is deidentified in accordance with the requirements for deidentification
        set forth in Section 164.514 of Part 164 of Title 45 of the Code of Federal
        Regulations. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-a.4.a.ii
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-a.4.a
      ref_id: 1798.146-a.4.A.ii
      description: "It is derived from patient information that was originally collected,\
        \ created, transmitted, or maintained by an entity regulated by the Health\
        \ \nInsurance Portability and Accountability Act, the Confidentiality Of Medical\
        \ Information Act, or the Federal Policy for the Protection of Human Subjects,\
        \ also known as the Common Rule. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-a.4.b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-a.4.a
      ref_id: 1798.146-a.4.B
      description: 'Information that met the requirements of subparagraph (A) but
        is subsequently reidentified shall no longer be eligible for the exemption
        in this paragraph, and shall be subject to applicable federal and state data
        privacy and security laws, including, but not limited to, the Health Insurance
        Portability and Accountability Act, the Confidentiality Of Medical Information
        Act, and this title. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-a.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-a
      ref_id: 1798.146-a.5
      description: 'Information that is collected, used, or disclosed in research,
        as defined in Section 164.501 of Title 45 of the Code of Federal Regulations,
        including, but not limited to, a clinical trial, and that is conducted in
        accordance with applicable ethics, confidentiality, privacy, and security
        rules of Part 164 of Title 45 of the Code of Federal Regulations, the Federal
        Policy for the Protection of Human Subjects, also known as the Common Rule,
        good clinical practice guidelines issued by the International Council for
        Harmonisation, or human subject protection requirements of the United States
        Food and Drug Administration. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.146
      ref_id: 1798.146-b
      description: 'For purposes of this section, all of the following shall apply: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-b.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-b
      ref_id: 1798.146-b.1
      description: " \u201CBusiness associate\u201D has the same meaning as defined\
        \ in Section 160.103 of Title 45 of the Code of Federal Regulations. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-b.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-b
      ref_id: 1798.146-b.2
      description: " \u201CCovered entity\u201D has the same meaning as defined in\
        \ Section 160.103 of Title 45 of the Code of Federal Regulations. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-b.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-b
      ref_id: 1798.146-b.3
      description: "\u201CIdentifiable private information\u201D has the same meaning\
        \ as defined in Section \n46.102 of Title 45 of the Code of Federal Regulations. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-b.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-b
      ref_id: 1798.146-b.4
      description: "\_ \u201CIndividually identifiable health information\u201D has\
        \ the same meaning as defined in Section 160.103 of Title 45 of the Code of\
        \ Federal Regulations. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-b.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-b
      ref_id: 1798.146-b.5
      description: "\u201CMedical information\u201D has the same meaning as defined\
        \ in Section 56.05. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-b.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-b
      ref_id: 1798.146-b.6
      description: "\u201CPatient information\u201D shall mean identifiable private\
        \ information, protected health information, individually identifiable health\
        \ information, or medical information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-b.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-b
      ref_id: 1798.146-b.7
      description: "\u201CProtected health information\u201D has the same meaning\
        \ as defined in Section 160.103 of Title 45 of the Code of Federal Regulations. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-b.8
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.146-b
      ref_id: 1798.146-b.8
      description: "\u201CProvider of health care\u201D has the same meaning as defined\
        \ in Section 56.05. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.148
      assessable: false
      depth: 1
      ref_id: '1798.148'
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.148-a
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.148
      ref_id: 1798.148-a
      description: 'A business or other person shall not reidentify, or attempt to
        reidentify, information that has met the requirements of paragraph (4) of
        subdivision (a) of Section 1798.146, except for one or more of the following
        purposes:  '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.148-a.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.148-a
      ref_id: 1798.148-a.1
      description: "Treatment, payment, or health care operations conducted by a covered\
        \ entity or business associate acting on behalf of, and at the written direction\
        \ of, the covered entity. For purposes of this paragraph, \u201Ctreatment,\u201D\
        \ \u201Cpayment,\u201D \u201Chealth care operations,\u201D \u201Ccovered entity,\u201D\
        \ and \u201Cbusiness associate\u201D have the same meaning as defined in Section\
        \ 164.501 of Title 45 of the Code of Federal Regulations. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.148-a.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.148-a
      ref_id: 1798.148-a.2
      description: 'Public health activities or purposes as described in Section 164.512
        of Title 45 of the Code of Federal Regulations. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.148-a.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.148-a
      ref_id: 1798.148-a.3
      description: "Research, as defined in Section 164.501 of Title 45 of the Code\
        \ of Federal \nRegulations, that is conducted in accordance with Part 46 of\
        \ Title 45 of the Code of Federal Regulations, the Federal Policy for the\
        \ Protection of Human Subjects, also known as the Common Rule. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.148-a.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.148-a
      ref_id: 1798.148-a.4
      description: 'Pursuant to a contract where the lawful holder of the deidentified
        information that met the requirements of paragraph (4) of subdivision (a)
        of Section 1798.146 expressly engages a person or entity to attempt to reidentify
        the deidentified information in order to conduct testing, analysis, or validation
        of deidentification, or related statistical techniques, if the contract bans
        any other use or disclosure of the reidentified information and requires the
        return or destruction of the information that was reidentified upon completion
        of the contract. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.148-a.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.148-a
      ref_id: 1798.148-a.5
      description: 'If otherwise required by law. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.148-b
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.148
      ref_id: 1798.148-b
      description: 'In accordance with paragraph (4) of subdivision (a) of Section
        1798.146, information reidentified pursuant this section shall be subject
        to applicable federal and state data privacy and security laws including,
        but not limited to, the Health Insurance Portability and Accountability Act,
        the Confidentiality of Medical Information Act, and this title. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.148-c
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.148
      ref_id: 1798.148-c
      description: 'Beginning January 1, 2021, any contract for the sale or license
        of deidentified information that has met the requirements of paragraph (4)
        of subdivision (a) of Section 1798.146, where one of the parties is a person
        residing or doing business in the state, shall include the following, or substantially
        similar, provisions: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.148-c.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.148-c
      ref_id: 1798.148-c.1
      description: 'A statement that the deidentified information being sold or licensed
        includes deidentified patient information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.148-c.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.148-c
      ref_id: 1798.148-c.2
      description: 'A statement that reidentification, and attempted reidentification,
        of the deidentified information by the purchaser or licensee of the information
        is prohibited pursuant to this section. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.148-c.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.148-c
      ref_id: 1798.148-c.3
      description: 'A requirement that, unless otherwise required by law, the purchaser
        or licensee of the deidentified information may not further disclose the deidentified
        information to any third party unless the third party is contractually bound
        by the same or stricter restrictions and conditions. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.148-d
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.148
      ref_id: 1798.148-d
      description: "For purposes of this section, \u201Creidentify\u201D means the\
        \ process of reversal of deidentification techniques, including, but not limited\
        \ to, the addition of specific pieces of information or data elements that\
        \ can, individually or in combination, be used to uniquely identify an individual\
        \ or usage of any statistical method, contrivance, computer software, or other\
        \ means that have the effect of associating deidentified information with\
        \ a specific identifiable individual. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.150
      assessable: false
      depth: 1
      ref_id: '1798.150'
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.150-a.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.150
      ref_id: 1798.150-a.1
      description: "Any consumer whose nonencrypted and nonredacted personal information,\
        \ as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section\
        \ 1798.81.5, or whose email address in combination with a password or security\
        \ question and answer that would permit access to the account is subject to\
        \ an unauthorized access and exfiltration, theft, or disclosure as a result\
        \ of the business\u2019s violation of the duty to implement and maintain reasonable\
        \ security procedures and practices appropriate to the nature of the information\
        \ to protect the personal information may institute a civil action for any\
        \ of the following: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.150-a.1.a
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.150-a.1
      ref_id: 1798.150-a.1.A
      description: 'To recover damages in an amount not less than one hundred dollars
        ($100) and not greater than seven hundred and fifty ($750) per consumer per
        incident or actual damages, whichever is greater. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.150-a.1.b
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.150-a.1
      ref_id: 1798.150-a.1.B
      description: 'Injunctive or declaratory relief. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.150-a.1.c
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.150-a.1
      ref_id: 1798.150-a.1.C
      description: 'Any other relief the court deems proper. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.150-a.2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.150-a.1
      ref_id: 1798.150-a.2
      description: "In assessing the amount of statutory damages, the court shall\
        \ consider any one or more of the relevant circumstances presented by any\
        \ of the parties to the case, including, but not limited to, the nature and\
        \ seriousness of the misconduct, the number of violations, the persistence\
        \ of the misconduct, the length of time over which the misconduct occurred,\
        \ the willfulness of the defendant\u2019s misconduct, and the defendant\u2019\
        s assets, liabilities, and net worth. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.150-b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.150
      ref_id: 1798.150-b
      description: "Actions pursuant to this section may be brought by a consumer\
        \ if, prior to initiating any action against a business for statutory damages\
        \ on an individual or class-wide basis, a consumer provides a business 30\
        \ days\u2019 written notice identifying the specific provisions of this title\
        \ the consumer alleges have been or are being violated. In the event a cure\
        \ is possible, if within the 30 days the business actually cures the noticed\
        \ violation and provides the consumer an express written statement that the\
        \ violations have been cured and that no further violations shall occur, no\
        \ action for individual statutory damages or class-wide statutory damages\
        \ may be initiated against the business. The implementation and maintenance\
        \ of reasonable security procedures and practices pursuant to Section 1798.81.5\
        \ following a breach does not constitute a cure with respect to that breach.\
        \ No notice shall be required prior to an individual consumer initiating an\
        \ action solely for actual pecuniary damages suffered as a result of the alleged\
        \ violations of this title. If a business continues to violate this title\
        \ in breach of the express written statement provided to the consumer under\
        \ this section, the consumer may initiate an action against the business to\
        \ enforce the written statement and may pursue statutory damages for each\
        \ breach of the express written statement, as well as any other violation\
        \ of the title that postdates the written statement. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.150-c
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.150
      ref_id: 1798.150-c
      description: 'The cause of action established by this section shall apply only
        to violations as defined in subdivision (a) and shall not be based on violations
        of any other section of this title. Nothing in this title shall be interpreted
        to serve as the basis for a private right of action under any other law. This
        shall not be construed to relieve any party from any duties or obligations
        imposed under other law or the United States or California Constitution. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.155
      assessable: false
      depth: 1
      ref_id: '1798.155'
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.155-a
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.155
      ref_id: 1798.155-a
      description: 'Any business, service provider, contractor, or other person that
        violates this title shall be liable for an administrative fine of not more
        than two thousand five hundred dollars ($2,500) for each violation or seven
        thousand five hundred dollars ($7,500) for each intentional violation or violations
        involving the personal information of consumers whom the business, service
        provider, contractor, or other person has actual knowledge are under 16 years
        of age, as adjusted pursuant to paragraph (5) of subdivision (a) of Section
        1798.185, in an administrative enforcement action brought by the California
        Privacy Protection Agency. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.155-b
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.155
      ref_id: 1798.155-b
      description: 'Any administrative fine assessed for a violation of this title,
        and the proceeds of any settlement of an action brought pursuant to subdivision
        (a), shall be deposited in the Consumer Privacy Fund, created within the General
        Fund pursuant to subdivision (a) of Section 1798.160 with the intent to fully
        offset any costs incurred by the state courts, the Attorney General, and the
        California Privacy Protection Agency in connection with this title. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.160
      assessable: false
      depth: 1
      ref_id: '1798.160'
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.160-a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.160
      ref_id: 1798.160-a
      description: "A special fund to be known as the \u201CConsumer Privacy Fund\u201D\
        \ is hereby created within the General Fund in the State Treasury, and is\
        \ available upon appropriation by the Legislature first to offset any costs\
        \ incurred by the state courts in connection with actions brought to enforce\
        \ this title, the costs incurred by the Attorney General in carrying out the\
        \ Attorney General\u2019s duties under this title, and then for the purposes\
        \ of establishing an investment fund in the State Treasury, with any earnings\
        \ or interest from the fund to be deposited in the General Fund, and making\
        \ grants to promote and protect consumer privacy, educate children in the\
        \ area of online privacy, and fund cooperative programs with international\
        \ law enforcement organizations to combat fraudulent activities with respect\
        \ to consumer data breaches. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.160-b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.160
      ref_id: 1798.160-b
      description: 'Funds transferred to the Consumer Privacy Fund shall be used exclusively
        as follows: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.160-b.1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.160-b
      ref_id: 1798.160-b.1
      description: 'To offset any costs incurred by the state courts and the Attorney
        General in connection with this title. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.160-b.2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.160-b
      ref_id: 1798.160-b.2
      description: 'After satisfying the obligations under paragraph (1), the remaining
        funds shall be allocated each fiscal year as follows: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.160-b.2.a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.160-b.2
      ref_id: 1798.160-b.2.A
      description: 'Ninety-one percent shall be invested by the Treasurer in financial
        assets with the goal of maximizing long term yields consistent with a prudent
        level of risk. The principal shall not be subject to transfer or appropriation,
        provided that any interest and earnings shall be transferred on an annual
        basis to the General Fund for appropriation by the Legislature for General
        Fund purposes. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.160-b.2.b
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.160-b.2
      ref_id: 1798.160-b.2.B
      description: 'Nine percent shall be made available to the California Privacy
        Protection Agency for the purposes of making grants in California, with 3
        percent allocated to each of the following grant recipients: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.160-b.2.b.i
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.160-b.2.b
      ref_id: 1798.160-b.2.B.i
      description: 'Nonprofit organizations to promote and protect consumer privacy. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.160-b.2.b.ii
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.160-b.2.b
      ref_id: 1798.160-b.2.B.ii
      description: 'Nonprofit organizations and public agencies, including school
        districts, to educate children in the area of online privacy. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.160-b.2.b.iii
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.160-b.2.b
      ref_id: 1798.160-b.2.B.iii
      description: 'State and local law enforcement agencies to fund cooperative programs
        with international law enforcement organizations to combat fraudulent activities
        with respect to consumer data breaches. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.160-c
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.160-b.2
      ref_id: 1798.160-c
      description: 'Funds in the Consumer Privacy Fund shall not be subject to appropriation
        or transfer by the Legislature for any other purpose. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.175
      assessable: false
      depth: 1
      ref_id: '1798.175'
    - urn: urn:intuitem:risk:req_node:ccpa_act:node412
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.175
      description: "This title is intended to further the constitutional right of\
        \ privacy and to supplement existing laws relating to consumers\u2019 personal\
        \ information, including, but not limited to, Chapter 22 (commencing with\
        \ Section 22575) of Division 8 of the Business and Professions Code and Title\
        \ 1.81 (commencing with Section 1798.80). The provisions of this title are\
        \ not limited to information collected electronically or over the Internet,\
        \ but apply to the collection and sale of all personal information collected\
        \ by a business from consumers. Wherever possible, law relating to consumers\u2019\
        \ personal information should be construed to harmonize with the provisions\
        \ of this title, but in the event of a conflict between other laws and the\
        \ provisions of this title, the provisions of the law that afford the greatest\
        \ protection for the right of privacy for consumers shall control. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.180
      assessable: false
      depth: 1
      ref_id: '1798.180'
    - urn: urn:intuitem:risk:req_node:ccpa_act:node414
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.180
      description: "This title is a matter of statewide concern and supersedes and\
        \ preempts all rules, regulations, codes, ordinances, and other laws adopted\
        \ by a city, county, city and county, municipality, or local agency regarding\
        \ the collection and sale of consumers\u2019 personal information by a business. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185
      assessable: false
      depth: 1
      ref_id: '1798.185'
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185
      ref_id: 1798.185-a
      description: 'On or before July 1, 2020, the Attorney General shall solicit
        broad public participation and adopt regulations to further the purposes of
        this title, including, but not limited to, the following areas: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.1
      description: 'Updating or adding categories of personal information to those
        enumerated in subdivision (c) of Section 1798.130 and subdivision (v) of Section
        1798.140, and updating or adding categories of sensitive personal information
        to those enumerated in subdivision (ae) of Section 1798.140 in order to address
        changes in technology, data collection practices, obstacles to implementation,
        and privacy concerns. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.2
      description: "Updating as needed the definitions of \u201Cdeidentified\u201D\
        \ and \u201Cunique identifier\u201D to address changes in technology, data\
        \ collection, obstacles to implementation, and privacy concerns, and adding,\
        \ modifying, or deleting categories to the definition of designated methods\
        \ for submitting requests to facilitate a consumer\u2019s ability to obtain\
        \ information from a business pursuant to Section 1798.130. The authority\
        \ to update the definition of \u201Cdeidentified\u201D shall not apply to\
        \ deidentification standards set forth in Section 164.514 of Title 45 of the\
        \ Code of Federal Regulations, where such information previously was \u201C\
        protected health information\u201D as defined in Section 160.103 of Title\
        \ 45 of the Code of Federal Regulations. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.3
      description: 'Establishing any exceptions necessary to comply with state or
        federal law, including, but not limited to, those relating to trade secrets
        and intellectual property rights, within one year of passage of this title
        and as needed thereafter, with the intention that trade secrets should not
        be disclosed in response to a verifiable consumer request. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.4
      description: 'Establishing rules and procedures for the following: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.4.a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.4
      ref_id: 1798.185-a.4.A
      description: "To facilitate and govern the submission of a request by a consumer\
        \ to opt out of the sale or sharing of personal information pursuant to Section\
        \ 1798.120 and to limit the use of a consumer\u2019s sensitive personal information\
        \ pursuant to Section 1798.121 to ensure that consumers have the ability to\
        \ exercise their choices without undue burden and to prevent business from\
        \ engaging in deceptive or harassing conduct, including in retaliation against\
        \ consumers for exercising their rights, while allowing businesses to inform\
        \ consumers of the consequences of their decision to opt out of the sale or\
        \ sharing of their personal information or to limit the use of their sensitive\
        \ personal information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.4.b
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.4
      ref_id: 1798.185-a.4.B
      description: "To govern business compliance with a consumer\u2019s opt-out request. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.4.c
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.4
      ref_id: 1798.185-a.4.C
      description: 'For the development and use of a recognizable and uniform opt
        out logo or button by all businesses to promote consumer awareness of the
        opportunity to opt-out of the sale of personal information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.5
      description: 'Adjusting the monetary thresholds, in January of every odd-numbered
        year to reflect any increase in the Consumer Price Index, in: subparagraph
        (A) of paragraph (1) of subdivision (d) of Section 1798.140; subparagraph
        (A) of paragraph (1) of subdivision (a) of Section 1798.150; subdivision (a)
        of Section 1798.155; Section 1798.199.25; and subdivision (a) of Section 1798.199.90. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.6
      description: 'Establishing rules, procedures, and any exceptions necessary to
        ensure that the notices and information that businesses are required to provide
        pursuant to this title are provided in a manner that may be easily understood
        by the average consumer, are accessible to consumers with disabilities, and
        are available in the language primarily used to interact with the consumer,
        including establishing rules and guidelines regarding financial incentives
        within one year of passage of this title and as needed thereafter. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.7
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.7
      description: "Establishing rules and procedures to further the purposes of Sections\
        \ 1798.105, 1798.106, 1798.110, and 1798.115 and to facilitate a consumer\u2019\
        s or the consumer\u2019s authorized agent\u2019s ability to delete personal\
        \ information, correct inaccurate personal information pursuant to Section\
        \ 1798.106, or obtain information pursuant to Section 1798.130, with the goal\
        \ of minimizing the administrative burden on consumers, taking into account\
        \ available technology, security concerns, and the burden on the business,\
        \ to govern a business\u2019s determination that a request for information\
        \ received from a consumer is a verifiable consumer request, including treating\
        \ a request submitted through a password-protected account maintained by the\
        \ consumer with the business while the consumer is logged into the account\
        \ as a verifiable consumer request and providing a mechanism for a consumer\
        \ who does not maintain an account with the business to request information\
        \ through the business\u2019s authentication of the consumer\u2019s identity,\
        \ within one year of passage of this title and as needed thereafter. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.8
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.8
      description: 'Establishing how often, and under what circumstances, a consumer
        may request a correction pursuant to Section 1798.106, including standards
        governing the following: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.8.a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.8
      ref_id: 1798.185-a.8.A
      description: 'How a business responds to a request for correction, including
        exceptions for requests to which a response is impossible or would involve
        disproportionate effort, and requests for correction of accurate information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.8.b
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.8
      ref_id: 1798.185-a.8.B
      description: 'How concerns regarding the accuracy of the information may be
        resolved. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.8.c
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.8
      ref_id: 1798.185-a.8.C
      description: 'The steps a business may take to prevent fraud. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.8.d
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.8
      ref_id: 1798.185-a.8.D
      description: "If a business rejects a request to correct personal information\
        \ collected and analyzed concerning a consumer\u2019s health, the right of\
        \ a consumer to provide a written addendum to the business with respect to\
        \ any item or statement regarding any such personal information that the consumer\
        \ believes to be incomplete or incorrect. The addendum shall be limited to\
        \ 250 words per alleged incomplete or incorrect item and shall clearly indicate\
        \ in writing that the consumer requests the addendum to be made a part of\
        \ the consumer\u2019s record. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.9
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.9
      description: "Establishing the standard to govern a business\u2019s determination,\
        \ pursuant to subparagraph (B) of paragraph (2) of subdivision (a) of Section\
        \ 1798.130, that providing information beyond the 12-month period in a response\
        \ to a verifiable consumer request is impossible or would involve a disproportionate\
        \ effort. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.10
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.10
      description: "Issuing regulations further defining and adding to the business\
        \ purposes, including other notified purposes, for which businesses, service\
        \ providers, and contractors may use consumers\u2019 personal information\
        \ consistent with consumers\u2019 expectations, and further defining the business\
        \ purposes for which service providers and contractors may combine consumers\u2019\
        \ personal information obtained from different sources, except as provided\
        \ for in paragraph (6) of subdivision (e) of Section 1798.140. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.11
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.11
      description: "Issuing regulations identifying those business purposes, including\
        \ other notified purposes, for which service providers and contractors may\
        \ use consumers\u2019 personal information received pursuant to a written\
        \ contract with a business, for the service provider or contractor\u2019s\
        \ own business purposes, with the goal of maximizing consumer privacy. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.12
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.12
      description: "Issuing regulations to further define \u201Cintentionally interacts,\u201D\
        \ with the goal of maximizing consumer privacy. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.13
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.13
      description: "Issuing regulations to further define \u201Cprecise geolocation,\u201D\
        \ including if the size defined is not sufficient to protect consumer privacy\
        \ in sparsely populated areas or when the personal information is used for\
        \ normal operational purposes, including billing. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.14
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.14
      description: "Issuing regulations to define the term \u201Cspecific pieces of\
        \ information obtained from the consumer\u201D with the goal of maximizing\
        \ a consumer\u2019s right to access relevant personal information while minimizing\
        \ the delivery of information to a consumer that would not be useful to the\
        \ consumer, including system log information and other technical data. For\
        \ delivery of the most sensitive personal information, the regulations may\
        \ require a higher standard of authentication provided that the agency shall\
        \ monitor the impact of the higher standard on the right of consumers to obtain\
        \ their personal information to ensure that the requirements of verification\
        \ do not result in the unreasonable denial of verifiable consumer requests. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.15
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.15
      description: "Issuing regulations requiring businesses whose processing of consumers\u2019\
        \ personal information presents significant risk to consumers\u2019 privacy\
        \ or security, to: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.15.a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.15
      ref_id: 1798.185-a.15.A
      description: 'Perform a cybersecurity audit on an annual basis, including defining
        the scope of the audit and establishing a process to ensure that audits are
        thorough and independent. The factors to be considered in determining when
        processing may result in significant risk to the security of personal information
        shall include the size and complexity of the business and the nature and scope
        of processing activities. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.15.b
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.15
      ref_id: 1798.185-a.15.B
      description: 'Submit to the California Privacy Protection Agency on a regular
        basis a risk assessment with respect to their processing of personal information,
        including whether the processing involves sensitive personal information,
        and identifying and weighing the benefits resulting from the processing to
        the business, the consumer, other stakeholders, and the public, against the
        potential risks to the rights of the consumer associated with that processing,
        with the goal of restricting or prohibiting the processing if the risks to
        privacy of the consumer outweigh the benefits resulting from processing to
        the consumer, the business, other stakeholders, and the public. Nothing in
        this section shall require a business to divulge trade secrets. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.16
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.16
      description: "Issuing regulations governing access and opt-out rights with respect\
        \ to businesses\u2019 use of automated decisionmaking technology, including\
        \ profiling and requiring businesses\u2019 response to access requests to\
        \ include meaningful information about the logic involved in those decisionmaking\
        \ processes, as well as a description of the likely outcome of the process\
        \ with respect to the consumer. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.17
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.17
      description: "Issuing regulations to further define a \u201Claw enforcement\
        \ agency-approved investigation\u201D for purposes of the exception in subparagraph\
        \ (B) of paragraph (1) of subdivision (a) of Section 1798.145. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.18
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.18
      description: "Issuing regulations to define the scope and process for the exercise\
        \ of the agency\u2019s audit authority, to establish criteria for selection\
        \ of persons to audit, and to protect consumers\u2019 personal information\
        \ from disclosure to an auditor in the absence of a court order, warrant,\
        \ or subpoena. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.19.A
      description: "Issuing regulations to define the requirements and technical specifications\
        \ for an opt-out preference signal sent by a platform, technology, or mechanism,\
        \ to indicate a consumer\u2019s intent to opt out of the sale or sharing of\
        \ the consumer\u2019s personal information and to limit the use or disclosure\
        \ of the consumer\u2019s sensitive personal information. The requirements\
        \ and specifications for the opt-out preference signal should be updated from\
        \ time to time to reflect the means by which consumers interact with businesses,\
        \ and should: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a.i
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a
      ref_id: 1798.185-a.19.A.i
      description: 'Ensure that the manufacturer of a platform or browser or device
        that sends the opt-out preference signal cannot unfairly disadvantage another
        business. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a.ii
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a
      ref_id: 1798.185-a.19.A.ii
      description: 'Ensure that the opt-out preference signal is consumer-friendly,
        clearly described, and easy to use by an average consumer and does not require
        that the consumer provide additional information beyond what is necessary. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a.iii
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a
      ref_id: 1798.185-a.19.A.iii
      description: "Clearly represent a consumer\u2019s intent and be free of defaults\
        \ constraining or presupposing that intent. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a.iv
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a
      ref_id: 1798.185-a.19.A.iv
      description: 'Ensure that the opt-out preference signal does not conflict with
        other commonly used privacy settings or tools that consumers may employ. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a.v
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a
      ref_id: 1798.185-a.19.A.v
      description: "Provide a mechanism for the consumer to selectively consent to\
        \ a business\u2019s sale of the consumer\u2019s personal information, or the\
        \ use or disclosure of the consumer\u2019s sensitive personal information,\
        \ without affecting the consumer\u2019s preferences with respect to other\
        \ businesses or disabling the opt-out preference signal globally. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a.vi
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a
      ref_id: 1798.185-a.19.A.vi
      description: 'State that in the case of a page or setting view that the consumer
        accesses to set the opt-out preference signal, the consumer should see up
        to three choices, including: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a.vi.i
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a.vi
      ref_id: 1798.185-a.19.A.vi.I
      description: 'Global opt out from sale and sharing of personal information,
        including a direction to limit the use of sensitive personal information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a.vi.ii
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a.vi
      ref_id: 1798.185-a.19.A.vi.II
      description: "Choice to \u201CLimit the Use of My Sensitive Personal Information.\u201D\
        \ "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a.vi.iii
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a.vi
      ref_id: 1798.185-a.19.A.vi.III
      description: "Choice titled \u201CDo Not Sell/Do Not Share My Personal Information\
        \ for Cross-Context Behavioral Advertising.\u201D "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.b
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a
      ref_id: 1798.185-a.19.B
      description: "Issuing regulations to establish technical specifications for\
        \ an opt-out preference signal that allows the consumer, or the consumer\u2019\
        s parent or guardian, to specify that the consumer is less than 13 years of\
        \ age or at least 13 years of age and less than 16 years of age. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.c
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.a
      ref_id: 1798.185-a.19.C
      description: "Issuing regulations, with the goal of strengthening consumer privacy\
        \ while considering the legitimate operational interests of businesses, to\
        \ govern the use or disclosure of a consumer\u2019s sensitive personal information,\
        \ notwithstanding the consumer\u2019s direction to limit the use or disclosure\
        \ of the consumer\u2019s sensitive personal information, including: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.c.i
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.c
      ref_id: 1798.185-a.19.C.i
      description: "Determining any additional purposes for which a business may use\
        \ or disclose a consumer\u2019s sensitive personal information. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.c.ii
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.c
      ref_id: 1798.185-a.19.C.ii
      description: 'Determining the scope of activities permitted under paragraph
        (8) of subdivision (e) of Section 1798.140, as authorized by subdivision (a)
        of Section 1798.121, to ensure that the activities do not involve health-related
        research. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.c.iii
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.c
      ref_id: 1798.185-a.19.C.iii
      description: "Ensuring the functionality of the business\u2019s operations. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.c.iv
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.19.c
      ref_id: 1798.185-a.19.C.iv
      description: "Ensuring that the exemption in subdivision (d) of Section 1798.121\
        \ for sensitive personal information applies to information that is collected\
        \ or processed incidentally, or without the purpose of inferring characteristics\
        \ about a consumer, while ensuring that businesses do not use the exemption\
        \ for the purpose of evading consumers\u2019 rights to limit the use and disclosure\
        \ of their sensitive personal information under Section 1798.121. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.20
      description: 'Issuing regulations to govern how a business that has elected
        to comply with subdivision (b) of Section 1798.135 responds to the opt-out
        preference signal and provides consumers with the opportunity subsequently
        to consent to the sale or sharing of their personal information or the use
        and disclosure of their sensitive personal information for purposes in addition
        to those authorized by subdivision (a) of Section 1798.121. The regulations
        should: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20
      ref_id: 1798.185-a.20.A
      description: 'Strive to promote competition and consumer choice and be technology
        neutral. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.b
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20
      ref_id: 1798.185-a.20.B
      description: 'Ensure that the business does not respond to an opt-out preference
        signal by: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.b.i
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.b
      ref_id: 1798.185-a.20.B.i
      description: 'Intentionally degrading the functionality of the consumer experience. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.b.ii
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.b
      ref_id: 1798.185-a.20.B.ii
      description: "Charging the consumer a fee in response to the consumer\u2019\
        s opt-out preferences. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.b.iii
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.b
      ref_id: 1798.185-a.20.B.iii
      description: 'Making any products or services not function properly or fully
        for the consumer, as compared to consumers who do not use the opt-out preference
        signal. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.b.iv
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.b
      ref_id: 1798.185-a.20.B.iv
      description: "Attempting to coerce the consumer to opt in to the sale or sharing\
        \ of the consumer\u2019s personal information, or the use or disclosure of\
        \ the consumer\u2019s sensitive personal information, by stating or implying\
        \ that the use of the optout preference signal will adversely affect the consumer\
        \ as compared to consumers who do not use the opt-out preference signal, including\
        \ stating or implying that the consumer will not be able to use the business\u2019\
        s products or services or that those products or services may not function\
        \ properly or fully. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.b.v
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.b
      ref_id: 1798.185-a.20.B.v
      description: "Displaying any notification or pop-up in response to the consumer\u2019\
        s opt-out preference signal. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.c
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20
      ref_id: 1798.185-a.20.C
      description: 'Ensure that any link to a web page or its supporting content that
        allows the consumer to consent to opt in: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.c.i
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.c
      ref_id: 1798.185-a.20.C.i
      description: "Is not part of a popup, notice, banner, or other intrusive design\
        \ that obscures any part of the web page the consumer intended to visit from\
        \ full view or that interferes with or impedes in any way the consumer\u2019\
        s experience visiting or browsing the web page or website the consumer intended\
        \ to visit. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.c.ii
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.c
      ref_id: 1798.185-a.20.C.ii
      description: 'Does not require or imply that the consumer must click the link
        to receive full functionality of any products or services, including the website. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.c.iii
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.c
      ref_id: 1798.185-a.20.C.iii
      description: 'Does not make use of any dark patterns. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.c.iv
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.c
      ref_id: 1798.185-a.20.C.iv
      description: 'Applies only to the business with which the consumer intends to
        interact. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20.d
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.20
      ref_id: 1798.185-a.20.D
      description: 'Strive to curb coercive or deceptive practices in response to
        an opt-out preference signal but should not unduly restrict businesses that
        are trying in good faith to comply with Section 1798.135. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.21
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.21
      description: 'Review existing Insurance Code provisions and regulations relating
        to consumer privacy, except those relating to insurance rates or pricing,
        to determine whether any provisions of the Insurance Code provide greater
        protection to consumers than the provisions of this title. Upon completing
        its review, the agency shall adopt a regulation that applies only the more
        protective provisions of this title to insurance companies. For the purpose
        of clarity, the Insurance Commissioner shall have jurisdiction over insurance
        rates and pricing. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a.22
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-a
      ref_id: 1798.185-a.22
      description: 'Harmonizing the regulations governing opt-out mechanisms, notices
        to consumers, and other operational mechanisms in this title to promote clarity
        and the functionality of this title for consumers. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185
      ref_id: 1798.185-b
      description: 'The Attorney General may adopt additional regulations as necessary
        to further the purposes of this title. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-c
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185
      ref_id: 1798.185-c
      description: 'The Attorney General shall not bring an enforcement action under
        this title until six months after the publication of the final regulations
        issued pursuant to this section or July 1, 2020, whichever is sooner. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.185-d
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.185
      ref_id: 1798.185-d
      description: 'Notwithstanding subdivision (a), the timeline for adopting final
        regulations required by the act adding this subdivision shall be July 1, 2022.
        Beginning the later of July 1, 2021, or six months after the agency provides
        notice to the Attorney General that it is prepared to begin rulemaking under
        this title, the authority assigned to the Attorney General to adopt regulations
        under this section shall be exercised by the California Privacy Protection
        Agency. Notwithstanding any other law, civil and administrative enforcement
        of the provisions of law added or amended by this act shall not commence until
        July 1, 2023, and shall only apply to violations occurring on or after that
        date. Enforcement of provisions of law contained in the California Consumer
        Privacy Act of 2018 amended by this act shall remain in effect and shall be
        enforceable until the same provisions of this act become enforceable. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.190
      assessable: false
      depth: 1
      ref_id: '1798.190'
    - urn: urn:intuitem:risk:req_node:ccpa_act:node480
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.190
      description: 'A court or the agency shall disregard the intermediate steps or
        transactions for purposes of effectuating the purposes of this title: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.190-a
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node480
      ref_id: 1798.190-a
      description: 'If a series of steps or transactions were component parts of a
        single transaction intended from the beginning to be taken with the intention
        of avoiding the reach of this title, including the disclosure of information
        by a business to a third party in order to avoid the definition of sell or
        share. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.190-b
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node480
      ref_id: 1798.190-b
      description: 'If steps or transactions were taken to purposely avoid the definition
        of sell or share by eliminating any monetary or other valuable consideration,
        including by entering into contracts that do not include an exchange for monetary
        or other valuable consideration, but where a party is obtaining something
        of value or use. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.192
      assessable: false
      depth: 1
      ref_id: '1798.192'
    - urn: urn:intuitem:risk:req_node:ccpa_act:node484
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.192
      description: "Any provision of a contract or agreement of any kind, including\
        \ a representative action waiver, that purports to waive or limit in any way\
        \ rights under this title, including, but not limited to, any right to a remedy\
        \ or means of enforcement, shall be deemed contrary to public policy and shall\
        \ be void and unenforceable. This section shall not prevent a consumer from\
        \ declining to request information from a business, declining to opt out of\
        \ a business\u2019s sale of the consumer\u2019s personal information, or authorizing\
        \ a business to sell or share the consumer\u2019s personal information after\
        \ previously opting out. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.194
      assessable: false
      depth: 1
      ref_id: '1798.194'
    - urn: urn:intuitem:risk:req_node:ccpa_act:node486
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.194
      description: This title shall be liberally construed to effectuate its purposes
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.196.
      assessable: false
      depth: 1
      ref_id: 1798.196.
    - urn: urn:intuitem:risk:req_node:ccpa_act:node488
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.196.
      description: 'This title is intended to supplement federal and state law, if
        permissible, but shall not apply if such application is preempted by, or in
        conflict with, federal law or the United States or California Constitution. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.198.
      assessable: false
      depth: 1
      ref_id: 1798.198.
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.198-a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.198.
      ref_id: 1798.198-a
      description: 'Subject to limitation provided in subdivision (b), and in Section
        1798.199, this title shall be operative January 1, 2020. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.198-b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.198.
      ref_id: 1798.198-b
      description: 'This title shall become operative only if initiative measure No.
        17-0039, The Consumer Right to Privacy Act of 2018, is withdrawn from the
        ballot pursuant to Section 9604 of the Elections Code. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199
      assessable: false
      depth: 1
      ref_id: '1798.199'
    - urn: urn:intuitem:risk:req_node:ccpa_act:node493
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199
      description: 'Notwithstanding Section 1798.198, Section 1798.180 shall be operative
        on the effective date of the act adding this section. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.10
      assessable: false
      depth: 1
      ref_id: 1798.199.10
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.10-a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.10
      ref_id: 1798.199.10-a
      description: 'There is hereby established in state government the California
        Privacy Protection Agency, which is vested with full administrative power,
        authority, and jurisdiction to implement and enforce the California Consumer
        Privacy Act of 2018. The agency shall be governed by a five-member board,
        including the chairperson. The chairperson and one member of the board shall
        be appointed by the Governor. The Attorney General, Senate Rules Committee,
        and Speaker of the Assembly shall each appoint one member. These appointments
        should be made from among Californians with expertise in the areas of privacy,
        technology, and consumer rights. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.10-b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.10
      ref_id: 1798.199.10-b
      description: 'The initial appointments to the agency shall be made within 90
        days of the effective date of the act adding this section. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.15
      assessable: false
      depth: 1
      ref_id: 1798.199.15
    - urn: urn:intuitem:risk:req_node:ccpa_act:node498
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.15
      description: 'Members of the agency board shall: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.15-a
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node498
      ref_id: 1798.199.15-a
      description: ' Have qualifications, experience, and skills, in particular in
        the areas of privacy and technology, required to perform the duties of the
        agency and exercise its powers. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.15-b
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node498
      ref_id: 1798.199.15-b
      description: 'Maintain the confidentiality of information which has come to
        their knowledge in the course of the performance of their tasks or exercise
        of their powers, except to the extent that disclosure is required by the Public
        Records Act. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.15-c
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node498
      ref_id: 1798.199.15-c
      description: 'Remain free from external influence, whether direct or indirect,
        and shall neither seek nor take instructions from another. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.15-d
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node498
      ref_id: 1798.199.15-d
      description: ' Refrain from any action incompatible with their duties and engaging
        in any incompatible occupation, whether gainful or not, during their term. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.15-e
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node498
      ref_id: 1798.199.15-e
      description: ' Have the right of access to all information made available by
        the agency to the chairperson. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.15-f
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node498
      ref_id: 1798.199.15-f
      description: "Be precluded, for a period of one year after leaving office, from\
        \ accepting employment with a business that was subject to an enforcement\
        \ action or civil action under this title during the member\u2019s tenure\
        \ or during the five-year period preceding the member\u2019s appointment. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.15-g
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node498
      ref_id: 1798.199.15-g
      description: ' Be precluded for a period of two years after leaving office from
        acting, for compensation, as an agent or attorney for, or otherwise representing,
        any other person in a matter pending before the agency if the purpose is to
        influence an action of the agency. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.20
      assessable: false
      depth: 1
      ref_id: 1798.199.20
    - urn: urn:intuitem:risk:req_node:ccpa_act:node507
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.20
      description: 'Members of the agency board, including the chairperson, shall
        serve at the pleasure of their appointing authority but shall serve for no
        longer than eight consecutive years. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.25
      assessable: false
      depth: 1
      ref_id: 1798.199.25
    - urn: urn:intuitem:risk:req_node:ccpa_act:node509
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.25
      description: 'For each day on which they engage in official duties, members
        of the agency board shall be compensated at the rate of one hundred dollars
        ($100), adjusted biennially to reflect changes in the cost of living, and
        shall be reimbursed for expenses incurred in performance of their official
        duties. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.30
      assessable: false
      depth: 1
      ref_id: 1798.199.30
    - urn: urn:intuitem:risk:req_node:ccpa_act:node511
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.30
      description: 'The agency board shall appoint an executive director who shall
        act in accordance with agency policies and regulations and with applicable
        law. The agency shall appoint and discharge officers, counsel, and employees,
        consistent with applicable civil service laws, and shall fix the compensation
        of employees and prescribe their duties. The agency may contract for services
        that cannot be provided by its employees. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.35
      assessable: false
      depth: 1
      ref_id: 1798.199.35
    - urn: urn:intuitem:risk:req_node:ccpa_act:node513
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.35
      description: 'The agency board may delegate authority to the chairperson or
        the executive director to act in the name of the agency between meetings of
        the agency, except with respect to resolution of enforcement actions and rulemaking
        authority. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.40
      assessable: false
      depth: 1
      ref_id: 1798.199.40
    - urn: urn:intuitem:risk:req_node:ccpa_act:node515
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.40
      description: 'The agency shall perform the following functions: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.40-a
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node515
      ref_id: 1798.199.40-a
      description: 'Administer, implement, and enforce through administrative actions
        this title. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.40-b
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node515
      ref_id: 1798.199.40-b
      description: 'On and after the later of July 1, 2021, or within six months of
        the agency providing the Attorney General with notice that it is prepared
        to assume rulemaking responsibilities under this title, adopt, amend, and
        rescind regulations pursuant to Section 1798.185 to carry out the purposes
        and provisions of the California Consumer Privacy Act of 2018, including regulations
        specifying recordkeeping requirements for businesses to ensure compliance
        with this title. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.40-c
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node515
      ref_id: 1798.199.40-c
      description: 'Through the implementation of this title, protect the fundamental
        privacy rights of natural persons with respect to the use of their personal
        information. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.40-d
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node515
      ref_id: 1798.199.40-d
      description: 'Promote public awareness and understanding of the risks, rules,
        responsibilities, safeguards, and rights in relation to the collection, use,
        sale, and disclosure of personal information, including the rights of minors
        with respect to their own information, and provide a public report summarizing
        the risk assessments filed with the agency pursuant to paragraph (15) of subdivision
        (a) of Section 1798.185 while ensuring that data security is not compromised. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.40-e
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node515
      ref_id: 1798.199.40-e
      description: 'Provide guidance to consumers regarding their rights under this
        title. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.40-f
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node515
      ref_id: 1798.199.40-f
      description: 'Provide guidance to businesses regarding their duties and responsibilities
        under this title and appoint a Chief Privacy Auditor to conduct audits of
        businesses to ensure compliance with this title pursuant to regulations adopted
        pursuant to paragraph (18) of subdivision (a) of Section 1798.185. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.40-g
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node515
      ref_id: 1798.199.40-g
      description: 'Provide technical assistance and advice to the Legislature, upon
        request, with respect to privacy-related legislation. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.40-h
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node515
      ref_id: 1798.199.40-h
      description: 'Monitor relevant developments relating to the protection of personal
        information and, in particular, the development of information and communication
        technologies and commercial practices. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.40-i
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node515
      ref_id: 1798.199.40-i
      description: 'Cooperate with other agencies with jurisdiction over privacy laws
        and with data processing authorities in California, other states, territories,
        and countries to ensure consistent application of privacy protections. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.40-j
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node515
      ref_id: 1798.199.40-j
      description: 'Establish a mechanism pursuant to which persons doing business
        in California that do not meet the definition of business set forth in paragraph
        (1), (2), or (3) of subdivision (d) of Section 1798.140 may voluntarily certify
        that they are in compliance with this title, as set forth in paragraph (4)
        of subdivision (d) of Section 1798.140, and make a list of those entities
        available to the public. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.40-k
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node515
      ref_id: 1798.199.40-k
      description: 'Solicit, review, and approve applications for grants to the extent
        funds are available pursuant to paragraph (2) of subdivision (b) of Section
        1798.160. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.40-l
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node515
      ref_id: 1798.199.40-l
      description: 'Perform all other acts necessary or appropriate in the exercise
        of its power, authority, and jurisdiction and seek to balance the goals of
        strengthening consumer privacy while giving attention to the impact on businesses. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.45
      assessable: false
      depth: 1
      ref_id: 1798.199.45
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.45-a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.45
      ref_id: 1798.199.45-a
      description: 'Upon the sworn complaint of any person or on its own initiative,
        the agency may investigate possible violations of this title relating to any
        business, service provider, contractor, or person. The agency may decide not
        to investigate a complaint or decide to provide a business with a time period
        to cure the alleged violation. In making a decision not to investigate or
        provide more time to cure, the agency may consider the following: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.45-a.1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.45-a
      ref_id: 1798.199.45-a.1
      description: 'Lack of intent to violate this title. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.45-a.2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.45-a
      ref_id: 1798.199.45-a.2
      description: 'Voluntary efforts undertaken by the business, service provider,
        contractor, or person to cure the alleged violation prior to being notified
        by the agency of the complaint. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.45-b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.45
      ref_id: 1798.199.45-b
      description: 'The agency shall notify in writing the person who made the complaint
        of the action, if any, the agency has taken or plans to take on the complaint,
        together with the reasons for that action or nonaction. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.50
      assessable: false
      depth: 1
      ref_id: 1798.199.50
    - urn: urn:intuitem:risk:req_node:ccpa_act:node534
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.50
      description: "No finding of probable cause to believe this title has been violated\
        \ shall be made by the agency unless, at least 30 days prior to the agency\u2019\
        s consideration of the alleged violation, the business, service provider,\
        \ contractor, or person alleged to have violated this title is notified of\
        \ the violation by service of process or registered mail with return receipt\
        \ requested, provided with a summary of the evidence, and informed of their\
        \ right to be present in person and represented by counsel at any proceeding\
        \ of the agency held for the purpose of considering whether probable cause\
        \ exists for believing the person violated this title. Notice to the alleged\
        \ violator shall be deemed made on the date of service, the date the registered\
        \ mail receipt is signed, or if the registered mail receipt is not signed,\
        \ the date returned by the post office. A proceeding held for the purpose\
        \ of considering probable cause shall be private unless the alleged violator\
        \ files with the agency a written request that the proceeding be public. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.55
      assessable: false
      depth: 1
      ref_id: 1798.199.55
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.55-a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.55
      ref_id: 1798.199.55-a
      description: 'When the agency determines there is probable cause for believing
        this title has been violated, it shall hold a hearing to determine if a violation
        has or violations have occurred. Notice shall be given and the hearing conducted
        in accordance with the Administrative Procedure Act (Chapter 5 (commencing
        with Section 11500), Part 1, Division 3, Title 2, Government Code). The agency
        shall have all the powers granted by that chapter. If the agency determines
        on the basis of the hearing conducted pursuant to this subdivision that a
        violation or violations have occurred, it shall issue an order that may require
        the violator to do all or any of the following: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.55-a.1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.55-a
      ref_id: 1798.199.55-a.1
      description: 'Cease and desist violation of this title. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.55-a.2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.55-a
      ref_id: 1798.199.55-a.2
      description: 'Subject to Section 1798.155, pay an administrative fine of up
        to two thousand five hundred dollars ($2,500) for each violation, or up to
        seven thousand five hundred dollars ($7,500) for each intentional violation
        and each violation involving the personal information of minor consumers to
        the Consumer Privacy Fund within the General Fund of the state. When the agency
        determines that no violation has occurred, it shall publish a declaration
        so stating. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.55-b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.55
      ref_id: 1798.199.55-b
      description: 'If two or more persons are responsible for any violation or violations,
        they shall be jointly and severally liable. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.60
      assessable: false
      depth: 1
      ref_id: 1798.199.60
    - urn: urn:intuitem:risk:req_node:ccpa_act:node541
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.60
      description: 'Whenever the agency rejects the decision of an administrative
        law judge made pursuant to Section 11517 of the Government Code, the agency
        shall state the reasons in writing for rejecting the decision. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.65
      assessable: false
      depth: 1
      ref_id: 1798.199.65
    - urn: urn:intuitem:risk:req_node:ccpa_act:node543
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.65
      description: "The agency may subpoena witnesses, compel their attendance and\
        \ testimony, administer oaths and affirmations, take evidence and require\
        \ by subpoena the production of any books, papers, records, or other items\
        \ material to the performance of the agency\u2019s duties or exercise of its\
        \ powers, including, but not limited to, its power to audit a business\u2019\
        \ compliance with this title. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.70
      assessable: false
      depth: 1
      ref_id: 1798.199.70
    - urn: urn:intuitem:risk:req_node:ccpa_act:node545
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.70
      description: 'No administrative action brought pursuant to this title alleging
        a violation of any of the provisions of this title shall be commenced more
        than five years after the date on which the violation occurred. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.70-a
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node545
      ref_id: 1798.199.70-a
      description: 'The service of the probable cause hearing notice, as required
        by Section 1798.199.50, upon the person alleged to have violated this title
        shall constitute the commencement of the administrative action. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.70-b
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node545
      ref_id: 1798.199.70-b
      description: "If the person alleged to have violated this title engages in the\
        \ fraudulent concealment of the person\u2019s acts or identity, the five-year\
        \ period shall be tolled for the period of the concealment. For purposes of\
        \ this subdivision, \u201Cfraudulent concealment\u201D means the person knows\
        \ of material facts related to the person\u2019s duties under this title and\
        \ knowingly conceals them in performing or omitting to perform those duties\
        \ for the purpose of defrauding the public of information to which it is entitled\
        \ under this title. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.70-c
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:node545
      ref_id: 1798.199.70-c
      description: 'If, upon being ordered by a superior court to produce any documents
        sought by a subpoena in any administrative proceeding under this title, the
        person alleged to have violated this title fails to produce documents in response
        to the order by the date ordered to comply therewith, the five-year period
        shall be tolled for the period of the delay from the date of filing of the
        motion to compel until the date the documents are produced. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.75
      assessable: false
      depth: 1
      ref_id: 1798.199.75
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.75-a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.75
      ref_id: 1798.199.75-a
      description: "In addition to any other available remedies, the agency may bring\
        \ a civil action and obtain a judgment in superior court for the purpose of\
        \ collecting any unpaid administrative fines imposed pursuant to this title\
        \ after exhaustion of judicial review of the agency\u2019s action. The action\
        \ may be filed as a small claims, limited civil, or unlimited civil case depending\
        \ on the jurisdictional amount. The venue for this action shall be in the\
        \ county where the administrative fines were imposed by the agency. In order\
        \ to obtain a judgment in a proceeding under this section, the agency shall\
        \ show, following the procedures and rules of evidence as applied in ordinary\
        \ civil actions, all of the following: "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.75-a.1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.75-a
      ref_id: 1798.199.75-a.1
      description: 'That the administrative fines were imposed following the procedures
        set forth in this title and implementing regulations. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.75-a.2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.75-a
      ref_id: 1798.199.75-a.2
      description: 'That the defendant or defendants in the action were notified,
        by actual or constructive notice, of the imposition of the administrative
        fines. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.75-a.3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.75-a
      ref_id: 1798.199.75-a.3
      description: 'That a demand for payment has been made by the agency and full
        payment has not been received. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.75-b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.75
      ref_id: 1798.199.75-b
      description: 'A civil action brought pursuant to subdivision (a) shall be commenced
        within four years after the date on which the administrative fines were imposed. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.80
      assessable: false
      depth: 1
      ref_id: 1798.199.80
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.80.a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.80
      ref_id: 1798.199.80.a
      description: 'If the time for judicial review of a final agency order or decision
        has lapsed, or if all means of judicial review of the order or decision have
        been exhausted, the agency may apply to the clerk of the court for a judgment
        to collect the administrative fines imposed by the order or decision, or the
        order as modified in accordance with a decision on judicial review. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.80.b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.80
      ref_id: 1798.199.80.b
      description: 'The application, which shall include a certified copy of the order
        or decision, or the order as modified in accordance with a decision on judicial
        review, and proof of service of the order or decision, constitutes a sufficient
        showing to warrant issuance of the judgment to collect the administrative
        fines. The clerk of the court shall enter the judgment immediately in conformity
        with the application. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.80.c
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.80
      ref_id: 1798.199.80.c
      description: 'An application made pursuant to this section shall be made to
        the clerk of the superior court in the county where the administrative fines
        were imposed by the agency. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.80.d
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.80
      ref_id: 1798.199.80.d
      description: 'A judgment entered in accordance with this section has the same
        force and effect as, and is subject to all the provisions of law relating
        to, a judgment in a civil action and may be enforced in the same manner as
        any other judgment of the court in which it is entered. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.80.e
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.80
      ref_id: 1798.199.80.e
      description: 'The agency may bring an application pursuant to this section only
        within four years after the date on which all means of judicial review of
        the order or decision have been exhausted. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.80.f
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.80
      ref_id: 1798.199.80.f
      description: 'The remedy available under this section is in addition to those
        available under any other law. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.85
      assessable: false
      depth: 1
      ref_id: 1798.199.85
    - urn: urn:intuitem:risk:req_node:ccpa_act:node563
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.85
      description: 'Any decision of the agency with respect to a complaint or administrative
        fine shall be subject to judicial review in an action brought by an interested
        party to the complaint or administrative fine and shall be subject to an abuse
        of discretion standard. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.90
      assessable: false
      depth: 1
      ref_id: 1798.199.90
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.90-a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.90
      ref_id: 1798.199.90-a
      description: 'Any business, service provider, contractor, or other person that
        violates this title shall be subject to an injunction and liable for a civil
        penalty of not more than two thousand five hundred dollars ($2,500) for each
        violation or seven thousand five hundred dollars ($7,500) for each intentional
        violation and each violation involving the personal information of minor consumers,
        as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185,
        which shall be assessed and recovered in a civil action brought in the name
        of the people of the State of California by the Attorney General. The court
        may consider the good faith cooperation of the business, service provider,
        contractor, or other person in determining the amount of the civil penalty. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.90-b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.90
      ref_id: 1798.199.90-b
      description: 'Any civil penalty recovered by an action brought by the Attorney
        General for a violation of this title, and the proceeds of any settlement
        of any said action, shall be deposited in the Consumer Privacy Fund. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.90-c
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.90
      ref_id: 1798.199.90-c
      description: 'The agency shall, upon request by the Attorney General, stay an
        administrative action or investigation under this title to permit the Attorney
        General to proceed with an investigation or civil action and shall not pursue
        an administrative action or investigation, unless the Attorney General subsequently
        determines not to pursue an investigation or civil action. The agency may
        not limit the authority of the Attorney General to enforce this title. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.90-d
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.90
      ref_id: 1798.199.90-d
      description: 'No civil action may be filed by the Attorney General under this
        section for any violation of this title after the agency has issued a decision
        pursuant to Section 1798.199.85 or an order pursuant to Section 1798.199.55
        against that person for the same violation. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.90-e
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.90
      ref_id: 1798.199.90-e
      description: 'This section shall not affect the private right of action provided
        for in Section 1798.150. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.95
      assessable: false
      depth: 1
      ref_id: 1798.199.95
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.95-a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.95
      ref_id: 1798.199.95-a
      description: "There is hereby appropriated from the General Fund of the state\
        \ to the agency the sum of five million dollars ($5,000,000) during the fiscal\
        \ year 2020\u20132021, and the sum of ten million dollars ($10,000,000) adjusted\
        \ for cost-of-living changes, during each fiscal year thereafter, for expenditure\
        \ to support the operations of the agency pursuant to this title. The expenditure\
        \ of funds under this appropriation shall be subject to the normal administrative\
        \ review given to other state appropriations. The Legislature shall appropriate\
        \ those additional amounts to the commission and other agencies as may be\
        \ necessary to carry out the provisions of this title. "
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.95-b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.95
      ref_id: 1798.199.95-b
      description: 'The Department of Finance, in preparing the state budget and the
        Budget Act bill submitted to the Legislature, shall include an item for the
        support of this title that shall indicate all of the following: '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.95-b.1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.95-b
      ref_id: 1798.199.95-b.1
      description: 'The amounts to be appropriated to other agencies to carry out
        their duties under this title, which amounts shall be in augmentation of the
        support items of those agencies. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.95-b.2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.95-b
      ref_id: 1798.199.95-b.2
      description: 'The additional amounts required to be appropriated by the Legislature
        to the agency to carry out the purposes of this title, as provided for in
        this section. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.95-b.3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.95-b
      ref_id: 1798.199.95-b.3
      description: 'In parentheses, for informational purposes, the continuing appropriation
        during each fiscal year of ten million dollars ($10,000,000), adjusted for
        cost-of-living changes made pursuant to this section. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.95-c
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.95
      ref_id: 1798.199.95-c
      description: 'The Attorney General shall provide staff support to the agency
        until the agency has hired its own staff. The Attorney General shall be reimbursed
        by the agency for these services. '
    - urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.100
      assessable: false
      depth: 1
      ref_id: 1798.199.100
    - urn: urn:intuitem:risk:req_node:ccpa_act:node578
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_act:1798.199.100
      description: 'The agency and any court, as applicable, shall consider the good
        faith cooperation of the business, service provider, contractor, or other
        person in determining the amount of any administrative fine or civil penalty
        for a violation of this title. A business shall not be required by the agency,
        a court, or otherwise to pay both an administrative fine and a civil penalty
        for the same violation. '