ccpa_regulations.yaml

urn: urn:intuitem:risk:library:ccpa_regulations
locale: en
ref_id: CCPA Regulations
name: California Consumer Privacy Act Regulations (CCPA)
description: "The California Consumer Privacy Act of 2018 (CCPA) gives consumers more\
  \ control over the personal information that businesses collect about them and the\
  \ CCPA regulations provide guidance on how to implement the law. Effective 1/1/2024\
  \ \u2013 AB 947 and AB 1194 updates\nhttps://cppa.ca.gov/regulations/pdf/cppa_regs.pdf"
copyright: State of California
version: 1
provider: State of California
packager: intuitem
objects:
  framework:
    urn: urn:intuitem:risk:framework:ccpa_regulations
    ref_id: CCPA Regulations
    name: California Consumer Privacy Act Regulations (CCPA)
    description: "The California Consumer Privacy Act of 2018 (CCPA) gives consumers\
      \ more control over the personal information that businesses collect about them\
      \ and the CCPA regulations provide guidance on how to implement the law. Effective\
      \ 1/1/2024 \u2013 AB 947 and AB 1194 updates\nhttps://cppa.ca.gov/regulations/pdf/cppa_regs.pdf"
    requirement_nodes:
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:chapter-1
      assessable: false
      depth: 1
      ref_id: CHAPTER 1
      name: ' CALIFORNIA CONSUMER PRIVACY ACT REGULATIONS'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:article-1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:chapter-1
      ref_id: ARTICLE 1
      name: GENERAL PROVISIONS
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7000
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-1
      ref_id: '7000'
      name: Title and Scope.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7000-a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7000
      ref_id: 7000-a
      description: "This Chapter shall be known as the California Consumer Privacy\
        \ Act Regulations. It may be  cited as such and will be referred to in this\
        \ Chapter as \u201Cthese regulations.\u201D These  regulations govern compliance\
        \ with the California Consumer Privacy Act and do not limit  any other rights\
        \ that consumers may have."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7000-b
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7000
      ref_id: 7000-b
      description: A violation of these regulations shall constitute a violation of
        the CCPA and be subject to  the remedies provided for therein.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-1
      ref_id: '7001'
      name: Definitions.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7001
      description: 'In addition to the definitions set forth in Civil Code section
        1798.140, for purposes of these  regulations:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-a
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-a
      description: " \u201CAgency\u201D means the California Privacy Protection Agency\
        \ established by Civil Code section  1798.199.10 et seq."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-b
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-b
      description: "\u201CAlternative Opt-out Link\u201D means the alternative opt-out\
        \ link that a business may provide  instead of posting the two separate \u201C\
        Do Not Sell or Share My Personal Information\u201D and  \u201CLimit the Use\
        \ of My Sensitive Personal Information\u201D links as set forth in Civil Code\
        \ section  1798.135, subdivision (a)(3), and specified in section 7015."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-c
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-c
      description: "\u201CAttorney General\u201D means the California Attorney General\
        \ or any officer or employee of  the California Department of Justice acting\
        \ under the authority of the California Attorney  General."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-d
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-d
      description: "\u201CAuthorized agent\u201D means a natural person or a business\
        \ entity that a consumer has  authorized to act on their behalf subject to\
        \ the requirements set forth in section 7063."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-e
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-e
      description: "\u201CCategories of sources\u201D means types or groupings of\
        \ persons or entities from which a  business collects personal information\
        \ about consumers, described with enough  particularity to provide consumers\
        \ with a meaningful understanding of the type of person  or entity. They may\
        \ include the consumer directly, advertising networks, internet service  providers,\
        \ data analytics providers, government entities, operating systems and platforms,\
        \  social networks, and data brokers."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-f
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-f
      description: "\u201CCategories of third parties\u201D means types or groupings\
        \ of third parties with whom the  business shares personal information, described\
        \ with enough particularity to provide  CPPA  Page 4 of 67  consumers with\
        \ a meaningful understanding of the type of third party. They may include\
        \  advertising networks, internet service providers, data analytics providers,\
        \ government  entities, operating systems and platforms, social networks,\
        \ and data brokers."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-g
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-g
      description: "\u201CCCPA\u201D means the California Consumer Privacy Act of\
        \ 2018, Civil Code section 1798.100 et  seq."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-h
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-h
      description: "\u201CCOPPA\u201D means the Children\u2019s Online Privacy Protection\
        \ Act, 15 U.S.C. sections 6501 to  6506 and 16 Code of Federal Regulations\
        \ part 312."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-i
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-i
      description: " \u201CDisproportionate effort\u201D within the context of a business,\
        \ service provider, contractor, or  third party responding to a consumer request\
        \ means the time and/or resources expended  by the business, service provider,\
        \ contractor, or third party to respond to the individualized  request significantly\
        \ outweighs the reasonably foreseeable impact to the consumer by not  responding,\
        \ taking into account applicable circumstances, such as the size of the business,\
        \  service provider, contractor, or third party, the nature of the request,\
        \ and the technical  limitations impacting their ability to respond. For example,\
        \ responding to a consumer  request to know may require disproportionate effort\
        \ when the personal information that is  the subject of the request is not\
        \ in a searchable or readily-accessible format, is maintained  only for legal\
        \ or compliance purposes, is not sold or used for any commercial purpose,\
        \ and  there is no reasonably foreseeable material impact to the consumer\
        \ by not responding. By  contrast, the impact to the consumer of denying a\
        \ request to correct inaccurate  information that the business uses and/or\
        \ sells may outweigh the burden on the business,  service provider, contractor,\
        \ or third party in honoring the request when the reasonably  foreseeable\
        \ consequence of denying the request would be the denial of services or  opportunities\
        \ to the consumer. A business, service provider, contractor, or third party\
        \ that  has failed to put in place adequate processes and procedures to receive\
        \ and process  consumer requests in accordance with the CCPA and these regulations\
        \ cannot claim that  responding to a consumer\u2019s request requires disproportionate\
        \ effort."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-j
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-j
      description: "\u201CEmployment benefits\u201D means retirement, health, and\
        \ other benefit programs, services, or  products to which consumers and their\
        \ dependents or their beneficiaries receive access  through the consumer\u2019\
        s employer."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-k
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-k
      description: "\u201CEmployment-related information\u201D means personal information\
        \ that is collected by the  business about a natural person for the reasons\
        \ identified in Civil Code section 1798.145,  subdivision (m)(1). The collection\
        \ of employment-related information, including for the  purpose of administering\
        \ employment benefits, shall be considered a business purpose."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-l
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-l
      description: "\u201CFinancial incentive\u201D means a program, benefit, or other\
        \ offering, including payments to  consumers, for the collection, retention,\
        \ sale, or sharing of personal information. Price or  service differences\
        \ are types of financial incentives."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-m
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-m
      description: "\u201CFirst party\u201D means a consumer-facing business with\
        \ which the consumer intends and  expects to interact."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-n
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-n
      description: "\u201CFrictionless manner\u201D means a business\u2019s processing\
        \ of an opt-out preference signal that  complies with the requirements set\
        \ forth in section 7025, subsection (f)."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-o
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-o
      description: "\u201CInformation practices\u201D means practices regarding the\
        \ collection, use, disclosure, sale,  sharing, and retention of personal information"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-p
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-p
      description: "\u201CNonbusiness\u201D means a person or entity that does not\
        \ meet the definition of a \u201Cbusiness\u201D  as defined in Civil Code\
        \ section 1798.140, subdivision (d). For example, non-profits and  government\
        \ entities are nonbusinesses because \u201Cbusiness\u201D is defined, among\
        \ other things,  to include only entities \u201Corganized or operated for\
        \ the profit or financial benefit of its  shareholders or other owners.\u201D"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-q
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-q
      description: "\u201CNotice at Collection\u201D means the notice given by a business\
        \ to a consumer at or before the  point at which a business collects personal\
        \ information from the consumer as required by  Civil Code section 1798.100,\
        \ subdivisions (a) and (b), and specified in these regulations."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-r
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-r
      description: "\u201CNotice of Right to Limit\u201D means the notice given by\
        \ a business informing consumers of  their right to limit the use or disclosure\
        \ of the consumer\u2019s sensitive personal information as  required by Civil\
        \ Code sections 1798.121 and 1798.135 and specified in these regulations."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-s
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-s
      description: " \u201CNotice of Right to Opt-out of Sale/Sharing\u201D means\
        \ the notice given by a business  informing consumers of their right to opt-out\
        \ of the sale or sharing of their personal  information as required by Civil\
        \ Code sections 1798.120 and 1798.135 and specified in  these regulations."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-t
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-t
      description: "\u201CNotice of Financial Incentive\u201D means the notice given\
        \ by a business explaining each  financial incentive or price or service difference\
        \ as required by Civil Code section 1798.125,  subdivision (b), and specified\
        \ in these regulations."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-u
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-u
      description: "\u201COpt-out preference signal\u201D means a signal that is sent\
        \ by a platform, technology, or  mechanism, on behalf of the consumer, that\
        \ communicates the consumer choice to opt-  out of the sale and sharing of\
        \ personal information and that complies with the  requirements set forth\
        \ in section 7025, subsection (b)."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-v
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-v
      description: "\u201CPrice or service difference\u201D means (1) any difference\
        \ in the price or rate charged for any goods or services to any consumer related\
        \ to the collection, retention, sale, or sharing of personal information,\
        \ or (2) any difference in the level or quality of any goods or services offered\
        \ to any consumer related to the collection, retention, sale, or sharing of\
        \ personal information, including the denial of goods or services to the consumer."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-w
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-w
      description: "\u201CPrivacy policy,\u201D as referred to in Civil Code sections\
        \ 1798.130, subdivision (a)(5), and  1798.135, subdivision (c)(2), means the\
        \ statement that a business shall make available to  consumers describing\
        \ the business\u2019s online and offline information practices, and the  rights\
        \ of consumers regarding their own personal information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-x
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-x
      description: "\u201CRequest to correct\u201D means a consumer request that a\
        \ business correct inaccurate  personal information that it maintains about\
        \ the consumer, pursuant to Civil Code section  1798.106."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-y
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-y
      description: "\u201CRequest to delete\u201D means a consumer request that a\
        \ business delete personal information  about the consumer that the business\
        \ has collected from the consumer, pursuant to Civil  Code section 1798.105."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-z
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-z
      description: "\u201CRequest to know\u201D means a consumer request that a business\
        \ disclose personal  information that it has collected about the consumer\
        \ pursuant to Civil Code sections  1798.110 or 1798.115. It includes a request\
        \ for any or all of the following:"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-z.1
      assessable: false
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-z
      ref_id: 7001-z.1
      description: Specific pieces of personal information that a business has collected
        about the  consumer;
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-z.2
      assessable: false
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-z
      ref_id: 7001-z.2
      description: Categories of personal information it has collected about the consumer;
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-z.3
      assessable: false
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-z
      ref_id: 7001-z.3
      description: Categories of sources from which the personal information is collected;
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-z.4
      assessable: false
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-z
      ref_id: 7001-z.4
      description: Categories of personal information that the business sold or disclosed
        for a business purpose about the consumer;
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-z.5
      assessable: false
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-z
      ref_id: 7001-z.5
      description: Categories of third parties to whom the personal information was
        sold or disclosed for a business purpose; and
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-z.6
      assessable: false
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-z
      ref_id: 7001-z.6
      description: The business or commercial purpose for collecting or selling personal
        information.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-aa
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-aa
      description: "\u201CRequest to limit\u201D means a consumer request that a business\
        \ limit the use and  disclosure of the consumer\u2019s sensitive personal\
        \ information, pursuant to Civil Code  section 1798.121, subdivision (a)."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-bb
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-bb
      description: "\u201CRequest to opt-in to sale/sharing\u201D means an action\
        \ demonstrating that the  consumer has consented to the business\u2019s sale\
        \ or sharing of personal information  about the consumer by a parent or guardian\
        \ of a consumer less than 13 years of  age or by a consumer at least 13 years\
        \ of age."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-cc
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-cc
      description: "\u201CRequest to opt-out of sale/sharing\u201D means a consumer\
        \ request that a business  neither sell nor share the consumer\u2019s personal\
        \ information to third parties,  pursuant to Civil Code section 1798.120,\
        \ subdivision (a)."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-dd
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-dd
      description: "\u201CRight to correct\u201D means the consumer\u2019s right to\
        \ request that a business correct  inaccurate personal information that it\
        \ maintains about the consumer as set forth  in Civil Code section 1798.106."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-ee
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-ee
      description: "\u201CRight to delete\u201D means the consumer\u2019s right to\
        \ request that a business delete any  personal information about the consumer\
        \ that the business has collected from the  consumer as set forth in Civil\
        \ Code section 1798.105."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-ff
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-ff
      description: "\u201CRight to know\u201D means the consumer\u2019s right to request\
        \ that a business disclose  personal information that it has collected, sold,\
        \ or shared about the consumer as  set forth in Civil Code sections 1798.110\
        \ and 1798.115."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-gg
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-gg
      description: "\u201CRight to limit\u201D means the consumer\u2019s right to\
        \ request that a business limit the use  and disclosure of a consumer\u2019\
        s sensitive personal information as set forth in Civil  Code section 1798.121."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-hh
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-hh
      description: "\u201CRight to opt-out of sale/sharing\u201D means the consumer\u2019\
        s right to direct a business  that sells or shares personal information about\
        \ the consumer to third parties to  stop doing so as set forth in Civil Code\
        \ section 1798.120."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-ii
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-ii
      description: "\u201CSigned\u201D means that the written attestation, declaration,\
        \ or permission has either  been physically signed or provided electronically\
        \ in accordance with the Uniform  Electronic Transactions Act, Civil Code\
        \ section 1633.1 et seq."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-jj
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-jj
      description: "\u201CThird-party identity verification service\u201D means a\
        \ security process offered by an  independent third party that verifies the\
        \ identity of the consumer making a request  to the business. Third-party\
        \ identity verification services are subject to the  requirements set forth\
        \ in Article 5 regarding requests to delete, requests to correct,  or requests\
        \ to know."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-kk
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-kk
      description: "\u201CUnstructured\u201D as it relates to personal information\
        \ means personal information  that is not organized in a pre-defined manner\
        \ and could not be retrieved or  organized in a pre-defined manner without\
        \ disproportionate effort on behalf of the  business, service provider, contractor,\
        \ or third party."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-ll
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-ll
      description: "\u201CValue of the consumer\u2019s data\u201D means the value\
        \ provided to the business by the  consumer\u2019s data as calculated under\
        \ section 7081."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7001-mm
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node8
      ref_id: 7001-mm
      description: "\u201CVerify\u201D means to determine that the consumer making\
        \ a request to delete,  request to correct, or request to know is the consumer\
        \ about whom the business  has collected information, or if that consumer\
        \ is less than 13 years of age, the  consumer\u2019s parent or legal guardian."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7002
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-1
      ref_id: '7002'
      name: Restrictions on the Collection and Use of Personal Information.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7002
      ref_id: 7002-a
      description: "In accordance with Civil Code section 1798.100, subdivision (c),\
        \ a business\u2019s collection, use,  retention, and/or sharing of a consumer\u2019\
        s personal information shall be reasonably  necessary and proportionate to\
        \ achieve:"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-a.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-a
      ref_id: 7002-a.1
      description: The purpose(s) for which the personal information was collected
        or processed, which  shall comply with the requirements set forth in subsection
        (b); or
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-a.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-a
      ref_id: 7002-a.2
      description: Another disclosed purpose that is compatible with the context in
        which the personal  information was collected, which shall comply with the
        requirements set forth in  subsection (c).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7002
      ref_id: 7002-b
      description: "The purpose(s) for which the personal information was collected\
        \ or processed shall be  consistent with the reasonable expectations of the\
        \ consumer(s) whose personal  information is collected or processed. The consumer\u2019\
        s (or consumers\u2019) reasonable  expectations concerning the purpose for\
        \ which their personal information will be collected  or processed shall be\
        \ based on the following:"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-b.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-b
      ref_id: 7002-b.1
      description: "The relationship between the consumer(s) and the business. For\
        \ example, if the  consumer is intentionally interacting with the business\
        \ on its website to purchase a  good or service, the consumer likely expects\
        \ that the purpose for collecting or  processing the personal information\
        \ is to provide that good or service. By contrast,  for example, the consumer\
        \ of a business\u2019s mobile flashlight application would not  expect the\
        \ business to collect the consumer\u2019s geolocation information to provide\
        \ the  flashlight service."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-b.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-b
      ref_id: 7002-b.2
      description: "The type, nature, and amount of personal information that the\
        \ business seeks to  collect or process. For example, if a business\u2019\
        s mobile communication application  requests access to the consumer\u2019\
        s contact list in order to call a specific individual, the  consumer who is\
        \ providing their contact list likely expects that the purpose of the  business\u2019\
        s use of that contact list will be to connect the consumer with the specific\
        \  contact they selected. Similarly, if a business collects the consumer\u2019\
        s fingerprint in  connection with setting up the security feature of unlocking\
        \ the device using the  fingerprint, the consumer likely expects that the\
        \ business\u2019s use of the consumer\u2019s  fingerprint is only for the\
        \ purpose of unlocking their mobile device."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-b.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-b
      ref_id: 7002-b.3
      description: "The source of the personal information and the business\u2019\
        s method for collecting or  processing it. For example, if the consumer is\
        \ providing their personal information  directly to the business while using\
        \ the business\u2019s product or service, the consumer  likely expects that\
        \ the business will use the personal information to provide that  product\
        \ or service. However, the consumer may not expect that the business will\
        \ use  that same personal information for a different product or service offered\
        \ by the  business or the business\u2019s subsidiary."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-b.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-b
      ref_id: 7002-b.4
      description: "The specificity, explicitness, prominence, and clarity of disclosures\
        \ to the consumer(s)  about the purpose for collecting or processing their\
        \ personal information, such as in  the Notice at Collection and in the marketing\
        \ materials to the consumer(s) about the  business\u2019s good or service.\
        \ For example, the consumer who receives a pop-up notice  that the business\
        \ wants to collect the consumer\u2019s phone number to verify their  identity\
        \ when they log in likely expects that the business will use their phone number\
        \  for the purpose of verifying the consumer\u2019s identity and not for marketing\
        \ purposes.  Similarly, the consumer may expect that a mobile application\
        \ that markets itself as a  service that finds gas prices near the consumer\u2019\
        s location will collect and use the  consumer\u2019s geolocation information\
        \ for that specific purpose when they are using  the service"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-b.5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-b
      ref_id: 7002-b.5
      description: "The degree to which the involvement of service providers, contractors,\
        \ third parties,  or other entities in the collecting or processing of personal\
        \ information is apparent to  CPPA  Page 9 of 67  the consumer(s). For example,\
        \ the consumer likely expects an online retailer\u2019s  disclosure of the\
        \ consumer\u2019s name and address to a delivery service provider in order\
        \  for that service provider to deliver a purchased product, because that\
        \ service  provider\u2019s involvement is apparent to the consumer. By contrast,\
        \ the consumer may  not expect the disclosure of personal information to a\
        \ service provider if the  consumer is not directly interacting with the service\
        \ provider or the service provider\u2019s  role in the processing is not apparent\
        \ to the consumer."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-c
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7002
      ref_id: 7002-c
      description: 'Whether another disclosed purpose is compatible with the context
        in which the personal  information was collected shall be based on the following:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-c.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-c
      ref_id: 7002-c.1
      description: At the time of collection of the personal information, the reasonable
        expectations of  the consumer(s) whose personal information is collected or
        processed concerning the  purpose for which their personal information will
        be collected or processed, based on  the factors set forth in subsection (b).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-c.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-c
      ref_id: 7002-c.2
      description: "The other disclosed purpose for which the business seeks to further\
        \ collect or process  the consumer\u2019s personal information, including\
        \ whether it is a business purpose  listed in Civil Code section 1798.140,\
        \ subdivisions (e)(1) through (e)(8)."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-c.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-c
      ref_id: 7002-c.3
      description: "The strength of the link between subsection (c)(1) and subsection\
        \ (c)(2). For example,  a strong link exists between the consumer\u2019s reasonable\
        \ expectations that the  personal information will be used to provide them\
        \ with a requested service at the  time of collection, and the use of the\
        \ information to repair errors that impair the  intended functionality of\
        \ that requested service. This would weigh in favor of  compatibility. By\
        \ contrast, for example, a weak link exists between the consumer\u2019s  reasonable\
        \ expectations that the personal information will be collected to provide\
        \ a  requested cloud storage service at the time of collection, and the use\
        \ of the  information to research and develop an unrelated facial recognition\
        \ service."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7002
      ref_id: 7002-d
      description: "For each purpose identified in compliance with subsection (a)(1)\
        \ or (a)(2), the collection,  use, retention, and/or sharing of a consumer\u2019\
        s personal information to achieve that  purpose shall be reasonably necessary\
        \ and proportionate. The business\u2019s collection, use,  retention, and/or\
        \ sharing of a consumer\u2019s personal information shall also be reasonably\
        \  necessary and proportionate to achieve any purpose for which the business\
        \ obtains the  consumer\u2019s consent in compliance with subsection (e).\
        \ Whether a business\u2019s collection,  use, retention, and/or sharing of\
        \ a consumer\u2019s personal information is reasonably  necessary and proportionate\
        \ to achieve the purpose identified in compliance with  subsection (a)(1)\
        \ or (a)(2), or any purpose for which the business obtains consent, shall\
        \ be  based on the following:"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-d.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-d
      ref_id: 7002-d.1
      description: "The minimum personal information that is necessary to achieve\
        \ the purpose  identified in compliance with subsection (a)(1) or (a)(2),\
        \ or any purpose for which the  business obtains consent. For example, to\
        \ complete an online purchase and send an  email confirmation of the purchase\
        \ to the consumer, an online retailer may need the  consumer\u2019s order\
        \ information, payment and shipping information, and email address."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-d.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-d
      ref_id: 7002-d.2
      description: "The possible negative impacts on consumers posed by the business\u2019\
        s collection or  processing of the personal information. For example, a possible\
        \ negative impact of  collecting precise geolocation information is that it\
        \ may reveal other sensitive  personal information about the consumer, such\
        \ as health information based on visits  to healthcare providers."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-d.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-d
      ref_id: 7002-d.3
      description: The existence of additional safeguards for the personal information
        to specifically  address the possible negative impacts on consumers considered
        by the business in  subsection (d)(2). For example, a business may consider
        encryption or automatic  deletion of personal information within a specific
        window of time as potential  safeguards
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-e
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7002
      ref_id: 7002-e
      description: "A business shall obtain the consumer\u2019s consent in accordance\
        \ with section 7004 before  collecting or processing personal information\
        \ for any purpose that does not meet the  requirements set forth in subsection\
        \ (a)."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7002-f
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7002
      ref_id: 7002-f
      description: A business shall not collect categories of personal information
        other than those disclosed  in its Notice at Collection in accordance with
        the CCPA and section 7012. If the business  intends to collect additional
        categories of personal information or intends to use the  personal information
        for additional purposes that are incompatible with the disclosed  purpose
        for which the personal information was collected, the business shall provide
        a new  Notice at Collection. However, any additional collecting or processing
        of personal  information shall comply with subsection (a).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7003
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-1
      ref_id: '7003'
      name: Requirements for Disclosures and Communications to Consumers
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7003-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7003
      ref_id: 7003-a
      description: Disclosures and communications to consumers shall be easy to read
        and understandable to  consumers. For example, they shall use plain, straightforward
        language and avoid technical  or legal jargon.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7003-b
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7003
      ref_id: 7003-b
      description: 'Disclosures required under Article 2 shall also:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7003-b.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7003-b
      ref_id: 7003-b.1
      description: Use a format that makes the disclosure readable, including on smaller
        screens, if  applicable.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7003-b.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7003-b
      ref_id: 7003-b.2
      description: Be available in the languages in which the business in its ordinary
        course provides  contracts, disclaimers, sale announcements, and other information
        to consumers in  California.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7003-b.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7003-b
      ref_id: 7003-b.3
      description: Be reasonably accessible to consumers with disabilities. For notices
        provided online,  the business shall follow generally recognized industry
        standards, such as the Web  Content Accessibility Guidelines, version 2.1
        of June 5, 2018, from the World Wide  Web Consortium, incorporated herein
        by reference. In other contexts, the business  shall provide information on
        how a consumer with a disability may access the policy in  an alternative
        format.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7003-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7003
      ref_id: 7003-c
      description: For websites, a conspicuous link required under the CCPA or these
        regulations shall appear  in a similar manner as other similarly-posted links
        used by the business on its homepage(s).  For example, the business shall
        use a font size and color that is at least the approximate  size or color
        as other links next to it that are used by the business on its homepage(s).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7003-d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7003
      ref_id: 7003-d
      description: "For mobile applications, a conspicuous link shall be included\
        \ in the business\u2019s privacy  policy, which must be accessible through\
        \ the mobile application\u2019s platform page or  download page. It may also\
        \ be accessible through a link within the application, such as  through the\
        \ application\u2019s settings menu."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7004
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-1
      ref_id: '7004'
      name: Requirements for Methods for Submitting CCPA Requests and Obtaining Consumer  Consent
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7004
      ref_id: 7004-a
      description: Except as expressly allowed by the CCPA and these regulations,
        businesses shall design and  implement methods for submitting CCPA requests
        and obtaining consumer consent that  incorporate the following principles.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a
      ref_id: 7004-a.1
      description: Easy to understand. The methods shall use language that is easy
        for consumers to  read and understand. When applicable, they shall comply
        with the requirements for  disclosures to consumers set forth in section 7003.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a
      ref_id: 7004-a.2
      description: "Symmetry in choice. The path for a consumer to exercise a more\
        \ privacy-protective  option shall not be longer or more difficult or time-consuming\
        \ than the path to  exercise a less privacy-protective option because that\
        \ would impair or interfere with  the consumer\u2019s ability to make a choice.\
        \ Illustrative examples follow."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.2.a
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.2
      ref_id: 7004-a.2.A
      description: "It is not symmetrical when a business\u2019s process for submitting\
        \ a request to opt-  out of sale/sharing requires more steps than that business\u2019\
        s process for a  consumer to opt-in to the sale of personal information after\
        \ having previously  opted out. The number of steps for submitting a request\
        \ to opt-out of  sale/sharing is measured from when the consumer clicks on\
        \ the \u201CDo Not Sell or  Share My Personal Information\u201D link to completion\
        \ of the request. The number  of steps for submitting a request to opt-in\
        \ to the sale of personal information is  measured from the first indication\
        \ by the consumer to the business of their  interest to opt-in to completion\
        \ of the request."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.2.b
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.2
      ref_id: 7004-a.2.B
      description: "A choice to opt-in to the sale of personal information that provides\
        \ only the two  options, \u201CYes\u201D and \u201CAsk me later,\u201D is\
        \ not equal or symmetrical because there is  no option to decline the opt-in.\
        \ \u201CAsk me later\u201D implies that the consumer has not  declined but\
        \ delayed the decision and that the business will continue to ask the  consumer\
        \ to opt-in. Framing the consumer\u2019s options in this manner impairs the\
        \  CPPA  Page 12 of 67  consumer\u2019s ability to make a choice. An equal\
        \ or symmetrical choice could be  between \u201CYes\u201D and \u201CNo.\u201D"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.2.c
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.2
      ref_id: 7004-a.2.C
      description: "A website banner that provides only the two options, \u201CAccept\
        \ All\u201D and \u201CMore  Information,\u201D or, \u201CAccept All\u201D\
        \ and \u201CPreferences,\u201D when seeking the consumer\u2019s  consent to\
        \ use their personal information is not equal or symmetrical because  the\
        \ method allows the consumer to \u201CAccept All\u201D in one step, but requires\
        \ the  consumer to take additional steps to exercise their rights over their\
        \ personal  information. Framing the consumer\u2019s options in this manner\
        \ impairs the  consumer\u2019s ability to make a choice. An equal or symmetrical\
        \ choice could be  between \u201CAccept All\u201D and \u201CDecline All.\u201D"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a
      ref_id: 7004-a.3
      description: "Avoid language or interactive elements that are confusing to the\
        \ consumer. The  methods should not use double negatives. Toggles or buttons\
        \ must clearly indicate the  consumer\u2019s choice. Illustrative examples\
        \ follow."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.3.a
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.3
      ref_id: 7004-a.3.A
      description: "Giving the choice of \u201CYes\u201D or \u201CNo\u201D next to\
        \ the statement \u201CDo Not Sell or Share  My Personal Information\u201D\
        \ is a double negative and a confusing choice for a  consumer."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.3.b
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.3
      ref_id: 7004-a.3.B
      description: "Toggles or buttons that state \u201Con\u201D or \u201Coff\u201D\
        \ may be confusing to a consumer and  may require further clarifying language."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.3.c
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.3
      ref_id: 7004-a.3.C
      description: "Unintuitive placement of buttons to confirm a consumer\u2019s\
        \ choice may be  confusing to the consumer. For example, it is confusing to\
        \ the consumer when a  business at first consistently offers choices in the\
        \ order of \u201CYes,\u201D then \u201CNo,\u201D but  then offers choices\
        \ in the opposite order\u2014  \u201CNo,\u201D then \u201CYes\u201D  \u2014\
        when asking the  consumer something that would contravene the consumer\u2019\
        s expectation."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a
      ref_id: 7004-a.4
      description: "Avoid choice architecture that impairs or interferes with the\
        \ consumer\u2019s ability to  make a choice. Businesses should also not design\
        \ their methods in a manner that  would impair the consumer\u2019s ability\
        \ to exercise their choice because consent must be  freely given, specific,\
        \ informed, and unambiguous. Illustrative examples follow."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.4.a
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.4
      ref_id: 7004-a.4.A
      description: "Requiring the consumer to click through disruptive screens before\
        \ they are able  to submit a request to opt-out of sale/sharing is a choice\
        \ architecture that  impairs or interferes with the consumer\u2019s ability\
        \ to exercise their choice"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.4.b
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.4
      ref_id: 7004-a.4.B
      description: "Bundling choices so that the consumer is only offered the option\
        \ to consent to  using personal information for purposes that meet the requirements\
        \ set forth in  section 7002, subsection (a), together with purposes that\
        \ are incompatible with  the context in which the personal information was\
        \ collected is a choice  architecture that impairs or interferes with the\
        \ consumer\u2019s ability to make a  choice. For example, a business that\
        \ provides a location-based service, such as a  mobile application that finds\
        \ gas prices near the consumer\u2019s location, shall not  CPPA  Page 13 of\
        \ 67  require the consumer to consent to incompatible uses (e.g., sale of\
        \ the  consumer\u2019s geolocation to data brokers) together with a reasonably\
        \ necessary  and proportionate use of geolocation information for providing\
        \ the location-  based services, which does not require consent. This type\
        \ of choice architecture  does not allow consent to be freely given, specific,\
        \ informed, or unambiguous  because it requires the consumer to consent to\
        \ incompatible uses in order to  obtain the expected service. The business\
        \ should provide the consumer a  separate option to consent to the business\u2019\
        s use of personal information that  does not meet the requirements set forth\
        \ in section 7002, subsection (a)."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a
      ref_id: 7004-a.5
      description: "Easy to execute. The business shall not add unnecessary burden\
        \ or friction to the  process by which the consumer submits a CCPA request.\
        \ Methods should be tested to  ensure that they are functional and do not\
        \ undermine the consumer\u2019s choice to  submit the request. Illustrative\
        \ examples follow."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.5.a
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.5
      ref_id: 7004-a.5.A
      description: "Upon clicking the \u201CDo Not Sell or Share My Personal Information\u201D\
        \ link, the  business shall not require the consumer to search or scroll through\
        \ the text of a  privacy policy or similar document or webpage to locate the\
        \ mechanism for  submitting a request to opt-out of sale/sharing."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.5.b
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.5
      ref_id: 7004-a.5.B
      description: A business that knows of, but does not remedy, circular or broken
        links, or  nonfunctional email addresses, such as inboxes that are not monitored
        or have  aggressive filters that screen emails from the public, may be in
        violation of this  regulation.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.5.c
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-a.5
      ref_id: 7004-a.5.C
      description: Businesses that require the consumer to unnecessarily wait on a
        webpage as the  business processes the request may be in violation of this
        regulation.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7004
      ref_id: 7004-b
      description: "A method that does not comply with subsection (a) may be considered\
        \ a dark pattern. Any  agreement obtained through the use of dark patterns\
        \ shall not constitute consumer  consent. For example, a business that uses\
        \ dark patterns to obtain consent from a  consumer to sell their personal\
        \ information shall be in the position of never having  obtained the consumer\u2019\
        s consent to do so."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7004-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7004
      ref_id: 7004-c
      description: "A user interface is a dark pattern if the interface has the effect\
        \ of substantially subverting  or impairing user autonomy, decisionmaking,\
        \ or choice. A business\u2019s intent in designing the  interface is not determinative\
        \ in whether the user interface is a dark pattern, but a factor  to be considered.\
        \ If a business did not intend to design the user interface to subvert or\
        \  impair user choice, but the business knows of and does not remedy a user\
        \ interface that  has that effect, the user interface may still be a dark\
        \ pattern. Similarly, a business\u2019s  deliberate ignorance of the effect\
        \ of its user interface may also weigh in favor of  establishing a dark pattern."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:article-2
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:chapter-1
      ref_id: ARTICLE 2
      name: REQUIRED DISCLOSURES TO CONSUMERS
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7010
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-2
      ref_id: '7010'
      name: Overview of Required Disclosures.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7010-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7010
      ref_id: 7010-a
      description: Every business that must comply with the CCPA and these regulations
        shall provide a  privacy policy in accordance with the CCPA and section 7011.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7010-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7010
      ref_id: 7010-b
      description: "A business that controls the collection of a consumer\u2019s personal\
        \ information from a  consumer shall provide a Notice at Collection in accordance\
        \ with the CCPA and section  7012."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7010-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7010
      ref_id: 7010-c
      description: Except as set forth in section 7025, subsection (g), a business
        that sells or shares personal  information shall provide a Notice of Right
        to Opt-out of Sale/Sharing or the Alternative  Opt-out Link in accordance
        with the CCPA and sections 7013 and 7015.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7010-d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7010
      ref_id: 7010-d
      description: "A business that uses or discloses a consumer\u2019s sensitive\
        \ personal information for purposes  other than those specified in section\
        \ 7027, subsection (m), shall provide a Notice of Right  to Limit or the Alternative\
        \ Opt-out Link in accordance with the CCPA and sections 7014 and  7015."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7010-e
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7010
      ref_id: 7010-e
      description: A business that offers a financial incentive or price or service
        difference shall provide a  Notice of Financial Incentive in accordance with
        the CCPA and section 7016.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-2
      ref_id: '7011'
      name: Privacy Policy.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011
      ref_id: 7011-a
      description: "The purpose of the privacy policy is to provide consumers with\
        \ a comprehensive  description of a business\u2019s online and offline information\
        \ practices. It shall also inform  consumers about the rights they have regarding\
        \ their personal information and provide  any information necessary for them\
        \ to exercise those rights."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011
      ref_id: 7011-b
      description: The privacy policy shall comply with section 7003, subsections
        (a) and (b).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011
      ref_id: 7011-c
      description: The privacy policy shall be available in a format that allows a
        consumer to print it out as a  document.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011
      ref_id: 7011-d
      description: "The privacy policy shall be posted online and accessible through\
        \ a conspicuous link that  complies with section 7003, subsections (c) and\
        \ (d), using the word \u201Cprivacy\u201D on the  business\u2019s website\
        \ homepage(s) or on the download or landing page of a mobile  application.\
        \ If the business has a California-specific description of consumers\u2019\
        \ privacy rights  on its website, then the privacy policy shall be included\
        \ in that description. A business that  CPPA  Page 15 of 67  does not operate\
        \ a website shall make the privacy policy conspicuously available to  consumers.\
        \ A mobile application may include a link to the privacy policy in the application\u2019\
        s  settings menu."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011
      ref_id: 7011-e
      description: 'The privacy policy shall include the following information:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e
      ref_id: 7011-e.1
      description: "A comprehensive description of the business\u2019s online and\
        \ offline information  practices, which includes the following:"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1.a
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1
      ref_id: 7011-e.1.A
      description: Identification of the categories of personal information the business
        has  collected about consumers in the preceding 12 months. The categories
        shall be  described using the specific terms set forth in Civil Code section
        1798.140,  subdivisions (v)(1)(A) to (K) and (ae)(1) to (2). To the extent
        that the business  has discretion in its description, the business shall describe
        the category in a  manner that provides consumers a meaningful understanding
        of the  information being collected
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1.b
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1
      ref_id: 7011-e.1.B
      description: Identification of the categories of sources from which the personal
        information  is collected.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1.c
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1
      ref_id: 7011-e.1.C
      description: ' Identification of the specific business or commercial purpose
        for collecting  personal information from consumers. The purpose shall be
        described in a  manner that provides consumers a meaningful understanding
        of why the  information is collected.'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1.d
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1
      ref_id: 7011-e.1.D
      description: "Identification of the categories of personal information, if any,\
        \ that the business  has sold or shared to third parties in the preceding\
        \ 12 months. If the business  has not sold or shared consumers\u2019 personal\
        \ information in the preceding 12  months, the business shall disclose that\
        \ fact."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1.e
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1
      ref_id: 7011-e.1.E
      description: For each category of personal information identified in subsection
        (e)(1)(D), the  categories of third parties to whom the information was sold
        or shared.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1.f
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1
      ref_id: 7011-e.1.F
      description: "Identification of the specific business or commercial purpose\
        \ for selling or  sharing consumers\u2019 personal information. The purpose\
        \ shall be described in a  manner that provides consumers a meaningful understanding\
        \ of why the  information is sold or shared."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1.g
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1
      ref_id: 7011-e.1.G
      description: A statement regarding whether the business has actual knowledge
        that it sells  or shares the personal information of consumers under 16 years
        of age.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1.h
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1
      ref_id: 7011-e.1.H
      description: "Identification of the categories of personal information, if any,\
        \ that the business  has disclosed for a business purpose to third parties\
        \ in the preceding 12  months. If the business has not disclosed consumers\u2019\
        \ personal information for a  business purpose in the preceding 12 months,\
        \ the business shall disclose that  fact."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1.i
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1
      ref_id: 7011-e.1.I
      description: For each category of personal information identified in subsection
        (e)(1)(H), the  categories of third parties to whom the information was disclosed.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1.j
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1
      ref_id: 7011-e.1.J
      description: "Identification of the specific business or commercial purpose\
        \ for disclosing the  consumer\u2019s personal information. The purpose shall\
        \ be described in a manner  that provides consumers a meaningful understanding\
        \ of why the information is  disclosed."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1.k
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.1
      ref_id: 7011-e.1.K
      description: A statement regarding whether the business uses or discloses sensitive
        personal  information for purposes other than those specified in section 7027,
        subsection  (m).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e
      ref_id: 7011-e.2
      description: 'An explanation of the rights that the CCPA confers on consumers
        regarding their  personal information, which includes all of the following:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.2.a
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.2
      ref_id: 7011-e.2.A
      description: The right to know what personal information the business has collected
        about  the consumer, including the categories of personal information, the
        categories  of sources from which the personal information is collected, the
        business or  commercial purpose for collecting, selling, or sharing personal
        information, the  categories of third parties to whom the business discloses
        personal information,  and the specific pieces of personal information the
        business has collected about  the consumer.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.2.b
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.2
      ref_id: 7011-e.2.B
      description: The right to delete personal information that the business has
        collected from  the consumer, subject to certain exceptions.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.2.c
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.2
      ref_id: 7011-e.2.C
      description: The right to correct inaccurate personal information that a business
        maintains  about a consumer.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.2.d
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.2
      ref_id: 7011-e.2.D
      description: If the business sells or shares personal information, the right
        to opt-out of the  sale or sharing of their personal information by the business.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.2.e
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.2
      ref_id: 7011-e.2.E
      description: If the business uses or discloses sensitive personal information
        for reasons  other than those set forth in section 7027, subsection (m), the
        right to limit the  use or disclosure of sensitive personal information by
        the business.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.2.f
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.2
      ref_id: 7011-e.2.F
      description: "The right not to receive discriminatory treatment by the business\
        \ for the  exercise of privacy rights conferred by the CCPA, including an\
        \ employee\u2019s,  applicant\u2019s, or independent contractor\u2019s right\
        \ not to be retaliated against for  the exercise of their CCPA rights."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e
      ref_id: 7011-e.3
      description: 'An explanation of how consumers can exercise their CCPA rights
        and what consumers  can expect from that process, which includes all of the
        following:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3.a
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3
      ref_id: 7011-e.3.A
      description: An explanation of the methods by which the consumer can exercise
        their CCPA  rights.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3.b
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3
      ref_id: 7011-e.3.B
      description: Instructions for submitting a request under the CCPA, including
        any links to an  online request form or portal for making such a request,
        if offered by the  business.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3.c
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3
      ref_id: 7011-e.3.C
      description: If the business sells or shares personal information, and is required
        to provide a  Notice of Right to Opt-out of Sale/Sharing, the contents of
        the Notice of Right to  Opt-out of Sale/Sharing or a link to that notice in
        accordance with section 7013,  subsection (f).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3.d
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3
      ref_id: 7011-e.3.D
      description: If the business uses or discloses sensitive personal information
        for purposes  other than those specified in section 7027, subsection (m),
        and is required to  provide a Notice of Right to Limit, the contents of the
        Notice of Right to Limit or  a link to that notice in accordance with section
        7014, subsection (f).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3.e
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3
      ref_id: 7011-e.3.E
      description: A general description of the process the business uses to verify
        a consumer  request to know, request to delete, and request to correct, when
        applicable,  including any information the consumer must provide.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3.f
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3
      ref_id: 7011-e.3.F
      description: Explanation of how an opt-out preference signal will be processed
        for the  consumer (i.e., whether the signal applies to the device, browser,
        consumer  account, and/or offline sales, and in what circumstances) and how
        the  consumer can use an opt-out preference signal.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3.g
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3
      ref_id: 7011-e.3.G
      description: If the business processes opt-out preference signals in a frictionless
        manner,  information on how consumers can implement opt-out preference signals
        for  the business to process in a frictionless manner.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3.h
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3
      ref_id: 7011-e.3.H
      description: "Instructions on how an authorized agent can make a request under\
        \ the CCPA on  the consumer\u2019s behalf."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3.i
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3
      ref_id: 7011-e.3.I
      description: If the business has actual knowledge that it sells the personal
        information of  consumers under 16 years of age, a description of the processes
        required by  sections 7070 and 7071.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3.j
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.3
      ref_id: 7011-e.3.J
      description: "A contact for questions or concerns about the business\u2019s\
        \ privacy policies and  information practices using a method reflecting the\
        \ manner in which the  business primarily interacts with the consumer."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e
      ref_id: 7011-e.4
      description: Date the privacy policy was last updated.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e.5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7011-e
      ref_id: 7011-e.5
      description: ' If subject to the data reporting requirements set forth in section
        7102, the  information required under section 7102, or a link to that information.'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-2
      ref_id: '7012'
      name: Notice at Collection of Personal Information.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012
      ref_id: 7012-a
      description: "The purpose of the Notice at Collection is to provide consumers\
        \ with timely notice, at or  before the point of collection, about the categories\
        \ of personal information to be collected  from them, the purposes for which\
        \ the personal information is collected or used, and  whether that information\
        \ is sold or shared, so that consumers have a tool to exercise  CPPA  Page\
        \ 18 of 67  meaningful control over the business\u2019s use of their personal\
        \ information. For example,  upon receiving the Notice at Collection, the\
        \ consumer can use the information in the  notice as a tool to choose whether\
        \ to engage with the business, or to direct the business  not to sell or share\
        \ their personal information and to limit the use and disclosure of their\
        \  sensitive personal information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012
      ref_id: 7012-b
      description: The Notice at Collection shall comply with section 7003, subsections
        (a) and (b).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012
      ref_id: 7012-c
      description: The Notice at Collection shall be made readily available where
        consumers will encounter it  at or before the point of collection of any personal
        information. Illustrative examples  follow.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-c.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-c
      ref_id: 7012-c.1
      description: "When a business collects consumers\u2019 personal information\
        \ online, it may post a  conspicuous link to the notice on the introductory\
        \ page of the business\u2019s website and  on all webpages where personal\
        \ information is collected."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-c.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-c
      ref_id: 7012-c.2
      description: "When a business collects consumers\u2019 personal information\
        \ through a webform, it may  post a conspicuous link to the notice in close\
        \ proximity to the fields in which the  consumer inputs their personal information,\
        \ or in close proximity to the button by  which the consumer submits their\
        \ personal information to the business."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-c.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-c
      ref_id: 7012-c.3
      description: "When a business collects personal information through a mobile\
        \ application, it may  provide a link to the notice on the mobile application\u2019\
        s download page and within the  application, such as through the application\u2019\
        s settings menu."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-c.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-c
      ref_id: 7012-c.4
      description: "When a business collects consumers\u2019 personal information\
        \ offline, it may include the  notice on printed forms that collect personal\
        \ information, provide the consumer with  a paper version of the notice, or\
        \ post prominent signage directing consumers to where  the notice can be found\
        \ online."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-c.5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-c
      ref_id: 7012-c.5
      description: When a business collects personal information over the telephone
        or in person, it may  provide the notice orally.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012
      ref_id: 7012-d
      description: If a business does not give the Notice at Collection to the consumer
        at or before the point  of collection of their personal information, the business
        shall not collect personal  information from the consumer.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-e
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012
      ref_id: 7012-e
      description: 'A business shall include the following in its Notice at Collection:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-e.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-e
      ref_id: 7012-e.1
      description: A list of the categories of personal information about consumers,
        including categories  of sensitive personal information, to be collected.
        Each category of personal  information shall be written in a manner that provides
        consumers a meaningful  understanding of the information being collected.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-e.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-e
      ref_id: 7012-e.2
      description: The purpose(s) for which the categories of personal information,
        including categories  of sensitive personal information, are collected and
        used.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-e.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-e
      ref_id: 7012-e.3
      description: Whether each category of personal information identified in subsection
        (e)(1) is sold  or shared.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-e.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-e
      ref_id: 7012-e.4
      description: The length of time the business intends to retain each category
        of personal  information identified in subsection (e)(1), or if that is not
        possible, the criteria used to  determine the period of time it will be retained.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-e.5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-e
      ref_id: 7012-e.5
      description: If the business sells or shares personal information, the link
        to the Notice of Right to  Opt-out of Sale/Sharing, or in the case of offline
        notices, where the webpage can be  found online.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-e.6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-e
      ref_id: 7012-e.6
      description: "A link to the business\u2019s privacy policy, or in the case of\
        \ offline notices, where the  privacy policy can be found online."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-f
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012
      ref_id: 7012-f
      description: "If a business collects personal information from a consumer online,\
        \ the Notice at Collection  may be given to the consumer by providing a link\
        \ that takes the consumer directly to the  specific section of the business\u2019\
        s privacy policy that contains the information required in  subsection (e)(1)\
        \ through (6). Directing the consumer to the beginning of the privacy  policy,\
        \ or to another section of the privacy policy that does not contain the required\
        \  information, so that the consumer is required to scroll through other information\
        \ in order  to determine the categories of personal information to be collected\
        \ and/or whether the  business sells or shares the personal information collected,\
        \ does not satisfy this standard."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-g
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012
      ref_id: 7012-g
      description: "Third Parties that Control the Collection of Personal Information.\
        \ This subsection shall not  affect the first party\u2019s obligations under\
        \ the CCPA to comply with a consumer\u2019s request to  opt-out of sale/sharing."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-g.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-g
      ref_id: 7012-g.1
      description: "For purposes of giving Notice at Collection, more than one business\
        \ may control the  collection of a consumer\u2019s personal information, and\
        \ thus, have an obligation to  provide a Notice at Collection in accordance\
        \ with the CCPA and these regulations. For  example, a first party may allow\
        \ another business, acting as a third party, to control  the collection of\
        \ personal information from consumers browsing the first party\u2019s  website.\
        \ Both the first party that allows the third parties to collect personal \
        \ information via its website, as well as the third party controlling the\
        \ collection of  personal information, shall provide a Notice at Collection.\
        \ The first party and third  parties may provide a single Notice at Collection\
        \ that includes the required  information about their collective information\
        \ practices."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-g.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-g
      ref_id: 7012-g.2
      description: "A business that, acting as a third party, controls the collection\
        \ of personal  information on another business\u2019s physical premises, such\
        \ as in a retail store or in a  vehicle, shall provide a Notice at Collection\
        \ in a conspicuous manner at the physical  location(s) where it is collecting\
        \ the personal information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-g.3
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-g
      ref_id: 7012-g.3
      description: Illustrative examples follow.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-g.3.a
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-g.3
      ref_id: 7012-g.3.A
      description: "Business F allows Business G, a third party ad network, to collect\
        \ consumers\u2019  personal information through Business F\u2019s website.\
        \ Business F may post a  conspicuous link to its Notice at Collection on its\
        \ homepage(s). Business G shall  provide a Notice at Collection on its homepage(s)\
        \ or include the required  information about its information practices in\
        \ Business F\u2019s Notice at Collection."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-g.3.b
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-g.3
      ref_id: 7012-g.3.B
      description: "Business H, a coffee shop, allows Business I, a business providing\
        \ Wi-Fi services,  to collect personal information from consumers using Business\
        \ I\u2019s services on  Business H\u2019s premises. Business H may post conspicuous\
        \ signage at the  entrance of the store or at the point-of-sale directing\
        \ consumers to where the  Notice at Collection for Business H can be found\
        \ online. In addition, Business I  shall post its own Notice at Collection\
        \ on the first webpage or other interface  consumers see before connecting\
        \ to the Wi-Fi services offered."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-g.3.c
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-g.3
      ref_id: 7012-g.3.C
      description: "Business J, a car rental business, allows Business K to collect\
        \ personal  information from consumers within the vehicles Business J rents\
        \ to consumers.  Business J may give its Notice at Collection to the consumer\
        \ at the point of sale  (i.e., at the rental counter) either in writing or\
        \ orally. Business K may provide its  own Notice at Collection within the\
        \ vehicle, such as through signage on the  vehicle\u2019s dashboard directing\
        \ consumers to where the notice can be found  online."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-h
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012
      ref_id: 7012-h
      description: "A business that neither collects nor controls the collection of\
        \ personal information directly  from the consumer does not need to provide\
        \ a Notice at Collection to the consumer if it  neither sells nor shares the\
        \ consumer\u2019s personal information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7012-i
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7012
      ref_id: 7012-i
      description: A data broker registered with the Attorney General pursuant to
        Civil Code section  1798.99.80 et seq. that collects personal information
        from a source other than directly  from the consumer does not need to provide
        a Notice at Collection to the consumer if it  has included in its registration
        submission a link to its online privacy policy that includes  instructions
        on how a consumer can submit a request to opt-out of sale/sharing.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7013
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-2
      ref_id: '7013'
      name: "Notice of Right to Opt-out of Sale/Sharing and the \u201CDo Not Sell\
        \ or Share My Personal  Information\u201D Link."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7013
      ref_id: 7013-a
      description: "The purpose of the Notice of Right to Opt-out of Sale/Sharing\
        \ is to inform consumers of  their right to direct a business that sells or\
        \ shares their personal information to stop selling  or sharing their personal\
        \ information and to provide them with the opportunity to exercise  that right.\
        \ The purpose of the \u201CDo Not Sell or Share My Personal Information\u201D\
        \ link is to  immediately effectuate the consumer\u2019s right to opt-out\
        \ of sale/sharing, or in the  alternative, direct the consumer to the Notice\
        \ of Right to Opt-out of Sale/Sharing.  Accordingly, clicking the business\u2019\
        s \u201CDo Not Sell or Share My Personal Information\u201D link will  either\
        \ have the immediate effect of opting the consumer out of the sale or sharing\
        \ of  personal information or lead the consumer to a webpage where the consumer\
        \ can learn  about and make that choice."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7013
      ref_id: 7013-b
      description: The Notice of Right to Opt-out of Sale/Sharing shall comply with
        section 7003, subsections  (a) and (b).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7013
      ref_id: 7013-c
      description: "The \u201CDo Not Sell or Share My Personal Information\u201D link\
        \ shall be a conspicuous link that  complies with section 7003, subsections\
        \ (c) and (d) and is located at either the header or  footer of the business\u2019\
        s internet homepage(s)"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7013
      ref_id: 7013-d
      description: "In lieu of posting the \u201CDo Not Sell or Share My Personal\
        \ Information\u201D link, a business may  provide the Alternative Opt-out\
        \ Link in accordance with section 7015 or process opt-out  preference signals\
        \ in a frictionless manner in accordance with section 7025, subsections (f)\
        \  and (g). The business must still post a Notice of Right to Opt-out of Sale/Sharing\
        \ in  accordance with these regulations."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-e
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7013
      ref_id: 7013-e
      description: 'A business that sells or shares the personal information of consumers
        shall provide the  Notice of Right to Opt-out of Sale/Sharing to consumers
        as follows:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-e.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-e
      ref_id: 7013-e.1
      description: "A business shall post the Notice of Right to Opt-out of Sale/Sharing\
        \ on the internet  webpage to which the consumer is directed after clicking\
        \ on the \u201CDo Not Sell or Share  My Personal Information\u201D link. The\
        \ notice shall include the information specified in  subsection (f) or be\
        \ a link that takes the consumer directly to the specific section of  the\
        \ business\u2019s privacy policy that contains the same information. If clicking\
        \ on the  \u201CDo Not Sell or Share My Personal Information\u201D link immediately\
        \ effectuates the  consumer\u2019s right to opt-out of sale/sharing or if\
        \ the business processes opt-out  preference signals in a frictionless manner\
        \ and chooses not to post a link, the  business shall provide the notice within\
        \ its privacy policy."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-e.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-e
      ref_id: 7013-e.2
      description: A business that does not operate a website shall establish, document,
        and comply  with another method by which it informs consumers of their right
        to opt-out of  sale/sharing. That method shall comply with the requirements
        set forth in section  7003.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-e.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-e
      ref_id: 7013-e.3
      description: A business shall also provide the notice to opt-out of sale/sharing
        in the same  manner in which it collects the personal information that it
        sells or shares. Illustrative  examples follow
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-e.3.a
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-e.3
      ref_id: 7013-e.3.A
      description: A business that sells or shares personal information that it collects
        in the course  of interacting with consumers offline, such as in a brick-and-mortar
        store, shall  provide notice through an offline method, e.g., on the paper
        forms that collect  the personal information or by posting signage in the
        area where the personal  information is collected directing consumers to where
        the notice can be found  online.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-e.3.b
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-e.3
      ref_id: 7013-e.3.B
      description: A business that sells or shares personal information that it collects
        over the  phone shall provide notice orally during the call when the information
        is  collected.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-f
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7013
      ref_id: 7013-f
      description: 'A business shall include the following in its Notice of Right
        to Opt-out of Sale/Sharing:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-f.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-f
      ref_id: 7013-f.1
      description: "A description of the consumer\u2019s right to opt-out of the sale\
        \ or sharing of their  personal information by the business; and"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-f.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-f
      ref_id: 7013-f.2
      description: Instructions on how the consumer can submit a request to opt-out
        of sale/sharing. If  notice is provided online, the notice shall include the
        interactive form by which the  consumer can submit their request to opt-out
        of sale/sharing online, as required by  section 7026, subsection (a)(1). If
        the business does not operate a website, the notice  shall explain the offline
        method by which the consumer can submit their request to  opt-out of sale/sharing.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-g
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7013
      ref_id: 7013-g
      description: "A business does not need to provide a Notice of Right to Opt-out\
        \ of Sale/Sharing or the \u201CDo  Not Sell or Share My Personal Information\u201D\
        \ link if:"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-g.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-g
      ref_id: 7013-g.1
      description: It does not sell or share personal information; and
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-g.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-g
      ref_id: 7013-g.2
      description: It states in its privacy policy that it does not sell or share
        personal information.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7013-h
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7013
      ref_id: 7013-h
      description: A business shall not sell or share the personal information it
        collected during the time the  business did not have a Notice of Right to
        Opt-out of Sale/Sharing posted unless it obtains  the consent of the consumer.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7014
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-2
      ref_id: '7014'
      name: "Notice of Right to Limit and the \u201CLimit the Use of My Sensitive\
        \ Personal Information\u201D  Link."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7014-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7014
      ref_id: 7014-a
      description: "The purpose of the Notice of Right to Limit is to inform consumers\
        \ of their right to limit a  business\u2019s use and disclosure of their sensitive\
        \ personal information and to provide them  with the opportunity to exercise\
        \ that right. The purpose of the \u201CLimit the Use of My  Sensitive Personal\
        \ Information\u201D link is to immediately effectuate the consumer\u2019s\
        \ right to  limit, or in the alternative, direct the consumer to the Notice\
        \ of Right to Limit. Accordingly,  clicking the business\u2019s \u201CLimit\
        \ the Use of My Sensitive Personal Information\u201D link will either  have\
        \ the immediate effect of limiting the use and disclosure of the consumer\u2019\
        s sensitive  personal information or lead the consumer to a webpage where\
        \ the consumer can learn  about and make that choice."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7014-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7014
      ref_id: 7014-b
      description: The Notice of Right to Limit shall comply with section 7003, subsections
        (a) and (b).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7014-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7014
      ref_id: 7014-c
      description: "The \u201CLimit the Use of My Sensitive Personal Information\u201D\
        \ link shall be a conspicuous link  that complies with section 7003, subsections\
        \ (c) and (d), and is located at either the header  or footer of the business\u2019\
        s internet homepage(s)."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7014-d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7014
      ref_id: 7014-d
      description: "In lieu of posting the \u201CLimit the Use of My Sensitive Personal\
        \ Information\u201D link, a business  may provide the Alternative Opt-out\
        \ Link in accordance with section 7015. The business  shall still post a Notice\
        \ of Right to Limit in accordance with these regulations."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7014-e
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7014
      ref_id: 7014-e
      description: "A business that uses or discloses a consumer\u2019s sensitive\
        \ personal information for purposes  other than those specified in section\
        \ 7027, subsection (m), shall provide the Notice of Right  to Limit to consumers\
        \ as follows:"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7014-e.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7014-e
      ref_id: 7014-e.1
      description: "A business shall post the Notice of Right to Limit on the internet\
        \ webpage to which  the consumer is directed after clicking on the \u201C\
        Limit the Use of My Sensitive Personal  Information\u201D link. The notice\
        \ shall include the information specified in subsection (f)  or be a link\
        \ that takes the consumer directly to the specific section of the business\u2019\
        s  privacy policy that contains the same information. If clicking on the \u201C\
        Limit the Use of  My Sensitive Personal Information\u201D link immediately\
        \ effectuates the consumer\u2019s right  to limit, the business shall provide\
        \ the notice within its privacy policy."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7014-e.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7014-e
      ref_id: 7014-e.2
      description: A business that does not operate a website shall establish, document,
        and comply  with another method by which it informs consumers of their right
        to limit. That  method shall comply with the requirements set forth in section
        7003.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7014-f
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7014
      ref_id: 7014-f
      description: 'A business shall include the following in its Notice of Right
        to Limit:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7014-f.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7014-f
      ref_id: 7014-f.1
      description: "A description of the consumer\u2019s right to limit; and"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7014-f.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7014-f
      ref_id: 7014-f.2
      description: Instructions on how the consumer can submit a request to limit.
        If notice is provided  online, the notice shall include the interactive form
        by which the consumer can  submit their request to limit online, as required
        by section 7027, subsection (b)(1). If  the business does not operate a website,
        the notice shall explain the offline method  by which the consumer can submit
        their request to limit.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7014-g
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7014
      ref_id: 7014-g
      description: "A business does not need to provide a Notice of Right to Limit\
        \ or the \u201CLimit the Use of My  Sensitive Personal Information\u201D link\
        \ if:"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7014-g.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7014-g
      ref_id: 7014-g.1
      description: It only uses and discloses sensitive personal information that
        it collected about the  consumer for the purposes specified in section 7027,
        subsection (m), and states so in  its privacy policy; or
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7014-g.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7014-g
      ref_id: 7014-g.2
      description: It only collects or processes sensitive personal information without
        the purpose of  inferring characteristics about a consumer, and states so
        in its privacy policy.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7014-h
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7014
      ref_id: 7014-h
      description: A business shall not use or disclose sensitive personal information
        it collected during the  time the business did not have a Notice of Right
        to Limit posted for purposes other than  those specified in section 7027,
        subsection (m), unless it obtains the consent of the  consumer.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7015
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-2
      ref_id: '7015'
      name: Alternative Opt-out Link.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7015-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7015
      ref_id: 7015-a
      description: "The purpose of the Alternative Opt-out Link is to provide businesses\
        \ the option of  providing consumers with a single, clearly-labeled link that\
        \ allows consumers to easily  exercise both their right to opt-out of sale/sharing\
        \ and right to limit, instead of posting the  two separate \u201CDo Not Sell\
        \ or Share My Personal Information\u201D and \u201CLimit the Use of My  Sensitive\
        \ Personal Information\u201D links. The Alternative Opt-out Link shall direct\
        \ the  CPPA  Page 24 of 67  consumer to a webpage that informs them of both\
        \ their right to opt-out of sale/sharing  and right to limit and provides\
        \ them with the opportunity to exercise both rights."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7015-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7015
      ref_id: 7015-b
      description: "A business that chooses to use an Alternative Opt-out Link shall\
        \ title the link, \u201CYour Privacy  Choices,\u201D or,  \u201CYour California\
        \ Privacy Choices,\u201D and shall include the following opt-out icon  adjacent\
        \ to the title. The link shall be a conspicuous link that complies with section\
        \ 7003,  subsections (c) and (d), and is located at either the header or footer\
        \ of the business\u2019s  internet homepage(s). The icon shall be approximately\
        \ the same size as other icons used  by the business in the header or footer\
        \ of its webpage"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7015-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7015
      ref_id: 7015-c
      description: 'The Alternative Opt-out Link shall direct the consumer to a webpage
        that includes the  following information:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7015-c.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7015-c
      ref_id: 7015-c.1
      description: "A description of the consumer\u2019s right to opt-out of sale/sharing\
        \ and right to limit,  which shall comply with section 7003, subsections (a)\
        \ and (b); and"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7015-c.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7015-c
      ref_id: 7015-c.2
      description: The interactive form or mechanism by which the consumer can submit
        their request to  opt-out of sale/sharing and their right to limit online.
        The method shall be easy for  consumers to execute, shall require minimal
        steps, and shall comply with section  7004.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7016
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-2
      ref_id: '7016'
      name: Notice of Financial Incentive.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7016-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7016
      ref_id: 7016-a
      description: The purpose of the Notice of Financial Incentive is to explain
        to the consumer the material  terms of a financial incentive or price or service
        difference the business is offering so that  the consumer may make an informed
        decision about whether to participate. A business  that does not offer a financial
        incentive or price or service difference is not required to  provide a Notice
        of Financial Incentive.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7016-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7016
      ref_id: 7016-b
      description: The Notice of Financial Incentive shall comply with section 7003,
        subsections (a) and (b).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7016-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7016
      ref_id: 7016-c
      description: "The Notice of Financial Incentive shall be readily available where\
        \ consumers will encounter  it before opting-in to the financial incentive\
        \ or price or service difference. If the business  offers the financial incentive\
        \ or price or service difference online, the notice may be given  by providing\
        \ a link that takes the consumer directly to the specific section of a business\u2019\
        s  privacy policy that contains the information required in subsection (d)."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7016-d
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7016
      ref_id: 7016-d
      description: 'A business shall include the following in its Notice of Financial
        Incentive:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7016-d.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7016-d
      ref_id: 7016-d.1
      description: A succinct summary of the financial incentive or price or service
        difference offered;
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7016-d.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7016-d
      ref_id: 7016-d.2
      description: "A description of the material terms of the financial incentive\
        \ or price or service  difference, including the categories of personal information\
        \ that are implicated by  the financial incentive or price or service difference\
        \ and the value of the consumer\u2019s  data;"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7016-d.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7016-d
      ref_id: 7016-d.3
      description: How the consumer can opt-in to the financial incentive or price
        or service difference;
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7016-d.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7016-d
      ref_id: 7016-d.4
      description: "A statement of the consumer\u2019s right to withdraw from the\
        \ financial incentive at any  time and how the consumer may exercise that\
        \ right; and"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7016-d.5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7016-d
      ref_id: 7016-d.5
      description: " An explanation of how the price or service difference is reasonably\
        \ related to the  value of the consumer\u2019s data, including:"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7016-d.5.a
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7016-d.5
      ref_id: 7016-d.5.A
      description: "A good-faith estimate of the value of the consumer\u2019s data\
        \ that forms the basis  for offering the price or service difference; and"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7016-d.5.b
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7016-d.5
      ref_id: 7016-d.5.B
      description: " A description of the method(s) the business used to calculate\
        \ the value of the  consumer\u2019s data."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:article-3
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:chapter-1
      ref_id: ARTICLE 3
      name: BUSINESS PRACTICES FOR HANDLING CONSUMER REQUESTS
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7020
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-3
      ref_id: '7020'
      name: Methods for Submitting Requests to Delete, Requests to Correct, and Requests
        to  Know
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7020-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7020
      ref_id: 7020-a
      description: A business that operates exclusively online and has a direct relationship
        with a consumer  from whom it collects personal information shall only be
        required to provide an email  address for submitting requests to delete, requests
        to correct, and requests to know.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7020-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7020
      ref_id: 7020-b
      description: A business that does not fit the description in subsection (a)
        shall provide two or more  designated methods for submitting requests to delete,
        requests to correct, and requests to  know. One of those methods must be a
        toll-free telephone number. If the business  maintains an internet website,
        one of the methods for submitting these requests shall be  through its website,
        such as through a webform. Other methods for submitting requests to  delete,
        requests to correct, and requests to know may include, but are not limited
        to, a  designated email address, a form submitted in person, and a form submitted
        through the  mail
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7020-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7020
      ref_id: 7020-c
      description: "A business shall consider the methods by which it primarily interacts\
        \ with consumers when  determining which methods to provide for submitting\
        \ requests to delete, requests to  correct, and requests to know. If the business\
        \ interacts with consumers in person, the  business shall consider providing\
        \ an in-person method such as a printed form the  consumer can directly submit\
        \ or send by mail, a tablet or computer portal that allows the  CPPA  Page\
        \ 26 of 67  consumer to complete and submit an online form, or a telephone\
        \ with which the  consumer can call the business\u2019s toll-free number"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7020-d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7020
      ref_id: 7020-d
      description: A business may use a two-step process for online requests to delete
        where the consumer  must first, submit the request to delete and then second,
        separately confirm that they  want their personal information deleted provided
        that the business otherwise complies  with section 7004
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7020-e
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7020
      ref_id: 7020-e
      description: 'If a consumer submits a request in a manner that is not one of
        the designated methods of  submission, or is deficient in some manner unrelated
        to the verification process, the  business shall either:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7020-e.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7020-e
      ref_id: 7020-e.1
      description: "Treat the request as if it had been submitted in accordance with\
        \ the business\u2019s  designated manner, or"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7020-e.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7020-e
      ref_id: 7020-e.2
      description: Provide the consumer with information on how to submit the request
        or remedy any  deficiencies with the request, if applicable.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7021
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-3
      ref_id: '7021'
      name: Timelines for Responding to Requests to Delete, Requests to Correct, and
        Requests  to Know.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7021-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7021
      ref_id: 7021-a
      description: "No later than 10 business days after receiving a request to delete,\
        \ request to correct, or  request to know, a business shall confirm receipt\
        \ of the request and provide information  about how the business will process\
        \ the request. The information provided shall describe in  general the business\u2019\
        s verification process and when the consumer should expect a  response, except\
        \ in instances where the business has already granted or denied the  request.\
        \ The confirmation may be given in the same manner in which the request was\
        \  received. For example, if the request is made over the phone, the confirmation\
        \ may be  given orally during the phone call."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7021-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7021
      ref_id: 7021-b
      description: "Businesses shall respond to a request to delete, request to correct,\
        \ and request to know no  later than 45 calendar days after receipt of the\
        \ request. The 45-day period will begin on the  day that the business receives\
        \ the request, regardless of time required to verify the  request. If the\
        \ business cannot verify the consumer within the 45-day time period, the \
        \ business may deny the request. If necessary, businesses may take up to an\
        \ additional 45  calendar days to respond to the consumer\u2019s request,\
        \ for a maximum total of 90 calendar  days from the day the request is received,\
        \ provided that the business provides the  consumer with notice and an explanation\
        \ of the reason that the business will take more  than 45 days to respond\
        \ to the request."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7022
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-3
      ref_id: '7022'
      name: ' Requests to Delete'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7022
      ref_id: 7022-a
      description: For requests to delete, if a business cannot verify the identity
        of the requestor pursuant to  the regulations set forth in Article 5, the
        business may deny the request to delete. The  business shall inform the requestor
        that their identity cannot be verified.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7022
      ref_id: 7022-b
      description: "A business shall comply with a consumer\u2019s request to delete\
        \ their personal information by:"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-b.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-b
      ref_id: 7022-b.1
      description: Permanently and completely erasing the personal information from
        its existing  systems except archived or backup systems, deidentifying the
        personal information, or  aggregating the consumer information;
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-b.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-b
      ref_id: 7022-b.2
      description: "Notifying the business\u2019s service providers or contractors\
        \ of the need to delete from  their records the consumer\u2019s personal information\
        \ that they collected pursuant to  their written contract with the business,\
        \ or if enabled to do so by the service provider  or contractor, the business\
        \ shall delete the personal information that the service  provider or contractor\
        \ collected pursuant to their written contract with the business;  and"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-b.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-b
      ref_id: 7022-b.3
      description: "Notifying all third parties to whom the business has sold or shared\
        \ the personal  information of the need to delete the consumer\u2019s personal\
        \ information unless this  proves impossible or involves disproportionate\
        \ effort. If a business claims that  notifying some or all third parties would\
        \ be impossible or would involve  disproportionate effort, the business shall\
        \ provide the consumer a detailed  explanation that includes enough facts\
        \ to give a consumer a meaningful understanding  as to why the business cannot\
        \ notify all third parties. The business shall not simply  state that notifying\
        \ all third parties is impossible or would require disproportionate  effort."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7022
      ref_id: 7022-c
      description: A service provider or contractor shall, with respect to personal
        information that they  collected pursuant to their written contract with the
        business and upon notification by the  business, cooperate with the business
        in responding to a request to delete by doing all of  the following
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-c.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-c
      ref_id: 7022-c.1
      description: Permanently and completely erasing the personal information from
        its existing  systems except archived or backup systems, deidentifying the
        personal information,  aggregating the consumer information, or enabling the
        business to do so.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-c.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-c
      ref_id: 7022-c.2
      description: "To the extent that an exception applies to the deletion of personal\
        \ information,  deleting or enabling the business to delete the consumer\u2019\
        s personal information that  is not subject to the exception and refraining\
        \ from using the consumer\u2019s personal  information retained for any purpose\
        \ other than the purpose provided for by that  exception"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-c.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-c
      ref_id: 7022-c.3
      description: "Notifying any of its own service providers or contractors of the\
        \ need to delete from  their records in the same manner the consumer\u2019\
        s personal information that they  collected pursuant to their written contract\
        \ with the service provider or contractor."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-c.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-c
      ref_id: 7022-c.4
      description: "Notifying any other service providers, contractors, or third parties\
        \ that may have  accessed personal information from or through the service\
        \ provider or contractor,  unless the information was accessed at the direction\
        \ of the business, of the need to  delete the consumer\u2019s personal information\
        \ unless this proves impossible or involves  disproportionate effort."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7022
      ref_id: 7022-d
      description: "If a business, service provider, or contractor stores any personal\
        \ information on archived or  backup systems, it may delay compliance with\
        \ the consumer\u2019s request to delete, with  respect to data stored on the\
        \ archived or backup system, until the archived or backup  system relating\
        \ to that data is restored to an active system or is next accessed or used\
        \ for a  sale, disclosure, or commercial purpose."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-e
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7022
      ref_id: 7022-e
      description: "In responding to a request to delete, a business shall inform\
        \ the consumer whether it has  complied with the consumer\u2019s request.\
        \ The business shall also inform the consumer that it  will maintain a record\
        \ of the request as required by section 7101, subsection (a). A  business,\
        \ service provider, contractor, or third party may retain a record of the\
        \ request for  the purpose of ensuring that the consumer\u2019s personal information\
        \ remains deleted from  its records."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-f
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7022
      ref_id: 7022-f
      description: "In cases where a business denies a consumer\u2019s request to\
        \ delete in whole or in part, the  business shall do all of the following:"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-f.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-f
      ref_id: 7022-f.1
      description: Provide to the consumer a detailed explanation of the basis for
        the denial, including  any conflict with federal or state law, exception to
        the CCPA, or factual basis for  contending that compliance would be impossible
        or involve disproportionate effort,  unless prohibited from doing so by law.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-f.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-f
      ref_id: 7022-f.2
      description: "Delete the consumer\u2019s personal information that is not subject\
        \ to the exception."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-f.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-f
      ref_id: 7022-f.3
      description: "Not use the consumer\u2019s personal information retained for\
        \ any other purpose than  provided for by that exception; and"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-f.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-f
      ref_id: 7022-f.4
      description: "Instruct its service providers and contractors to delete the consumer\u2019\
        s personal  information that is not subject to the exception and to not use\
        \ the consumer\u2019s  personal information retained for any purpose other\
        \ than the purpose provided for  by that exception."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-g
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7022
      ref_id: 7022-g
      description: "If a business that denies a consumer\u2019s request to delete\
        \ sells or shares personal  information and the consumer has not already made\
        \ a request to opt-out of sale/sharing,  the business shall ask the consumer\
        \ if they would like to opt-out of the sale or sharing of  CPPA  Page 29 of\
        \ 67  their personal information and shall include either the contents of,\
        \ or a link to, the Notice  of Right to Opt-out of Sale/Sharing in accordance\
        \ with section 7013."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7022-h
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7022
      ref_id: 7022-h
      description: " In responding to a request to delete, a business may present\
        \ the consumer with the choice  to delete select portions of their personal\
        \ information as long as a single option to delete  all personal information\
        \ is also offered. A business that provides consumers the ability to  delete\
        \ select categories of personal information in other contexts (e.g., purchase\
        \ history,  browsing history, voice recordings), however, must inform consumers\
        \ of their ability to do  so and direct them to how they can do so. For example,\
        \ a business may provide the  consumer with a link to a support page or other\
        \ resource that explains consumers\u2019 data  deletion options."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-3
      ref_id: '7023'
      name: Requests to Correct.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023
      ref_id: 7023-a
      description: For requests to correct, if a business cannot verify the identity
        of the requestor pursuant to  the regulations set forth in Article 5, the
        business may deny the request to correct. The  business shall inform the requestor
        that their identity cannot be verified.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023
      ref_id: 7023-b
      description: "In determining the accuracy of the personal information that is\
        \ the subject of a consumer\u2019s  request to correct, the business shall\
        \ consider the totality of the circumstances relating to  the contested personal\
        \ information. A business may deny a consumer\u2019s request to correct  if\
        \ it determines that the contested personal information is more likely than\
        \ not accurate  based on the totality of the circumstances."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-b.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-b
      ref_id: 7023-b.1
      description: 'Considering the totality of the circumstances includes, but is
        not limited to,  considering:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-b.1.a
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-b
      ref_id: 7023-b.1.A
      description: The nature of the personal information (e.g., whether it is objective,
        subjective,  unstructured, sensitive, etc.).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-b.1.b
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-b
      ref_id: 7023-b.1.B
      description: How the business obtained the contested information.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-b.1.c
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-b
      ref_id: 7023-b.1.C
      description: Documentation relating to the accuracy of the information whether
        provided by  the consumer, the business, or another source. Requirements regarding  documentation
        are set forth in subsection (d).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-b.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-b
      ref_id: 7023-b.2
      description: "If the business is not the source of the personal information\
        \ and has no  documentation in support of the accuracy of the information,\
        \ the consumer\u2019s  assertion of inaccuracy may be sufficient to establish\
        \ that the personal information is  inaccurate."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023
      ref_id: 7023-c
      description: "A business that complies with a consumer\u2019s request to correct\
        \ shall correct the personal  information at issue on its existing systems.\
        \ The business shall also instruct all service  CPPA  Page 30 of 67  providers\
        \ and contractors that maintain the personal information at issue pursuant\
        \ to their  written contract with the business to make the necessary corrections\
        \ in their respective  systems. Service providers and contractors shall comply\
        \ with the business\u2019s instructions to  correct the personal information\
        \ or enable the business to make the corrections. If a  business, service\
        \ provider, or contractor stores any personal information that is the subject\
        \  of the request to correct on archived or backup systems, it may delay compliance\
        \ with the  consumer\u2019s request to correct, with respect to data stored\
        \ on the archived or backup  system, until the archived or backup system relating\
        \ to that data is restored to an active  system or is next accessed or used."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-d
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023
      ref_id: 7023-d
      description: Documentation
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-d.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-d
      ref_id: 7023-d.1
      description: A business shall accept, review, and consider any documentation
        that the consumer  provides in connection with their right to correct whether
        provided voluntarily or as  required by the business. Consumers should make
        a good-faith effort to provide  businesses with all necessary information
        available at the time of the request.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-d.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-d
      ref_id: 7023-d.2
      description: 'A business may require the consumer to provide documentation if
        necessary to rebut  its own documentation that the personal information is
        accurate. In determining the  necessity of the documentation requested, the
        business shall consider the following:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-d.2.a
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-d.2
      ref_id: 7023-d.2.A
      description: The nature of the personal information at issue (e.g., whether
        it is objective,  subjective, unstructured, sensitive, etc.).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-d.2.b
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-d.2
      ref_id: 7023-d.2.B
      description: The nature of the documentation upon which the business considers
        the  personal information to be accurate (e.g., whether the documentation
        is from a  trusted source, whether the documentation is verifiable, etc.)
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-d.2.c
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-d.2
      ref_id: 7023-d.2.C
      description: The purpose for which the business collects, maintains, or uses
        the personal  information. For example, if the personal information is essential
        to the  functioning of the business, the business may require more documentation.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-d.2.d
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-d.2
      ref_id: 7023-d.2.D
      description: The impact on the consumer. For example, if the personal information
        has a  negative impact on the consumer, the business may require less  documentation.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-d.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-d
      ref_id: 7023-d.3
      description: "Any documentation provided by the consumer in connection with\
        \ their request to  correct shall only be used and/or maintained by the business\
        \ for the purpose of  correcting the consumer\u2019s personal information\
        \ and to comply with the record-  keeping obligations under section 7101."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-d.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-d
      ref_id: 7023-d.4
      description: "The business shall implement and maintain reasonable security\
        \ procedures and  practices in maintaining any documentation relating to the\
        \ consumer\u2019s request to  correct."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-e
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023
      ref_id: 7023-e
      description: "A business may delete the contested personal information as an\
        \ alternative to correcting  the information if the deletion of the personal\
        \ information does not negatively impact the  consumer, or the consumer consents\
        \ to the deletion. For example, if deleting instead of  correcting inaccurate\
        \ personal information would make it harder for the consumer to  obtain a\
        \ job, housing, credit, education, or other type of opportunity, the business\
        \ shall  process the request to correct or obtain the consumer\u2019s consent\
        \ to delete the information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-f
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023
      ref_id: 7023-f
      description: "In responding to a request to correct, a business shall inform\
        \ the consumer whether it has  complied with the consumer\u2019s request.\
        \ If the business denies a consumer\u2019s request to  correct in whole or\
        \ in part, the business shall do the following:"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-f.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-f
      ref_id: 7023-f.1
      description: Explain the basis for the denial, including any conflict with federal
        or state law,  exception to the CCPA, inadequacy in the required documentation,
        or contention  that compliance proves impossible or involves disproportionate
        effort.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-f.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-f
      ref_id: 7023-f.2
      description: "If a business claims that complying with the consumer\u2019s request\
        \ to correct would be  impossible or would involve disproportionate effort,\
        \ the business shall provide the  consumer a detailed explanation that includes\
        \ enough facts to give a consumer a  meaningful understanding as to why the\
        \ business cannot comply with the request.  The business shall not simply\
        \ state that it is impossible or would require  disproportionate effort."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-f.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-f
      ref_id: 7023-f.3
      description: "If a business denies a consumer\u2019s request to correct personal\
        \ information collected  and analyzed concerning a consumer\u2019s health,\
        \ the business shall also inform the  consumer that they may provide a written\
        \ statement to the business to be made part  of the consumer\u2019s record\
        \ pursuant to Civil Code section 1798.185, subdivision  (a)(8)(D). The business\
        \ shall explain to the consumer that the written statement is  limited to\
        \ 250 words per alleged inaccurate piece of personal information and shall\
        \  include that the consumer must request that the statement be made part\
        \ of the  consumer\u2019s record. Upon receipt of such a statement, the business\
        \ shall include it  with the consumer\u2019s record."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-f.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-f
      ref_id: 7023-f.4
      description: If the personal information at issue can be deleted pursuant to
        a request to delete,  inform the consumer that they can make a request to
        delete the personal  information and provide instructions on how the consumer
        can make a request to  delete.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-g
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023
      ref_id: 7023-g
      description: "A business may deny a consumer\u2019s request to correct if the\
        \ business has denied the  consumer\u2019s request to correct the same alleged\
        \ inaccuracy within the past six months of  receiving the request. However,\
        \ the business must treat the request to correct as new if  the consumer provides\
        \ new or additional documentation to prove that the information at  issue\
        \ is inaccurate."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-h
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023
      ref_id: 7023-h
      description: A business may deny a request to correct if it has a good-faith,
        reasonable, and  documented belief that a request to correct is fraudulent
        or abusive. The business shall  CPPA  Page 32 of 67  inform the requestor
        that it will not comply with the request and shall provide an  explanation
        why it believes the request is fraudulent or abusive.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-i
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023
      ref_id: 7023-i
      description: "Where the business is not the source of the information that the\
        \ consumer contends is  inaccurate, in addition to processing the consumer\u2019\
        s request, the business may provide the  consumer with the name of the source\
        \ from which the business received the alleged  inaccurate information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-j
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023
      ref_id: 7023-j
      description: "Upon request, a business shall disclose specific pieces of personal\
        \ information that the  business maintains and has collected about the consumer\
        \ to allow the consumer to  confirm that the business has corrected the inaccurate\
        \ information that was the subject of  the consumer\u2019s request to correct.\
        \ This disclosure shall not be considered a response to a  request to know\
        \ that is counted towards the limitation of two requests within a 12-month\
        \  period as set forth in Civil Code section 1798.130, subdivision (b). With\
        \ regard to a  correction to a consumer\u2019s Social Security number, driver\u2019\
        s license number or other  government-issued identification number, financial\
        \ account number, any health insurance  or medical identification number,\
        \ an account password, security questions and answers, or  unique biometric\
        \ data generated from measurements or technical analysis of human  characteristics,\
        \ a business shall not disclose this information, but may provide a way to\
        \  confirm that the personal information it maintains is the same as what\
        \ the consumer has  provided."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7023-k
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7023
      ref_id: 7023-k
      description: "Whether a business, service provider, or contractor has implemented\
        \ measures to ensure  that personal information that is the subject of a request\
        \ to correct remains corrected  factors into whether that business, service\
        \ provider, or contractor has complied with a  consumer\u2019s request to\
        \ correct in accordance with the CCPA and these regulations. For  example,\
        \ a business, service provider, or contractor may supplement personal information\
        \  it maintains about consumers with information obtained from a data broker.\
        \ Failing to  consider and address the possibility that corrected information\
        \ may be overridden by  inaccurate information subsequently received from\
        \ a data broker may factor into whether  that business, service provider,\
        \ or contractor has adequately complied with a consumer\u2019s  request to\
        \ correct."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-3
      ref_id: '7024'
      name: Requests to Know.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024
      ref_id: 7024-a
      description: " For requests that seek the disclosure of specific pieces of information\
        \ about the consumer,  if a business cannot verify the identity of the person\
        \ making the request pursuant to the  regulations set forth in Article 5,\
        \ the business shall not disclose any specific pieces of  personal information\
        \ to the requestor and shall inform the requestor that it cannot verify  their\
        \ identity. If the request is denied in whole or in part, the business shall\
        \ also evaluate  the consumer\u2019s request as if it is seeking the disclosure\
        \ of categories of personal  information about the consumer pursuant to subsection\
        \ (b)."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024
      ref_id: 7024-b
      description: For requests that seek the disclosure of categories of personal
        information about the  consumer, if a business cannot verify the identity
        of the person making the request  pursuant to the regulations set forth in
        Article 5, the business may deny the request to  disclose the categories and
        other information requested and shall inform the requestor  that it cannot
        verify their identity. If the request is denied in whole or in part, the business  shall
        provide or direct the consumer to its information practices set forth in its
        privacy  policy.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024
      ref_id: 7024-c
      description: 'In responding to a request to know, a business is not required
        to search for personal  information if all of the following conditions are
        met:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-c.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-c
      ref_id: 7024-c.1
      description: The business does not maintain the personal information in a searchable
        or  reasonably accessible format.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-c.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-c
      ref_id: 7024-c.2
      description: The business maintains the personal information solely for legal
        or compliance  purposes.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-c.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-c
      ref_id: 7024-c.3
      description: The business does not sell the personal information and does not
        use it for any  commercial purpose.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-c.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-c
      ref_id: 7024-c.4
      description: The business describes to the consumer the categories of records
        that may contain  personal information that it did not search because it meets
        the conditions stated  above.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024
      ref_id: 7024-d
      description: "A business shall not disclose in response to a request to know\
        \ a consumer\u2019s Social Security  number, driver\u2019s license number\
        \ or other government-issued identification number,  financial account number,\
        \ any health insurance or medical identification number, an  account password,\
        \ security questions and answers, or unique biometric data generated  from\
        \ measurements or technical analysis of human characteristics. The business\
        \ shall,  however, inform the consumer with sufficient particularity that\
        \ it has collected the type of  information. For example, a business shall\
        \ respond that it collects \u201Cunique biometric data  including a fingerprint\
        \ scan\u201D without disclosing the actual fingerprint scan data."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-e
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024
      ref_id: 7024-e
      description: "If a business denies a consumer\u2019s verified request to know\
        \ specific pieces of personal  information, in whole or in part, because of\
        \ a conflict with federal or state law, or an  exception to the CCPA, the\
        \ business shall inform the requestor and explain the basis for the  denial,\
        \ unless prohibited from doing so by law. If the request is denied only in\
        \ part, the  business shall disclose the other information sought by the consumer."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-f
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024
      ref_id: 7024-f
      description: A business shall use reasonable security measures when transmitting
        personal information  to the consumer.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-g
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024
      ref_id: 7024-g
      description: If a business maintains a password-protected account with the consumer,
        it may comply  with a request to know by using a secure self-service portal
        for consumers to access, view,  and receive a portable copy of their personal
        information if the portal fully discloses the  CPPA  Page 34 of 67  personal
        information that the consumer is entitled to under the CCPA and these  regulations,
        uses reasonable data security controls, and complies with the verification  requirements
        set forth in Article 5.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-h
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024
      ref_id: 7024-h
      description: "In response to a request to know, a business shall provide all\
        \ the personal information it  has collected and maintains about the consumer\
        \ during the 12-month period preceding the  business\u2019s receipt of the\
        \ consumer\u2019s request. A consumer may request that the business  provide\
        \ personal information that the business collected beyond the 12-month period,\
        \ as  long as it was collected on or after January 1, 2022, and the business\
        \ shall be required to  provide that information unless doing so proves impossible\
        \ or would involve  disproportionate effort. That information shall include\
        \ any personal information that the  business\u2019s service providers or\
        \ contractors collected pursuant to their written contract with  the business.\
        \ If a business claims that providing personal information beyond the 12-month\
        \  period preceding the business\u2019s receipt of the consumer\u2019s request\
        \ would be impossible or  would involve disproportionate effort, the business\
        \ shall not be required to provide it as  long as the business provides the\
        \ consumer a detailed explanation that includes enough  facts to give a consumer\
        \ a meaningful understanding as to why the business cannot  provide personal\
        \ information beyond the 12-month period. The business shall not simply  state\
        \ that it is impossible or would require disproportionate effort."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-i
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024
      ref_id: 7024-i
      description: "A service provider or contractor shall provide assistance to the\
        \ business in responding to a  verifiable consumer request to know, including\
        \ by providing the business the consumer\u2019s  personal information it has\
        \ in its possession that it collected pursuant to their written  contract\
        \ with the business, or by enabling the business to access that personal \
        \ information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-j
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024
      ref_id: 7024-j
      description: "In responding to a consumer\u2019s verified request to know categories\
        \ of personal information,  categories of sources, and/or categories of third\
        \ parties, a business shall provide an  individualized response to the consumer\
        \ as required by the CCPA. It shall not refer the  consumer to the businesses\u2019\
        \ information practices outlined in its privacy policy unless its  response\
        \ would be the same for all consumers and the privacy policy discloses all\
        \ the  information that is otherwise required to be in a response to a request\
        \ to know such  categories."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-k
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024
      ref_id: 7024-k
      description: 'In responding to a verified request to know categories of personal
        information, the  business shall provide all of the following:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-k.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-k
      ref_id: 7024-k.1
      description: The categories of personal information the business has collected
        about the  consumer.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-k.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-k
      ref_id: 7024-k.2
      description: The categories of sources from which the personal information was
        collected.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-k.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-k
      ref_id: 7024-k.3
      description: The business or commercial purpose for which it collected or sold
        the personal  information.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-k.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-k
      ref_id: 7024-k.4
      description: The categories of third parties with whom the business shares personal
        information.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-k.5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-k
      ref_id: 7024-k.5
      description: The categories of personal information that the business sold,
        and for each category  identified, the categories of third parties to whom
        it sold that particular category of  personal information.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-k.6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-k
      ref_id: 7024-k.6
      description: The categories of personal information that the business disclosed
        for a business  purpose, and for each category identified, the categories
        of third parties to whom it  disclosed that particular category of personal
        information.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7024-l
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7024
      ref_id: 7024-l
      description: A business shall identify the categories of personal information,
        categories of sources of  personal information, and categories of third parties
        to whom a business sold or disclosed  personal information, in a manner that
        provides consumers a meaningful understanding of  the categories listed.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-3
      ref_id: '7025'
      name: Opt-out Preference Signals
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025
      ref_id: 7025-a
      description: The purpose of an opt-out preference signal is to provide consumers
        with a simple and  easy-to-use method by which consumers interacting with
        businesses online can  automatically exercise their right to opt-out of sale/sharing.
        Through an opt-out preference  signal, a consumer can opt-out of sale and
        sharing of their personal information with all  businesses they interact with
        online without having to make individualized requests with  each business.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025
      ref_id: 7025-b
      description: 'A business that sells or shares personal information shall process
        any opt-out preference  signal that meets the following requirements as a
        valid request to opt-out of sale/sharing:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-b.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-b
      ref_id: 7025-b.1
      description: The signal shall be in a format commonly used and recognized by
        businesses. An  example would be an HTTP header field or JavaScript object.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-b.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-b
      ref_id: 7025-b.2
      description: The platform, technology, or mechanism that sends the opt-out preference
        signal shall  make clear to the consumer, whether in its configuration or
        in disclosures to the  public, that the use of the signal is meant to have
        the effect of opting the consumer  out of the sale and sharing of their personal
        information. The configuration or  disclosure does not need to be tailored
        only to California or to refer to California.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025
      ref_id: 7025-c
      description: 'When a business that collects personal information from consumers
        online receives or  detects an opt-out preference signal that complies with
        subsection (b):'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c
      ref_id: 7025-c.1
      description: The business shall treat the opt-out preference signal as a valid
        request to opt-out of  sale/sharing submitted pursuant to Civil Code section
        1798.120 for that browser or  device and any consumer profile associated with
        that browser or device, including  pseudonymous profiles. If known, the business
        shall also treat the opt-out preference  CPPA  Page 36 of 67  signal as a
        valid request to opt-out of sale/sharing for the consumer. This is not  required
        for a business that does not sell or share personal information.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c
      ref_id: 7025-c.2
      description: "The business shall not require a consumer to provide additional\
        \ information beyond  what is necessary to send the signal. However, a business\
        \ may provide the consumer  with an option to provide additional information\
        \ if it will help facilitate the consumer\u2019s  request to opt-out of sale/sharing.\
        \ Any information provided by the consumer shall  not be used, disclosed,\
        \ or retained for any purpose other than processing the request  to opt-out\
        \ of sale/sharing. For example, a business may give the consumer the option\
        \  to provide information that identifies the consumer so that the request\
        \ to opt-out of  sale/sharing can apply to offline sale or sharing of personal\
        \ information. However, if  the consumer does not respond, the business shall\
        \ still process the opt-out preference  signal as a valid request to opt-out\
        \ of sale/sharing for that browser or device and any  consumer profile the\
        \ business associates with that browser or device, including  pseudonymous\
        \ profiles."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c
      ref_id: 7025-c.3
      description: "If the opt-out preference signal conflicts with a consumer\u2019\
        s business-specific privacy  setting that allows the business to sell or share\
        \ their personal information, the  business shall process the opt-out preference\
        \ signal as a valid request to opt-out of  sale/sharing, but may notify the\
        \ consumer of the conflict and provide the consumer  with an opportunity to\
        \ consent to the sale or sharing of their personal information.  The business\
        \ shall comply with section 7004 in obtaining the consumer\u2019s consent\
        \ to  the sale or sharing of their personal information. If the consumer consents\
        \ to the sale  or sharing of their personal information, the business may\
        \ ignore the opt-out  preference signal for as long as the consumer is known\
        \ to the business."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c
      ref_id: 7025-c.4
      description: "If the opt-out preference signal conflicts with the consumer\u2019\
        s participation in a  business\u2019s financial incentive program that requires\
        \ the consumer to consent to the  sale or sharing of personal information,\
        \ the business may notify the consumer that  processing the opt-out preference\
        \ signal as a valid request to opt-out of sale/sharing  would withdraw the\
        \ consumer from the financial incentive program and ask the  consumer to affirm\
        \ that they intend to withdraw from the financial incentive program.  If the\
        \ consumer affirms that they intend to withdraw from the financial incentive\
        \  program, the business shall process the consumer\u2019s request to opt-out\
        \ of sale/sharing.  If the business asks and the consumer does not affirm\
        \ their intent to withdraw, the  business may ignore the opt-out preference\
        \ signal with respect to that consumer\u2019s  participation in the financial\
        \ incentive program for as long as the consumer is known  to the business.\
        \ If the business does not ask the consumer to affirm their intent with  regard\
        \ to the financial incentive program, the business shall still process the\
        \ opt-out  preference signal as a valid request to opt-out of sale/sharing\
        \ for that browser or  device and any consumer profile the business associates\
        \ with that browser or device."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c.5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c
      ref_id: 7025-c.5
      description: Where the consumer is known to the business, the business shall
        not interpret the  absence of an opt-out preference signal after the consumer
        previously sent an opt-out  preference signal as consent to opt-in to the
        sale or sharing of personal information.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c.6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c
      ref_id: 7025-c.6
      description: "A business may display whether it has processed the consumer\u2019\
        s opt-out preference  signal as a valid request to opt-out of sale/sharing\
        \ on its website. For example, the  business may display on its website \u201C\
        Opt-Out Preference Signal Honored\u201D when a  browser, device, or consumer\
        \ using an opt-out preference signal visits the website, or  display through\
        \ a toggle or radio button that the consumer has opted out of the sale  of\
        \ their personal information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c.7
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c
      ref_id: 7025-c.7
      description: Illustrative examples follow.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c.7.a
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c.7
      ref_id: 7025-c.7.A
      description: "Caleb visits Business N\u2019s website using a browser with an\
        \ opt-out preference  signal enabled, but he is not otherwise logged into\
        \ his account and the business  cannot otherwise associate Caleb\u2019s browser\
        \ with a consumer profile the business  maintains. Business N collects and\
        \ shares Caleb\u2019s personal information tied to his  browser identifier\
        \ for cross-context behavioral advertising. Upon receiving the  opt-out preference\
        \ signal, Business N shall stop selling and sharing Caleb\u2019s  information\
        \ linked to Caleb\u2019s browser identifier for cross-context behavioral \
        \ advertising, but it would not be able to apply the request to opt-out of\
        \ the  sale/sharing to Caleb\u2019s account information because the connection\
        \ between  Caleb\u2019s browser and Caleb\u2019s account is not known to the\
        \ business."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c.7.b
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c.7
      ref_id: 7025-c.7.B
      description: "Noelle has an account with Business O, an online retailer who\
        \ manages  consumer\u2019s privacy choices through a settings menu. Noelle\u2019\
        s privacy settings  default to allowing Business O to sell and share her personal\
        \ information with  the business\u2019s marketing partners. Noelle enables\
        \ an opt-out preference signal  on her browser and then visits Business O\u2019\
        s website. Business O recognizes that  Noelle is visiting its website because\
        \ she is logged into her account. Upon  receiving Noelle\u2019s opt-out preference\
        \ signal, Business O shall treat the signal as a  valid request to opt-out\
        \ of sale/sharing and shall apply it to her device and/or  browser and also\
        \ to her account and any offline sale or sharing of personal  information.\
        \ Business O may inform Noelle that her opt-out preference signal  differs\
        \ from her current privacy settings and provide her with an opportunity to\
        \  consent to the sale or sharing of her personal information, but it must\
        \ process  the request to opt-out of sale/sharing unless Noelle instructs\
        \ otherwise. Business  O must also wait at least 12 months before asking Noelle\
        \ to opt-in to the sale or  sharing of her personal information in accordance\
        \ with section 7026, subsection  (k). In addition, Business O\u2019s notification\
        \ would not allow it to fall within the  exception set forth in Civil Code\
        \ section 1798.135, subdivision (b)(1), because it  would not be complying\
        \ with the requirements set forth in subsection (f)."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c.7.c
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c.7
      ref_id: 7025-c.7.C
      description: "Angela also has an account with Business O and has enabled an\
        \ opt-out  preference signal on her browser while logged into her account.\
        \ Business O  CPPA  Page 38 of 67  applies the opt-out preference signal as\
        \ a valid request to opt-out of sale/sharing  not only to Angela\u2019s current\
        \ browser, but also to Angela\u2019s account because she is  known to the\
        \ business while making the request. Angela later logs into her  account with\
        \ Business O using a different device that does not have the opt-out  preference\
        \ signal enabled. Business O shall not interpret the absence of the opt- \
        \ out preference signal as consent to opt-in to the sale of personal information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c.7.d
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c.7
      ref_id: 7025-c.7.D
      description: "Ramona participates in Business P\u2019s financial incentive program\
        \ where she  receives coupons in exchange for allowing the business to pseudonymously\
        \ track  and share her online browsing habits with marketing partners. Ramona\
        \ enables  an opt-out preference signal on her browser and then visits Business\
        \ P\u2019s website.  Business P knows that it is Ramona through a cookie that\
        \ has been placed on her  browser, but also detects the opt-out preference\
        \ signal. Business P may ignore  the opt-out preference signal and notify\
        \ Ramona that her opt-out preference  signal conflicts with her participation\
        \ in the financial incentive program and ask  whether she intends to withdraw\
        \ from the financial incentive program. If  Ramona does not affirm her intent\
        \ to withdraw, Business P may ignore the opt-  out preference signal and place\
        \ Ramona on a whitelist so that Business P does  not have to notify Ramona\
        \ of the conflict again."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c.7.e
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-c.7
      ref_id: 7025-c.7.E
      description: "Ramona clears her cookies and revisits Business P\u2019s website\
        \ with the opt-out  preference signal enabled. Business P no longer knows\
        \ that it is Ramona visiting  its website. Business P shall honor Ramona\u2019\
        s opt-out preference signal as it  pertains to her browser or device and any\
        \ consumer profile the business  associates with that browser or device."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025
      ref_id: 7025-d
      description: The business and the platform, technology, or mechanism that sends
        the opt-out  preference signal shall not use, disclose, or retain any personal
        information collected from  the consumer in connection with the sending or
        processing the request to opt-out of  sale/sharing for any purpose other than
        sending or processing the opt-out preference  signal.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-e
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025
      ref_id: 7025-e
      description: "Civil Code section 1798.135, subdivisions (b)(1) and (3), provide\
        \ a business the choice  between (1) processing opt-out preference signals\
        \ and providing the \u201CDo Not Sell or Share  My Personal Information\u201D\
        \ and \u201CLimit the Use of My Sensitive Personal Information\u201D links\
        \ or  the Alternative Opt-out Link; or (2) processing opt-out preference signals\
        \ in a frictionless  manner in accordance with these regulations and not having\
        \ to provide the \u201CDo Not Sell or  Share My Personal Information\u201D\
        \ and \u201CLimit the Use of My Sensitive Personal Information\u201D  links\
        \ or the Alternative Opt-out Link. They do not give the business the choice\
        \ between  posting the above-referenced links or honoring opt-out preference\
        \ signals. Even if the  business posts the above-referenced links, the business\
        \ must still process opt-out  preference signals, though it may do so in a\
        \ non-frictionless manner. If a business  processes opt-out preference signals\
        \ in a frictionless manner in accordance with  CPPA  Page 39 of 67  subsections\
        \ (f) and (g), then it may, but is not required to, provide the above-referenced\
        \  links."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-f
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025
      ref_id: 7025-f
      description: 'Except as allowed by these regulations, processing an opt-out
        preference signal in a  frictionless manner as required by Civil Code section
        1798.135, subdivision (b)(1), means  that the business shall not:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-f.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-f
      ref_id: 7025-f.1
      description: Charge a fee or require any valuable consideration if the consumer
        uses an opt-out  preference signal.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-f.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-f
      ref_id: 7025-f.2
      description: "Change the consumer\u2019s experience with the product or service\
        \ offered by the  business. For example, the consumer who uses an opt-out\
        \ preference signal shall have  the same experience with regard to how the\
        \ business\u2019s product or service functions  compared to a consumer who\
        \ does not use an opt-out preference signal."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-f.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-f
      ref_id: 7025-f.3
      description: "Display a notification, pop-up, text, graphic, animation, sound,\
        \ video, or any interstitial  content in response to the opt-out preference\
        \ signal. However, a business\u2019s display of  whether the consumer visiting\
        \ their website has opted out of the sale or sharing their  personal information\
        \ shall not be considered a violation of this regulation. The  business may\
        \ also provide a link to a privacy settings page, menu, or similar interface\
        \  that enables the consumer to consent to the business ignoring the opt-out\
        \ preference  signal with respect to the business\u2019s sale or sharing of\
        \ the consumer\u2019s personal  information provided that it complies with\
        \ subsections (f)(1) through (3)."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-g
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025
      ref_id: 7025-g
      description: "A business meeting the requirements of Civil Code section 1798.135,\
        \ subdivision (b)(1) is  not required to post the \u201CDo Not Sell or Share\
        \ My Personal Information\u201D link or the  Alternative Opt-out Link if it\
        \ meets all of the following additional requirements:"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-g.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-g
      ref_id: 7025-g.1
      description: "A business meeting the requirements of Civil Code section 1798.135,\
        \ subdivision (b)(1) is  not required to post the \u201CDo Not Sell or Share\
        \ My Personal Information\u201D link or the  Alternative Opt-out Link if it\
        \ meets all of the following additional requirements:"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-g.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-g
      ref_id: 7025-g.2
      description: ' Includes in its privacy policy the following information:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-g.2.a
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-g.2
      ref_id: 7025-g.2.A
      description: "A description of the consumer\u2019s right to opt-out of the sale\
        \ or sharing of their  personal information by the business;"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-g.2.b
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-g.2
      ref_id: 7025-g.2.B
      description: A statement that the business processes opt-out preference signals
        in a  frictionless manner;
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-g.2.c
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-g.2
      ref_id: 7025-g.2.C
      description: Information on how consumers can implement opt-out preference signals
        for  the business to process in frictionless manner; and
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-g.2.d
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-g.2
      ref_id: 7025-g.2.D
      description: ' Instructions for any other method by which the consumer may submit
        a request  to opt-out of sale/sharing.'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-g.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-g
      ref_id: 7025-g.3
      description: "Allows the opt-out preference signal to fully effectuate the consumer\u2019\
        s request to opt-  out of sale/sharing. For example, if the business sells\
        \ or shares personal information  offline and needs to request from the consumer\
        \ additional information that is not  provided by the opt-out preference signal\
        \ in order to apply the request to opt-out of  sale/sharing to offline sales\
        \ and sharing of personal information, then the business has  not fully effectuated\
        \ the consumer\u2019s request to opt-out of sale/sharing. Illustrative  examples\
        \ follow."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-g.3.a
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-g.3
      ref_id: 7025-g.3.A
      description: "Business Q collects consumers\u2019 online browsing history and\
        \ shares it with third  parties for cross-context behavioral advertising purposes.\
        \ Business Q also sells  consumers\u2019 personal information offline to marketing\
        \ partners. Business Q  cannot fall within the exception set forth in Civil\
        \ Code section 1798.135,  subdivision (b)(1), because a consumer\u2019s opt-out\
        \ preference signal would only  apply to Business Q\u2019s online sharing\
        \ of personal information about the  consumer\u2019s browser or device; the\
        \ consumer\u2019s opt-out preference signal would  not apply to Business Q\u2019\
        s offline selling of the consumer\u2019s information because  Business Q could\
        \ not apply it to the offline selling without additional information  provided\
        \ by the consumer, i.e., the logging into an account."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-g.3.b
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7025-g.3
      ref_id: 7025-g.3.B
      description: "Business R only sells and shares personal information online for\
        \ cross-context  behavioral advertising purposes. Business R may use the exception\
        \ set forth in  Civil Code section 1798.135, subdivision (b)(1), and not post\
        \ the \u201CDo Not Sell or  Share My Personal Information\u201D link because\
        \ a consumer using an opt-out  preference signal would fully effectuate their\
        \ right to opt-out of the sale or  sharing of their personal information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7026
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-3
      ref_id: '7026'
      name: Requests to Opt-out of Sale/Sharing.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7026
      ref_id: 7026-a
      description: A business that sells or shares personal information shall provide
        two or more designated  methods for submitting requests to opt-out of sale/sharing.
        A business shall consider the  methods by which it interacts with consumers,
        the manner in which the business collects  the personal information that it
        makes available to third parties, available technology, and  ease of use by
        the consumer when determining which methods consumers may use to  submit requests
        to opt-out of sale/sharing. At least one method offered shall reflect the  manner
        in which the business primarily interacts with the consumer. Illustrative
        examples  follow.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-a.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-a
      ref_id: 7026-a.1
      description: "A business that collects personal information from consumers online\
        \ shall, at a  minimum, allow consumers to submit requests to opt-out of sale/sharing\
        \ through an  opt-out preference signal and at least one of the following\
        \ methods: an interactive  form accessible via the \u201CDo Not Sell or Share\
        \ My Personal Information\u201D link, the  CPPA  Page 41 of 67  Alternative\
        \ Opt-out Link, or the business\u2019s privacy policy if the business processes\
        \ an  opt-out preference signal in a frictionless manner."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-a.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-a
      ref_id: 7026-a.2
      description: A business that interacts with consumers in person and online may
        provide an in-  person method for submitting requests to opt-out of sale/sharing
        in addition to the  opt-out preference signal.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-a.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-a
      ref_id: 7026-a.3
      description: Other methods for submitting requests to opt-out of the sale/sharing
        include, but  are not limited to, a toll-free phone number, a designated email
        address, a form  submitted in person, and a form submitted through the mail.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-a.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-a
      ref_id: 7026-a.4
      description: A notification or tool regarding cookies, such as a cookie banner
        or cookie controls,  is not by itself an acceptable method for submitting
        requests to opt-out of  sale/sharing because cookies concern the collection
        of personal information and not  the sale or sharing of personal information.
        An acceptable method for submitting  requests to opt-out of sale/sharing must
        address the sale and sharing of personal  information.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7026
      ref_id: 7026-b
      description: "A business\u2019s methods for submitting requests to opt-out of\
        \ sale/sharing shall be easy for  consumers to execute, shall require minimal\
        \ steps, and shall comply with section 7004."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7026
      ref_id: 7026-c
      description: "A business shall not require a consumer submitting a request to\
        \ opt-out of sale/sharing to  create an account or provide additional information\
        \ beyond what is necessary to direct the  business not to sell or share the\
        \ consumer\u2019s personal information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7026
      ref_id: 7026-d
      description: A business shall not require a verifiable consumer request for
        a request to opt-out of  sale/sharing. A business may ask the consumer for
        information necessary to complete the  request, such as information necessary
        to identify the consumer whose information shall  cease to be sold or shared
        by the business. However, to the extent that the business can  comply with
        a request to opt-out of sale/sharing without additional information, it shall
        do  so.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-e
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7026
      ref_id: 7026-e
      description: ' If a business has a good-faith, reasonable, and documented belief
        that a request to opt-out  of sale/sharing is fraudulent, the business may
        deny the request. The business shall inform  the requestor that it will not
        comply with the request and shall provide to the requestor an  explanation
        why it believes the request is fraudulent.'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-f
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7026
      ref_id: 7026-f
      description: 'A business shall comply with a request to opt-out of sale/sharing
        by:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-f.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-f
      ref_id: 7026-f.1
      description: "Ceasing to sell to and/or share with third parties the consumer\u2019\
        s personal information  as soon as feasibly possible, but no later than 15\
        \ business days from the date the  business receives the request. Service\
        \ providers or contractors collecting personal  information pursuant to the\
        \ written contract with the business required by the CCPA  and these regulations\
        \ does not constitute a sale or sharing of personal information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-f.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-f
      ref_id: 7026-f.2
      description: "Notifying all third parties to whom the business has sold or shared\
        \ the consumer\u2019s  personal information, after the consumer submits the\
        \ request to opt-out of  sale/sharing and before the business complies with\
        \ that request, that the consumer  has made a request to opt-out of sale/sharing\
        \ and directing them to comply with the  consumer\u2019s request and forward\
        \ the request to any other person to whom the third  party has made the personal\
        \ information available during that time period."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-g
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7026
      ref_id: 7026-g
      description: "A business may provide a means by which the consumer can confirm\
        \ that their request to  opt-out of sale/sharing has been processed by the\
        \ business. For example, the business may  display on its website \u201CConsumer\
        \ Opted Out of Sale/Sharing\u201D or display through a toggle or  radio button\
        \ that the consumer has opted out of the sale/sharing of their personal  information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-h
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7026
      ref_id: 7026-h
      description: In responding to a request to opt-out of sale/sharing, a business
        may present the  consumer with the choice to opt-out of the sale or sharing
        of personal information for  certain uses as long as a single option to opt-out
        of the sale or sharing of all personal  information is also offered. However,
        doing so in response to an opt-out preference signal  will prevent the business
        from using the exception set forth in Civil Code section 1798.135,  subdivision
        (b)(1)
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-i
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7026
      ref_id: 7026-i
      description: A business that responds to a request to opt-out of sale/sharing
        by informing the  consumer of a charge for the use of any product or service
        shall comply with Article 7 and  shall provide the consumer with a Notice
        of Financial Incentive that complies with section  7016 in its response. However,
        doing so in response to an opt-out preference signal will  prevent the business
        from using the exception set forth in Civil Code section 1798.135,  subdivision
        (b)(1).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-j
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7026
      ref_id: 7026-j
      description: "A consumer may use an authorized agent to submit a request to\
        \ opt-out of sale/sharing on  the consumer\u2019s behalf if the consumer provides\
        \ the authorized agent written permission  signed by the consumer. A business\
        \ may deny a request from an authorized agent if the  agent does not provide\
        \ to the business the consumer\u2019s signed permission demonstrating  that\
        \ they have been authorized by the consumer to act on the consumer\u2019s\
        \ behalf. The  requirement to obtain and provide written permission from the\
        \ consumer does not apply  to requests made by an opt-out preference signal."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7026-k
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7026
      ref_id: 7026-k
      description: "Except as allowed by these regulations, a business shall wait\
        \ at least 12 months from the  date of the consumer\u2019s request before\
        \ asking a consumer who has opted out of the sale or  sharing of their personal\
        \ information to consent to the sale or sharing of their personal  information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-3
      ref_id: '7027'
      name: Requests to Limit Use and Disclosure of Sensitive Personal Information.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027
      ref_id: 7027-a
      description: "The unauthorized use or disclosure of sensitive personal information\
        \ creates a heightened  risk of harm for the consumer. The purpose of the\
        \ request to limit is to give consumers  meaningful control over how their\
        \ sensitive personal information is collected, used, and  disclosed. It gives\
        \ the consumer the ability to limit the business\u2019s use of sensitive personal\
        \  information to that which is necessary to perform the services or provide\
        \ the goods  reasonably expected by an average consumer who requests those\
        \ goods or services, with  some narrowly tailored exceptions, which are set\
        \ forth in subsection (m). Sensitive  personal information that is collected\
        \ or processed without the purpose of inferring  characteristics about a consumer\
        \ is not subject to requests to limit."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027
      ref_id: 7027-b
      description: A business that uses or discloses sensitive personal information
        for purposes other than  those set forth in subsection (m) shall provide two
        or more designated methods for  submitting requests to limit. A business shall
        consider the methods by which it interacts  with consumers, the manner in
        which the business collects the sensitive personal  information that it uses
        for purposes other than those set forth in subsection (m), available  technology,
        and ease of use by the consumer when determining which methods consumers  may
        use to submit requests to limit. At least one method offered shall reflect
        the manner  in which the business primarily interacts with the consumer. Illustrative
        examples follow.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-b.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-b
      ref_id: 7027-b.1
      description: "A business that collects sensitive personal information from consumers\
        \ online shall,  at a minimum, allow consumers to submit requests to limit\
        \ through an interactive  form accessible via the \u201CLimit the Use of My\
        \ Sensitive Personal Information\u201D link or  the Alternative Opt-out Link."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-b.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-b
      ref_id: 7027-b.2
      description: A business that interacts with consumers in person and online may
        provide an in-  person method for submitting requests to limit in addition
        to the online form.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-b.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-b
      ref_id: 7027-b.3
      description: Other methods for submitting requests to limit include, but are
        not limited to, a toll-  free phone number, a designated email address, a
        form submitted in person, and a  form submitted through the mail.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-b.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-b
      ref_id: 7027-b.4
      description: A notification or tool regarding cookies, such as a cookie banner
        or cookie controls,  is not by itself an acceptable method for submitting
        requests to limit because  cookies concern the collection of personal information
        and not necessarily the use  and disclosure of sensitive personal information.
        An acceptable method for  submitting requests to limit must address the specific
        right to limit.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027
      ref_id: 7027-c
      description: "A business\u2019s methods for submitting requests to limit shall\
        \ be easy for consumers to  execute, shall require minimal steps, and shall\
        \ comply with section 7004."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027
      ref_id: 7027-d
      description: "A business shall not require a consumer submitting a request to\
        \ limit to create an account  or provide additional information beyond what\
        \ is necessary to direct the business to limit  the use or disclosure of the\
        \ consumer\u2019s sensitive personal information"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-e
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027
      ref_id: 7027-e
      description: A business shall not require a verifiable consumer request for
        a request to limit. A business  may ask the consumer for information necessary
        to complete the request, such as  information necessary to identify the consumer
        to whom the request should be applied.  However, to the extent that the business
        can comply with a request to limit without  additional information, it shall
        do so.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-f
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027
      ref_id: 7027-f
      description: If a business has a good-faith, reasonable, and documented belief
        that a request to limit is  fraudulent, the business may deny the request.
        The business shall inform the requestor  that it will not comply with the
        request and shall provide to the requestor an explanation  why it believes
        the request is fraudulent.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-g
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027
      ref_id: 7027-g
      description: 'A business shall comply with a request to limit by:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-g.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-g
      ref_id: 7027-g.1
      description: "Ceasing to use and disclose the consumer\u2019s sensitive personal\
        \ information for  purposes other than those set forth in subsection (m) as\
        \ soon as feasibly possible, but  no later than 15 business days from the\
        \ date the business receives the request."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-g.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-g
      ref_id: 7027-g.2
      description: "Notifying all the business\u2019s service providers or contractors\
        \ that use or disclose the  consumer\u2019s sensitive personal information\
        \ for purposes other than those set forth in  subsection (m) that the consumer\
        \ has made a request to limit and instructing them to  comply with the consumer\u2019\
        s request to limit within the same time frame."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-g.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-g
      ref_id: 7027-g.3
      description: "Notifying all third parties to whom the business has disclosed\
        \ or made available the  consumer\u2019s sensitive personal information for\
        \ purposes other than those set forth in  subsection (m), after the consumer\
        \ submitted their request and before the business  complies with that request,\
        \ that the consumer has made a request to limit and direct  them 1) to comply\
        \ with the consumer\u2019s request and 2) to forward the request to any  other\
        \ person with whom the third party has disclosed or shared the sensitive personal\
        \  information during that time period."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-h
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027
      ref_id: 7027-h
      description: "A business may provide a means by which the consumer can confirm\
        \ that their request to  limit has been processed by the business. For example,\
        \ the business may display through a  toggle or radio button that the consumer\
        \ has limited the business\u2019s use and disclosure of  their sensitive personal\
        \ information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-i
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027
      ref_id: 7027-i
      description: In responding to a request to limit, a business may present the
        consumer with the choice  to allow specific uses for the sensitive personal
        information as long as a single option to  limit the use of the personal information
        is also offered.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-j
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027
      ref_id: 7027-j
      description: "A consumer may use an authorized agent to submit a request to\
        \ limit on the consumer\u2019s  behalf if the consumer provides the authorized\
        \ agent written permission signed by the  consumer. A business may deny a\
        \ request from an authorized agent if the agent does not  provide to the business\
        \ the consumer\u2019s signed permission demonstrating that they have  been\
        \ authorized by the consumer to act on the consumer\u2019s behalf."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-k
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027
      ref_id: 7027-k
      description: A business that responds to a request to limit by informing the
        consumer of a charge for  the use of any product or service shall comply with
        Article 7 and shall provide the  consumer with a Notice of Financial Incentive
        that complies with section 7016 in its  response.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-l
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027
      ref_id: 7027-l
      description: "Except as allowed by these regulations, a business shall wait\
        \ at least 12 months from the  date the consumer\u2019s request to limit is\
        \ received before asking a consumer who has  exercised their right to limit\
        \ to consent to the use or disclosure of their sensitive personal  information\
        \ for purposes other than those set forth in subsection (m)."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-m
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027
      ref_id: 7027-m
      description: The purposes identified in Civil Code section 1798.121, subdivision
        (a), for which a business  may use or disclose sensitive personal information
        without being required to offer  consumers a right to limit are as follows.
        A business that only uses or discloses sensitive  personal information for
        these purposes, provided that the use or disclosure is reasonably  necessary
        and proportionate for those purposes, is not required to post a Notice of
        Right  to Limit or provide a method for submitting a request to limit.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-m.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-m
      ref_id: 7027-m.1
      description: "To perform the services or provide the goods reasonably expected\
        \ by an average  consumer who requests those goods or services. For example,\
        \ a consumer\u2019s precise  geolocation may be used by a mobile application\
        \ that is providing the consumer with  directions on how to get to a specific\
        \ location. A consumer\u2019s precise geolocation may  not, however, be used\
        \ by a gaming application where the average consumer would  not expect the\
        \ application to need this piece of sensitive personal information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-m.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-m
      ref_id: 7027-m.2
      description: "To prevent, detect, and investigate security incidents that compromise\
        \ the  availability, authenticity, integrity, or confidentiality of stored\
        \ or transmitted personal  information. For example, a business may disclose\
        \ a consumer\u2019s log-in information to  a data security company that it\
        \ has hired to investigate and remediate a data breach  that involved that\
        \ consumer\u2019s account."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-m.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-m
      ref_id: 7027-m.3
      description: "To resist malicious, deceptive, fraudulent, or illegal actions\
        \ directed at the business  and to prosecute those responsible for those actions.\
        \ For example, a business may  use information about a consumer\u2019s ethnicity\
        \ and/or the contents of email and text  messages to investigate claims of\
        \ racial discrimination or hate speech."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-m.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-m
      ref_id: 7027-m.4
      description: "To ensure the physical safety of natural persons. For example,\
        \ a business may  disclose a consumer\u2019s geolocation information to law\
        \ enforcement to investigate an  alleged kidnapping."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-m.5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-m
      ref_id: 7027-m.5
      description: "For short-term, transient use, including, but not limited to,\
        \ nonpersonalized  advertising shown as part of a consumer\u2019s current\
        \ interaction with the business,  provided that the personal information is\
        \ not disclosed to another third party and is  not used to build a profile\
        \ about the consumer or otherwise alter the consumer\u2019s  experience outside\
        \ the current interaction with the business. For example, a business  that\
        \ sells religious books can use information about its customers\u2019 interest\
        \ in its  CPPA  Page 46 of 67  religious content to serve contextual advertising\
        \ for other kinds of religious  merchandise within its store or on its website,\
        \ so long as the business does not use  sensitive personal information to\
        \ create a profile about an individual consumer or  disclose personal information\
        \ that reveals consumers\u2019 religious beliefs to third  parties."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-m.6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-m
      ref_id: 7027-m.6
      description: To perform services on behalf of the business. For example, a business
        may use  information for maintaining or servicing accounts, providing customer
        service,  processing or fulfilling orders and transactions, verifying customer
        information,  processing payments, providing financing, providing analytic
        services, providing  storage, or providing similar services on behalf of the
        business.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-m.7
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-m
      ref_id: 7027-m.7
      description: "To verify or maintain the quality or safety of a product, service,\
        \ or device that is  owned, manufactured, manufactured for, or controlled\
        \ by the business, and to  improve, upgrade, or enhance the service or device\
        \ that is owned, manufactured by,  manufactured for, or controlled by the\
        \ business. For example, a car rental business  may use a consumer\u2019s\
        \ driver\u2019s license for the purpose of testing that its internal text\
        \  recognition software accurately captures license information used in car\
        \ rental  transactions."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-m.8
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7027-m
      ref_id: 7027-m.8
      description: To collect or process sensitive personal information where the
        collection or  processing is not for the purpose of inferring characteristics
        about a consumer. For  example, a business that includes a search box on their
        website by which consumers  can search for articles related to their health
        condition may use the information  provided by the consumer for the purpose
        of providing the search feature without  inferring characteristics about the
        consumer.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7028
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-3
      ref_id: '7028'
      name: Requests to Opt-in After Opting-out of the Sale or Sharing of Personal
        Information.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7028-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7028
      ref_id: 7028-a
      description: Requests to opt-in to sale or sharing of personal information shall
        use a two-step opt-in  process whereby the consumer shall first, clearly request
        to opt-in and then second,  separately confirm their choice to opt-in.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7028-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7028
      ref_id: 7028-b
      description: "If a consumer who has opted-out of the sale or sharing of their\
        \ personal information  initiates a transaction or attempts to use a product\
        \ or service that requires the sale or  sharing of their personal information,\
        \ the business may inform the consumer that the  transaction, product, or\
        \ service requires the sale or sharing of their personal information  and\
        \ provide instructions on how the consumer can provide consent to opt-in to\
        \ the sale or  CPPA  Page 47 of 67  sharing of their personal information.\
        \ The business shall comply with section 7004 when  obtaining the consumer\u2019\
        s consent."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:article-4
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:chapter-1
      ref_id: ARTICLE 4
      name: SERVICE PROVIDERS, CONTRACTORS, AND THIRD PARTIES
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7050
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-4
      ref_id: '7050'
      name: Service Providers and Contractors.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7050
      ref_id: 7050-a
      description: 'A service provider or contractor shall not retain, use, or disclose
        personal information  collected pursuant to its written contract with the
        business except:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-a.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-a
      ref_id: 7050-a.1
      description: For the specific business purpose(s) set forth in the written contract
        between the  business and the service provider or contractor that is required
        by the CCPA and  these regulations.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-a.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-a
      ref_id: 7050-a.2
      description: To retain and employ another service provider or contractor as
        a subcontractor,  where the subcontractor meets the requirements for a service
        provider or contractor  under the CCPA and these regulations
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-a.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-a
      ref_id: 7050-a.3
      description: For internal use by the service provider or contractor to build
        or improve the quality  of the services it is providing to the business, even
        if this business purpose is not  specified in the written contract required
        by the CCPA and these regulations,  provided that the service provider or
        contractor does not use the personal  information to perform services on behalf
        of another person. Illustrative examples  follow
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-a.3.a
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-a.3
      ref_id: 7050-a.3.A
      description: "An email marketing service provider can send emails on a business\u2019\
        s behalf using  the business\u2019s customer email list. The service provider\
        \ could analyze those  customers\u2019 interactions with the marketing emails\
        \ to improve its services and  offer those improved services to everyone.\
        \ But the service provider cannot use  the original email list to send marketing\
        \ emails on behalf of another business."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-a.3.b
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-a.3
      ref_id: 7050-a.3.B
      description: "A shipping service provider that delivers businesses\u2019 products\
        \ to their customers  may use the addresses received from their business clients\
        \ and their experience  delivering to those addresses to identify faulty or\
        \ incomplete addresses, and  thus, improve their delivery services. However,\
        \ the shipping service provider  cannot compile the addresses received from\
        \ one business to send  advertisements on behalf of another business, or compile\
        \ addresses received  from businesses to sell to data brokers."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-a.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-a
      ref_id: 7050-a.4
      description: To prevent, detect, or investigate data security incidents or protect
        against malicious,  deceptive, fraudulent or illegal activity, even if this
        business purpose is not specified  in the written contract required by the
        CCPA and these regulations.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-a.5
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-a
      ref_id: 7050-a.5
      description: For the purposes enumerated in Civil Code section 1798.145, subdivisions
        (a)(1)  through (a)(7).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7050
      ref_id: 7050-b
      description: A service provider or contractor cannot contract with a business
        to provide cross-context  behavioral advertising. Pursuant to Civil Code section
        1798.140, subdivision (e)(6), a service  provider or contractor may contract
        with a business to provide advertising and marketing  services, but the service
        provider or contractor shall not combine the personal information  of consumers
        who have opted-out of the sale/sharing that the service provider or  contractor
        receives from, or on behalf of, the business with personal information that
        the  service provider or contractor receives from, or on behalf of, another
        person or collects  from its own interaction with consumers. A person who
        contracts with a business to  provide cross-context behavioral advertising
        is a third party and not a service provider or  contractor with respect to
        cross-context behavioral advertising services. Illustrative  examples follow.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-b.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-b
      ref_id: 7050-b.1
      description: "Business S, a clothing company, hires a social media company as\
        \ a service provider  for the purpose of providing Business S\u2019s advertisements\
        \ on the social media  company\u2019s platform. The social media company can\
        \ serve Business S by providing  non-personalized advertising services on\
        \ its platform based on aggregated or  demographic information (e.g., advertisements\
        \ to women, 18-30 years old, that live  in Los Angeles). However, it cannot\
        \ use a list of customer email addresses provided  by Business S to identify\
        \ users on the social media company\u2019s platform to serve  advertisements\
        \ to them."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-b.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-b
      ref_id: 7050-b.2
      description: "Business T, a company that sells cookware, hires an advertising\
        \ company as a service  provider for the purpose of advertising its services.\
        \ The advertising agency can serve  Business T by providing contextual advertising\
        \ services, such as placing  advertisements for Business T\u2019s products\
        \ on websites that post recipes and other  cooking tips."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7050
      ref_id: 7050-c
      description: "If a service provider or contractor receives a request made pursuant\
        \ to the CCPA directly  from the consumer, the service provider or contractor\
        \ shall either act on behalf of the  business in accordance with the business\u2019\
        s instructions for responding to the request or  inform the consumer that\
        \ the request cannot be acted upon because the request has been  sent to a\
        \ service provider or contractor."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7050
      ref_id: 7050-d
      description: A service provider or contractor that is a business shall comply
        with the CCPA and these  regulations with regard to any personal information
        that it collects, maintains, or sells  outside of its role as a service provider
        or contractor.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-e
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7050
      ref_id: 7050-e
      description: "A person who does not have a contract that complies with section\
        \ 7051, subsection (a), is  not a service provider or a contractor under the\
        \ CCPA. For example, a business\u2019s disclosure  of personal information\
        \ to a person who does not have a contract that complies with  section 7051,\
        \ subsection (a), may be considered a sale or sharing of personal information\
        \  CPPA  Page 49 of 67  for which the business must provide the consumer with\
        \ the right to opt-out of  sale/sharing."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-f
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7050
      ref_id: 7050-f
      description: A service provider or a contractor shall comply with the terms
        of the contract required by  the CCPA and these regulations.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7050-g
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7050
      ref_id: 7050-g
      description: "Whether an entity that provides services to a nonbusiness must\
        \ comply with a consumer\u2019s  CCPA request depends upon whether the entity\
        \ is a \u201Cbusiness,  \u201D as defined by Civil Code  section 1798.140,\
        \ subdivision (d)."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7051
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-4
      ref_id: '7051'
      name: Contract Requirements for Service Providers and Contractors.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7051
      ref_id: 7051-a
      description: 'The contract required by the CCPA for service providers and contractors
        shall:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a
      ref_id: 7051-a.1
      description: Prohibit the service provider or contractor from selling or sharing
        personal  information it collects pursuant to the written contract with the
        business.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a
      ref_id: 7051-a.2
      description: Identify the specific business purpose(s) for which the service
        provider or contractor is  processing personal information pursuant to the
        written contract with the business,  and specify that the business is disclosing
        the personal information to the service  provider or contractor only for the
        limited and specified business purpose(s) set forth  within the contract.
        The business purpose(s) shall not be described in generic terms,  such as
        referencing the entire contract generally. The description shall be specific.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a
      ref_id: 7051-a.3
      description: Prohibit the service provider or contractor from retaining, using,
        or disclosing the  personal information that it collected pursuant to the
        written contract with the  business for any purpose other than the business
        purpose(s) specified in the contract  or as otherwise permitted by the CCPA
        and these regulations.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a
      ref_id: 7051-a.4
      description: Prohibit the service provider or contractor from retaining, using,
        or disclosing the  personal information that it collected pursuant to the
        written contract with the  business for any commercial purpose other than
        the business purpose(s) specified in  the contract, unless expressly permitted
        by the CCPA or these regulations.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a.5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a
      ref_id: 7051-a.5
      description: Prohibit the service provider or contractor from retaining, using,
        or disclosing the  personal information that it collected pursuant to the
        written contract with the  business outside the direct business relationship
        between the service provider or  contractor and the business, unless expressly
        permitted by the CCPA or these  regulations. For example, a service provider
        or contractor shall be prohibited from  combining or updating personal information
        that it collected pursuant to the written  contract with the business with
        personal information that it received from another  CPPA  Page 50 of 67  source
        or collected from its own interaction with the consumer, unless expressly  permitted
        by the CCPA or these regulations.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a.6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a
      ref_id: 7051-a.6
      description: "Require the service provider or contractor to comply with all\
        \ applicable sections of the  CCPA and these regulations, including\u2014\
        with respect to the personal information that  it collected pursuant to the\
        \ written contract with the business\u2014providing the same  level of privacy\
        \ protection as required of businesses by the CCPA and these  regulations.\
        \ For example, the contract may require the service provider or contractor\
        \  to cooperate with the business in responding to and complying with consumers\u2019\
        \  requests made pursuant to the CCPA, and to implement reasonable security\
        \  procedures and practices appropriate to the nature of the personal information\
        \ to  protect the personal information from unauthorized or illegal access,\
        \ destruction, use,  modification, or disclosure in accordance with Civil\
        \ Code section 1798.81.5."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a.7
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a
      ref_id: 7051-a.7
      description: "Grant the business the right to take reasonable and appropriate\
        \ steps to ensure that  the service provider or contractor uses the personal\
        \ information that it collected  pursuant to the written contract with the\
        \ business in a manner consistent with the  business\u2019s obligations under\
        \ the CCPA and these regulations. Reasonable and  appropriate steps may include\
        \ ongoing manual reviews and automated scans of the  service provider\u2019\
        s system and regular internal or third-party assessments, audits, or  other\
        \ technical and operational testing at least once every 12 months."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a.8
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a
      ref_id: 7051-a.8
      description: Require the service provider or contractor to notify the business
        after it makes a  determination that it can no longer meet its obligations
        under the CCPA and these  regulations.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a.9
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a
      ref_id: 7051-a.9
      description: "Grant the business the right, upon notice, to take reasonable\
        \ and appropriate steps to  stop and remediate the service provider or contractor\u2019\
        s unauthorized use of personal  information. For example, the business may\
        \ require the service provider or contractor  to provide documentation that\
        \ verifies that they no longer retain or use the personal  information of\
        \ consumers that have made a valid request to delete with the business."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a.10
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-a
      ref_id: 7051-a.10
      description: ' Require the service provider or contractor to enable the business
        to comply with  consumer requests made pursuant to the CCPA or require the
        business to inform the  service provider or contractor of any consumer request
        made pursuant to the CCPA  that they must comply with and provide the information
        necessary for the service  provider or contractor to comply with the request.'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7051
      ref_id: 7051-b
      description: A service provider or contractor that subcontracts with another
        person in providing  services to the business for whom it is a service provider
        or contractor shall have a contract  with the subcontractor that complies
        with the CCPA and these regulations, including  subsection (a).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7051-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7051
      ref_id: 7051-c
      description: "Whether a business conducts due diligence of its service providers\
        \ and contractors factors  into whether the business has reason to believe\
        \ that a service provider or contractor is  CPPA  Page 51 of 67  using personal\
        \ information in violation of the CCPA and these regulations. For example,\
        \  depending on the circumstances, a business that never enforces the terms\
        \ of the contract  nor exercises its rights to audit or test the service provider\u2019\
        s or contractor\u2019s systems might  not be able to rely on the defense that\
        \ it did not have reason to believe that the service  provider or contractor\
        \ intends to use the personal information in violation of the CCPA and  these\
        \ regulations at the time the business disclosed the personal information\
        \ to the service  provider or contractor."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7052
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-4
      ref_id: '7052'
      name: Third Parties
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7052-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7052
      ref_id: 7052-a
      description: A third party that does not have a contract that complies with
        section 7053, subsection (a),  shall not collect, use, process, retain, sell,
        or share the personal information that the  business made available to it.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7052-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7052
      ref_id: 7052-B
      description: "A third party shall comply with the terms of the contract required\
        \ by the CCPA and these  regulations, which include treating the personal\
        \ information that the business made  available to it in a manner consistent\
        \ with the business\u2019s obligations under the CCPA and  these regulations."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7053
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-4
      ref_id: '7053'
      name: Contract Requirements for Third Parties.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7053-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7053
      ref_id: 7053-a
      description: "A business that sells or shares a consumer\u2019s personal information\
        \ with a third party shall  enter into an agreement with the third party that:"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7053-a.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7053-a
      ref_id: 7053-a.1
      description: Identifies the limited and specified purpose(s) for which the personal
        information is  made available to the third party. The purpose(s) shall not
        be described in generic  terms, such as referencing the entire contract generally.
        The description shall be  specific.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7053-a.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7053-a
      ref_id: 7053-a.2
      description: Specifies that the business is making the personal information
        available to the third  party only for the limited and specified purpose(s)
        set forth within the contract and  requires the third party to use it only
        for that limited and specified purpose(s).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7053-a.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7053-a
      ref_id: 7053-a.3
      description: "Requires the third party to comply with all applicable sections\
        \ of the CCPA and these  regulations, including\u2014with respect to the personal\
        \ information that the business  makes available to the third party\u2014\
        providing the same level of privacy protection as  required of businesses\
        \ by the CCPA and these regulations. For example, the contract  may require\
        \ the third party to comply with a consumer\u2019s request to opt-out of \
        \ CPPA  Page 52 of 67  sale/sharing forwarded to it by a first-party business\
        \ and to implement reasonable  security procedures and practices appropriate\
        \ to the nature of the personal  information to protect the personal information\
        \ from unauthorized or illegal access,  destruction, use, modification, or\
        \ disclosure in accordance with Civil Code section  1798.81.5."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7053-a.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7053-a
      ref_id: 7053-a.4
      description: "Grants the business the right\u2014with respect to the personal\
        \ information that the  business makes available to the third party\u2014\
        to take reasonable and appropriate  steps to ensure that the third party uses\
        \ it in a manner consistent with the business\u2019s  obligations under the\
        \ CCPA and these regulations. For example, the business may  require the third\
        \ party to attest that it treats the personal information the business  made\
        \ available to it in the same manner that the business is obligated to treat\
        \ it  under the CCPA and these regulations."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7053-a.5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7053-a
      ref_id: 7053-a.5
      description: Grants the business the right, upon notice, to take reasonable
        and appropriate steps  to stop and remediate unauthorized use of personal
        information made available to  the third party. For example, the business
        may require the third party to provide  documentation that verifies that it
        no longer retains or uses the personal information  of consumers who have
        had their requests to opt-out of sale/sharing forwarded to it  by the first
        party business.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7053-a.6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7053-a
      ref_id: 7053-a.6
      description: Requires the third party to notify the business after it makes
        a determination that it  can no longer meet its obligations under the CCPA
        and these regulations.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7053-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7053
      ref_id: 7053-b
      description: Whether a business conducts due diligence of the third party factors
        into whether the  business has reason to believe that the third party is using
        personal information in  violation of the CCPA and these regulations. For
        example, depending on the circumstances,  a business that never enforces the
        terms of the contract might not be able to rely on the  defense that it did
        not have reason to believe that the third party intends to use the  personal
        information in violation of the CCPA and these regulations at the time the  business
        disclosed the personal information to the third party.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:article-5
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:chapter-1
      ref_id: ARTICLE 5
      name: VERIFICATION OF REQUESTS
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7060
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-5
      ref_id: '7060'
      name: General Rules Regarding Verification.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7060
      ref_id: 7060-a
      description: A business shall establish, document, and comply with a reasonable
        method for verifying  that the person making a request to delete, request
        to correct, or request to know is the  consumer about whom the business has
        collected information.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7060
      ref_id: 7060-b
      description: "A business shall not require a consumer to verify their identity\
        \ to make a request to opt-  out of sale/sharing or to make a request to limit.\
        \ A business may ask the consumer for  information necessary to complete the\
        \ request; however, it shall not be burdensome on  the consumer. For example,\
        \ a business may ask the consumer for their name, but it shall  not require\
        \ the consumer to take a picture of themselves with their driver\u2019s license."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-c
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7060
      ref_id: 7060-c
      description: "In determining the method by which the business will verify the\
        \ consumer\u2019s identity, the  business shall:"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-c.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-c
      ref_id: 7060-c.1
      description: Whenever feasible, match the identifying information provided by
        the consumer to  the personal information of the consumer already maintained
        by the business, or use  a third-party identity verification service that
        complies with this section.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-c.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-c
      ref_id: 7060-c.2
      description: Avoid collecting the types of personal information identified in
        Civil Code section  1798.81.5, subdivision (d), unless necessary for the purpose
        of verifying the  consumer.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-c.3
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-c
      ref_id: 7060-c.3
      description: 'Consider the following factors:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-c.3.a
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-c.3
      ref_id: 7060-c.3.A
      description: The type, sensitivity, and value of the personal information collected
        and  maintained about the consumer. Sensitive personal information shall warrant
        a  more stringent verification process.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-c.3.b
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-c.3
      ref_id: 7060-c.3.B
      description: The risk of harm to the consumer posed by any unauthorized deletion,  correction,
        or access. A greater risk of harm to the consumer by unauthorized  deletion,
        correction, or access shall warrant a more stringent verification  process.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-c.3.c
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-c.3
      ref_id: 7060-c.3.C
      description: The likelihood that fraudulent or malicious actors would seek the
        personal  information. The higher the likelihood, the more stringent the verification  process
        shall be.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-c.3.d
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-c.3
      ref_id: 7060-c.3.D
      description: Whether the personal information to be provided by the consumer
        to verify  their identity is sufficiently robust to protect against fraudulent
        requests or  being spoofed or fabricated.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-c.3.e
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-c.3
      ref_id: 7060-c.3.E
      description: The manner in which the business interacts with the consumer.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-c.3.f
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-c.3
      ref_id: 7060-c.3.F
      description: Available technology for verification.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7060
      ref_id: 7060-d
      description: "A business shall generally avoid requesting additional information\
        \ from the consumer for  purposes of verification. If, however, the business\
        \ cannot verify the identity of the  consumer from the information already\
        \ maintained by the business, the business may  request additional information\
        \ from the consumer, which shall only be used for the  purposes of verifying\
        \ the identity of the consumer seeking to exercise their rights under  the\
        \ CCPA, security, or fraud-prevention. The business shall delete any new personal\
        \  CPPA  Page 54 of 67  information collected for the purposes of verification\
        \ as soon as practical after processing  the consumer\u2019s request, except\
        \ as required to comply with section 7101."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-e
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7060
      ref_id: 7060-e
      description: "A business shall not require the consumer or the consumer\u2019\
        s authorized agent to pay a fee  for the verification of their request to\
        \ delete, request to correct, or request to know. For  example, a business\
        \ may not require a consumer to provide a notarized affidavit to verify  their\
        \ identity unless the business compensates the consumer for the cost of notarization."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-f
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7060
      ref_id: 7060-f
      description: "A business shall implement reasonable security measures to detect\
        \ fraudulent identity-  verification activity and prevent the unauthorized\
        \ deletion, correction, or access of a  consumer\u2019s personal information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-g
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7060
      ref_id: 7060-g
      description: If a business maintains consumer information that is deidentified,
        a business is not  obligated to provide or delete this information in response
        to a consumer request or to re-  identify individual data to verify a consumer
        request.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7060-h
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7060
      ref_id: 7060-h
      description: "For requests to correct, the business shall make an effort to\
        \ verify the consumer based on  personal information that is not the subject\
        \ of the request to correct. For example, if the  consumer is contending that\
        \ the business has the wrong address for the consumer, the  business shall\
        \ not use address as a means of verifying the consumer\u2019s identity."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7061
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-5
      ref_id: '7061'
      name: Verification for Password-Protected Accounts.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7061-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7061
      ref_id: 7061-a
      description: "If a business maintains a password-protected account with the\
        \ consumer, the business may  verify the consumer\u2019s identity through\
        \ the business\u2019s existing authentication practices for  the consumer\u2019\
        s account, provided that the business follows the requirements in section\
        \  7060. The business shall also require a consumer to re-authenticate themselves\
        \ before  deleting, correcting, or disclosing the consumer\u2019s data."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7061-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7061
      ref_id: 7061-b
      description: "If a business suspects fraudulent or malicious activity on or\
        \ from the password-protected  account, the business shall not comply with\
        \ a consumer\u2019s request to delete, request to  correct, or request to\
        \ know until further verification procedures determine that the  consumer\
        \ request is authentic and the consumer making the request is the person about\
        \  whom the business has collected information. The business may use the procedures\
        \ set  forth in section 7062 to further verify the identity of the consumer."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7062
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-5
      ref_id: '7062'
      name: Verification for Non-Accountholders.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7062-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7062
      ref_id: 7062-a
      description: If a consumer does not have or cannot access a password-protected
        account with a  business, the business shall comply with this section, in
        addition to section 7060.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7062-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7062
      ref_id: 7062-b
      description: "A business\u2019s compliance with a request to know categories\
        \ of personal information  requires that the business verify the identity\
        \ of the consumer making the request to a  reasonable degree of certainty.\
        \ A reasonable degree of certainty may include matching at  least two data\
        \ points provided by the consumer with data points maintained by the  business\
        \ that it has determined to be reliable for the purpose of verifying the consumer."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7062-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7062
      ref_id: 7062-c
      description: "A business\u2019s compliance with a request to know specific pieces\
        \ of personal information  requires that the business verify the identity\
        \ of the consumer making the request to a  reasonably high degree of certainty.\
        \ A reasonably high degree of certainty may include  matching at least three\
        \ pieces of personal information provided by the consumer with  personal information\
        \ maintained by the business that it has determined to be reliable for  the\
        \ purpose of verifying the consumer together with a signed declaration under\
        \ penalty of  perjury that the requestor is the consumer whose personal information\
        \ is the subject of  the request. If a business uses this method for verification,\
        \ the business shall maintain all  signed declarations as part of its record-keeping\
        \ obligations."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7062-d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7062
      ref_id: 7062-d
      description: "A business\u2019s compliance with a request to delete or a request\
        \ to correct may require that  the business verify the identity of the consumer\
        \ to a reasonable or reasonably high degree  of certainty depending on the\
        \ sensitivity of the personal information and the risk of harm  to the consumer\
        \ posed by unauthorized deletion or correction. For example, the deletion\
        \  of family photographs or the correction of contact information may require\
        \ a reasonably  high degree of certainty, while the deletion of browsing history\
        \ or correction of marital  status may require only a reasonable degree of\
        \ certainty. A business shall act in good faith  when determining the appropriate\
        \ standard to apply when verifying the consumer in  accordance with these\
        \ regulations."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7062-e
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7062
      ref_id: 7062-e
      description: 'Illustrative examples follow:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7062-e.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7062-e
      ref_id: 7062-e.1
      description: 'Example 1: If a business maintains personal information in a manner
        associated with  a named actual person, the business may verify the consumer
        by requiring the  consumer to provide evidence that matches the personal information
        maintained by  the business. For example, if a retailer maintains a record
        of purchases made by a  consumer, the business may require the consumer to
        identify items that they  recently purchased from the store or the dollar
        amount of their most recent purchase  to verify their identity to a reasonable
        degree of certainty.'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7062-e.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7062-e
      ref_id: 7062-e.2
      description: ' Example 2: If a business maintains personal information in a
        manner that is not  associated with a named actual person, the business may
        verify the consumer by  requiring the consumer to demonstrate that they are
        the sole consumer associated  with the personal information. For example,
        a business may have a mobile  CPPA  Page 56 of 67  application that collects
        personal information about the consumer but does not  require an account.
        The business may determine whether, based on the facts and  considering the
        factors set forth in section 7060, subsection (b)(3), it may reasonably  verify
        a consumer by asking them to provide information that only the person who  used
        the mobile application may '
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7062-f
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7062
      ref_id: 7062-f
      description: A business shall deny a request to know specific pieces of personal
        information if it cannot  verify the identity of the requestor pursuant to
        these regulations.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7062-g
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7062
      ref_id: 7062-g
      description: If there is no reasonable method by which a business can verify
        the identity of the  consumer to the degree of certainty required by this
        section, the business shall state so in  response to any request and explain
        why it has no reasonable method by which it can  verify the identity of the
        requestor. If the business has no reasonable method by which it  can verify
        any consumer, the business shall explain why it has no reasonable verification  method
        in its privacy policy. The business shall evaluate and document whether a  reasonable
        method can be established at least once every 12 months, in connection with  the
        requirement to update the privacy policy set forth in Civil Code section 1798.130,  subdivision
        (a)(5).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7063
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-5
      ref_id: '7063'
      name: Authorized Agents.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7063-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7063
      ref_id: 7063-a
      description: 'When a consumer uses an authorized agent to submit a request to
        delete, request to  correct, or a request to know, a business may require
        the authorized agent to provide  proof that the consumer gave the agent signed
        permission to submit the request. The  business may also require the consumer
        to do either of the following:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7063-a.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7063-a
      ref_id: 7063-a.1
      description: Verify their own identity directly with the business.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7063-a.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7063-a
      ref_id: 7063-a.2
      description: Directly confirm with the business that they provided the authorized
        agent  permission to submit the request.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7063-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7063
      ref_id: 7063-b
      description: Subsection (a) does not apply when a consumer has provided the
        authorized agent with  power of attorney pursuant to Probate Code sections
        4121 to 4130. A business shall not  require power of attorney in order for
        a consumer to use an authorized agent to act on  their behalf.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7063-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7063
      ref_id: 7063-c
      description: "An authorized agent shall implement and maintain reasonable security\
        \ procedures and  practices to protect the consumer\u2019s information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7063-d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7063
      ref_id: 7063-d
      description: "An authorized agent shall not use a consumer\u2019s personal information,\
        \ or any information  collected from or about the consumer, for any purposes\
        \ other than to fulfill the consumer\u2019s  requests, verification, or fraud\
        \ prevention."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:article-6
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:chapter-1
      ref_id: ARTICLE 6
      name: SPECIAL RULES REGARDING CONSUMERS UNDER 16 YEARS OF AGE
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7070
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-6
      ref_id: '7070'
      name: Consumers Less Than 13 Years of Age
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7070-a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7070
      ref_id: 7070-a
      description: Process for Opting-In to Sale or Sharing of Personal Information
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7070-a.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7070-a
      ref_id: 7070-a.1
      description: A business that has actual knowledge that it sells or shares the
        personal information  of a consumer less than the age of 13 shall establish,
        document, and comply with a  reasonable method for determining that the person
        consenting to the sale or sharing  of the personal information about the child
        is the parent or guardian of that child.  This consent to the sale or sharing
        of personal information is in addition to any  verifiable parental consent
        required under COPPA.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7070-a.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7070-a
      ref_id: 7070-a.2
      description: "Methods that are reasonably calculated to ensure that the person\
        \ providing consent  is the child\u2019s parent or guardian include, but are\
        \ not limited to:"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7070-a.2.a
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7070-a.2
      ref_id: 7070-a.2.A
      description: Providing a consent form to be signed by the parent or guardian
        under penalty  of perjury and returned to the business by postal mail, facsimile,
        or electronic  scan;
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7070-a.2.b
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7070-a.2
      ref_id: 7070-a.2.B
      description: Requiring a parent or guardian, in connection with a monetary transaction,
        to  use a credit card, debit card, or other online payment system that provides  notification
        of each discrete transaction to the primary account holder;
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7070-a.2.c
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7070-a.2
      ref_id: 7070-a.2.C
      description: Having a parent or guardian call a toll-free telephone number staffed
        by trained  personnel;
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7070-a.2.d
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7070-a.2
      ref_id: 7070-a.2.D
      description: Having a parent or guardian connect to trained personnel via video-conference;
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7070-a.2.e
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7070-a.2
      ref_id: 7070-a.2.E
      description: Having a parent or guardian communicate in person with trained
        personnel;  and
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7070-a.2.f
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7070-a.2
      ref_id: 7070-a.2.F
      description: "Verifying a parent or guardian\u2019s identity by checking a form\
        \ of government-  issued identification against databases of such information,\
        \ as long as the  parent or guardian\u2019s identification is deleted by the\
        \ business from its records  promptly after such verification is complete."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7070-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7070
      ref_id: 7070-b
      description: When a business receives consent to the sale or sharing of personal
        information pursuant  to subsection (a), the business shall inform the parent
        or guardian of the right to opt-out of  sale/sharing and of the process for
        doing so on behalf of their child pursuant to section  7026, subsections (a)-(f).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7070-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7070
      ref_id: 7070-c
      description: ' A business shall establish, document, and comply with a reasonable
        method, in accordance  with the methods set forth in subsection (a)(2), for
        determining that a person submitting a  request to delete, request to correct,
        or request to know the personal information of a  child under the age of 13
        is the parent or guardian of that child.'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7071
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-6
      ref_id: '7071'
      name: Consumers at Least 13 Years of Age and Less Than 16 Years of Age
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7071.a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7071
      ref_id: 7071.a
      description: A business that has actual knowledge that it sells or shares the
        personal information of  consumers at least 13 years of age and less than
        16 years of age shall establish, document,  and comply with a reasonable process
        for allowing such consumers to opt-in to the sale or  sharing of their personal
        information, pursuant to section 7028.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7071.b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7071
      ref_id: 7071.b
      description: When a business receives a request to opt-in to the sale or sharing
        of personal information  from a consumer at least 13 years of age and less
        than 16 years of age, the business shall  inform the consumer of their ongoing
        right to opt-out of sale/sharing at any point in the  future and of the process
        for doing so pursuant to section 7026.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7072
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-6
      ref_id: '7072'
      name: Notices to Consumers Less Than 16 Years of Age
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7072-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7072
      ref_id: 7072-a
      description: A business subject to sections 7070 and/or 7071 shall include a
        description of the  processes set forth in those sections in its privacy policy.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7072-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7072
      ref_id: 7072-b
      description: A business that exclusively targets offers of goods or services
        directly to consumers under  16 years of age and does not sell or share the
        personal information without the consent of  consumers at least 13 years of
        age and less than 16 years of age, or the consent of their  parent or guardian
        for consumers under 13 years of age, is not required to provide the  Notice
        of Right to Opt-out of Sale/Sharing.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:article-7
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:chapter-1
      ref_id: ARTICLE 7
      name: NON-DISCRIMINATION
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7080
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-7
      ref_id: '7080'
      name: Discriminatory Practices.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7080-a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7080
      ref_id: 7080-a
      description: A price or service difference is discriminatory, and therefore
        prohibited by Civil Code  section 1798.125, if the business treats a consumer
        differently because the consumer  exercised a right conferred by the CCPA
        or these regulations.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7080-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7080
      ref_id: 7080-b
      description: "A business may offer a price or service difference that is non-discriminatory.\
        \ A price or  service difference is non-discriminatory if it is reasonably\
        \ related to the value of the  consumer\u2019s data. If a business is unable\
        \ to calculate a good-faith estimate of the value of  the consumer\u2019s\
        \ data or cannot show that the price or service difference is reasonably \
        \ related to the value of the consumer\u2019s data, that business shall not\
        \ offer the price or  service difference."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7080-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7080
      ref_id: 7080-c
      description: "A business\u2019s denial of a consumer\u2019s request to delete,\
        \ request to correct, request to know,  or request to opt-out of sale/sharing\
        \ for reasons permitted by the CCPA or these  regulations shall not be considered\
        \ discriminatory."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7080-d
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7080
      ref_id: 7080-d
      description: 'Illustrative examples follow:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7080-d.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7080-d
      ref_id: 7080-d.1
      description: "Example 1: A music streaming business offers a free service as\
        \ well as a premium  service that costs $5 per month. If only the consumers\
        \ who pay for the music  streaming service are allowed to opt-out of the sale\
        \ or sharing of their personal  information, then the practice is discriminatory,\
        \ unless the $5-per-month payment is  reasonably related to the value of the\
        \ consumer\u2019s data to the business."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7080-d.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7080-d
      ref_id: 7080-d.2
      description: "Example 2: A clothing business offers a loyalty program whereby\
        \ customers receive a  $5-off coupon by email after spending $100 with the\
        \ business. A consumer submits a  request to delete all personal information\
        \ the business has collected about them but  also informs the business that\
        \ they want to continue to participate in the loyalty  program. The business\
        \ may deny their request to delete with regard to their email  address and\
        \ the amount the consumer has spent with the business because that  information\
        \ is necessary for the business to provide the loyalty program requested by\
        \  the consumer and is reasonably anticipated within the context of the business\u2019\
        s  ongoing relationship with them pursuant to Civil Code section 1798.105,\
        \ subdivision  (d)(1)."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7080-d.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7080-d
      ref_id: 7080-d.3
      description: "Example 3: A grocery store offers a loyalty program whereby consumers\
        \ receive  coupons and special discounts when they provide their phone numbers.\
        \ A consumer  submits a request to opt-out of the sale/sharing of their personal\
        \ information. The  retailer complies with their request but no longer allows\
        \ the consumer to participate  in the loyalty program. This practice is discriminatory\
        \ unless the grocery store can  demonstrate that the value of the coupons\
        \ and special discounts are reasonably  related to the value of the consumer\u2019\
        s data to the business."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7080-d.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7080-d
      ref_id: 7080-d.4
      description: "Example 4: An online bookseller collects information about consumers,\
        \ including  their email addresses. It offers coupons to consumers through\
        \ browser pop-up  windows while the consumer uses the bookseller\u2019s website.\
        \ A consumer submits a  request to delete all personal information that the\
        \ bookseller has collected about  them, including their email address and\
        \ their browsing and purchasing history. The  bookseller complies with the\
        \ request but stops providing the periodic coupons to the  consumer. The bookseller\u2019\
        s failure to provide coupons is discriminatory unless the  CPPA  Page 60 of\
        \ 67  value of the coupons is reasonably related to the value provided to\
        \ the business by  the consumer\u2019s data. The bookseller may not deny the\
        \ consumer\u2019s request to delete  with regard to the email address because\
        \ the email address is not necessary to  provide the coupons or reasonably\
        \ aligned with the expectations of the consumer  based on the consumer\u2019\
        s relationship with the business."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7080-e
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7080
      ref_id: 7080-e
      description: A business shall notify consumers of any financial incentive or
        price or service difference  subject to Civil Code section 1798.125 that it
        offers in accordance with section 7016.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7080-f
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7080
      ref_id: 7080-f
      description: "A business\u2019s charging of a reasonable fee pursuant to Civil\
        \ Code section 1798.145,  subdivision (h)(3), shall not be considered a financial\
        \ incentive subject to these regulations."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7080-g
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7080
      ref_id: 7080-g
      description: A price or service difference that is the direct result of compliance
        with a state or federal  law shall not be considered discriminatory.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7081
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-7
      ref_id: '7081'
      name: Calculating the Value of Consumer Data
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7081-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7081
      ref_id: 7081-a
      description: "A business offering a price or service difference subject to Civil\
        \ Code section 1798.125 shall use and document a reasonable and good-faith\
        \ method for calculating the value of the consumer\u2019s data. The business\
        \ shall consider one or more of the following:"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7081-a.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7081-a
      ref_id: 7081-a.1
      description: "The marginal value to the business of the sale, collection, or\
        \ deletion of a consumer\u2019s  data."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7081-a.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7081-a
      ref_id: 7081-a.2
      description: "The average value to the business of the sale, collection, or\
        \ deletion of a consumer\u2019s  data."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7081-a.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7081-a
      ref_id: 7081-a.3
      description: "The aggregate value to the business of the sale, collection, or\
        \ deletion of consumers\u2019  data divided by the total number of consumers."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7081-a.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7081-a
      ref_id: 7081-a.4
      description: " Revenue generated by the business from sale, collection, or retention\
        \ of consumers\u2019  personal information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7081-a.5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7081-a
      ref_id: 7081-a.5
      description: "Expenses related to the sale, collection, or retention of consumers\u2019\
        \ personal  information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7081-a.6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7081-a
      ref_id: 7081-a.6
      description: Expenses related to the offer, provision, or imposition of any
        financial incentive or  price or service difference.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7081-a.7
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7081-a
      ref_id: 7081-a.7
      description: "Profit generated by the business from sale, collection, or retention\
        \ of consumers\u2019  personal information."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7081-a.8
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7081-a
      ref_id: 7081-a.8
      description: Any other practical and reasonably reliable method of calculation
        used in good faith.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7081-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7081
      ref_id: 7081-b
      description: For the purpose of calculating the value of consumer data, a business
        may consider the  value to the business of the data of all natural persons
        in the United States and not just  consumers.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:article-8
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:chapter-1
      ref_id: ARTICLE 8
      name: TRAINING AND RECORD-KEEPING
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7100
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-8
      ref_id: '7100'
      name: Training
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7100-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7100
      ref_id: 7100-a
      description: "All individuals responsible for handling consumer inquiries about\
        \ the business\u2019s  information practices or the business\u2019s compliance\
        \ with the CCPA shall be informed of all  of the requirements in the CCPA\
        \ and these regulations and how to direct consumers to  exercise their rights\
        \ under the CCPA and these regulations."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7100-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7100
      ref_id: 7100-b
      description: "A business that knows or reasonably should know that it, alone\
        \ or in combination, buys,  receives for the business\u2019s commercial purposes,\
        \ sells, or shares for commercial purposes  the personal information of 10,000,000\
        \ or more consumers in a calendar year shall  establish, document, and comply\
        \ with a training policy to ensure that all individuals  responsible for handling\
        \ consumer requests made under the CCPA or the business\u2019s  compliance\
        \ with the CCPA are informed of all the requirements in these regulations\
        \ and  the CCPA."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7101
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-8
      ref_id: '7101'
      name: Record-Keeping
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7101-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7101
      ref_id: 7101-a
      description: A business shall maintain records of consumer requests made pursuant
        to the CCPA and  how it responded to the requests for at least 24 months.
        The business shall implement and  maintain reasonable security procedures
        and practices in maintaining these records.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7101-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7101
      ref_id: 7101-b
      description: "The records may be maintained in a ticket or log format provided\
        \ that the ticket or log  includes the date of request, nature of request,\
        \ manner in which the request was made,  the date of the business\u2019s response,\
        \ the nature of the response, and the basis for the  denial of the request\
        \ if the request is denied in whole or in part."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7101-c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7101
      ref_id: 7101-c
      description: "A business\u2019s maintenance of the information required by this\
        \ section, where that  information is not used for any other purpose, does\
        \ not taken alone violate the CCPA or  these regulations."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7101-d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7101
      ref_id: 7101-d
      description: Information maintained for record-keeping purposes shall not be
        used for any other  purpose except as reasonably necessary for the business
        to review and modify its  CPPA  Page 62 of 67  processes for compliance with
        the CCPA and these regulations. Information maintained for  record-keeping
        purposes shall not be shared with any third party except as necessary to  comply
        with a legal obligation.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7101-e
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7101
      ref_id: 7101-e
      description: Other than as required by subsection (b), a business is not required
        to retain personal  information solely for the purpose of fulfilling a consumer
        request made under the CCPA.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7102
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-8
      ref_id: '7102'
      name: Requirements for Businesses Collecting Large Amounts of Personal Information
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7102-a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7102
      ref_id: 7102-a
      description: "A business that knows or reasonably should know that it, alone\
        \ or in combination, buys,  receives for the business\u2019s commercial purposes,\
        \ sells, shares, or otherwise makes  available for commercial purposes the\
        \ personal information of 10,000,000 or more  consumers in a calendar year\
        \ shall:"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7102-a.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7102-a
      ref_id: 7102-a.1
      description: 'Compile the following metrics for the previous calendar year:'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7102-a.1.a
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7102-a.1
      ref_id: 7102-a.1.A
      description: The number of requests to delete that the business received, complied
        with in  whole or in part, and denied;
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7102-a.1.b
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7102-a.1
      ref_id: 7102-a.1.B
      description: The number of requests to correct that the business received, complied
        with in  whole or in part, and denied;
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7102-a.1.c
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7102-a.1
      ref_id: 7102-a.1.C
      description: The number of requests to know that the business received, complied
        with in  whole or in part, and denied;
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7102-a.1.d
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7102-a.1
      ref_id: 7102-a.1.D
      description: The number of requests to opt-out of sale/sharing that the business
        received,  complied with in whole or in part, and denied;
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7102-a.1.e
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7102-a.1
      ref_id: 7102-a.1.E
      description: The number of requests to limit that the business received, complied
        with in  whole or in part, and denied; and
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7102-a.1.f
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7102-a.1
      ref_id: 7102-a.1.F
      description: The median or mean number of days within which the business substantively  responded
        to requests to delete, requests to correct, requests to know,  requests to
        opt-out of sale/sharing, and requests to limit.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7102-a.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7102-a
      ref_id: 7102-a.2
      description: Disclose, by July 1 of every calendar year, the information compiled
        in subsection  (a)(1) within their privacy policy or posted on their website
        and accessible from a link  included in their privacy policy. In its disclosure,
        a business may choose to disclose  the number of requests that it denied in
        whole or in part because the request was  not verifiable, was not made by
        a consumer, called for information exempt from  disclosure, or was denied
        on other grounds.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7102-b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7102
      ref_id: 7102-b
      description: A business may choose to compile and disclose the information required
        by subsection  (a)(1) for requests received from all individuals, rather than
        requests received from  consumers. The business shall state whether it has
        done so in its disclosure and shall, upon  request, compile and provide to
        the Attorney General the information required by  subsection (a)(1) for requests
        received from consumers.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:article-9
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:chapter-1
      ref_id: ARTICLE 9
      name: ' INVESTIGATIONS AND ENFORCEMENT'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7300
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-9
      ref_id: '7300'
      name: Sworn Complaints Filed with the Agency
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7300-a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7300
      ref_id: 7300-a
      description: "Requirements for filing a sworn complaint. Sworn complaints may\
        \ be filed with the  Enforcement Division via the electronic complaint system\
        \ available on the Agency\u2019s  website at https://cppa.ca.gov/ or submitted\
        \ in person or by mail to the headquarters  office of the Agency."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:node543
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7300
      description: A complaint must
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7300-a.1
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node543
      ref_id: 7300-a.1
      description: Identify the business, service provider, contractor, or person
        who allegedly violated  the CCPA;
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7300-a.2
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node543
      ref_id: 7300-a.2
      description: State the facts that support each alleged violation and include
        any documents or  other evidence supporting this conclusion;
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7300-a.3
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node543
      ref_id: 7300-a.3
      description: Authorize the alleged violator and the Agency to communicate regarding
        the  complaint, including disclosing the complaint and any information relating
        to the  complaint;
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7300-a.4
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node543
      ref_id: 7300-a.4
      description: Include the name and current contact information of the complainant;
        and
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7300-a.5
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:node543
      ref_id: 7300-a.5
      description: Be signed and submitted under penalty of perjury.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7300-b
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7300
      ref_id: 7300-b
      description: The Enforcement Division will notify the complainant in writing
        of the action, if any, the  Agency has taken or plans to take on the complaint,
        together with the reasons for that  action or nonaction. Duplicate complaints
        submitted by the same complainant may be  rejected without notice.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7301
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-9
      ref_id: '7301'
      name: ' Investigations'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7301-a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7301
      ref_id: 7301-a
      description: The Agency may open investigations upon the sworn complaint of
        any person or on its own  initiative. For example, the Agency may initiate
        investigations based upon referrals from  government agencies or private organizations,
        and nonsworn or anonymous complaints.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7301-b
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7301
      ref_id: 7301-b
      description: "As part of the Agency\u2019s decision to pursue investigations\
        \ of possible or alleged violations of  the CCPA, the Agency may consider\
        \ all facts it determines to be relevant, including the  amount of time between\
        \ the effective date of the statutory or regulatory requirement(s)  and the\
        \ possible or alleged violation(s) of those requirements, and good-faith efforts\
        \ to  comply with those requirements."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7302
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-9
      ref_id: '7302'
      name: Probable Cause Proceedings
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7302-a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7302
      ref_id: 7302-a
      description: Probable Cause. Under Civil Code section 1798.199.50, probable
        cause exists when the  evidence supports a reasonable belief that the CCPA
        has been violated.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7302-b
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7302
      ref_id: 7302-b
      description: Probable Cause Notice. The Enforcement Division will provide the
        alleged violator with  notice of the probable cause proceeding as required
        by Civil Code section 1798.199.50.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7302-c
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7302
      ref_id: 7302-c
      description: Probable Cause Proceeding.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7302-c.1
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7302-c
      ref_id: 7302-c.1
      description: The proceeding shall be closed to the public unless the alleged
        violator files, at least  10 business days before the proceeding, a written
        request for a public proceeding. If  the proceeding is not open to the public,
        then the proceeding may be conducted in  whole or in part by telephone or
        videoconference.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7302-c.2
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7302-c
      ref_id: 7302-c.2
      description: The Agency shall conduct the proceeding informally. Only the alleged
        violator(s), their  legal counsel, and the Enforcement Division shall have
        the right to participate at the  proceeding. The Agency shall determine whether
        there is probable cause based on the  probable cause notice and any information
        or arguments presented at the probable  cause proceeding by the parties.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7302-c.3
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7302-c
      ref_id: 7302-c.3
      description: If the alleged violator(s) fails to participate or appear at the
        probable cause  proceeding, the alleged violator(s) waives the right to further
        probable cause  proceedings under Civil Code section 1798.199.50, and the
        Agency shall determine  whether there is probable cause based on the notice
        and any information or  arguments provided by the Enforcement Division.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7302-d
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7302
      ref_id: 7302-d
      description: "Probable Cause Determination. The Agency shall issue a written\
        \ decision with its probable  cause determination and serve it on the alleged\
        \ violator electronically or by mail. The  Agency\u2019s probable cause determination\
        \ is final and not subject to appeal."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7302-e
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7302
      ref_id: 7302-e
      description: Notices of probable cause and probable cause determinations shall
        not be open to the  public nor admissible in evidence in any action or special
        proceeding other than one  enforcing the CCPA.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7303
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-9
      ref_id: '7303'
      name: Stipulated Orders.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7303-a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7303
      ref_id: 7303-a
      description: At any time before or during an administrative hearing and in lieu
        of such a hearing, the  Head of Enforcement and the alleged violator may stipulate
        to the entry of a final order. If  a stipulation has been agreed upon and
        the scheduled date of the hearing is set to occur  before the next Board meeting,
        the Enforcement Division will apply for a continuance of  the hearing.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7303-b
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7303
      ref_id: 7303-b
      description: The final order must be approved by the Board, which may consider
        the matter in closed  session.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7303-c
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7303
      ref_id: 7303-c
      description: The stipulated final order shall be public and have the force of
        an order of the Board.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7304
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-9
      ref_id: '7304'
      name: Agency Audits
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7304-a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7304
      ref_id: 7304-a
      description: Scope. The Agency may audit a business, service provider, contractor,
        or person to ensure  compliance with any provision of the CCPA.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7304-b
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7304
      ref_id: 7304-b
      description: "Criteria for Selection. The Agency may conduct an audit to investigate\
        \ possible violations of  the CCPA. Alternatively, the Agency may conduct\
        \ an audit if the subject\u2019s collection or  processing of personal information\
        \ presents significant risk to consumer privacy or  security, or if the subject\
        \ has a history of noncompliance with the CCPA or any other  privacy protection\
        \ law."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7304-c
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7304
      ref_id: 7304-c
      description: Audits may be announced or unannounced as determined by the Agency.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7304-d
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7304
      ref_id: 7304-d
      description: "Failure to Cooperate. A subject\u2019s failure to cooperate during\
        \ the Agency\u2019s audit may result  in the Agency issuing a subpoena, seeking\
        \ a warrant, or otherwise exercising its powers to  ensure compliance with\
        \ the CCPA."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7304-e
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7304
      ref_id: 7304-e
      description: Protection of Personal Information. Consumer personal information
        disclosed to the  Agency during an audit shall be maintained in compliance
        with the Information Practices  Act of 1977, Civil Code section 1798, et seq.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:chapter-2
      assessable: false
      depth: 1
      ref_id: CHAPTER 2
      name: CONFLICT OF INTEREST
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7500
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:chapter-2
      ref_id: '7500'
      name: California Privacy Protection Agency -- Conflict-of-Interest Code.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:node574
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7500
      description: "The Political Reform Act (Government Code Section 81000, et seq.)\
        \ requires state and local  government agencies to adopt and promulgate conflict\
        \ of interest codes. The Fair Political  Practices Commission has adopted\
        \ a regulation (2 California Code of Regulations Section  18730), that contains\
        \ the terms of a standard conflict of interest code which can be  incorporated\
        \ by reference in an agency\u2019s code. After public notice and hearing,\
        \ the standard  code may be amended by the Fair Political Practices Commission\
        \ to conform to amendments in  the Political Reform Act. Therefore, the terms\
        \ of 2 California Code of Regulations Section 18730  and any amendments to\
        \ it duly adopted by the Fair Political Practices Commission are hereby  incorporated\
        \ by reference into the Conflict of Interest Code for the California Privacy\
        \ Protection  Agency. This regulation and the attached Appendices, designating\
        \ positions, and establishing  disclosure requirement categories, shall constitute\
        \ the Conflict of Interest code of the California  Privacy Protection Agency\
        \ (CPPA)."
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:node575
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7500
      description: The statement of economic interests for the CPPA Board Members
        and the Executive Director  shall be filed electronically with the Fair Political
        Practices Commission. All other individuals  holding designated positions
        shall file their statements with the CPPA. All statements must be  made available
        for public inspection and reproduction (Gov. Code Sec. 81008).
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:appendix-a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:chapter-2
      ref_id: APPENDIX A
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:node577
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:appendix-a
      description: 'Designated Positions : California Privacy Protection Agency Board
        Members   Disclosure Category: 1'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:node578
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:appendix-a
      description: 'Designated Positions : Executive Director   Disclosure Category:
        1'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:node579
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:appendix-a
      description: 'Designated Positions : Chief Privacy Auditor   Disclosure Category:
        1'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:node580
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:appendix-a
      description: 'Designated Positions : Attorney (all levels)   Disclosure Category:
        1'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:node581
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:appendix-a
      description: 'Designated Positions : Deputy Director of Administration   Disclosure
        Category: 2'
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:node582
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:appendix-a
      description: "Designated Positions : Consultants / New Positions   Disclosure\
        \ Category: *  \n* Consultants/new positions shall be included in the list\
        \ of designated positions and  shall disclose pursuant to the broadest disclosure\
        \ category in the code subject to the  following limitation:"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:node583
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:appendix-a
      description: "The Executive Director may determine in writing that a particular\
        \ consultant or new position,  although a \u201Cdesignated position,\u201D\
        \ is hired to perform a range of duties that is limited in scope  and thus\
        \ is not required to comply with the disclosure requirements described in\
        \ this section.  Such determination shall include a description of the consultant\u2019\
        s or new position\u2019s duties and,  CPPA  Page 67 of 67  based upon that\
        \ description, a statement of the extent of disclosure requirements. The \
        \ Executive Director\u2019s determination is a public record and shall be\
        \ retained for public inspection  in the same manner and location as this\
        \ conflict-of-interest code. (Gov. Code Sec. 81008.)"
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:appendix-b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:chapter-2
      ref_id: APPENDIX B
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:node585
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:appendix-b
      description: Disclosure Categories
    - urn: 'urn:intuitem:risk:req_node:ccpa_regulations:category-1:'
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:appendix-b
      ref_id: 'Category 1:'
      description: Designated positions in this category shall disclose investments,
        business positions in business  entities and income, (including receipt of
        gifts, loans and travel payments) and real property in  the state of California.
    - urn: 'urn:intuitem:risk:req_node:ccpa_regulations:category-2:'
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:appendix-b
      ref_id: 'Category 2:'
      description: Designated positions in this category shall disclose investments,
        business positions in business  entities and income (including receipt of
        gifts, loans and travel payments), from sources that  provide leased facilities,
        goods, equipment, vehicles, machinery or services, including training  or
        consulting services of the type utilized by the California Privacy Protection
        Agency.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:chapter-3.
      assessable: false
      depth: 1
      ref_id: CHAPTER 3.
      name: DATA BROKER REGISTRATION
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:article-1.
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:chapter-3.
      ref_id: ARTICLE 1.
      name: ANNUAL REGISTRATION FEES
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7600
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:article-1.
      ref_id: '7600'
      name: Annual Registration Fee.
    - urn: urn:intuitem:risk:req_node:ccpa_regulations:7600-a
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccpa_regulations:7600
      ref_id: 7600-a
      description: The annual fee to register as a data broker is $400.00.