(gg)  “Right to limit” means the consumer’s right to request that a business limit the use and disclosure of a consumer’s
sensitive personal information as set forth in Civil Code section 1798.121.
(hh)  “Right to opt-out of sale/sharing” means the consumer’s right to direct a business that sells or shares personal information
about the consumer to third parties to stop doing so as set forth in Civil Code section 1798.120.
(ii)  “Signed” means that the written attestation, declaration, or permission has either been physically signed or provided
electronically in accordance with the Uniform Electronic Transactions Act, Civil Code section 1633.1 et seq.
(jj)  “Third-party identity verification service” means a security process offered by an independent third party that verifies the
identity of the consumer making a request to the business. Third-party identity verification services are subject to the
requirements set forth in Article 5 regarding and requests to delete, requests to correct, or requests to know.
(kk)  “Unstructured” as it relates to personal information means personal information that is not organized in a pre-defined
manner and could not be retrieved or organized in a pre-defined manner without disproportionate effort on behalf of the
business, service provider, contractor, or third party.
(ll)  “Value of the consumer’s data” means the value provided to the business by the consumer’s data as calculated under
section 7081.
(mm)  “Verify” means to determine that the consumer making request to delete, request to correct, or request to know is
the consumer about whom the business has collected information, or if that consumer is less than 13 years of age, the
consumer’s parent or legal guardian.
Note: Authority cited: Sections 1798.175 and 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106,
1798.110, 1798.115, 1798.120, 1798.121, 1798.125, 1798.130, 1798.135, 1798.140, 1798.145, 1798.150, 1798.155,
1798.175, 1798.185, 1798.199.40, 1798.199.45, 1798.199.50, 1798.199.55 and 1798.199.65, Civil Code
11 C.C.R. § 7002. Restrictions on the Collection and Use of Personal Information
(a)  In accordance with Civil Code section 1798.100, subdivision (c), a business’s collection, use, retention, and/or sharing of a
consumer’s personal information shall be reasonably necessary and proportionate to achieve:
(1)  The purpose(s) for which the personal information was collected or processed, which shall comply with the requirements
set forth in subsection (b); or
(2)  Another disclosed purpose that is compatible with the context in which the personal information was collected, which
shall comply with the requirements set forth in subsection (c).
(b)  The purpose(s) for which the personal information was collected or processed shall be consistent with the reasonable
expectations of the consumer(s) whose personal information is collected or processed. The consumer’s (or consumers’)
reasonable expectations concerning the purpose for which their personal information will be collected or processed shall
be based on the following:
(1)  The relationship between the consumer(s) and the business. For example, if the consumer is intentionally interacting
with the business on its website to purchase a good or service, the consumer likely expects that the purpose for
collecting or processing the personal information is to provide that good or service. By contrast, for example, the
consumer of a business’s mobile flashlight application would not expect the business to collect the consumer’s
geolocation information to provide the flashlight service.
California Consumer Privacy Act of 2018 (as amended by the
63 | 
California Privacy Rights Act of 2020) and Related Regulations