Page 65 - GDPR and US States General Privacy Laws Deskbook

proportionate to achieve any purpose for which the business obtains the consumer’s consent in compliance with subsection
(e). Whether a business’s collection, use, retention, and/or sharing of a consumer’s personal information is reasonably
necessary and proportionate to achieve the purpose identified in compliance with subsection (a)(1) or (a)(2), or any purpose
for which the business obtains consent, shall be based on the following:
(1)  The minimum personal information that is necessary to achieve the purpose identified in compliance with subsection
(a)(1) or (a)(2), or any purpose for which the business obtains consent. For example, to complete an online purchase
and send an email confirmation of the purchase to the consumer, an online retailer may need the consumer’s order
information, payment and shipping information, and email address.
(2)  The possible negative impacts on consumers posed by the business’s collection or processing of the personal
information. For example, a possible negative impact of collecting precise geolocation information is that it may reveal
other sensitive personal information about the consumer, such as health information based on visits to healthcare
providers.
(3)  The existence of additional safeguards for the personal information to specifically address the possible negative impacts
on consumers considered by the business in subsection (d)(2). For example, a business may consider encryption or
automatic deletion of personal information within a specific window of time as potential safeguards.
(e)  A business shall obtain the consumer’s consent in accordance with section 7004 before collecting or processing personal
information for any purpose that does not meet the requirements set forth in subsection (a).
(f)  A business shall not collect categories of personal information other than those disclosed in its Notice at Collection in
accordance with the CCPA and section 7012. If the business intends to collect additional categories of personal information
or intends to use the personal information for additional purposes that are incompatible with the disclosed purpose
for which the personal information was collected, the business shall provide a new Notice at Collection. However, any
additional collecting or processing of personal information shall comply with subsection (a).
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.106, 1798.121, 1798.130, 1798.135
and 1798.185, Civil Code.
11 C.C.R. § 7003. Requirements for Disclosures and Communications to Consumers
(a)  Disclosures and communications to consumers shall be easy to read and understandable to consumers. For example, they
shall use plain, straightforward language and avoid technical or legal jargon.
(b) Disclosures required under Article 2 shall also:
(1) Use a format that makes the disclosure readable, including on smaller screens, if applicable.
(2)  Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale
announcements, and other information to consumers in California.
(3)  Be reasonably accessible to consumers with disabilities. For notices provided online, the business shall follow generally
recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from
the World Wide Web Consortium, incorporated herein by reference. In other contexts, the business shall provide
information on how a consumer with a disability may access the policy in an alternative format.
(c)  For websites, a conspicuous link required under the CCPA or these regulations shall appear in a similar manner as other
similarly-posted links used by the business on its homepage(s). For example, the business shall use a font size and color that
is at least the approximate size or color as other links next to it that are used by the business on its homepage(s).
California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) and Related Regulations