86 | 
California Consumer Privacy Act of 2018 (as amended by the
California Privacy Rights Act of 2020) and Related Regulations
(g)  A business may provide Providing a means by which the consumer can confirm that their request to opt-out of sale/
sharing has been processed by the business. For example, the business may display on its website “Consumer Opted Out
of Sale/Sharing” or display through a toggle or radio button that the consumer has opted out of the sale of their personal
information.
(h)  In responding to a request to opt-out of sale/sharing, a business may present the consumer with the choice to opt-out
of the sale or sharing of personal information for certain uses as long as a single option to opt-out of the sale or sharing
of all personal information is also offered. However, doing so in response to an opt-out preference signal will prevent the
business from using the exception set forth in Civil Code section 1798.135, subdivision (b)(1).
(i)  A business that responds to a request to opt-out of sale/sharing by informing the consumer of a charge for the use of any
product or service shall comply with Article 7 and shall provide the consumer with a Notice of Financial incentive that
complies with section 7016 in its response. However, doing so in response to an opt-out preference signal will prevent the
business from using the exception set forth in Civil Code section 1798.135, subdivision (b)(1).
(j)  A consumer may use an authorized agent to submit a request to opt-out of sale/sharing on the consumer’s behalf if the
consumer provides the authorized agent written permission signed by the consumer. A business may deny a request from
an authorized agent if the agent cannot does not provide to the business the consumer’s signed permission demonstrating
that they have been authorized by the consumer to act on the consumer’s behalf. The requirement to obtain and provide
written permission from the consumer does not apply to requests made by an opt-out preference signal.
(k)  Except as allowed by these regulations, a business shall wait at least 12 months from the date the consumer’s request
before asking a consumer who has opted out of the sale or sharing of their personal information to consent to the sale or
sharing of their personal information.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135, 1798.140 and 1798.185, Civil
Code.
11 C.F.R. § 7027. Requests to Limit Use and Disclosure of Sensitive Personal Information
(a)  The unauthorized use or disclosure of sensitive personal information creates a heightened risk of harm for the consumer.
The purpose of the request to limit is to give consumers meaningful control over how their sensitive personal information is
collected, used, and disclosed. It gives the consumer the ability to limit the business’s use of sensitive personal information
to that which is necessary to perform the services or provide the goods reasonably expected by an average consumer who
requests those goods or services, with some narrowly tailored exceptions, which are set forth in subsection (m). Sensitive
personal information that is collected or processed without the purpose of inferring characteristics about a consumer is
not subject to requests to limit.
(b)  A business that uses or discloses sensitive personal information for purposes other than those set forth in subsection (m)
shall provide two or more designated methods for submitting requests to limit. A business shall consider the methods by
which it interacts with consumers, the manner in which the business collects the sensitive personal information that it uses
for purposes other than those set forth in subsection (m), available technology, and ease of use by the consumer when
determining which methods consumers may use to submit requests to limit. At least one method offered shall reflect the
manner in which the business primarily interacts with the consumer. Illustrative examples follow.
(1)  A business that collects sensitive personal information from consumers online shall, at a minimum, allow consumers
to submit requests to limit through an interactive form accessible via the “Limit the Use of My Sensitive Personal
Information” link or the Alternative Opt-out Link.
(2)  A business that interacts with consumers in person and online may provide an inperson method for submitting requests
to limit in addition to the online form.