Statutory Construction and Interpretation
The CCPA includes several provisions governing how the law should be interpreted, its relationship to other laws, and the regulatory framework that implements it. These statutory construction rules guide courts, businesses, and the California Privacy Protection Agency (CPPA) in applying the law.
Constitutional Foundation and Purpose
The CCPA is grounded in the California Constitution's right to privacy and is intended to supplement existing consumer privacy protections. The law's fundamental construction principle is found in Section 1798.194:
"This title shall be liberally construed to effectuate its purposes."
This directive requires interpreters to favor broad application of consumer privacy protections when ambiguities arise.
Conflicting Provisions and Harmonization
Section 1798.175 establishes the hierarchy when the CCPA conflicts with other laws:
| Principle | Rule |
|---|---|
| Supplemental nature | CCPA supplements existing privacy laws, including Business and Professions Code Chapter 22 (Sec. 22575+) and Title 1.81 (Sec. 1798.80+) |
| Scope of application | Applies to all personal information collection by businesses from consumers, not limited to electronic or internet-based collection |
| Harmonization standard | Laws relating to consumers' personal information should be construed to harmonize with CCPA provisions wherever possible |
| Conflict resolution | When harmonization is impossible, the law affording the greatest protection for the right of privacy controls |
This "pro-privacy" tiebreaker ensures that consumer protections are maximized when multiple laws apply to the same situation.
State Preemption of Local Rules
Section 1798.180 establishes the CCPA as a matter of statewide concern:
"This title is a matter of statewide concern and supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection and sale of consumers' personal information by a business."
This provision prevents a patchwork of local privacy ordinances, ensuring uniform application across California. Businesses operating in multiple California jurisdictions need only comply with the single statewide CCPA framework.
Anti-Avoidance Doctrine
Section 1798.190 prohibits circumvention of the law through technical structuring:
Courts and the CPPA are authorized to disregard intermediate steps or transactions in two scenarios:
(a) Multi-step evasion schemes
If a series of steps or transactions were component parts of a single transaction intended from the beginning to avoid CCPA's reach, including:
- Disclosure of information to a third party to avoid the definition of "sell" or "share"
- Complex transaction chains designed to obscure the ultimate sale or sharing
(b) Purposeful restructuring to avoid "sale" or "share" definitions
If steps or transactions were taken to purposely avoid these definitions by:
- Eliminating monetary or other valuable consideration from contracts
- Entering into contracts without explicit exchange terms, but where a party obtains something of value or use
This anti-avoidance rule prevents businesses from using legal formalism to undermine consumer rights.
Federal Law Relationship
Section 1798.196 defines CCPA's relationship to federal law:
"This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the United States or California Constitution."
The CCPA yields only when:
- Federal law explicitly preempts state privacy regulation in the specific area, or
- Application would create an irreconcilable conflict with federal statutory or constitutional requirements
For specific federal law interactions, see /legal-framework/exemptions-limitations.
Waiver Prohibition
Section 1798.192 invalidates contractual attempts to limit CCPA rights:
"Any provision of a contract or agreement of any kind, including a representative action waiver, that purports to waive or limit in any way rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable."
Exception: This does not prevent a consumer from:
- Voluntarily declining to request information from a business
- Declining to opt out of a business's sale of personal information
- Authorizing a business to sell or share personal information after previously opting out
Businesses cannot require consumers to waive CCPA rights as a condition of service, employment, or any contractual relationship. Such provisions are automatically void.
Regulatory Authority Under Section 1798.185
Section 1798.185 grants the Attorney General (and subsequently the CPPA) extensive rulemaking authority to implement the CCPA. The section mandates regulations in 21 specific areas.
Rulemaking Timeline:
├─ Original deadline: July 1, 2020 (Attorney General)
├─ CPRA transition: July 1, 2021 or 6 months after CPPA readiness
├─ CPRA final regulations: July 1, 2022
└─ CPRA enforcement start: July 1, 2023 (violations on/after that date)
Key Regulatory Areas
| Category | Topics | Authority |
|---|---|---|
| Definitions (1798.185(a)(1)-(3), (11)-(13)) | Personal information categories, sensitive PI categories, "deidentified," "unique identifier," "intentionally interacts," "precise geolocation," "specific pieces of information" | Update as needed for technology changes, data collection practices, obstacles to implementation, and privacy concerns |
| Consumer Rights Mechanisms (1798.185(a)(4)-(8), (18)-(19)) | Opt-out procedures, opt-out preference signals, correction requests, verifiable consumer requests, authentication standards, logo/button design | Minimize consumer burden, prevent deceptive/harassing conduct, ensure functionality |
| Business Obligations (1798.185(a)(5), (9)-(10), (14)-(17), (20)-(21)) | Notice requirements, business purpose definitions, service provider uses, cybersecurity audits, risk assessments, automated decisionmaking, audit authority, insurance harmonization | Balance privacy protection with operational feasibility |
Opt-Out Preference Signal Requirements (1798.185(a)(18))
The regulations must define technical specifications for opt-out preference signals that:
Core Requirements:
- (i) Ensure platform/browser/device manufacturers cannot unfairly disadvantage other businesses
- (ii) Are consumer-friendly, clearly described, and easy to use without requiring unnecessary information
- (iii) Clearly represent consumer intent and be free of defaults constraining or presupposing that intent
- (iv) Do not conflict with other commonly used privacy settings or tools
- (v) Provide a mechanism for selective consent to specific businesses without globally disabling the signal
- (vi) Present up to three choices on the settings page:
  - Global opt-out from sale/sharing + sensitive PI limits
  - "Limit the Use of My Sensitive Personal Information"
  - "Do Not Sell/Do Not Share My Personal Information for Cross-Context Behavioral Advertising"
Additional Technical Specifications (1798.185(a)(18)(B)):
Must allow specification that the consumer is:
- Less than 13 years of age, or
- At least 13 but less than 16 years of age
Business Response to Opt-Out Signals (1798.185(a)(19))
Regulations governing how businesses respond to opt-out preference signals must address the following:
Prohibited Responses:
- (i) Intentionally degrading functionality
- (ii) Charging fees in response to opt-out preferences
- (iii) Making products/services not function properly compared to non-opt-out users
- (iv) Coercing the consumer to opt in by stating/implying adverse effects
- (v) Displaying any notification or popup in response to the signal
Consent Mechanism Requirements (if business seeks subsequent opt-in):
- (i) Not part of popup/notice/banner/intrusive design obscuring or interfering with the intended web page
- (ii) Does not require or imply clicking is necessary for full functionality
- (iii) Does not use dark patterns
- (iv) Applies only to the specific business the consumer intends to interact with
Guiding Principles:
- Strive to promote competition and consumer choice
- Be technology neutral
- Curb coercive or deceptive practices
- Not unduly restrict good faith compliance efforts
Risk Assessment Requirements (1798.185(a)(14))
For businesses whose processing presents significant risk to consumer privacy or security, regulations must require:
(A) Annual Cybersecurity Audits:
- Define audit scope
- Establish process ensuring audits are thorough and independent
- Consider size/complexity of business and nature/scope of processing activities
(B) Regular Risk Assessments:
- Identify and weigh benefits to business, consumer, other stakeholders, and public
- Assess potential risks to consumer rights
- Goal: Restrict or prohibit processing if risks outweigh benefits
- Must not require disclosure of trade secrets
Sensitive Personal Information Use Regulations (1798.185(a)(18)(C))
Regulations must govern the use or disclosure of sensitive PI notwithstanding the consumer's direction to limit it, including:
- (i) Determining any additional permitted purposes
- (ii) Defining scope of activities permitted under Section 1798.140(e)(8) to ensure they don't involve health-related research
- (iii) Ensuring business functionality
- (iv) Clarifying the incidental/non-inferential collection exemption in Section 1798.121(d) while preventing evasion
Trade Secret and Intellectual Property Protections (1798.185(a)(3))
The Attorney General/CPPA must establish exceptions necessary to comply with state or federal law relating to trade secrets and intellectual property rights:
- Within one year of CCPA passage and as needed thereafter
- With the intention that trade secrets should not be disclosed in response to verifiable consumer requests
Enforcement Delay (1798.185(c)-(d))
Original CCPA:
"The Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner."
CPRA Amendments:
- CPPA assumes rulemaking authority beginning July 1, 2021 or six months after CPPA readiness notice to Attorney General
- Civil and administrative enforcement of CPRA provisions: July 1, 2023 (applies only to violations on/after that date)
- Pre-existing CCPA provisions remain enforceable until CPRA provisions become operative
Operative Dates
Section 1798.198 and Section 1798.199 establish the law's effective dates:
| Provision | Operative Date | Condition |
|---|---|---|
| Most CCPA sections | January 1, 2020 | Only if initiative measure 17-0039 withdrawn from ballot (condition met) |
| Section 1798.180 (preemption) | September 23, 2018 | Immediate effect |
| CPRA amendments (Prop 24) | January 1, 2023 | Per Proposition 24, Sec. 31 |
Enactment History
Legislative Timeline:
2018
├─ Stats. 2018, Ch. 55 (AB 375) - Original CCPA
├─ Stats. 2018, Ch. 735 (SB 1121) - Technical amendments
└─ Sections 1798.198/1798.199 operative dates established
2020
└─ Prop 24 (Nov 3, 2020) - California Privacy Rights Act (CPRA)
   ├─ Effective: December 16, 2020
   └─ Operative: January 1, 2023 (most provisions)
2025
└─ Stats. 2025, Ch. 67 (AB 1170) - Section 1798.185 amendments
   └─ Effective: January 1, 2026
For enforcement procedures and CPPA oversight, see /cppa-oversight/investigation-procedures.