The California Privacy Protection Agency values the security and privacy of your personal information and is committed to protecting your privacy rights, as detailed in Article 1 of the Constitution of California, Information Practices Act of 1977 (Civ. Code §§ 1798-1798.78), California Public Records Act (Gov. Code §§ 7920, et seq.), and other applicable laws pertaining to information privacy.  

In accordance with these laws, it is our policy to limit the collection and safeguard the privacy of personal information collected or maintained by the Agency.

We collect personal information only through lawful means and in a variety of ways: 

Interaction with the Agency.  We may collect the personal information identified below when you interact with the Agency in the following ways.   

• Submission of a Complaint.  When you submit a complaint through our complaint form, you may provide us with name, email address, phone number, address, and other personal information (e.g., employment history, financial information, internet activity) related to your complaint.  The complaint form also uses technologies to reduce misuse and unwanted processing, such as spam, phishing, or bot activity.
• Attending Board Meetings.  When you attend Board meetings in person, you may provide your name and email address.  When you attend via Zoom, you may reveal some information, such as your name, IP address, email address, and phone number.   
• Emails or PRA Requests to the Agency.  When you email the Agency or make a request under the Public Records Act, you may provide us with your name, address, email address, and the contents of your email. 
• Public Comments during Rulemaking or Board Meetings.  When you speak or comment during the Agency’s rulemaking activities or during Board meetings, you may provide your name, contact information (e.g., email address, phone number, mailing address), and other personal information in the contents of the comment.
• Joining an email list.  When you join a listserv offered by the Agency, you may provide us with your email address.
• Other Rulemaking Activities.  You may provide us with your name, email address, and other information when participating in the Agency’s pre-rulemaking activities.   

Website. We automatically collect information about your visits to our website to help run and improve our services, and for data security purposes.  Some of the information we automatically collect and store are: 

• A partial Internet Protocol address and domain name is collected. 
• The type of browser and operating system you used.
• The city and zip code you used it from.
• The date and time you visited this website.
• The webpages or services you accessed at this website.
• The website you visited prior to coming to this website.
• The website you visit as you leave this website.
• If you downloaded a form, the form that was downloaded.

This information is used to improve the content of our web services and to help us understand how people are using our services. We take steps to limit how this information can be used by our service providers.   

Investigations. We may collect personal information through investigations of potential or alleged violations of the CCPA.  

The personal information we obtain will be used for the purposes for which it was provided and in accordance with the duties required of the Agency under the CCPA (see Civ. Code § 1798.199.40).  For example, this includes:

• Processing and investigating consumer complaints of potential violations of the CCPA and enforcing the CCPA through administrative actions. 
• Facilitating the public’s participation in the Agency’s rulemaking activities, such as by maintaining an email listserv to inform the public of rulemaking activities and obtaining public comment on potential regulations as required by the Administrative Procedure Act. 
• Promoting awareness and understanding of the CCPA and providing guidance to consumers of their rights and businesses of their obligations. 
• Cooperating with other agencies and other authorities with jurisdiction to enforce privacy laws and ensure consistent application of privacy protections. 
• Facilitating the public’s participation in the Board’s public meetings. 
• Monitoring basic website statistics, such as unique visitors per day. 
• Ensuring the safety and security of our website.    

We do not sell your personal information. Government Code § 11015.5(a)(6) prohibits all state agencies from distributing or selling any electronically collected personal information about users to any third party without the permission of the user. 
We may, however, disclose or share your personal information in limited circumstances, such as when: 

• You give us permission (including through your submission of a sworn complaint).  
• We receive a request from a party with legal authority to obtain the information, such as a subpoena, court order, or government order.  
• We transfer or share your complaint or public comment with another California agency, state, local, federal, or foreign government, as appropriate.  
• We disclose personal information in connection with rulemaking activities or facilitating public Board meetings, such as when coordinating public hearings or submitting materials to the Office of Administrative Law.  
• We are complying with a valid California Public Records Act request. See “Public Disclosures” section below for more information about the Public Records Act.  

The Agency is supported by other state agencies, including the Department of Consumer Affairs and the Department of Technology, which provide IT services and support for our websites. These Departments adhere to their own privacy policies.  

Your personal information may be part of a public record that could be subject to a Public Records Act request.  The California Public Records Act (PRA), Gov. Code §§ 7920 et seq., gives the public the right to inspect government records upon request, with some exemptions.  For example, the Agency is exempt from disclosing portions of public records that contain personnel, medical, or similar files for Agency employees, and records pertaining to pending litigation.  Electronically collected personal information is also exempt from disclosure in response to PRA requests, as well as enforcement-related investigative files that may contain personal information. The exemptions are listed in Government Code §§ 7930.100, et seq. 

In response to a PRA request, we will redact personal information if an exemption applies, or if required to do so by other laws.  Find out more information about how we handle PRA requests.

In the event of a conflict between this privacy notice and the Public Records Act, the Information Practices Act and/or other law governing the disclosure of records, the Public Records Act, the Information Practices Act and/or other applicable law will control. 

Our website may contain links to other websites that are owned and operated by third parties. These are provided for the convenience and information of our visitors. We do not control the privacy practices of these websites and are not responsible for the content or practices of any linked third-party website.

We do not collect information such as names, addresses, and email addresses from individuals browsing the Agency’s website. However, when you visit our website, a “cookie” may be saved on your computer.

A cookie is a tiny file stored on your computer by your browser that helps us recognize your unique computer and your preferences when using our website. For example, you may choose a high contrast setting and the cookie communicates this next time you visit.

You can remove cookies on your computer by accessing your browser’s preferences menu and deleting existing cookies.

The Agency has security measures in place to safeguard and protect the personal information collected and maintained by the Agency from unauthorized access, disclosure, and loss. We rely on services provided by Department of Technology and Department of Consumer Affairs to host our websites and provide IT services. For more information about their privacy practices, please see their respective privacy policies.

In accordance with the Information Practices Act, you have the right to review the personal information we have collected about you and request a correction of any personal information that is not accurate, relevant, timely, or complete. You also have the right to have any electronically collected personal information deleted by the Agency, without reuse or distribution.

To do so, submit the request to info@cppa.ca.gov and include “Access Request” or “Correction Request” in the subject line. We will take reasonable steps to verify your identity before granting access or making corrections to any personal information.

We may update and revise our privacy policy, which we will post on this page.  If the changes are significant, we will note so at the top of this page. 

If you have any questions or concerns about this policy, contact our Chief Privacy Officer.

Mailing Address: CPPA Privacy Officer
2101 Arena Boulevard
Sacramento, CA 95834

Email: info@cppa.ca.gov with the subject line: “Attn: Chief Privacy Officer”

Phone Number: (916) 572-2900