Codify — Article

California AB 1542: New point-of-collection notices and limits on sensitive data use

Requires stronger point-of-collection disclosures, retention limits, and specific contractual safeguards for third parties handling consumers' personal and sensitive data.

The Brief

AB 1542 imposes new upfront disclosure and proportionality duties on businesses that control consumers’ personal information. It makes point-of-collection notice mandatory for categories and purposes (including a separate disclosure for sensitive personal information), requires businesses to limit retention to what is reasonably necessary for disclosed purposes, and conditions sharing or selling on written contractual safeguards with downstream recipients.

The bill matters because it shifts compliance attention to the moment of collection and to lifecycle limits on data use: businesses must demonstrate why they keep data and must contractually bind third parties to equivalent privacy obligations and remediation rights. That raises new operational steps for product design, vendor contracts, and retention policies — and creates legal uncertainty around terms like “reasonably necessary” and “compatible” purposes that counsel and compliance teams will need to interpret.

At a Glance

What It Does

The bill requires businesses that control collection to give clear, point-of-collection notices about categories and purposes of personal and sensitive information and to disclose retention periods or the criteria used to set them. It also mandates that transfers to third parties or service providers be governed by contracts containing specified protections and remediation rights.

Who It Affects

Any entity that controls collection of Californians’ personal information, including retailers, app developers, data brokers acting as third-party collectors, and service providers receiving data. Small operators will face the same notice and retention tests unless otherwise exempted by regulation.

Why It Matters

AB 1542 moves California privacy law from primarily notice-and-choice to lifecycle controls: collection-time transparency plus a substantive proportionality and retention limit. That creates new compliance priorities — point-of-collection UX, retention schedules tied to disclosed purposes, and contracting playbooks for downstream data recipients.


What This Bill Actually Does

AB 1542 centers compliance obligations at the point of collection. When a business controls collection, it must present consumers with clear information at or before collection about what categories of personal information will be collected, why the information will be used, and whether that information will be sold or shared.

For sensitive personal information the statute requires a separate disclosure of the specific sensitive categories and the purposes for which they are collected. The statute also forces businesses to be explicit about how long they will keep each category of data or, if an exact period can’t be given, what criteria determine retention timeframes.

Beyond disclosure, the bill imposes a substantive proportionality test on collection, use, retention, and sharing: personal information must be reasonably necessary and proportionate to the disclosed purpose, and any further processing must be compatible with the context in which the data was collected. This is an affirmative requirement to align product and data flows with documented business purposes and to avoid open-ended or speculative reuse of data.

For transfers, AB 1542 requires businesses that sell or share personal information, or disclose it to service providers or contractors, to have written agreements that limit the recipient’s purposes, bind the recipient to the same statutory obligations, give the controller oversight rights, and require notice if the recipient can no longer meet its obligations.

The controller must also hold contractual rights to stop and remediate unauthorized uses. The bill permits a limited alternative for third-party collectors: they may satisfy the point-of-collection notice obligation by posting the required disclosures prominently on their homepage, but if collection happens on the third party’s premises (including vehicles), the collector must give notice at or before the point of collection.

Finally, AB 1542 cross-references California’s existing data-security standard (Civil Code Section 1798.81.5) and preserves a trade-secret exception to disclosure where regulations under Section 1798.185 allow it.

Compliance therefore requires coordination among product, legal, records-retention, security, and vendor-management teams to translate purpose statements into retention schedules, implement upfront UX/notice flows, and update vendor contracts and monitoring practices.

The Five Things You Need to Know

1. Section 1798.100(a)(1)-(2) requires separate point-of-collection disclosures for categories of personal information and for categories of sensitive personal information, and prohibits collecting or using additional categories or purposes without providing new notice.

2. Section 1798.100(a)(3) obligates businesses to disclose retention periods per category or, if that is not possible, the criteria used to set retention; it also bars retention longer than is reasonably necessary for the disclosed purposes.

3. Subdivision (b) lets a third-party controller comply by placing the required disclosures prominently on its website homepage, but if the third party collects on its premises (including vehicles) it must give clear, conspicuous notice at or before the point of collection.

4. Subdivision (d) mandates written agreements with downstream recipients that (1) limit uses to specified purposes, (2) require recipients to meet the same statutory obligations, (3) give controllers oversight rights to ensure compliance, (4) require recipients to notify the controller if they cannot meet their obligations, and (5) grant controllers rights to stop and remediate unauthorized uses.

5. Section 1798.100(e) requires businesses to implement reasonable security procedures appropriate to the nature of the information and references compliance with Section 1798.81.5; subdivision (f) preserves a trade-secret non-disclosure carve-out subject to regulations adopted under Section 1798.185.

Section-by-Section Breakdown


Section 1798.100(a)

Point-of-collection disclosures and retention obligation

This subsection sets the core upfront notice rules: controllers must tell consumers which categories of data they will collect, the purposes for each category, whether the data will be sold or shared, and, for sensitive data, a separate disclosure of categories and purposes. It then requires disclosure of retention periods or the criteria used to determine them, and states a substantive limitation: businesses shall not retain data longer than reasonably necessary for the disclosed purpose. Practically, this forces businesses to formalize purpose statements and map each data element to a retention period or an objective retention criterion.

Section 1798.100(b)

Third-party homepage alternative and onsite notice

This subsection creates a compliance shortcut for entities that act as third-party controllers: they may satisfy the point-of-collection disclosure requirement by posting the required information prominently on their homepage. However, collection occurring on the third party’s premises (including vehicles) requires an onsite, clear and conspicuous notice at or before collection. That creates two distinct compliance tracks — a web-based disclosure model and a location-based notice model — each with different UX and signage implications.

Section 1798.100(c)

Proportionality and compatibility limits on processing

Here the bill moves beyond notice to substance: collection, use, retention, and sharing must be reasonably necessary and proportionate to the purposes for which data was collected, and any further processing must be compatible with the collection context. This language allows regulators or courts to scrutinize not just what companies told consumers, but whether internal data practices match those representations, potentially limiting broad downstream analytics or repurposing that lacks a clear connection to the original purpose.

Section 1798.100(d)

Mandatory contractual safeguards with downstream recipients

The statute specifies five contractual obligations for controllers that sell or disclose data to third parties or contractors: limit uses to specified purposes; require recipients to comply with the title and provide equivalent protections; give controllers rights to take steps to ensure compliant use; require recipients to notify controllers if they cannot meet obligations; and grant controllers remedial rights to stop unauthorized use. This clause creates concrete contract language compliance expectations and gives controllers affirmative monitoring and remediation tools they must contractually secure.

Section 1798.100(e)-(f)

Security obligations and trade-secret exception

Subdivision (e) requires businesses to implement “reasonable security procedures and practices appropriate to the nature of the personal information” in line with Section 1798.81.5, tying the new duties into existing California data-security law. Subdivision (f) protects trade secrets from required disclosure, but only as specified in regulations under Section 1798.185, meaning agencies will define the boundary where transparency yields to legitimate confidentiality claims.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Consumers — get clearer, collection-time explanations about what personal and sensitive data will be taken, why, and how long it will be retained, improving informed decision-making at the moment of interaction.
  • Privacy and compliance teams at larger firms — receive a statutory framework for retention mapping and vendor contracting that creates predictable requirements for audits and documentation.
  • Companies that provide privacy, retention, and vendor-management services — increased demand for tooling to map purposes to data inventories, automate retention rules, and standardize downstream contracts.
  • Regulators and privacy auditors — gain concrete statutory hooks (proportionality, retention limits, contract requirements) to evaluate business practices against consumer-facing statements.

Who Bears the Cost

  • Small and medium-sized businesses — will need to create or revise point-of-collection notices, retention schedules, and vendor contracts, which increases compliance costs and operational burden relative to their current practices.
  • Service providers and contractors receiving data — must accept contractual obligations to meet the same statutory standards and to notify controllers if they cannot, potentially exposing them to higher liability and monitoring costs.
  • Legal and product teams — must invest time to translate high-level business purposes into defensible, documented purposes and retention criteria and to redesign UX flows to capture required disclosures at collection points.
  • IT and security teams — must implement retention enforcement, logging, and remediation capabilities, and ensure security measures meet the “appropriate” standard cross-referenced to Section 1798.81.5.

Key Issues

The Core Tension

The central tension is between stronger consumer-facing controls (clear, point-of-collection disclosures and limits on retention and use) and the operational flexibility and legal certainty businesses need. The bill protects consumers by narrowing acceptable uses and demanding documented retention rationales, but it does so using imprecise standards that shift compliance burdens onto companies and invite interpretive disputes over what “reasonably necessary” and “compatible” processing mean in practice.

AB 1542 tightens the link between what businesses tell consumers at collection and how they manage data thereafter, but it leaves several operationally significant questions unresolved. The statute uses standards like “reasonably necessary,” “proportionate,” and “compatible with the context” without defining them, which makes compliance dependent on subsequent regulatory guidance, enforcement precedent, or litigation.

That ambiguity is practical: businesses will need to craft defensible policies showing why particular retention periods or processing activities meet those open-ended tests.

Contractual obligations for third parties create clearer expectations, but practical enforcement is harder. Requiring recipients to “provide the same level of privacy protection” raises questions about differing legal obligations across jurisdictions and the scope of monitoring a controller must undertake.

The homepage disclosure option for third-party controllers simplifies compliance for some web-driven collectors, but regulators may question whether homepage notices constitute adequate notice for specific, contextual collections — especially in physical settings or where a consumer’s attention is limited.

Finally, tying security to Section 1798.81.5 and preserving a trade-secret carve-out balances transparency with operational confidentiality, but it pushes important decisions to administrative rulemaking. Those future regulations will determine how broadly trade secrets can be invoked to avoid disclosure and how closely security measures must align with the new retention and proportionality duties — creating an implementation timeline risk for businesses that must act now to align practices with the statute’s high-level obligations.
