AB 364 requires any business that controls the collection of a California consumer’s personal information to give clear, point-of-collection information about what categories of data are collected, the purposes for collection, whether data are sold or shared, any cross-border storage, and—if applicable—which sensitive categories are collected. If a specific retention period cannot be stated, the business must disclose the criteria it will use to determine how long each category of data will be kept, and the statute bars retaining data for a disclosed purpose longer than is reasonably necessary for that purpose.
The bill also imposes a proportionality requirement on collection and processing, mandates specific contractual protections and flow-down obligations when data are sold, shared, or disclosed to service providers and contractors, and ties security obligations to the State’s existing data-security standard (Section 1798.81.5). The combination of upfront notice, retention constraints, and enforceable contract language will require changes in product design, vendor contracts, cross-border practices, and data-mapping for many organizations operating in California.
At a Glance
What It Does
Requires controllers to provide consumers, at or before the point of collection, with categories of personal and sensitive information collected, purposes, whether data are sold/shared, intended retention periods or retention criteria, and whether data will be stored outside the U.S. It limits further collection or new uses incompatible with disclosed purposes without fresh notice, requires collection/use to be reasonably necessary and proportionate, and mandates contractual protections with downstream parties.
Who It Affects
Businesses that control collection of Californians’ personal information (including online platforms, retailers, app operators, and third-party collectors acting on their premises), service providers and contractors that receive data, and compliance, product, and contracting teams managing notices, retention, and data flows. Companies storing California consumer data offshore will need to disclose that fact.
Why It Matters
The bill creates a concrete point-of-collection disclosure regime and ties retention to purpose, reducing vague indefinite retention practices. It also forces stronger contractual obligations on downstream recipients, shifting operational risk back to controllers and creating new compliance burdens for vendors and small businesses that serve as data processors.
What This Bill Actually Does
AB 364 frames privacy obligations around the moment data are collected. Instead of leaving notice to dense privacy policies, the bill requires controllers to tell consumers, up front, what types of personal and sensitive data they will collect, the specific reasons for collection, whether the data will be sold or shared, and if the data will be stored outside the United States.
If a business cannot give a concrete retention period for a category of data, it must explain the criteria it will use to decide how long to keep that category. The statute then caps retention by saying data cannot be kept longer than is reasonably necessary for each disclosed purpose.
The bill also stops businesses from widening the scope of collection or repurposing data without giving another notice that meets the same standard. That compatibility test applies to new categories of personal or sensitive information and to uses that would be inconsistent with the purpose consumers were told about at collection.
Complementing these notice rules, AB 364 imposes a proportionality requirement: collection, use, retention, and sharing must be reasonably necessary and proportionate to the disclosed purposes or to another disclosed compatible purpose.
When a controller sells, shares, or discloses data to a third party, service provider, or contractor, AB 364 requires an express written agreement. The contract must limit the recipient’s use to specified purposes, require recipients to comply with the same obligations in the statute, give the controller rights to verify and take remedial steps, and create a duty for recipients to notify the controller if they can no longer meet their obligations. That structure pushes accountability down the chain while preserving the controller’s ability to intervene.
AB 364 ties data security obligations to the State’s existing standard (Section 1798.81.5) rather than creating new technical rules; controllers must implement “reasonable security procedures and practices appropriate to the nature of the personal information.” Finally, the bill preserves a narrow trade-secret exception, allowing businesses to withhold information that would reveal trade secrets under procedures set by regulation. Together the provisions change how organizations approach notice, retention, vendor contracts, and cross-border storage decisions in order to stay within the statute’s purpose-bound, proportionate framework.
The Five Things You Need to Know
The bill requires controllers to provide point‑of‑collection disclosures of categories of personal and sensitive information, the purposes for collection, and whether the data are sold or shared.
Controllers must disclose the intended retention period for each category of data or, if that isn’t possible, the criteria used to determine retention, and may not keep data longer than is reasonably necessary for the disclosed purpose.
Businesses may not collect additional categories of information or repurpose data for uses incompatible with the disclosed purpose without giving a new notice meeting the same requirements.
When data are sold, shared, or disclosed for a business purpose, the controller must have a contract that limits purposes, requires statutory compliance by recipients, grants verification and remediation rights, and obligates recipients to notify the controller if they can’t meet their obligations.
Controllers must implement reasonable security practices appropriate to the data under Section 1798.81.5; the bill includes a regulatory trade‑secret carveout allowing limited nondisclosure of proprietary details.
Section-by-Section Breakdown
Point-of-collection disclosures for categories, purposes, sales/sharing, and sensitive data
Subdivisions (a)(1) and (a)(2) require controllers to inform consumers, at or before collection, about the categories of personal information and, separately, categories of sensitive personal information being collected along with the specific purposes and whether that information is sold or shared. Practically, this will convert high-level privacy notices into actionable, itemized disclosures at the collection touchpoint (e.g., sign-up forms, checkout flows, kiosks). The requirement to disclose whether data are sold or shared is binary and actionable; organizations should map where “sale” or “sharing” occurs in their stack to ensure accurate consumer-facing language.
Retention disclosure and “reasonably necessary” retention cap
Paragraph (a)(3) forces controllers to state the retention period for each category or, if a fixed period isn’t feasible, the criteria used to set retention. The statute then limits retention to what is reasonably necessary for each disclosed purpose. That combination creates both a transparency obligation (explain how long you’ll keep data) and a substantive constraint (don’t keep it beyond what the purpose requires). Expect data inventories, purpose documents, and retention schedules to be primary compliance artifacts.
Cross‑border storage notice and alternate homepage/onsite notice option
Subdivision (a)(4) requires businesses to tell consumers if their personal information will be kept outside the U.S. For third parties that control collection, subdivision (b) allows the required information to be posted prominently on the third party’s website homepage as a compliance option; if collection happens on premises (including in vehicles), the business must provide clear, conspicuous notice at the physical point of collection. The homepage alternative is useful for adtech and widget providers, but businesses relying on it must ensure prominence and accessibility to meet the statutory standard.
Necessity and proportionality standard for collection and processing
Subdivision (c) imposes a proportionality test: collection, use, retention, and sharing must be reasonably necessary and proportionate to the disclosed purposes or to another disclosed compatible purpose. This is a legal standard rather than a bright‑line rule, requiring organizations to document purpose compatibility and proportionality analyses — particularly for analytics, profiling, and targeted advertising where the line between compatible and incompatible uses is often contested.
Contractual flow‑downs and security obligations
Subdivision (d) lists contractual elements required when controllers sell, share, or disclose data to third parties or service providers: limited-scope purposes, recipient obligations to meet the statute’s requirements, rights for the controller to verify and remediate, recipient notice if it cannot comply, and contractual remediation rights. Subdivision (e) then requires controllers to implement reasonable security procedures “in accordance with Section 1798.81.5,” meaning the bill delegates technical specifics to that existing authority while mandating that security be appropriate to the data’s nature. Together these provisions push controllers to build enforceable vendor contracts and to operationalize ongoing monitoring and incident response.
Trade secret exception
Subdivision (f) preserves an exception allowing businesses not to disclose trade secrets, subject to regulations adopted under Section 1798.185. The presence of a regulatory carveout means agencies (or future regulations) will define the contours of permissible secrecy; until then, businesses must balance transparency obligations against narrowly proven trade‑secret claims.
Who Benefits and Who Bears the Cost
Who Benefits
- California consumers who receive clearer, front‑line disclosures — they’ll know at the moment of interaction what categories of data are collected, purposes, whether their data are sold or stored offshore, and anticipated retention logic.
- Privacy and compliance teams gain concrete statutory standards (point-of-collection notice, retention criteria, proportionality) to base policies and audits on, reducing reliance on vague best-practice guidance.
- Organizations that prioritize data minimization and transparency will benefit competitively, as the law aligns market incentives toward clearer notices and shorter retention, which can be used in marketing and trust-building.
- Regulators and litigators benefit from sharper statutory hooks to evaluate compliance because the bill sets specific disclosure and contractual requirements rather than only high-level principles.
Who Bears the Cost
- Controllers that collect California consumer data — especially adtech companies, e-commerce platforms, and app owners — must overhaul collection notices, implement retention schedules, and document purpose compatibility, increasing legal and engineering costs.
- Service providers and contractors will face new contractual obligations, potential audit and remediation demands, and notification duties that increase compliance and operational overhead, particularly for smaller vendors.
- Small businesses and brick-and-mortar operators with incidental data collection (kiosks, point-of-sale, vehicles) will need to adopt clear onsite notices or adjust practices to avoid noncompliance, straining limited resources.
- Organizations that store or process data offshore will need to add conspicuous disclosures and may face commercial friction or renegotiation with cloud providers and international vendors to satisfy the bill’s contractual and security expectations.
Key Issues
The Core Tension
The bill tries to reconcile two legitimate aims — giving consumers meaningful, real‑time transparency and preventing indefinite, untethered data retention — with commercial needs for flexibility in product development and third‑party data uses; the statute tightens control and notice at the cost of operational complexity, leaving the most difficult questions about proportionality, compatibility, and enforceability to regulators, courts, and internal corporate processes.
AB 364 raises several practical and interpretive questions that will matter at implementation. The “reasonably necessary and proportionate” standard and the cap on retention for each disclosed purpose are conceptually powerful but legally vague: companies will need to develop internal methodologies to justify necessity and to measure when retention exceeds what a purpose requires.
Those methodologies — and the records supporting them — will be the primary site of enforcement disputes. The homepage notice option for third-party collectors is a pragmatic concession, but it risks creating notice that is nominally compliant yet practically ineffective unless regulators and courts define “prominently and conspicuously.”
The contractual obligations push accountability down the vendor chain, but they also create enforcement complexity. Controllers must obtain contractual assurances, verification rights, and notification commitments, yet the statute doesn’t prescribe audit frequency, remediation timelines, or penalties for noncooperation.
That leaves controllers to choose between costly continuous monitoring and accepting residual downstream risk. The security requirement’s reference to Section 1798.81.5 delegates technical standards elsewhere, which avoids duplication but ties compliance to whatever interpretive regime evolves around that section.
Finally, the trade‑secret exception is necessary in principle but invites overbroad claims; absent narrow regulatory guidance, businesses may redact disclosure elements on shaky trade‑secret grounds, undermining the law’s transparency goals.