SB 923 amends California’s consumer privacy framework to prescribe how businesses must accept and respond to consumer requests to access, correct, or delete personal information. It sets minimum submission channels, a 45‑day response clock (with one possible 45‑day extension), delivery format requirements that enable portability, and duties for service providers to help businesses comply.
The bill narrows ambiguity in practice by: (1) mandating two or more designated submission methods (including a toll‑free phone for most businesses), (2) specifying the content and format of disclosures (including machine‑readable output and separate lists for sold/shared vs. disclosed‑for‑business‑purpose data), and (3) placing limits on frequency of requests and use of verification data. These mechanics matter to compliance teams, privacy engineers, call centers, and vendors that support portability and verification workflows.
At a Glance
What It Does
SB 923 requires businesses to publish at least two ways for consumers to submit access, deletion, and correction requests (with an online‑only exception), respond within 45 days (plus one 45‑day extension when necessary), and deliver disclosures in readily usable formats that facilitate transmission to another entity.
Who It Affects
California entities subject to the state privacy law, their service providers and contractors, compliance and customer‑support teams, and technology vendors that build verification, export, and privacy‑policy tooling. Online businesses that operate exclusively online and have a direct consumer relationship receive a narrower submission obligation.
Why It Matters
The bill shifts several operational questions into statute—method of submission, response timing, authentication limits, and data portability format—reducing legal uncertainty and forcing concrete engineering, customer‑service, and contracting changes for covered businesses and their vendors.
What This Bill Actually Does
SB 923 lays out what channels consumers must be able to use to make privacy requests and how businesses must answer. For most businesses it requires at least two designated submission methods, and explicitly names a toll‑free telephone number as one minimum; businesses that are exclusively online and have a direct relationship with the consumer may meet the requirement with an email address plus an online submission method.
If a business operates a website, it must make that website available for submitting requests. Those choices affect how contact centers, web teams, and privacy pages are configured.
On timing and format, the bill fixes a 45‑day deadline for disclosure, correction, or deletion following receipt of a verifiable request and permits a single additional 45‑day extension only when reasonably necessary and after notifying the consumer within the initial period. Disclosures must cover the 12 months before the request by default and be delivered in writing via the consumer’s account, by mail, or electronically at the consumer’s option; the bill requires the result to be in a readily usable format so the consumer can transmit the data to another entity without hindrance.

SB 923 also details what must appear in those disclosures.
Businesses must identify categories of information, sources, purposes for collection/sale/sharing, categories of third parties receiving data, and provide the specific pieces of personal information in an understandable way and—when technically feasible—in a structured, commonly used, machine‑readable format. For disclosures about sold or shared data and disclosures about data disclosed for a business purpose, the bill requires two separate lists.
The statute clarifies that service providers and contractors need not take requests directly from consumers but must assist the contracting business by supplying data and technical help to enable compliance.

Operational requirements extend beyond response mechanics: businesses must publish, and update at least annually, privacy policy content describing consumer rights and designated submission methods; ensure staff handling privacy inquiries are informed about the law; and limit use of verification data to verification alone, retaining it only as long as necessary. The bill caps repeated disclosures by stating a business is not required to provide the same information to the same consumer more than twice in a 12‑month period and ties any disclosure obligations beyond the 12‑month lookback to future regulatory standards and a January 1, 2022 data cutoff.
The Five Things You Need to Know
Most businesses must provide at least two designated submission methods for consumer requests and, as a floor, a toll‑free telephone number; online‑only businesses with a direct relationship may use email plus an online form instead.
Businesses must disclose, correct, or delete requested data within 45 days of a verifiable request and may grant one additional 45‑day extension if they notify the consumer during the initial period.
Default disclosure covers the 12 months prior to the request; regulators may later allow disclosures beyond 12 months, but only for personal information collected on or after January 1, 2022, and not where providing it is impossible or involves disproportionate effort.
Disclosures must include category-level descriptions plus the specific pieces of personal information in an understandable form and, when technically feasible, in a structured, commonly used, machine‑readable format that can be transmitted to another entity.
Service providers and contractors are not required to accept requests directly from consumers but must assist their contracting businesses—by supplying relevant consumer data and technical/organizational measures—to enable compliance.
Section-by-Section Breakdown
Designated request submission methods and website availability
This provision mandates that businesses provide two or more designated channels for receiving access, deletion, and correction requests, specifying a toll‑free telephone number as a minimum for covered businesses. The text creates a clear, narrower path for online‑only businesses with a direct consumer relationship—these businesses may rely on email and an online form or portal instead; the distinction will affect mixed‑model businesses deciding whether to operate a toll‑free line or modify online workflows. If a business maintains a website, the site must be usable for submitting requests, which places an explicit delivery duty on web teams and customer‑facing properties.
Timing, extensions, authentication, and delivery format
This section fixes the primary compliance clock at 45 days after a verifiable consumer request and allows one additional 45‑day extension when reasonably necessary, conditional on notifying the consumer within the first 45 days. It permits businesses to require reasonable authentication but bars requiring a consumer to create an account solely to make a request—unless the consumer already has an account, in which case the business may require use of that account. The bill requires disclosures to be delivered via account, mail, or electronically at the consumer’s option and in a readily usable format to support transfer to another entity, a practical mandate for engineers building export tools.
Content and structure of access and sale/share disclosures
These paragraphs prescribe the substance of responses to access and sale/share inquiries: identify the consumer, map request inputs to stored records, list categories of personal information and sources, state business purposes for collection/sale/sharing, and list categories of third‑party recipients. For access responses the business must provide the specific pieces of personal information in an understandable way and, where feasible, in structured machine‑readable form. For sale/share disclosures the bill requires two distinct lists—one for sold/shared categories and another for categories disclosed for a business purpose—forcing businesses to segregate different kinds of disclosures in policy and reporting.
Privacy policy content, staff preparedness, and verification limits
Businesses must publish specified information in their California‑facing privacy policies or on their website if they lack such policies and update that information at least annually. The statute requires training or otherwise informing all staff who handle privacy inquiries of the law’s requirements and how to direct consumers to exercise rights. It also restricts how verification data collected during the request process may be used—solely for verification—and limits retention to the time necessary for that purpose, creating constraints for authentication logs and compliance recordkeeping.
Limit on frequency of identical disclosures
This short provision prevents excessive duplication by stating a business need not provide the same information to the same consumer more than twice in any 12‑month period. That cap changes how intake teams should classify and respond to repeat requests and may prompt businesses to institute request‑tracking systems to identify duplicate inquiries and apply the statutory limit consistently.
Mapping disclosure categories to Section 1798.140 definitions
Subdivision (c) ties the categories businesses must disclose to the statutory definitions of personal and sensitive personal information in Section 1798.140, forcing use of the specific enumerated labels in that section. The practical effect is to standardize terminology across disclosures—helpful for consumers and auditors—but it also requires legal and engineering teams to align internal data inventories and export schemas to those statutory categories.
Who Benefits and Who Bears the Cost
Who Benefits
- California consumers seeking access, correction, or deletion: they get clearer submission choices, a firm response timeline with one extension, and a mandate for machine‑readable exports that improve portability when technically feasible.
- Privacy engineers and data‑export vendors: the requirement for a readily usable, structured format creates market demand for standardized export tools and integrations that can transmit consumer data between entities.
- Consumer‑facing teams and compliance officers: the statute’s requirement to publish designated methods and to keep privacy‑policy content current simplifies the checklist for regulatory reviews and external audits.
Who Bears the Cost
- Businesses subject to California’s privacy law, especially mixed online/offline companies: they must operate additional intake channels (like toll‑free lines), update privacy policies annually, implement verification workflows, and build machine‑readable export capabilities.
- Service providers and contractors: while the bill exempts them from accepting direct requests, it requires them to assist contracting businesses—providing data and technical measures—which may impose operational and contractual costs.
- Small and mid‑sized companies without mature privacy programs: these entities will feel the compliance burden most acutely because they must train staff, track repeat requests to enforce the twice‑per‑12‑month limit, and potentially rearchitect data exports and authentication systems.
Key Issues
The Core Tension
The central dilemma is straightforward but ugly: the bill pushes hard for consumer access and portability—fewer friction points, machine‑readable exports, and quick deadlines—while simultaneously exposing businesses to fraud risk, operational costs, and technical impossibilities around older data; regulators must weigh consumer empowerment against realistic verification, retention, and cost constraints.
SB 923 sharply specifies mechanics but leaves several implementation questions unresolved. The bill requires machine‑readable, readily usable exports when technically feasible, yet it also says businesses don’t have to retain data for any length of time—creating a practical tension when consumers request older records.
The statutory carve‑out for online‑only businesses with a direct relationship narrows obligations, but the text does not define the contours of "direct relationship" or the boundary between exclusively online operations and hybrid models, a gap that will force interpretive guidance or litigation.
Verification and security trade‑offs also loom. The statute allows businesses to require "reasonable" authentication but forbids forcing account creation, which constrains identity assurance design: firms must balance fraud mitigation against the consumer’s right to access.
Requiring service providers to assist businesses creates a compliance burden that often lacks a clear cost recovery path—contracts will need renegotiation. Finally, the standard that data be provided "without hindrance" and the regulator's future ability to expand the temporal scope of disclosures hinge on forthcoming regulation and nebulous standards like "disproportionate effort," leaving businesses with significant legal‑risk and engineering‑design ambiguity.