Companies find the California Consumer Privacy Act much more prescriptive than most other privacy laws. It contains a multitude of definitions, defined terms, and technical drafting errors and ambiguities, and the state legislature is considering numerous amendments. One term that is used multiple times in the statute and not defined in the current version of the CCPA or any of the amendment bills is the term “account.” Therefore, businesses must develop a perspective on the definition of account as they work to operationalize their CCPA compliance programs with respect to data access requests.

If a California resident asks for the personal information that a business holds about the Californian, the business must provide a copy “delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account= with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance.” Companies that operate websites or mobile apps wonder whether account narrowly means the segment of their web or mobile site where consumers register for use of the site or whether account means more broadly the entirety of their offline and online relations, which may include communications via phone, SMS, snail mail and other channels. A narrow definition could be convenient for some companies and consumers. Other businesses may be forced into additional development work, and some consumers may find it inconvenient or an outright hindrance if they are forced to receive data access through online accounts if they do not usually access their accounts online.

The GDPR is less specific and avoids definitional ambiguity

For comparison, the EU General Data Protection Regulation provides in Article 15(3): “The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.” There is no mention of account in the data access context, but there is a focus on user choice and convenience for data subjects.

The plain language meaning of account supports a broad definition

The CCPA does not provide a formal definition of account. In everyday language, “account” means a formal business arrangement that involves regular transactions, payments, payment terms and offset arrangements. Many consumers maintain accounts with banks, credit card companies, utility companies, fitness studios, airline loyalty program operators, retail club card providers and other businesses. A consumer who is in collections will have an “account” with the collection agency, but that does not mean that the account is accessible online.

In recent years, more and more businesses enable consumers to access accounts online through websites and mobile apps, but in many cases, consumers access accounts at ATMs, in stores, via the phone or other communication channels, and they receive account statements and other materials on paper via postal mail. In many use cases, there are significant limitations due to screen size, connection bandwidth, or data input and output mechanisms to allow for a user to effectively request or receive information within the product or service.

Therefore, based on the literal meaning of the term “account,” businesses are not required under the CCPA to deliver personal information requested by a California resident via an account segment on a website or mobile app but merely to communicate via one of its routine communication methods established in the account relationship.

Use of the term within the CCPA supports a broad definition over a narrow definition

The CCPA provides multiple detailed definitions for terms found in the statute in Section 1798.140, but it does not include a definition for account. Canons of statutory construction dictate that account must be understood in its ordinary, everyday meaning, unless the context indicates that it bears a technical sense (borrowing former Justice Antonin Scalia’s and Professor Bryan Garner’s influential description of the ordinary meaning canon of statutory construction in “Reading Law: The Interpretation of Legal Texts”). Historically, account has not meant “webpage or mobile app segment,” and the context within the CCPA supports a broader, common language understanding of the term. The term “account” appears 13 times in the CCPA — nine times as a noun or adjective and four times as a verb:

§ 1798.130(a)(2) — referring to a consumer
request exercising one of the consumer
rights contained in the CCPA, except for
the right to opt out of the sale of personal

§ 1798.135(a)(1) — placing limitations on
a business in reference to a consumer
exercising the right to opt out of the sale of
personal information.

§ 1798.140(d)(5) — offering an example of a
“business purpose.”

§ 1798.140(o)(1)(A) — offering examples of
identifiers under the definition of “personal

§ 1798.145(g)(1) — referring to
“notwithstanding a business’s obligations
to respond to and honor consumer rights
requests pursuant to this title”; account
is used as a verb and is irrelevant to the
discussion in this article.

§ 1798.145(g)(3) — setting parameters for
the elements a business may consider when
responding to a consumer request; account
is used as a verb and is irrelevant to the
discussion in this article.

§ 1798.185(a)(7) — referring to the attorney
general’s responsibility for rulemaking

Use of the word as a noun or as a descriptor attached to a noun has compliance implications for businesses. A narrow definition of account merely refers to a consumer created profile, whereas a broad definition of account refers to a general consumer business relationship.

The CCPA requires that a business “[d]isclose and deliver the required information to a consumer [after] receiving a verifiable consumer request from the consumer” (§ 1798.130(a)(2), describing operational capabilities necessary to comply with various consumer rights sections of the CCPA). The delivery of information “shall be made in writing and delivered through the consumer’s account with the business, if the consumer maintains an account … , or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business” (Id.).

The above phrase is the first appearance of “account” in the CCPA and serves a gateway function: If a consumer “maintains an account,” the consumer does not have access to a choice in how a request is delivered. Without an account, a consumer may choose how a business delivers a response to a consumer request. For a business, the existence of a consumer account lowers the potential administrative burden represented by a consumer request because the business, not the consumer, has the choice in how the response is delivered: If an account refers narrowly to a consumer-facing profile within a business’s systems, then a business may only insist upon delivery of a request through that type of profile if a consumer has proactively created an online profile. If, instead, an account refers more broadly to a consumer-business relationship, then the business may exercise more control over how it responds to a consumer request, and the control is independent of any action taken by a consumer.

For example, consider a situation in which a consumer ordered a product online from a business and checked out as a “guest” but included an email address to receive the order confirmation, rather than choosing to create an online account with the business when prompted during the checkout process. In this situation, a consumer may have an “account” with a business — an existing relationship and even a digital representation of that relationship in the form of a transaction number — but the consumer does not have a narrow definition of account in the form of a consumer created profile. When the consumer later submits a verifiable consumer request to the business, does the consumer have the choice to receive the response from the business “by mail or electronically,” or can the business leverage the existing broad-definition account — a pre-existing consumer-business relationship — that produced a communication channel from the previous transaction, the email address, and make the choice unilaterally to deliver the response to the email address? The meaning of account determines the answer.

Subsequent uses of the word “account” in the CCPA show similar ambiguity:

“A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information” (§ 1798.135(a)(1), prohibiting a business from requiring that a consumer create an account to exercise the consumer’s right to opt out of the sale of personal information to third parties). “Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider” (§ 1798.140(d)(5), offering examples of a “business purpose”). “Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers” (§ 1798.140(o)(1)(A), offering examples of identifiers under the definition of “personal information”).

Subsection 1798.185(a)(7), directing the attorney general to conduct rulemaking, appears to offer some clarification for “account,” but a question about the application of the subsection to other sections of the CCPA leaves open ambiguity:

“Establishing rules and procedures to further the purposes of Sections 1798.110 and 1798.115 and to facilitate a consumer’s or the consumer’s authorized agent’s ability to obtain information pursuant to Section 1798.130, with the goal of minimizing the administrative burden on consumers, taking into account [(used as a verb here and irrelevant to this discussion)] available technology, security concerns, and the burden on the business, to govern a business’s determination that a request for information received by a consumer is a verifiable consumer request, including treating a request submitted through a password-protected account maintained by the consumer with the business while the consumer is logged into the account as a verifiable consumer request and providing a mechanism for a consumer who does not maintain an account with the business to request information through the business’s authentication of the consumer’s identity, within one year of passage of this title and as needed thereafter.”

Here, the CCPA references a specific type of account, a “password-protected account maintained by the consumer,” which implies a narrow definition of the term. This level of specificity, however, does not appear anywhere else in the statute, so it indicates that less-specific references are intended as a broader concept, including online and offline communication channels. The distinct uses of the term within the statute suggests that its definition is different in different contexts (see the presumption of consistent usage canon of statutory construction, which presumes that a word or phrase has a consistent meaning throughout the text, unless a material variation in usage suggests a variation in meaning), and most frequently the context dictates a broad-definition for account. The subsection explicitly references Sections 1798.110, .115, and .130 — a consumer’s right to request the disclosure of personal information collected, a consumer’s right to request the disclosure of personal information sold to a third party or disclosed for a business purpose, and general compliance requirements placed on a business, respectively — and by reference via Section 1798.130, Sections 1798.100, .105, and .125 — the right to request access to personal information collected, the right to request deletion of personal information collected, and a prohibition on discrimination, respectively. Consequently, the rulemaking subsection references every consumer right found in the CCPA except for a consumer’s right to opt out of the sale of personal information to a third party, Section 1798.120.

Moreover, the provisions of the CCPA should be interpreted in a way that renders them compatible, not contradictory, to each other (see the harmonious-reading canon). The CCPA does not only apply to companies that operate websites, mobile sites or other online offerings. “Business” is defined to include brick-and-mortar companies. Therefore, in the legislative context, account cannot be interpreted to mean only “account segment of a web or mobile site” because it would practically exempt offline operators from CCPA requirements contrary to the statutory scope (see the whole-text canon).

Additionally, Section 1798.130(a)(1) states that a business is required to make available “two or more designated methods for submitting requests, including at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.” Subsection 1798.130(a)(1) clarifies that requests pursuant to Sections 1798.110 and 1798.115 can be made through “designated methods for submitting requests,” which includes “a mailing address, email address, Internet Web page, Internet Web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under this title, and any new, consumer-friendly means of contacting a business, as approved by the Attorney General pursuant to Section 1798.185.” If consumers can submit requests via mail or phone within their account arrangement, businesses should be able to respond within the same catalogue of options.

Moreover, the largely parallel wording in Subsections 1798.100(d) and 1798.130(a) supports a broader and common-language understanding of account. The legislative context shows a focus on “without hindrance,” which appears in both subsections, as opposed to “through the consumer’s account,” which only appears in Subsection 1798.130(a). Subsection 1798.130(a) is more comprehensive and supports an understanding of both subsections to mean that “through the consumer’s account” is intended to clarify the meaning of “without hindrance.” This, in turn, means that the function of the requirement “through the consumer’s account” clarifies that where an account arrangement exists, the business shall respond via the existing account in order
to avoid creating additional hindrances for the consumer who wants to access their personal information. Where a business regularly communicates via multiple, alternative channels with a consumer, including snail mail, email, phone, website and mobile site, the business would not create a “hindrance” in which it selects any of these channels. Where a business only communicates via phone or snail mail with a consumer who does not have internet access, delivering responses via snail mail could be viewed as an undue hindrance, and the term account could not be interpreted as meaning “online account” in such a scenario.

A wider reading of the California code supports a broad definition

Reading the CCPA as one component of the broader framework of California statutes —specifically, the California Civil Code and the California Business & Professions Code —also supports a broad definition of account.

Other California statutes use account in different contexts with different meanings, especially when it comes to financial protection laws (e.g., deposit accounts, security accounts, escrow accounts). For instance, “consumer’s account” is used in California Civil Code Section 1799.202 in the context of accounts with financial institutions, and in California Business & Professions Code Section 17538 in the context of accounts with prepaid calling card companies.

Likewise, “online account” is used by lawmakers in laws dealing with privacy and data security. For example, California Civil Code Section 1798.81.5(a) of the California Customers Records Act states: “It is the intent of the Legislature to ensure that personal information about California residents is protected and to encourage businesses that own, license, or maintain personal information about Californians to provide reasonable security for that information.” Section 1798.81.5(a)(2) defines the terms “own” and “license” to include “personal information that a business retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates.” In that same section, “personal information” is defined to include: “account number … password that would permit access to an individual’s financial account” and “a username or email address in combination with a password or security question and answer that would permit access to an online account.” Section 1798.82 also uses “online account” when describing business obligations in the case of a data breach of an online account.

During the Assembly Committe on Judiciary hearing on the CCPA, lawmakers stated that the bill sought to modernize and strengthen consumers’ rights under the CCRA and cited several definitions of the CCRA, including those mentioned above. Like the CCPA, the CCRA does not define the term “account.” Instead, the CCRA expressly calls out the type of account, whether it is financial or online. The fact that “online” or “password-protected” was not used adjunct to “account” in Section 1798.130 of the CCPA, as lawmakers have done in the past, reinforces the position that “account” does not only entail online accounts and should be interpreted to have a broad definition that refers to an existing consumer-business relationship.

The legislature intended access “without hindrance,” which requires a broad definition

One theme echoed throughout the CCPA is that delivery must be made “without
hindrance” to the consumer. In that respect, businesses must deliver data to a consumer who has established a formal account with the business (e.g., as an airline passenger, banking customer, phone subscriber or service provider) within the course of dealing and terms established for such accounts. Businesses should respond to an account holder’s inquiry without demanding additional, burdensome authentication, at least to the extent the account holder requests data that businesses previously collected and made available within the framework of an account arrangement. In other words, businesses cannot treat the account holder as a complete stranger when it comes to data access requests. This does not mean, however, that businesses must present the data on a particular app or webpage associated with the account (even though that may often be a mutually convenient method). Businesses are free to deliver data in response to data access requests via email, regular mail or a website or mobile app, depending on how they usually communicate with their customers and other business partners.


Based on everyday language, as well as contextual and purpose considerations, businesses should deliver information in response to data access requests within the established communication channels of accounts with consumers. This can mean the narrowly defined account segment of a web or mobile site, or also phone,fax, SMS, postal mail, ATMs and other communication channels, depending on the business’s practices and an existing broadly “defined consumer-business relationship account.


Lothar has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto.