Acceptable Use Policy (California)

ACCEPTABLE USE POLICY — CALIFORNIA

Effective Date: [__/__/____]
Last Updated: [__/__/____]
Company: [________________________________] ("Provider" or "Company")
Website/Service: [________________________________] (the "Service")

TABLE OF CONTENTS

1. Definitions
2. Scope and Applicability
3. Permitted Use
4. Prohibited Conduct
5. Content Standards
6. AI and Automated Systems Usage Restrictions
7. Data Protection and Privacy Compliance (California-Specific)
8. Network and System Security
9. Email and Communication Standards
10. Monitoring and Enforcement
11. Violation Consequences
12. Reporting Violations
13. California-Specific Legal Provisions
14. Amendments and Updates
15. Acknowledgment and Acceptance
    Exhibit A — Prohibited Content Examples
    Exhibit B — Violation Reporting Form

1. DEFINITIONS

1.1 "Authorized User" means any individual or entity granted access to the Service under a valid agreement with Provider.

1.2 "Consumer" shall have the meaning set forth in Cal. Civ. Code § 1798.140(i) — a natural person who is a California resident.

1.3 "Content" means any data, text, images, audio, video, software, code, or other materials uploaded, transmitted, stored, or made available through the Service.

1.4 "Customer" means the entity that has entered into an agreement with Provider for access to the Service.

1.5 "Intimate Image" means any photograph, film, videotape, recording, or any other reproduction of another person depicting exposed intimate body parts or the person engaged in an act of sexual intercourse, as defined in Cal. Civ. Code § 1708.85(a).

1.6 "Malicious Code" means viruses, worms, Trojan horses, ransomware, spyware, adware, rootkits, or any other harmful code.

1.7 "Minor" means any individual under the age of 18 for purposes of California law, or under 13 for COPPA purposes.

1.8 "Personal Information" shall have the meaning set forth in Cal. Civ. Code § 1798.140(v).

1.9 "Prohibited Content" means Content that violates this AUP, applicable law, or third-party rights.

1.10 "Service" means the SaaS platform, applications, APIs, websites, and related services provided by Provider.

1.11 "Spam" means unsolicited commercial electronic mail as defined in Cal. Bus. & Prof. Code § 17529.1(a).

1.12 "Synthetic Media" means any audio, video, or image that has been created or altered using artificial intelligence or machine learning to depict events or statements that did not occur.

2. SCOPE AND APPLICABILITY

2.1 Applicability. This AUP applies to all Authorized Users of the Service, including Customer's employees, contractors, agents, and end users.

2.2 Customer Responsibility. Customer is responsible for all Authorized Users' compliance and shall communicate this AUP to all users.

2.3 Age Restrictions. The Service is not intended for individuals under [____] (default: 18) without verifiable parental consent. If the Service is likely to be accessed by Minors under 18, Customer and Provider shall comply with the California Age-Appropriate Design Code Act (Cal. Civ. Code § 1798.99.28 et seq.), including default high privacy settings and data protection impact assessments for features likely to be accessed by children.

2.4 California Nexus. This AUP applies California-specific requirements to all use of the Service that involves California residents, content directed to California users, or activities conducted from within California, regardless of where Customer is located.

3. PERMITTED USE

3.1 Authorized Purposes. Use of the Service only for lawful business purposes within the scope of the applicable agreement.

3.2 Compliance. All use must comply with federal, California, and local laws, this AUP, and the applicable agreement.

3.3 Capacity Limits. Use within published capacity, usage limits, and fair use parameters.

4. PROHIBITED CONDUCT

4.1 Illegal Activities. Authorized Users shall not:

• (a) Violate any applicable federal, California, or local law;
• (b) Engage in fraud, identity theft, phishing, or social engineering;
• (c) Facilitate financial crimes;
• (d) Infringe intellectual property rights;
• (e) Violate the Computer Fraud and Abuse Act (18 U.S.C. § 1030) or California Penal Code § 502; or
• (f) Access a computer, computer system, or computer network without permission, or alter, damage, delete, destroy, or otherwise use any data or system in violation of Cal. Penal Code § 502(c).

4.2 California Penal Code § 502 Violations. The following are prohibited under both this AUP and California law:

• (a) Knowingly accessing and without permission altering, damaging, deleting, destroying, or otherwise using any data, computer, computer system, or computer network;
• (b) Knowingly accessing and without permission taking, copying, or making use of any data from a computer, computer system, or computer network;
• (c) Knowingly and without permission using or causing to be used computer services;
• (d) Knowingly accessing and without permission adding, altering, damaging, deleting, or destroying any data, computer software, or computer programs;
• (e) Knowingly and without permission disrupting or causing the disruption of computer services or denying or causing the denial of computer services to an authorized user; and
• (f) Knowingly introducing any computer contaminant into any computer, computer system, or computer network.

Note: Violations of Cal. Penal Code § 502 may be charged as misdemeanors or felonies ("wobblers") with penalties up to 3 years imprisonment, $10,000 in fines, and civil liability.

4.3 Security Violations. Authorized Users shall not:

• (a) Gain unauthorized access to any system, network, or data;
• (b) Conduct vulnerability scanning or penetration testing without written authorization;
• (c) Launch DoS or DDoS attacks;
• (d) Introduce Malicious Code;
• (e) Intercept or alter communications;
• (f) Bypass security features or access controls; or
• (g) Forge headers or manipulate identifiers.

4.4 Abuse and Misuse. Authorized Users shall not:

• (a) Resell or sublicense the Service without authorization;
• (b) Use the Service to develop competing products;
• (c) Publish unauthorized benchmarks;
• (d) Engage in cryptomining;
• (e) Deliberately consume excessive resources;
• (f) Scrape or data mine outside documented APIs; or
• (g) Misrepresent identity or authorization.

4.5 Harassment and Harmful Conduct. Authorized Users shall not:

• (a) Harass, threaten, or intimidate any individual;
• (b) Disseminate hate speech;
• (c) Distribute non-consensual Intimate Images in violation of Cal. Penal Code § 647(j)(4), which is a misdemeanor punishable by up to 6 months in county jail and/or a $1,000 fine;
• (d) Violate the civil cause of action for non-consensual distribution under Cal. Civ. Code § 1708.85, which provides for economic and non-economic damages, punitive damages, and attorneys' fees;
• (e) Create or distribute sexually explicit Synthetic Media depicting real individuals without consent, in violation of Cal. Civ. Code § 1708.86 (AB 602);
• (f) Dox any individual;
• (g) Engage in cyberbullying or coordinated harassment; or
• (h) Engage in "swatting" or false emergency reports.

5. CONTENT STANDARDS

5.1 Prohibited Content. Strictly prohibited:

• (a) Unlawful, fraudulent, or deceptive Content;
• (b) IP-infringing Content;
• (c) CSAM or content exploiting Minors;
• (d) Non-consensual Intimate Images (real or AI-generated);
• (e) Terrorist or extremist Content;
• (f) Malicious Code;
• (g) Stolen credentials or data;
• (h) Spam and phishing payloads;
• (i) Content violating privacy or publicity rights (including California's statutory and common law right of publicity); and
• (j) Deepfake election media within 60 days of an election, per Cal. Elec. Code § 20010 (AB 730), unless accompanied by a clear disclosure that the media has been manipulated.

5.2 DMCA Compliance. Provider maintains a DMCA designated agent. Contact: [________________________________].

• (a) Takedown: Provider removes allegedly infringing Content upon valid notice.
• (b) Counter-Notification: Available under 17 U.S.C. § 512(g).
• (c) Repeat Infringers: Accounts terminated for repeat infringement.

5.3 California Right of Publicity. Content shall not use any individual's name, voice, signature, photograph, or likeness for commercial purposes without consent, in violation of Cal. Civ. Code § 3344.

6. AI AND AUTOMATED SYSTEMS USAGE RESTRICTIONS

6.1 Prohibited AI Uses. Authorized Users shall not:

• (a) Use Service outputs to train competing models without written permission;
• (b) Make fully automated decisions with legal or significant effects without human review;
• (c) Generate deceptive Synthetic Media, including deepfakes intended to mislead;
• (d) Create AI-generated sexually explicit Content depicting real individuals;
• (e) Use AI to impersonate individuals without consent;
• (f) Hold out AI outputs as licensed professional advice without disclaimers; or
• (g) Use AI to circumvent content moderation or safety mechanisms.

6.2 California-Specific AI Obligations.

• (a) AB 730 (Deepfake Elections): AI-generated or manipulated media depicting candidates must include clear disclosure if distributed within 60 days of an election. Exempt: satire, parody, and media with affirmative disclosure.
• (b) AB 602 (Sexually Explicit Digital Identity Theft): Creating sexually explicit Synthetic Media of identifiable persons without consent creates civil liability under Cal. Civ. Code § 1708.86. Victims may recover actual damages, statutory damages, punitive damages, and attorneys' fees.
• (c) Automated Decision-Making: Where the Service involves automated decision-making affecting California Consumers, Customer shall ensure compliance with CCPA/CPRA provisions regarding profiling and automated decision-making rights.

6.3 Disclosure Requirements. AI-generated Content must be labeled or disclosed where required by law or where non-disclosure would be materially misleading.

7. DATA PROTECTION AND PRIVACY COMPLIANCE (CALIFORNIA-SPECIFIC)

7.1 CCPA/CPRA Compliance. Authorized Users processing Personal Information of California Consumers through the Service shall:

• (a) Comply with the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code § 1798.100 et seq.);
• (b) Not sell or share Personal Information unless authorized by the applicable agreement and compliant with CCPA/CPRA requirements;
• (c) Respect Consumer rights to know, delete, correct, opt-out of sale/sharing, and limit use of sensitive personal information;
• (d) Not retaliate against Consumers who exercise their privacy rights;
• (e) Implement reasonable security procedures and practices appropriate to the nature of the Personal Information, consistent with Cal. Civ. Code § 1798.81.5; and
• (f) Comply with the California Privacy Protection Agency's implementing regulations (Cal. Code Regs. tit. 11, § 7000 et seq.).

7.2 California Age-Appropriate Design Code Act. If the Service is likely to be accessed by Minors under 18:

• (a) Privacy settings must be set to "high" by default;
• (b) Data protection impact assessments are required for features likely to be accessed by children;
• (c) Profiling of children is prohibited by default unless necessary for the Service and with appropriate safeguards;
• (d) Dark patterns that encourage children to provide Personal Information or weaken privacy protections are prohibited; and
• (e) Enforcement: Civil penalties of up to $2,500 per affected child for negligent violations and $7,500 per affected child for intentional violations, enforced by the California Attorney General.

7.3 COPPA. For children under 13, verifiable parental consent is required per 15 U.S.C. § 6502.

7.4 Data Breach Response. In the event of a breach of the security of the system (Cal. Civ. Code § 1798.82):

• (a) Notify affected California residents without unreasonable delay;
• (b) If more than 500 California residents are affected, notify the California Attorney General;
• (c) Breaches involving unencrypted Personal Information trigger the private right of action under Cal. Civ. Code § 1798.150, with statutory damages of $100 to $750 per consumer per incident; and
• (d) Implement and maintain reasonable security measures — note that post-breach implementation does not cure the breach (Cal. Civ. Code § 1798.150(b)).

7.5 Cal. Civ. Code § 1798.81.5 — Security. Any business that owns, licenses, or maintains Personal Information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized access, destruction, use, modification, or disclosure.

8. NETWORK AND SYSTEM SECURITY

8.1 Security Requirements. Authorized Users shall:

• (a) Maintain credential confidentiality and use MFA where available;
• (b) Report suspected compromise immediately;
• (c) Keep client-side software current; and
• (d) Comply with Provider's security policies and API rate limits.

8.2 Vulnerability Testing. Prohibited without written authorization from Provider.

8.3 Reverse Engineering. Prohibited except as permitted by applicable law, including Cal. Civ. Code § 1798.100(e) (consumer's right to know specific data) and 17 U.S.C. § 1201(f) (interoperability).

9. EMAIL AND COMMUNICATION STANDARDS

9.1 Federal CAN-SPAM. Full compliance required per 15 U.S.C. § 7701 et seq.

9.2 California Anti-Spam Law (Cal. Bus. & Prof. Code § 17529 et seq.). In addition to federal CAN-SPAM:

• (a) It is unlawful to initiate or advertise in unsolicited commercial email from California or to a California email address;
• (b) Emails shall not contain falsified, misrepresented, or forged header information;
• (c) Subject lines shall not be deceptive or misleading;
• (d) Emails shall include a valid opt-out mechanism; and
• (e) Penalties: Actual damages or liquidated damages of $1,000 per unsolicited email, up to $1,000,000 per incident under § 17529.5(b).

9.3 TCPA Compliance. Prior express written consent for automated calls and texts per 47 U.S.C. § 227.

9.4 Anti-Spam. No Spam. Authorized Users shall not use the Service for unsolicited bulk messaging in any format.

10. MONITORING AND ENFORCEMENT

10.1 Monitoring. Provider may monitor Service use for AUP compliance as permitted by law.

10.2 Investigation. Provider may investigate suspected violations and cooperate with law enforcement.

10.3 Content Removal. Provider may remove violating Content with or without prior notice.

10.4 Preservation. Provider may preserve Content pursuant to valid legal process.

11. VIOLATION CONSEQUENCES

11.1 Graduated Enforcement.

11.2 Immediate Suspension. Without prior notice for imminent threats, criminal activity, or CSAM.

11.3 Customer Liability. Customer responsible for fees during violation-caused suspension.

11.4 California Attorney General. Violations involving California Consumers may be reported to the California Attorney General for enforcement under CCPA/CPRA, UCL, or other applicable statutes.

12. REPORTING VIOLATIONS

12.1 Contact.

• Email: [________________________________]
• Online: [________________________________]
• DMCA Agent: [________________________________]

12.2 Report Contents. Description, evidence, dates, user information, and any actions taken.

12.3 Response. Acknowledgment within [____] Business Days; initial assessment within [____] Business Days.

12.4 No Retaliation. Provider shall not retaliate against good-faith reporters.

13. CALIFORNIA-SPECIFIC LEGAL PROVISIONS

13.1 Governing Law. This AUP is governed by the laws of the State of California.

13.2 Unfair Competition Law. Provider and Authorized Users shall comply with Cal. Bus. & Prof. Code § 17200 et seq. Violations of this AUP that constitute unfair, unlawful, or fraudulent business practices may be prosecuted under the UCL by the California Attorney General, district attorneys, or private plaintiffs.

13.3 Consumer Protection. This AUP shall be interpreted consistently with California consumer protection standards. Enforcement actions shall comply with applicable due process requirements.

13.4 Unruh Civil Rights Act. The Service shall be provided without discrimination in violation of Cal. Civ. Code § 51.

13.5 California Constitutional Privacy. Provider acknowledges the California constitutional right to privacy (Cal. Const. Art. I, § 1) and shall not use monitoring or enforcement mechanisms that unreasonably infringe upon the privacy interests of Authorized Users.

13.6 Section 230 Acknowledgment. Provider may qualify for protection under 47 U.S.C. § 230 for good-faith actions taken to restrict access to Content that Provider considers to be objectionable, regardless of whether such Content is constitutionally protected.

14. AMENDMENTS AND UPDATES

14.1 Right to Amend. Provider may modify this AUP at any time.

14.2 Notice. Not less than [____] days' notice for material changes.

14.3 Continued Use. Continued use after the effective date constitutes acceptance.

15. ACKNOWLEDGMENT AND ACCEPTANCE

Customer Acknowledgment:

Organization: [________________________________]
Authorized Representative: [________________________________]
Title: [________________________________]
Signature: [________________________________]
Date: [__/__/____]

☐ I confirm that I have read and understood this Acceptable Use Policy.
☐ I agree to communicate this AUP to all Authorized Users.
☐ I accept responsibility for Authorized User compliance.
☐ I acknowledge the California-specific obligations in this AUP, including CCPA/CPRA, Cal. Penal Code § 502, and the California Anti-Spam Law.

EXHIBIT A — PROHIBITED CONTENT EXAMPLES (CALIFORNIA)

EXHIBIT B — VIOLATION REPORTING FORM

Report Date: [__/__/____]

Reporter Information:
☐ Anonymous report

Name: [________________________________]
Email: [________________________________]
Phone: [________________________________]

Violation Type:
☐ Cal. Penal Code § 502 — Computer fraud/unauthorized access
☐ Non-consensual intimate images
☐ Deepfake / synthetic media misuse
☐ Spam (California Anti-Spam Law)
☐ CCPA/CPRA privacy violation
☐ Children's privacy violation (COPPA/AADC)
☐ Intellectual property infringement (DMCA)
☐ Harassment or cyberbullying
☐ Security violation
☐ Other: [________________________________]

Description: [________________________________]

Date/Time: [__/__/____] at [____]

Evidence: ☐ Screenshots ☐ Logs ☐ Email headers ☐ Other

Severity: ☐ Low ☐ Medium ☐ High ☐ Critical

☐ I certify this report is made in good faith.

Signature: [________________________________]
Date: [__/__/____]

This Acceptable Use Policy template is provided for informational purposes only and does not constitute legal advice. Have this document reviewed by a qualified California attorney before use.