Unauthorized data access, use, and transfer all refer to misuse of personal and sensitive data. Unauthorized data access occurs when a user accesses personal data and that access is not allowed by policy and not pertinent to their organizational responsibilities. Unauthorized data use is similar, in that a user in the organization has exceeded their permissions in using data, but it can also refer to the organization using personal data without the proper consent of the data subject. Unauthorized data transfer refers to information transferred to organizations that are neither allowed by privacy regulations nor covered by a privacy shield or another appropriate binding agreement. In the case of CCPA, it could also refer to the sale of a customer’s information where the customer has exercised their do-not-sell right.