California Privacy Law
Please note that this is intended to be a summary. It is not a complete recitation of the applicable laws and/or regulations and is not intended to be used as legal advice.
The first state to pass a formal privacy law was California, which entered the arena in 2018 with the California Consumer Privacy Act (CCPA) (California Consumer Privacy Act of 2018). In 2020, California voters approved the California Consumer Privacy Rights Act (CPRA), which amended and expanded the rights and obligations under the CCPA. Enforcement of the CPRA starts in 2023. The law authorized the state Attorney General to adopt regulations regarding consumer privacy (here).
Obligations under the California law are placed on any business selling to consumers in the state that collects defined “personal” information and meets any of the following:
Company has gross annual revenues in excess of $25M;
Company buys, receives or sells personal information of at least 50,000 (100,000 upon implementation of the CPRA) California residents; or
Company derives 50% or more of its revenue from selling personal data.
The rules do not apply to information publicly available from the government. Likewise, until the beginning of 2023, the privacy rules do not apply to data held about employees or business-to-business information.
When an entity collects personal information it must, among other things, disclose the categories that are collected and the business purposes for the collection.
If an entity sells the personal information, it must offer every consumer whose data might be sold the option to opt-out of that sale in a clear and conspicuous manner.
A consumer can get information concerning what data is collected and what is sold. The consumer may also have all personal information deleted.
The CPRA added the right of a consumer to both correct inaccurate personal information and to limit the use and disclosure of certain defined “sensitive” information.
Certain entities will also have to perform cybersecurity audits and/or risk assessments.
Currently, there is a 30-day cure period once an entity is formally notified of a violation. This period disappears upon the implementation of the CPRA in 2023.
Consumers have the right to bring claims relating to data breaches.
The CPRA created the California Privacy Protection Agency to implement and enforce (along with the state Attorney General) state privacy laws.
Other claims are brought by the state and penalties can run from $2,500 (negligence) to $7,500 (willful) per occurrence.
California Age-Appropriate Design Code Act (CAADC)
On September 15, 2022, California Governor Gavin Newsome signed the California Age-Appropriate Design Code Act (CAADC) into law. The CAADC has the goal of protecting the wellbeing, data, and privacy of children using online platforms. Compliance with CAADC, including documentation and privacy by design obligations, is required by July 1, 2024, for online products and services that are “likely to be accessed by children” under the age of 18.
A product is “likely to be accessed by children” if it is reasonable to expect that children would access the online service, product, or feature (collectively, Online Content) based on a number of indicators listed in the statute, including advertising, the presence of cartoons and games, and the audience of the Online Content.
Businesses that provide Online Content that is “likely to be accessed by children” must complete and maintain a “Data Protection Impact Assessment” before launching any new Online Content that is “likely to be accessed by children.” This Data Protection Impact Assessment shall identify the purpose of the Online Content, how it uses children’s personal information, and the risks of material detriment to children that arise from the data management practices of the business. There are number of explicit topics that the Data Protection Impact Assessment must address listed in the statute.
Businesses shall make the Data Protection Impact Assessment available to the Attorney General pursuant to a written request within five days.
Additional obligations under the CAADC include:
- Estimating the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business
- Configuring all default privacy settings provided to children by the Online Content to settings that offer a high level of privacy
- Providing any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access the Online Content
The CAADC also contains prohibited conduct which businesses providing Online Content shall not engage in, which includes profiling children and using children’s data in a manner that is materially detrimental to a child’s physical or mental health or well-being. Penalties for violating the CAADC include fines of $2,500 per affected child for negligent violations and $7,500 for intentional violations.
California Privacy Protection Agency Releases CPRA Regulations
On March 29, 2023, the California Office of Administrative Law approved the California Privacy Protection Agency’s (the Agency) first final rulemaking package which has now become a part of the California Consumer Privacy Act (CCPA) and includes the regulations (Regulations) and a final statement of reasons for them.
The Regulations took effect on March 29, 2023, and are available (currently only in redline form) here. Now that the Agency has provided guidance on the CCPA, businesses covered by the CCPA should be aware of the following key provisions:
- Restrictions on the collection and use of California consumers’ personal information (including expanded requests to deletion and new requests to correct).
- Requirements for methods for submitting consumer requests and obtaining consumer consent (including prohibitions on the use of “dark patterns”).
- Additional information requirements in privacy notices.
- Expanded opt-out requirements (including opt-out preference signals and requests to opt-out of sale/sharing).
- The new California consumer right to limit the use of “sensitive personal information.”
- The expansion of indirect coverage over “contractors” and “third parties” (beyond “service providers,” including data processing contractual requirements).
These Regulations are the first set in what will be an ongoing rulemaking process. The next rulemaking package from the Agency is expected to cover automated decision-making, cybersecurity audits, and risk assessments, based on a Feb. 3, 2023, Agency meeting.