California Privacy Law

Please note that this is intended to be a summary. It is not a complete recitation of the applicable laws and/or regulations and is not intended to be used as legal advice.

California was the first state to pass a comprehensive consumer privacy law, the California Consumer Privacy Act of 2018 (CCPA). In 2020, California voters approved the California Privacy Rights Act (CPRA), which amended and expanded the rights and obligations under the CCPA; most of its provisions take effect, and enforcement begins, in 2023. The law authorizes the state Attorney General to adopt regulations regarding consumer privacy.

Obligations under the California law are placed on any for-profit business doing business in the state that collects California residents' personal information (as defined in the law) and meets any of the following thresholds:

Company has gross annual revenues in excess of $25M;

Company buys, sells, or shares the personal information of at least 50,000 (100,000 upon implementation of the CPRA) California consumers or households; or

Company derives 50% or more of its annual revenue from selling (or, under the CPRA, sharing) personal information.

The rules do not apply to publicly available information, meaning information lawfully made available from federal, state, or local government records. Likewise, until the beginning of 2023, the privacy rules do not apply to data held about employees or to business-to-business information; those exemptions expire when the CPRA takes effect.

When an entity collects personal information it must, among other things, disclose the categories that are collected and the business purposes for the collection.

A business must make a privacy policy available to consumers, and the law prescribes what that policy must contain.

If an entity sells the personal information, it must offer every consumer whose data might be sold a clear and conspicuous way to opt out of that sale, typically a "Do Not Sell My Personal Information" link on its website (under the CPRA, "Do Not Sell or Share My Personal Information", since the opt-out also covers sharing for cross-context behavioral advertising).

A consumer has the right to know what categories and specific pieces of personal information a business has collected about them, and whether that information is sold or disclosed and to whom. The consumer may also request that the business delete the personal information it has collected from them, subject to statutory exceptions.

The CPRA added the right of a consumer to both correct inaccurate personal information and to limit the use and disclosure of certain defined “sensitive” information.

Under the CPRA, businesses whose processing of personal information presents significant risk to consumers' privacy or security will also have to perform annual cybersecurity audits and submit risk assessments, under regulations to be adopted by the new privacy agency.

Currently, there is a 30-day cure period once an entity is formally notified of a violation. This period disappears upon the implementation of the CPRA in 2023.

Consumers have a private right of action for data breaches: if certain nonencrypted and nonredacted personal information is exposed because a business failed to implement and maintain reasonable security procedures, the consumer may sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater.

The CPRA created the California Privacy Protection Agency to implement and enforce (along with the state Attorney General) state privacy laws.

Other enforcement is by the state (the Attorney General and, under the CPRA, the agency), with civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation (and, under the CPRA, per violation involving a consumer the business knows is under 16).
