California Privacy Law
Please note that this is intended to be a summary. It is not a complete recitation of the applicable laws and/or regulations and is not intended to be used as legal advice.
California was the first state to pass a comprehensive consumer privacy law, entering the arena in 2018 with the California Consumer Privacy Act of 2018 (CCPA), which took effect on January 1, 2020. In November 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which amended and expanded the rights and obligations under the CCPA. The CPRA’s provisions became operative on January 1, 2023, with enforcement beginning July 1, 2023. The law authorizes the state Attorney General to adopt regulations regarding consumer privacy.
Obligations under the California law fall on any for-profit business that does business in California, collects defined “personal” information about California residents, and meets any of the following thresholds:
Company has gross annual revenues in excess of $25M;
Company annually buys, receives, sells, or shares the personal information of at least 50,000 (100,000 upon implementation of the CPRA) California consumers or households; or
Company derives 50% or more of its annual revenue from selling (or, under the CPRA, sharing) consumers’ personal information.
The rules do not apply to information that is lawfully made available from government records. Likewise, until January 1, 2023, the privacy rules did not apply to data held about employees, job applicants, and contractors, or to business-to-business contact information; those exemptions expired when the CPRA became operative.
When an entity collects personal information it must, among other things, disclose at or before the point of collection the categories of personal information collected and the business purposes for which they are used.
If an entity sells (or, under the CPRA, shares) personal information, it must offer every consumer whose data might be sold the option to opt out of that sale in a clear and conspicuous manner, such as a “Do Not Sell My Personal Information” link on its website.
A consumer has the right to know what personal information is collected about them and what is sold or disclosed, and to whom. The consumer may also request deletion of their personal information, subject to statutory exceptions (for example, information needed to complete a transaction the consumer requested or to detect security incidents and protect against fraudulent or illegal activity).
The CPRA added the right of a consumer both to correct inaccurate personal information and to limit the use and disclosure of certain defined “sensitive” personal information (for example, precise geolocation, government identifiers, account credentials, and biometric data).
Under the CPRA, businesses whose processing of personal information presents significant risk to consumers’ privacy or security must also perform annual cybersecurity audits and submit regular risk assessments to the California Privacy Protection Agency, as specified in the agency’s regulations.
Currently, an entity has 30 days to cure a violation once it is formally notified. This mandatory cure period is eliminated upon the implementation of the CPRA in 2023; any opportunity to cure is then at the discretion of the enforcing agency.
Consumers have a private right of action for certain data breaches: where nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices. Statutory damages are $100 to $750 per consumer per incident, or actual damages if greater, which is why the “reasonable security” bar matters to practitioners.
The CPRA created the California Privacy Protection Agency to implement and enforce (along with the state Attorney General) state privacy laws.
Other claims are brought by the state (and, under the CPRA, by the California Privacy Protection Agency), with civil penalties of up to $2,500 per violation, or $7,500 per intentional violation (and, under the CPRA, per violation involving the personal information of consumers under 16).
California Age-Appropriate Design Code Act (CAADC)
On September 15, 2022, California Governor Gavin Newsom signed the California Age-Appropriate Design Code Act (CAADC, AB 2273) into law. The CAADC has the goal of protecting the wellbeing, data, and privacy of children using online platforms. Compliance with the CAADC, including its documentation and privacy-by-design obligations, is required by July 1, 2024, for online products and services that are “likely to be accessed by children” under the age of 18.
A product is “likely to be accessed by children” if it is reasonable to expect that children would access the online service, product, or feature (collectively, Online Content) based on a number of indicators listed in the statute, including advertising, the presence of cartoons and games, and the audience of the Online Content.
Businesses that provide Online Content that is “likely to be accessed by children” must complete and maintain a “Data Protection Impact Assessment” before launching any new Online Content that is “likely to be accessed by children.” This Data Protection Impact Assessment shall identify the purpose of the Online Content, how it uses children’s personal information, and the risks of material detriment to children that arise from the data management practices of the business. The statute lists a number of explicit topics that the Data Protection Impact Assessment must address.
Businesses shall make the Data Protection Impact Assessment available to the Attorney General within five business days of a written request.
Additional obligations under the CAADC include:
- Estimating the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business, or applying the privacy and data protections afforded to children to all users
- Configuring all default privacy settings provided to children by the Online Content to settings that offer a high level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interests of children
- Providing any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access the Online Content
The CAADC also lists prohibited conduct for businesses providing Online Content, including profiling children by default, collecting precise geolocation by default, using dark patterns to lead children to provide personal information beyond what is reasonably expected, and using children’s data in a manner that is materially detrimental to a child’s physical or mental health or well-being. Penalties for violating the CAADC include civil fines of up to $2,500 per affected child for negligent violations and up to $7,500 per affected child for intentional violations.