California Privacy Law: What You Need to Know
California pioneered digital privacy law in the U.S., starting with limited sector-specific statutes in the early 2000s. The landmark California Consumer Privacy Act (CCPA), effective January 2020, then established sweeping new standards for protecting consumers and giving them control over their personal data.
The California Privacy Rights Act (CPRA), a ballot measure passed in November 2020 and operative from January 2023, amended the CCPA and expanded those rights further. Ongoing revisions aim to adapt to emerging technologies and threats to personal data. California privacy regulations often serve as templates for other states and for national legislation.
For companies doing business in California, compliance is mandatory and complex across IT systems, business processes, and service providers. Individuals benefit from unprecedented visibility and control over the use of their personal information. Understanding the scope, rights, obligations, and evolution of California privacy law is essential today.
History of California Privacy Law
California privacy statutes originated in early 2000s with limited sector-specific laws, including:
- Financial Information Privacy Act (FIPA) protecting financial data – 2003
- Data Security Breach Notification law requiring timely reporting of breaches – 2003
- Online Privacy Protection Act (OPPA) mandating website privacy policies – 2004
- Privacy Rights for California Minors in the Digital World safeguarding underage users – 2013
But the landmark California Consumer Privacy Act (CCPA), effective January 2020, implemented sweeping obligations on companies handling consumer data. It embodied the most comprehensive digital privacy rights in the U.S. at the time.
The CCPA spawned additional reforms like the California Privacy Rights Act (CPRA) which amended and expanded consumer protections starting January 2023. Ongoing revisions through legislation and regulations continue to shape privacy compliance in California.
Who is Subject to California Privacy Law?
California privacy statutes like the CCPA and CPRA apply to “businesses,” defined as for-profit entities that do business in California, collect California residents’ personal information (or have it collected on their behalf), determine the purposes and means of processing it, and meet at least one of three thresholds:
- Annual gross revenue above $25 million (adjusted periodically for inflation)
- Annually buying, selling, or sharing the personal information of 100,000 or more consumers or households (the original CCPA threshold was 50,000 consumers, households, or devices; the CPRA raised it)
- Deriving 50% or more of annual revenue from selling or sharing consumers’ personal information
Non-profits are generally outside the law’s scope unless they are controlled by a covered business and share its branding. Service providers and contractors that handle personal information on a business’s behalf take on their own statutory and contractual duties.
The key factors are significant economic activity in the state or handling California residents’ data. Because of California’s vast economy, many medium and large companies nationwide fall within CCPA/CPRA scope.
Key Provisions of California Privacy Laws
California privacy laws like CCPA and CPRA grant consumers strong rights to access, delete, and control personal data held by businesses:
Consumer Rights
- Notice – Clear disclosures on data collection, sharing, and use in privacy policies and at-collection notices
- Access – Ability to request details on the specific personal information held, its sources, uses, and recipients
- Correction – Right to request correction of inaccurate personal information (added by the CPRA)
- Deletion – Right to request deletion of personal data (with some exceptions)
- Opt-out – Opting out of sales and sharing of personal data, and limiting use of sensitive personal information
- Non-discrimination – No discrimination for exercising privacy rights
Business Obligations
- Compliance measures – Implement systems, processes, training to enable consumer rights
- Secure handling – Reasonable data security protections against breaches or misuse
- Limited uses – No secondary unauthorized purposes, only use disclosed and reasonably expected
- Data minimization – Only collect/retain personal data needed for operational purposes
- Contractual duties – Ensure service providers/partners also comply with duties
- No retaliation – No discrimination based on privacy right exercises
- Request handling – Offer at least two methods for submitting requests (such as a toll-free number and a web form), verify requesters, and respond within the statutory timelines
Businesses must implement comprehensive privacy programs addressing these interlocking requirements across systems, operations, and vendors.
Key Definitions
California privacy law definitions shape entities covered and consumer rights granted:
- Personal information – Broadly encompasses any data that identifies, relates to, or could reasonably be linked with an identified or identifiable person or household: IP addresses, browsing history, geolocation, biometrics, demographics, inferences drawn from behavior, and more.
- Consumer – A natural person who is a California resident. Since January 2023 this includes employees, job applicants, and business contacts, whose data was temporarily exempt under the original CCPA.
- Sale of personal information – Disclosing data for monetary or other valuable consideration. “Sharing” (added by the CPRA) separately covers disclosures for cross-context behavioral advertising even when no money changes hands, so advertising auctions and data broker transfers are generally caught by one or the other.
- Deidentified information – Data that cannot reasonably be used to infer information about, or be linked to, a particular consumer. It falls outside the definition of personal information only if the business takes reasonable measures to prevent reidentification, publicly commits not to reidentify it, and contractually binds recipients to the same.
- Dark patterns – Interfaces designed to subvert or impair user choice. Consent obtained through a dark pattern is not valid consent under the CPRA, and the CPPA’s regulations set design requirements for opt-out and consent flows.
- Sensitive personal information – An extra-protected category covering government identifiers (such as Social Security and driver’s license numbers), account credentials, precise geolocation, racial or ethnic origin, religious beliefs, union membership, contents of mail, email, and texts, genetic and biometric data, health information, and sex life or sexual orientation. Children’s data is not in this category but has its own rule: selling or sharing the data of consumers under 16 requires opt-in consent.
Nuances in these definitions create complexity in law application. But broadly they encompass informational privacy rights of California residents regarding businesses handling or profiting from their personal data.
Key Exemptions
Several categories exempt certain data uses from California privacy laws:
- Employee and job applicant information was exempt under the original CCPA, but that exemption expired on January 1, 2023; workforce data is now covered in full, though some employment-related exceptions (such as retaining records required by law) still apply.
- Business-to-business contact data exchanged in the course of providing or receiving products and services was likewise exempt only until January 1, 2023 and is now covered.
- Deidentified and aggregated consumer information, provided the business meets the reidentification safeguards described above.
- Publicly available data lawfully obtained from government records, or that the consumer made available to the general public (for example in widely accessible media). Note that data is not “publicly available” merely because a business once collected it; biometric information collected without the consumer’s knowledge is expressly excluded.
- Medical information governed by California’s Confidentiality of Medical Information Act (CMIA) and protected health information handled under HIPAA, along with certain clinical trial data, are exempt because sector-specific confidentiality laws already apply.
But these exemptions are parsed narrowly by regulators. Responsible controls are still expected even on exempt data.
Penalties for Violating California Privacy Law
Failing to comply with CCPA/CPRA mandates carries civil penalties, enforceable by the California Attorney General and, since the CPRA, by the California Privacy Protection Agency (CPPA):
- Up to $2,500 per violation
- Up to $7,500 per intentional violation, or per violation involving the personal information of a consumer under 16
- Injunctions ordering compliance, along with audits and ongoing monitoring
Consumers also have a private right of action, but only for data breaches caused by a business’s failure to implement reasonable security. In that case they may sue, individually or as a class, for statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater.
Reputational harm from privacy violations can also be severe. Non-compliance risks significant financial liability especially for larger consumer companies and data brokers. Penalties incentivize investments into compliance.
California Privacy Law Recent Changes and Proposed Reforms
California continuously evolves privacy laws through new statutes, regulations, and guidance:
- CPRA passed – Strengthening the CCPA with additional consumer rights, oversight, and protections – Effective 1/2023
- Employee protections expanded – Limiting the use of personal information collected in workplace contexts
- Sensitive data rules strengthened – Tightening protections for minors, location traces, health data, and more
- Algorithmic disclosures – Requiring disclosures around automated decision systems impacting consumers
- Data minimization duties – Restricting collection and retention to what is adequately necessary
- Remote health expanded – Broadening telehealth and mHealth privacy obligations
- Data broker registry – California has required data brokers to register since 2020; the Delete Act of 2023 moved the registry to the CPPA and is creating a single mechanism through which consumers can direct all registered brokers to delete their data
Ongoing revisions aim to address emerging technologies like digital health apps, data brokerages, microtargeting, biometrics, and surveillance infrastructure.
Controversies and Challenges
California privacy laws generate compliance challenges and debates:
- Costs of compliance – Major investments are needed in systems, processes, and training across organizations handling consumer data. Potential barriers for smaller companies.
- Overlapping laws – CCPA, CPRA, sector laws, children’s regulations create complex intersecting obligations demanding specialized legal guidance.
- Consumer understanding – Individuals struggle to exercise privacy rights without sufficient awareness of protections. More education is needed.
- Service providers and vendors – Coordinating third party management and contractual duties adds complexities to compliance.
- Advertising impacts – Opt-out rights and data use limits threaten digital ad targeting models, stirring pushback.
- Pre-emption arguments – Some claim state laws should be pre-empted by weaker federal rules. So far California is standing firm to keep its standards.
Balancing meaningful privacy and consumer rights with functional digital ecosystems requires delicately evolving regulations and responsible industry adaptation.
CCPA/CPRA Compliance Best Practices
Effectively operationalizing California privacy law involves comprehensive measures:
- Gap assessment – Map data flows, uses, and systems against requirements to identify compliance gaps.
- Privacy policy update – Revise website privacy disclosures for transparency.
- Data inventories and mapping – Catalog personal data holdings, uses, and risks.
- Response plan development – Document processes to validate, and fulfill consumer requests within legal timelines.
- Opt-out mechanisms – Build user interfaces and controls to consistently record privacy choices.
- Service provider oversight – Update contracts to document privacy duties and prohibit unauthorized data sharing.
- Security controls – Ensure reasonable administrative, technical, and physical safeguards against data breaches or misuse.
- Training – Educate staff on legal duties, acceptable/unacceptable uses, and incident protocols.
- Auditing – Monitor practices via internal/external audits to identify and correct gaps over time.
Dedicated resources and oversight are ideal to manage ongoing privacy programs addressing evolving regulations.
Consumer Rights Under California Privacy Law
California residents have powerful rights to access and control their personal information:
- Right to know – Ability to request details on what personal data a business holds, its sources, the purposes of use, and the categories of third parties it was disclosed to.
- Right to correct – Ability to require a business to correct inaccurate personal information.
- Right to delete – Option to require a business to delete personal data upon request (with some exceptions).
- Right to opt-out – Choice to direct a business not to sell or share personal data, and to limit the use and disclosure of sensitive personal information.
- Right to non-discrimination – Exercising privacy rights cannot result in denial of services or differences in price or quality.
- Right to remedy – Violations can be reported to the CPPA or the Attorney General; private lawsuits (including class actions) are available only for data breaches caused by inadequate security.
- Automated decisions – The CCPA itself grants no general right to human review of algorithmic decisions; the CPPA’s regulations on automated decision-making technology address notice, access, and opt-out rights around such systems.
Consumers generally must submit requests to trigger access, correction, and deletion rights. The opt-out of sale and sharing can also be exercised through a browser-level opt-out preference signal such as Global Privacy Control, which businesses are required to honor. Protections like non-discrimination and data minimization apply automatically without any request.
Frequently Asked Questions California Privacy Law
Interpreting expansive California privacy law generates many specific questions: