California

Summary

Law: California Consumer Privacy Act of 2018 (last amended in 2019) ('CCPA') and California Privacy Rights Act of 2020 ('CPRA'). The CPRA will enter into force on 1 January 2023.

Regulator: The California Attorney General ('AG')

Summary: The right to pursue and obtain privacy is specifically protected by the California Constitution. California was the first US State to introduce a comprehensive data privacy law, the CCPA, which entered into effect on 1 January 2020. The CCPA creates obligations for businesses and provides certain rights for consumers, such as the right of access, the right of deletion, and the right to opt-out of the sale of their personal information. The CCPA was subsequently amended by the CPRA, which introduces new requirements associated with data sharing, sensitive data, and contractors' and service providers' responsibility, among other things. The CPRA also creates enhanced as well as new consumer rights, including a right to correction, an expanded right to access, and additional disclosure and transparency requirements.

In addition to the CCPA and CPRA, §1798.82 of the California Civil Code stipulates that businesses that own or license computerised data that includes personal information shall disclose a breach of the security of the system to any affected Californians and, if data of more than 500 residents was breached, to the AG. Other key privacy laws in California include the California Online Privacy Protection Act, the Shine the Light Law, the California Invasion of Privacy Act, and the recently enacted California Age-Appropriate Design Code Act, which will enter into effect on 1 July 2024.

Finally, the California Privacy Protection Agency ('CPPA') released a revised version of the proposed regulations under the CCPA, comments for which have since closed. OneTrust DataGuidance confirmed, with David Stauss, Partner at Husch Blackwell, that the Board's General Counsel explained that the CPPA hopes to have final rules submitted to the Office of Administrative Law for review by the end of the year. If that timeframe holds, the regulations will become effective in late January or early February.

You can follow legislative developments in US States through the USA State Law Tracker.

Insights

On 1 January 2023, the California Consumer Privacy Act of 2018 ('CCPA') became applicable to the personal information of employees, job applicants, subcontractors, contractors, and others in work roles who are California residents ('Employee Personal Information'). Since it went into effect on 1 January 2020, the CCPA (through a series of legislative actions) had exempted Employee Personal Information from its provisions. With the revisions to the CCPA made by the referendum on 3 November 2020 that enacted the California Privacy Rights Act of 2020 ('CPRA') as a revision to the CCPA (and the failure of the California legislature to continue the exemption), employees and others in the workforce now have the rights granted to other California consumers by the CCPA. Enforcement for the amended CCPA provisions will begin on 1 July 2023 through the newly established California Privacy Protection Agency ('CPPA'). Timothy J. Toohey, Partner at Greenberg Glusker Fields Claman & Machtinger LLP, discusses the new rights extended to Employee Personal Information under the CCPA and what businesses can do in order to comply.

Two years into compliance with the California Consumer Privacy Act of 2018 ('CCPA'), the expiration of Assembly Bill 25, An act to amend Sections 1798.130 and 1798.145 of the Civil Code, relating to consumer privacy ('AB 25'), ushers in new challenges. As businesses grapple with their new compliance obligations under the California Privacy Rights Act of 2020 ('CPRA') and the expiration of AB 25, proportionality is becoming an important consideration. However, what is the test for proportionality? One possible framework comes from the 2015 amendments to the Federal Rules of Civil Procedure ('FRCP'). Scott J. Hyman and Genevieve Walser-Jolly, from Severson & Werson, compare the CCPA to the FRCP and examine the utility of that existing test.

In this Insight article, Bart Huffman, Wendell Bartnick, and Haylie Treas, from Holland & Knight, address opt-out rights and related requirements under certain US state privacy laws that are currently in effect and/or will take effect in 2023.

Part two analyses the processing of opt-out requests, consent and opt-in requests, other compliance considerations, and the interplay with other major federal privacy laws, whereas part one explores opt-out rights, disclosures related to these opt-out rights, and opt-out mechanisms.

In this Insight article, Bart Huffman, Wendell Bartnick, and Haylie Treas, from Holland & Knight, address opt-out rights and related requirements under certain US state privacy laws that are currently in effect and/or will take effect in 2023.

Part one explores opt-out rights, disclosures related to these opt-out rights, and opt-out mechanisms, whereas part two analyses the processing of opt-out requests, consent and opt-in requests, other compliance considerations, and the interplay with other major federal privacy laws.

Just as the Gramm-Leach-Bliley Act of 1999 ('GLBA') permits US states to extend greater protections than afforded by the same, states can also choose to exempt GLBA-regulated entities from compliance with state privacy statutes. In this Insight article, David Zetoony and Jena Valdetero, from Greenberg Traurig LLP, discuss how the California Consumer Privacy Act of 2018 ('CCPA') and the California Privacy Rights Act of 2020 ('CPRA') apply to financial institutions, whilst also drawing comparisons to other state privacy statutes' exemptions for financial institutions.

The California Privacy Protection Agency ('CPPA') released, on 3 November 2022, a revised version of the proposed regulations ('the Revised Proposed Regulations') under the California Consumer Privacy Act of 2018 ('CCPA'). In particular, the Revised Proposed Regulations make amendments in regard to the collection and use of personal information as well as sensitive personal information, requirements surrounding opt-out preference signals and the right to opt-out of sales, and obligations of service providers and contractors. OneTrust DataGuidance breaks down the key amendments since the Draft Proposed Regulations were released on 8 July 2022.

On 15 September 2022, Governor Gavin Newsom signed Assembly Bill 2273 for the California Age-Appropriate Design Code Act, establishing the California Age-Appropriate Design Code Act ('the Act'). This landmark legislation dramatically expands the privacy protections afforded to California residents under the age of 18 and brings California even closer to its UK and European counterparts on privacy legislation. Lily Li, Founder of Metaverse Law, provides a background and overview of the Act, its provisions, and how it compares with similar legislation in the UK.

After years of unsuccessful attempts to enact nationwide data privacy legislation, the American Data Privacy and Protection Act ('ADPPA'), a proposed US federal online privacy bill that would regulate how organisations keep and use consumer data, is the furthest a federal privacy bill has managed to go so far. If enacted, the ADPPA would be the country's first comprehensive federal consumer privacy framework. Paul Lanois, Director at Fieldfisher, provides a brief comparison between specific provisions under the ADPPA and those under the California Consumer Protection Act of 2018 ('CCPA').

Over the past few months, there has been an increased interest in consumer privacy laws across the US, with the states of Virginia, Utah, Colorado, California, and Connecticut having recently enacted comprehensive privacy legislation that will enter into effect in 2023. The enactment of these laws means that organisations in the US are subject to new privacy obligations, while consumers welcome their elevated data protection rights, aimed at better protecting consumer privacy.

Both the California Privacy Rights Act of 2020 ('CPRA') and the Virginia Consumer Data Protection Act ('CDPA') will come into force on 1 January 2023. The Colorado Senate Bill 21-190 for the Colorado Privacy Act ('CPA') and the Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA') will take effect on 1 July 2023, whereas the Utah Consumer Privacy Act ('UCPA') will enter into force on 31 December 2023. Though the aforementioned laws do not expressly refer to the use of cookies, many of their requirements (for example, in relation to disclosure) apply to the use of cookies – and organisations should therefore familiarise themselves with these requirements.

In this Insight article, we examine the convergences and divergences between the privacy laws of Virginia, Utah, Colorado, California, and Connecticut where they affect cookies, with a view to mapping out a possible harmonised approach to compliance.

The California Consumer Privacy Act of 2018 ('CCPA') was signed into law on 28 June 2019 before entering into effect on 1 January 2020. The Final CCPA Regulations were approved on 14 August 2020, which provided further requirements and clarifications on the application of the CCPA.

The CCPA is one of the most comprehensive privacy laws in the US and has introduced significant compliance challenges for organisations. In particular, the CCPA established a new set of consumer rights, additional protections for children's data, and specific rules on the selling of personal information.

The framework provided by the current version of the CCPA is, though, set to change following the passing of the California Privacy Rights Act of 2020 ('CPRA') on 3 November 2020. The CPRA stipulates several amendments to be made to the CCPA, including new consumer rights, provisions for a state privacy authority, and further obligations relating to children's data. Although the CPRA will not become operative until 1 January 2023, many of its provisions will be applicable to personal information collected from 1 January 2022.

On 21 April 2022, rulemaking authority under the California Consumer Privacy Act of 2018 ('CCPA') had been formally transferred to the California Privacy Protection Agency ('CPPA'). Shortly after, on 5 May 2022, the existing CCPA Final Regulations were transferred to Title 11, Division 6 of the California Code of Regulations, bringing them within a part of the Code of Regulations under the jurisdiction of the CPPA. Finally, on 27 May 2022, the CPPA announced that it will hold a board meeting on 8 June 2022 in which it will discuss, among other things, its own draft proposed regulations under the CCPA ('the CPPA Draft Proposed Regulations'), which were released alongside the meeting notice and agenda.

In this article, OneTrust DataGuidance provides an overview of the CPPA Draft Proposed Regulations, key additions and deletions compared to the original CCPA Final Regulations, and what businesses can anticipate next.

Coming in fourth place in the race to enact a comprehensive consumer privacy law, the Utah Consumer Privacy Act ('UCPA') passed through the Utah Senate and House unanimously on 25 February and 2 March 2022 respectively. Three weeks later, on 24 March, Utah Governor Spencer Cox signed Senate Bill ('SB') 227, making it the fourth comprehensive State consumer privacy law in the US.

With an effective date of 31 December 2023, the UCPA joins the Colorado Privacy Act ('CPA'), the Virginia Consumer Data Protection Act ('CDPA'), and the California Consumer Privacy Act of 2018 ('CCPA') (effective now) and the California Privacy Rights Act of 2020 ('CPRA'), which all go into effect in 2023. Of course, in the spirit of US privacy law's rapid development, even at the publication of this Insight article, a fifth consumer State privacy law has just been signed in Connecticut, with similarities and small differences to its four predecessors. Samantha Ettari, Gabriella Gallego, Naa Kai Koppoe, Ellen Choi, and Charlotte Kress, from Perkins Coie, compare the content of the UCPA to the three other States where comprehensive State privacy laws have been passed.