California

Summary

Law: California Consumer Privacy Act of 2018 (last amended in 2020) ('CCPA') as amended by the California Privacy Rights Act of 2020 ('CPRA'), (consolidated version available here) ('CCPA as amended')

Regulator: The California Privacy Protection Agency ('CPPA') 

Summary: The right to pursue and obtain privacy is specifically protected by the California Constitution. California was the first US State to introduce a comprehensive data privacy law, the CCPA, which entered into effect on 1 January 2020. The CCPA creates obligations for businesses and provides certain rights for consumers, such as the right of access, the right of deletion, and the right to opt-out of the sale of their personal information. The CCPA was subsequently amended by the CPRA, which introduces new requirements associated with data sharing, sensitive data, and contractor and service provider responsibility, among other things. The CPRA also creates enhanced as well as new consumer rights, including a right to correction, an expanded right to access, and additional disclosure and transparency requirements.

In addition to the CCPA as amended, §1798.82 of the California Civil Code stipulates that businesses that own or license computerised data that includes personal information shall disclose a breach of the security of the system to any affected Californians and, if data of more than 500 residents was breached, to the AG. Other key privacy laws in California include the California Online Privacy Protection Act, the Shine the Light Law, the California Invasion of Privacy Act, and the recently enacted California Age-Appropriate Design Code Act, which will enter into effect on 1 July 2024.

Finally, the CPPA published the revised CCPA Regulations which became effective on 29 March 2023.

You can follow legislative developments in US States through the US State Law Tracker.

Insights

Amid little clarity from courts, wiretap claims targeting the use of data analytics tools on websites are becoming increasingly common. Timothy J. Toohey and Alexis S. Anderson, from Greenberg Glusker Fields Claman & Machtinger LLP, discuss the background of such claims under the California Invasion of Privacy Act (CIPA) and provide best practices for staying compliant to avoid costly litigation.

California is on the verge of shaking up the privacy space again with rules on automated decision-making technology (ADMT). On February 23, 2024, California's dedicated privacy law enforcement agency, the California Privacy Protection Agency (CPPA), released an updated draft of ADMT rules that builds on the Agency's December 2023 draft. Josh Hansen, Associate at Shook, Hardy & Bacon L.L.P., outlines the key points of the rules, their scope, and their requirements.

On December 1, 2023, the California Privacy Protection Agency (CPPA) unveiled Proposed Revisions to the California Consumer Privacy Act (CCPA) regulations (the Proposed Revisions). The Proposed Revisions build on the CCPA regulations finalized on March 29, 2023, which operationalized the CCPA as amended by the California Privacy Rights Act (CPRA) (collectively the CCPA as amended). The Proposed Revisions make amendments to the definition of sensitive personal information, monetary thresholds and fines, consent architecture, and third-party disclosures. In this Insight article, OneTrust DataGuidance breaks down the key aspects of these Proposed Revisions and their implications.

California's Senate Bill 362 for an act relating to data brokers (DELETE Act) was signed into law by Governor Gavin Newsom on October 10, 2023. Once it goes into effect in 2026, the DELETE Act will require registered data brokers to comply with deletion requests made by California residents through a single, universally adopted deletion mechanism that will be developed by the newly formed California Privacy Protection Agency (CPPA). This deletion mechanism will allow California residents to delete their information with all registered data brokers through a single mechanism (instead of being required to submit a deletion request with each data broker individually). The DELETE Act will be enforced by the CPPA, which also has enforcement authority under California's comprehensive privacy law (that applies to all California businesses of a certain size, regardless of whether they are data brokers).

In this Insight article, Kirk Nahra, Ali Jessani, and Roma Gujarathi, from Wilmer Cutler Pickering Hale and Dorr LLP, provide a breakdown of the law's applicability, key definitions, and key provisions.

The California Privacy Protection Agency (CPPA) has released suggested draft regulations for discussion by the CPPA board before its scheduled meeting on September 8, 2023. These draft regulations address both cybersecurity audit regulations and risk assessment regulations, the latter generally known as Data Protection Risk Assessment or Data Protection Impact Assessment (DPIA). While this is only a draft for discussion, certain sections have been distinctly marked as open "for additional discussion." Notwithstanding the preliminary nature of the document, the general approach and direction of these regulations are evident.

In this Insight article, Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, provides an in-depth exploration of the draft DPIA regulations.

The use of generative artificial intelligence (AI) and large language models (LLMs) has grown exponentially in recent years. In this article, Lily Li, Founder of Metaverse Law, discusses the latest privacy and security risks from generative AI and LLMs, a few of the existing privacy laws that apply to these technologies, and the potential for algorithmic disgorgement or deletion in response to privacy violations.

On July 8, 2022, the California Privacy Protection Agency (CPPA) began the formal rulemaking process to update the California Consumer Privacy Act (CCPA) regulations to operationalize new rights and concepts the California Privacy Rights Act (CPRA) introduced. The Board of the CPPA voted to adopt and approve the CPPA's rulemaking package, including the revised CCPA regulations on February 3, 2023, and the CPPA filed its rulemaking package with California's Office of Administrative Law for review on February 14, 2023.

Part one of this series, Operationalising CPRA, discussed how the CPRA changes consumer rights, part two of this series explored the scope of the CCPA as amended by the CPRA, and part three of this series focused on some of the considerations for businesses with regard to vendors. In part four of this series, Shelby Dolen & TK Lively, from Husch Blackwell LLP, examine how the CCPA, as amended by the CPRA, treats sensitive personal information and the compliance challenges businesses need to consider.

In November 2020, California voters passed the California Privacy Rights Act of 2020 ('CPRA'), which amended the existing California Consumer Privacy Act of 2018 ('CCPA') passed by the California legislature in 2018 and which became effective on 1 January 2020. The CPRA went into effect on 1 January 2023 (with a look-back period to 1 January 2022), and enforcement of the new provisions of the CPRA will be effective 1 July 2023. The CPRA amends the CCPA in many significant ways, including how businesses must address their vendor relationships.

Part one of this series, Operationalising CPRA, discussed how the CPRA changes consumer rights and part two of this series explored the scope of the CCPA as amended by the CPRA. In part three, Diana Iketani Iorlano, Founder and Managing Attorney, Iketani Law Corporation, focuses on some of the considerations for businesses with regard to vendors.

The California Consumer Privacy Act of 2018 ('CCPA'), signed into law in 2018, granted consumers new rights with respect to the collection and use of their personal information. The CCPA was amended by the California Privacy Rights Act of 2020 ('CPRA'), which became fully operative on 1 January 2023, and which also created the California Privacy Protection Agency ('CPPA'), a new regulatory body dedicated exclusively to privacy regulation. The CPPA released its revised CCPA Regulations on 4 April 2023.

Part one of this series, Operationalising CPRA, discussed how the CPRA changed consumer rights. In Part two, Jennifer Guerrero, Senior Counsel at Buchalter PC, explores the scope of the CCPA as amended by the CPRA.

Assembly Bill 2273 for the California Age Appropriate Design Code Act ('CAADC') was signed into law on 15 September 2022 and will become effective on 1 July 2024. The CAADC will impose new requirements and prohibitions on a broad range of businesses beyond those that are included in the Children's Online Privacy Protection Act of 1998 ('COPPA'), with the aim of better protecting children's privacy and online safety. Nerissa Coyle McGinn, Partner at Loeb & Loeb LLP, provides a comparison between the provisions of the CAADC and COPPA, specifically looking at areas such as default privacy settings and privacy policy requirements.

The California Privacy Rights Act of 2020 ('CPRA') became fully operative on 1 January 2023. The CPRA was approved by California voters in a November 2020 ballot initiative and amends the requirements of the California Consumer Privacy Act of 2018 ('CCPA'). The CPRA changes the scope of the CCPA, expands the rights afforded to consumers under the law, and introduces a new regulatory agency, the California Privacy Protection Agency ('CPPA'), to be responsible for enforcement.

In part one of this series, Operationalising CPRA, Emily S. Tabatabai and Alyssa Wolfington, from Orrick Herrington & Sutcliffe LLP, discuss how the CPRA has changed consumer rights under the CCPA and what companies may need to consider regarding these changes.

In the US, California has been leading the charge in developing privacy standards and regulating the processing and selling of personal information, most importantly with the California Consumer Privacy Act of 2018 (last amended in 2019) ('CCPA'), as amended by the California Privacy Rights Act of 2020 ('CPRA'), ('CCPA as amended'). Other states are adopting similar legislation: on 7 July 2021, the Colorado Governor, Jared Polis, signed Senate Bill 21-190 for the Colorado Privacy Act ('CPA') into law.

Lothar Determann, Helena Engfeldt, Jonathan Tam, and Tom Tysowksy, from Baker & McKenzie LLP, draw comparisons between the CPA and the CCPA as amended, focusing on who and what data is protected, compliance, and enforcement.