Support Centre

California

Summary

Law: California Consumer Privacy Act of 2018 (last amended in 2020) ('CCPA') by the California Privacy Rights Act of 2020 ('CPRA'), ('CCPA as amended')

Regulator: The California Attorney General ('AG')

Summary: The right to pursue and obtain privacy is specifically protected by the California Constitution. California was the first US State to introduce a comprehensive data privacy law; the CPPA which entered into effect on 1 January 2020. The CCPA creates obligations for businesses and provides certain rights for consumers, such as the right of access, the right of deletion, and the right to opt-out of the sale of their personal information. The CCPA was subsequently amended by the CPRA which introduces new requirements associated with data sharing, sensitive data, and contractors and service providers responsibility, among other things. The CPRA also creates enhanced as well as new consumer rights including a right to correction, an expanded right to access, and additional disclosure and transparency requirements.

In addition to the CCPA as amended, §1798.82 of the California Civil Code stipulates that businesses that own or license computerised data that includes personal information shall disclose a breach of the security of the system to any affected Californians and, if data of more than 500 residents was breached, to the AG. Other key privacy laws in California include the California Online Privacy Protection Act, the Shine the Light Law, the California Invasion of Privacy Act, and the recently enacted California: Age-Appropriate Design Code Act which will enter into effect on 1 July 2024.

Finally, the California Privacy Protection Agency ('CPPA') published the revised CCPA Regulations which became effective on 29 March 2023.

You can follow legislative developments in US States through the US State Law Tracker.

Insights

The California Privacy Protection Agency (CPPA) has released suggested draft regulations for discussion by the CPPA board before its scheduled meeting on September 8, 2023. These draft regulations address both cybersecurity audit regulations and risk assessment regulations, the latter generally known as Data Protection Risk Assessment or Data Protection Impact Assessment (DPIA). While this is only a draft for discussion, certain sections have been distinctly marked as open "for additional discussion." Notwithstanding the preliminary nature of the document, the general approach and direction of these regulations are evident.

In this Insight article, Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, provides an in-depth exploration of the draft DPIA draft regulations.

The use of generative artificial intelligence (AI) and large language models (LLMs) has grown exponentially in recent years. In this article, Lily Li, Founder of Metaverse Law, discusses the latest privacy and security risks from generative AI and LLMs, a few of the existing privacy laws that apply to these technologies, and the potential for algorithmic disgorgement or deletion in response to privacy violations.

On July 8, 2022, the California Privacy Protection Agency (CPPA) began the formal rulemaking process to update the California Consumer Privacy Act (CCPA) regulations to operationalize new rights and concepts the California Privacy Rights Act (CPRA) introduced. The Board of the CPPA voted to adopt and approve the CPPA's rulemaking package, including the revised CCPA regulations on February 3, 2023, and the CPPA filed its rulemaking package with California's Office of Administrative Law for review on February 14, 2023.

Part one of this series, Operationalising CPRA, discussed how the CPRA changes consumer rights, part two of this series explored the scope of the CCPA as amended by the CPRA, and part three of this series focused on some of the considerations for businesses in regards to vendors. In part four of this series, Shelby Dolen & TK Lively, from Husch Blackwell LLP, examine how the CCPA, as amended by the CPRA, treats sensitive personal information and the compliance challenges businesses need to consider.

In November 2020, California voters passed the California Privacy Rights Act of 2020 ('CPRA'), which amended the existing California Consumer Privacy Act of 2018 ('CCPA') passed by the California legislature in 2018 and which became effective on 1 January 2020. The CPRA went into effect on 1 January 2023 (with a look-back period to 1 January 2022), and enforcement of the new provisions of the CPRA will be effective 1 July 2023. The CPRA amends the CCPA in many significant ways, including how businesses must address their vendor relationships.

Part one of this series, Operationalising CPRA, discussed how the CPRA changes consumer rights and part two of this series explored the scope of the CCPA as amended by the CPRA. In part three, Diana Iketani Iorlano, Founder and Managing Attorney, Iketani Law Corporation, focuses on some of the considerations for businesses in regards to vendors.

The California Consumer Privacy Act of 2018 ('CCPA'), signed into law in 2018, granted consumers new rights with respect to the collection and use of their personal information. The CCPA was amended by the California Privacy Rights Act of 2020 ('CPRA'), which became fully operative on 1 January 2023, and which also created the California Privacy Protection Agency ('CPPA'), a new regulatory body dedicated exclusively to privacy regulation. The CPPA released its revised CCPA Regulations on 4 April 2023.

Part one of this series, Operationalising CPRA, discussed how the CPRA changed consumer rights. In Part two, Jennifer Guerrero, Senior Counsel at Buchalter PC, explores the scope of the CCPA as amended by the CPRA.

Assembly Bill 2273 for the California Age Appropriate Design Code Act ('CAADC') was signed into law on 15 September 2022 and will become effective on 1 July 2024. The CAADC will impose new requirements and prohibitions on a broad range of businesses beyond those that are included in the Children's Online Privacy and Protection of 1998 ('COPPA'), with the aim of better protection children's privacy and online safety. Nerissa Coyle McGinn, Partner at Loeb & Loeb LLP, provides a comparison between the provisions of the CAADC and COPPA, specifically looking at areas such as default privacy settings and privacy policy requirements.

The California Privacy Rights Act of 2020 ('CPRA') became fully operative on 1 January 2023. The CPRA was approved by California voters in a November 2020 ballot initiative and amends the requirements of the California Consumer Privacy Act of 2018 ('CCPA'). The CPRA changes the scope of the CCPA, expands the rights afforded to consumers under the law, and introduces a new regulatory agency, the California Privacy Protection Agency ('CPPA'), to be responsible for enforcement.

In part one of this series, Operationalising CPRA, Emily S. Tabatabai and Alyssa Wolfington, from Orrick Herrington & Sutcliffe LLP, discuss how the CPRA has changed consumer rights under the CCPA and what companies may need to consider regarding these changes.

In the US, California has been leading the charge in developing privacy standards and regulating the processing and selling of personal information, most importantly with the California Consumer Privacy Act of 2018 (last amended in 2019) ('CCPA'), as amended by the California Privacy Rights Act of 2020 ('CPRA'), ('CCPA as amended'). Other states are adopting similar legislation: on 7 July 2021, the Colorado Governor, Jared Polis, signed Senate Bill 21-190 for the Colorado Privacy Act1 ('CPA') into law.

Lothar Determann, Helena Engfeldt, Jonathan Tam, and Tom Tysowksy, from Baker & McKenzie LLP, draw comparisons between the CPA and the CPPA as amended, focusing on who and what data is protected, compliance, and enforcement.

The California Privacy Protection Agency ('CPPA') released its highly anticipated revised California Consumer Privacy Act of 2018, as amended ('CCPA') Regulations1 ('the revised CCPA Regulations') on 4 April 2023. In particular, the revised CCPA Regulations update the existing CCPA Regulations to harmonise them with the amendments adopted pursuant to the CCPA, as amended by the California Privacy Rights Act of 2020 ('CPRA')2 ('the CCPA as amended'). Furthermore, the CPPA confirmed that the revised CCPA Regulations aim to operationalise new rights and concepts introduced by the CCPA as amended and reorganise and consolidate requirements to make the CCPA Regulations easier to follow and understand. OneTrust DataGuidance outlines the key amendments introduced in the revised CCPA Regulations.

On 1 January 2023, the California Consumer Privacy Act of 2018 ('CCPA') became applicable to the personal information of employees, job applicants, subcontractors, contractors, and others in work roles who are California residents ('Employee Personal Information'). Since it went into effect on 1 January 2020, the CCPA (through a series of legislative actions) had exempted Employee Personal Information from its provisions. With the revisions to the CCPA made by the referendum on 3 November 2020 that enacted the California Privacy Rights Act of 2020 ('CPRA') as a revision to the CCPA (and the failure of the California legislature to continue the exemption), employees and others in the workforce now have the rights granted other California consumers by the CCPA. Enforcement for the amended CCPA provisions will begin on 1 July 2023 through the newly established California Privacy Protection Agency ('CPPA'). Timothy J. Toohey, Partner at Greenberg Glusker Fields Claman & Machtinger LLP, discusses the news rights extended to Employee Personal Information under the CCPA and what businesses can do in order to comply.

Two years into compliance with the California Consumer Privacy Act of 2018 ('CCPA'), the expiration of Assembly Bill 25 An act to amend Sections 1798.130 and 1798.145 of the Civil Code, relating to consumer privacy ('AB 25') ushers in new challenges. As businesses grapple with their new compliance obligations under the California Privacy Rights Act of 2020 ('CPRA') and the expiration of AB 25, proportionality is becoming an important consideration. However, what is the test for proportionality? One possible framework comes from the 2015 amendments to the Federal Rules of Civil Procedure ('FRCP'). Scott J. Hyman and Genevieve Walser-Jolly, from Severson & Werson, compare the CCPA to the FRCP and examine the utility of that existing test.

Feedback