California
Summary
Law: California Consumer Privacy Act of 2018 (last amended in 2020) ('CCPA') as amended by the California Privacy Rights Act of 2020 ('CPRA'), (consolidated version available here) ('CCPA as amended')
Regulator: The California Privacy Protection Agency ('CPPA')
Summary: The right to pursue and obtain privacy is specifically protected by the California Constitution. California was the first US State to introduce a comprehensive data privacy law; the CPPA which entered into effect on 1 January 2020. The CCPA creates obligations for businesses and provides certain rights for consumers, such as the right of access, the right of deletion, and the right to opt-out of the sale of their personal information. The CCPA was subsequently amended by the CPRA which introduces new requirements associated with data sharing, sensitive data, and contractors and service providers responsibility, among other things. The CPRA also creates enhanced as well as new consumer rights including a right to correction, an expanded right to access, and additional disclosure and transparency requirements.
In addition to the CCPA as amended, §1798.82 of the California Civil Code stipulates that businesses that own or license computerised data that includes personal information shall disclose a breach of the security of the system to any affected Californians and, if data of more than 500 residents was breached, to the AG. Other key privacy laws in California include the California Online Privacy Protection Act, the Shine the Light Law, the California Invasion of Privacy Act, and the recently enacted California: Age-Appropriate Design Code Act which will enter into effect on 1 July 2024.
Finally, the CPPA published the revised CCPA Regulations which became effective on 29 March 2023.
You can follow legislative developments in US States through the US State Law Tracker.