Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

California - Sectoral Privacy Overview
Back
Flag - under review

Under Review

California - Sectoral Privacy Overview

October 2020

1. RIGHT TO PRIVACY/ CONSTITUTIONAL PROTECTION 

§1 of Article 1 of the California Constitution ('the Constitution') provides individuals with an inalienable right to pursue and obtain privacy. This right to privacy can be enforced against private entities.1 To enforce this constitutional right, an individual can bring a claim in court, where he or she must prove that:

  • they had a reasonable expectation to privacy in the given situation;
  • the privacy interest is one that society recognises; and
  • the breach of the plaintiff's privacy is an "egregious breach of social norms."2

Notably, this California Constitutional right can be enforced by an employee against their employer. In the case of employee privacy rights violations, determining the reasonableness of an employee's expectation of privacy must consider community norms, notice to the employee, and whether the employee had the opportunity to consent.3 Therefore, for example, any employee's expectation of privacy in relation to electronic or other communications at work might be defeated by an employee policy that provides that the employer reserves the right to monitor such communications.

2. KEY PRIVACY LAWS

2.1. CCPA

Introduction

The California Consumer Privacy Act of 2018 (as amended) ('CCPA'), under Part 4 of Division 3 of the California Civil Code ('Cal. Civ. Code') and the California Consumer Privacy Act Regulations ('CCPA Regulations')4, comprise the most comprehensive general data privacy legal framework in the United States.

The CCPA went into effect on 1 January 2020 and became enforceable by the California Attorney General ('AG') on 1 July 2020. The CCPA Regulations went into effect on 14 August 2020 and have the same force of law as the CCPA. Violations of the CCPA Regulations, therefore, constitute a violation of the CCPA subject to the same remedies in the CCPA (California Code of Regulations (Cal. Code Regs.) Title 11, §999.300(b)). On 12 October 2020, the AG released a third set of Proposed Modifications to the CCPA Regulations.

The CCPA introduces new obligations for covered organisations that collect 'personal information' about 'consumers' and grants new rights to those individuals, with respect to their personal information collected by such organisations. 'Consumers' are defined as natural persons who are California residents:

  • currently living in California (on more than a temporary basis); or
  • outside of the state for a temporary purpose, as under §17014 of Title 18 of the California Code of Regulations ('Cal. Code Regs.') (Cal. Civ. Code §1798.140(g) and Cal. Code Regs. Title 18 §17014).

Assembly Bill ('AB') 25 for an Act to amend §§ 1798.130 and 1798.145 of the Civil Code, relating to consumer privacy and AB 1355 for an Act to amend §§ 1798.100, 1798.110, 1798.115, 1798.120, 1798.125, 1798.130, 1798.140, 1798.145, 1798.150, and 1798.185 of the Civil Code, relating to consumer privacy amended the CCPA to exclude personal information about employees (and job applicants) and personal information about employees (and other representatives) of entities collected in a business context (i.e., business-to-business personal information), respectively, from most of the obligations of the CCPA, although not all. In relation to personal information about employees and job applicants, the general obligations of transparency (see section 2.1.4. below) remain, in relation to business-to-business personal information, the obligations arising out of 'selling' personal information (see section 2.1.3.3 on opt-out and key provision below) remain, and, in both cases, the private right of action arising out of certain security breaches (see section 2.1.5. below) remains. These amendments were originally set to expire after 12 months from 1 January 2020, i.e., on 1 January 2021. AB 1281 for an Act to amend §§ 1798.145 of the Civil Code, relating to privacy, extends each exemption until 1 January 2022, in the event that the California Privacy Rights Act ('CPRA') ballot initiative does not pass during California's 3 November 2020 general election. If the CPRA is passed, these exemptions would be extended until January 1, 2023. Once expired, personal information about these categories of individual will be fully back in scope of the CCPA from then on.

'Personal information' is defined in similarly broad terms and means 'information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.' Personal information includes, but is not limited to, the following, if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household (Cal. Civ. Code §1798.140):

  • identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers;
  • any categories of personal information under Cal. Civ. Code §1798.80(e), including, any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, their names, signature, social security number, physical characteristics or descriptions, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, or any other financial information, medical information, or health insurance information;
  • characteristics of protected classifications under California or federal law, such as, race, color, religion, sex/gender, gender identity, gender expression, sexual orientation, marital status, medical conditions, military or veteran status, national origin, citizenship status, ancestry, disability, genetic information, AIDS/HIV status, political affiliations or activities, status as a victim of domestic violence, assault or stalking, requests for family care leave, requests for leave for own illness, request for pregnancy disability leave, retaliation for reporting patient abuse in tax-supported institutions, aged 40 and above;
  • commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; or
  • biometric information; or
  • other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an internet web site, application, or advertisement;
  • geolocation data;
  • audio, electronic, visual, thermal, olfactory, or similar information;
  • professional or employment-related information;
  • education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act of 1974 ('FERPA'), including those records, files, documents, and other materials which (i) contain information directly related to a student; and (ii) are maintained by a federally funded educational agency or institution or by a person acting for such agency or institution (§1232g(a)(2) of FERPA); and
  • inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes (Cal. Civ. Code §1798.140(o)).

'Personal information' does not include personal information that is 'publicly available'. 'Publicly available' is defined to mean 'information that is lawfully made available from federal, state, or local government records' and explicitly excludes biometric information collected by a business about a consumer without the consumer's knowledge.' It also explicitly does not include information that is deidentified or aggregated. Notably, the CCPA sets a specific standard for deidentification that businesses must meet to take advantage of this exception.

Additionally, on 25 September 2020, AB 713 for an Act to amend § 1798.130 and to add §§ 1798.146 and 1798.148 of the Civil Code, relating to consumer privacy, amended the CCPA and, amongst other things, created a new healthcare related exemption for information that is deidentified in accordance with the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') Privacy Rule and the information is derived from patient information originally collected, created, transmitted, or maintained by an entity regulated by HIPAA, California's Confidentiality of Medical Information Act ('CMIA') or the Federal Policy for the Protection of Human Subjects ('Common Rule'). AB 713 also prohibits the reidentification of previously deidentified health information, subject to certain exceptions. However, as described below, if a business sells, licenses or discloses information subject to this new exception, AB 713 imposes new contract and notice requirements.

Further, the CCPA does not include personal information that is already subject to certain existing data privacy laws. The CCPA specifically excludes from its scope personal information covered by:

The result of these exceptions is that, where relevant to a covered business, certain types of personal information handled by a business may be out of scope of the CCPA, while other personal information handled by the same business may nevertheless remain in scope of the CCPA. In addition, the CCPA is to be 'liberally construed to effectuate its purposes' and supplements (rather than replaces) existing laws relating to consumers' personal information with the laws with the greatest privacy protections controlling in the event of a conflict. (Cal. Civ. Code §§1798.175 and 1798.194.) Therefore covered businesses also continue to be subject to existing California data privacy laws such as the California Online Privacy Protection Act of 2003 (see section 6.1. below), the Shine the Light law (see section 2.2 below) and the Eraser Law (see section 6.2 below).

Applicability

An organisation is subject to the CCPA if it is a 'business', defined as a for profit entity (including a sole proprietorship, partnership, limited liability company, association, or other legal entity) that:

  • does business in California;
  • collects a consumer's personal information (directly or on its behalf);
  • determines the means of processing (alone or jointly with others); and
  • meets one of the following thresholds:
    • has annual gross revenues in excess of $25.00.000 dollars, as adjusted pursuant to §1798.185(a)(5) of the Cal. Civ. Code;
    • alone or in combination annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
    • derives 50% or more of its annual revenues from selling consumers' personal information (Cal. Civ. Code §1798.140(c)(1)).

Businesses that control or are controlled by covered businesses, or share common branding with covered businesses are also subject to the CCPA (Cal. Civ. Code §1798.140(c)(2)).

The CCPA expressly excludes certain business activities, including:

  • collecting consumer personal information, with every aspect of the commercial conduct taking place outside of California;
  • completing one time transactions and not retaining or selling personal information;
  • selling personal information as part of a larger merger or acquisition;
  • complying with other laws; and
  • collecting, using, retaining, or otherwise disclosing consumer information that is deidentified or aggregated (Cal. Civ. Code §§1798.100(e) and 1798.145).

Consumer rights

Access5

A consumer has the right to request (and receive) disclosure from a business regarding the:

  • specific pieces of personal information collected about that consumer;
  • categories of personal information collected about that consumer;
  • categories of the sources from which the information was collected; and
  • categories of personal information that the business sold or disclosed for a business purpose about the consumer;
  • categories of third parties with whom the personal information was sold or disclosed;
  • the business or commercial purpose for collecting or selling personal information.

A business that receives a verifiable request (meaning, that the business can reasonably ascertain that the consumer making the request is the same consumer the request is being made for,6 see also section 2.1.3.4 below) relating to a consumer's right of access is obligated (no more than twice in a 12 month period per consumer) to make the disclosure free of charge, within 45 days.

This disclosure is limited to information collected, sold, or disclosed in the past 12 months. The disclosure should be made in writing and delivered either:

  • through the consumer's account with the business, if they have one (if not they should not be asked to create one);
  • by mail; or
  • electronically, at the consumer's option if they do not have an account (in which case the information must be provided in a readily useable format that allows the consumer to easily transmit the information to another entity) (Cal. Civ. Code §1798.130 (a)(2)).

However, under the CCPA Regulations, businesses are not permitted to disclose sensitive information in response to a request to know, including a consumer's Social Security number, driver's license number, account password or financial account numbers. In addition, businesses are not required to search for personal information if the business:

  • does not maintain the personal information in a searchable or reasonably accessible format;
  • maintains the personal information solely for legal or compliance purposes;
  • does not sell the personal information and does not use it for any commercial purpose; and
  • describes to the consumer the categories of records that may contain personal information that it did not search because it meets the three conditions stated above. (Cal. Code Regs. Title 11, §999.313(c)(3)).

Deletion7

A consumer has the right to request the deletion of personal information a business has collected from them. A business that receives a verifiable request for deletion must delete the consumer's personal information from its records and direct any service providers that it engages to also delete the consumer's personal information from their records. A 'service provider' is a legal entity organised for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by the CCPA or CCPA Regulations, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business (Cal. Civ. Code §1798.140(v)).

Notably, neither a business nor a service provider is required to comply with a consumer's deletion request if the personal information is necessary for the business or service provider to:

  • complete a transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law,8 provide a good or service requested by the consumer, or otherwise perform a contract between the business and the consumer;
  • detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity (or prosecute those responsible);
  • debug to identify and repair errors that impair existing intended functionality;
  • exercise or ensure the right of another to exercise free speech or another legal right;
  • comply with the California Electronic Communications Privacy Act, §§1546-1546.4 of the California Penal Code ('Cal. Pen. Code'), which compels the production of or access to electronic communication information or electronic device information with a search warrant;
  • engage in public or peer reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent;
  • enable solely internal uses aligned with the consumer's expectations given their relationship with the business;
  • comply with a legal obligation; or
  • otherwise use the information internally in a lawful manner compatible with the context in which the consumer provided it (Cal. Civ. Code. §1798.105).

If one of the above exceptions do not apply, the CCPA Regulations require a business to delete by permanently and completely erasing the personal information on its systems (with the exception of archived or back-up systems), deidentifying the personal information or aggregating the information. A business is permitted to use a two-step process for online requests to delete, where the consumer must first submit the request to delete and then separately confirm their intention to have their information deleted (Cal. Code Regs. Title 11, §999.312(d)). If a consumer submits a deletion request that cannot be verified, the business should treat the request as an opt-out (Cal. Code Regs. Title 11, §999.313).

Opt-out9

In relation to consumers over the age of 16, a consumer has the right to opt out of a business's sale of the consumer's personal information. Businesses are prohibited from selling the personal information of a consumer who has opted out (unless and until the business receives subsequent express authorisation from the consumer to sell that consumer's personal information, which, under Cal. Civ. Code §1798.135(a)(5), cannot be requested by the business for at least 12 months after receiving the opt-out request and, if initiated by the consumer, requires a two-step opt-in process in accordance with Cal. Code Regs. Title 11, §999.316)). The CCPA Regulations require businesses to treat 'user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer's choice to opt-out of the sale of their personal information' as valid opt-out requests (Cal. Code Regs. Title 11, §999.315(c) (2020)). This additional requirement may complicate compliance for businesses operating online. Under the CCPA Regulations, a business must comply with a request to opt-out as soon as feasibly possible, but at least within 15 days from receiving the request. If a business sells personal information after receiving the request but before complying with the request, the business must also notify such third parties that the consumer exercised their right to opt-out and direct them to not sell that information (Cal. Code Regs. Title 11, §999.315(e) (2020)).

The third set of Proposed Modifications to the CCPA Regulations, if enacted, will require a business's methods for submitting requests to opt-out to be easy and require minimal steps. It prohibits businesses from using methods designed with the purpose or substantial effect of subverting or impairing a consumer’s choice to opt-out, and provides illustrative examples (Cal. Code. Regs. Title 11, proposed §999.315(h)).

In relation to consumers who are under the age of 16, businesses are prohibited from selling their personal information unless:

  • for a consumer between the ages of 13 and 16, the consumer has consented or;
  • for a consumer under the age of 13, the consumer's parent or guardian has consented.

Businesses knowingly collecting personal information of consumers under 13 must establish, document, and provide a method for determining that the person authorising the sale of the child's information is, in fact, a parent or guardian (Cal. Code Regs. Title 11, §999.330). The CCPA Regulations set out several examples of methods that may be reasonably calculated to ensure this is the case (Cal. Code Regs. Title 11, §999.330(2)). Further, businesses knowingly collecting personal information of consumers aged 13 to 15 years old must establish, document and comply with a reasonable process for allowing such consumers to opt-in to the sale of their personal information (Cal. Code Regs. Title 11, §999.331(a)). Businesses that knowingly collect personal information of consumers under the age of 13 and consumers aged 13 to 15 must include a description in their privacy policy of the methods/processes used (Cal. Code Regs. Title 11, §999.332(a)). (The third set of proposed modifications to the CCPA Regulations will, if enacted, clarify that this requirement applies when a business collects personal information of consumers either under the age of 13 or between 13 and 15 (Cal. Code. Regs. Title 11, proposed §999.332(a)).

Under Cal. Civ. Code §1798.140(t)(1) , the definition of the terms 'sell,' 'selling,' 'sale,' or 'sold' means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration.

According to Cal. Civ. Code §1605, 'valuable consideration' is defined as 'any benefit conferred, or agreed to be conferred, upon the promisor, by any other person, to which the promisor is not lawfully entitled, or any prejudice suffered, or agreed to be suffered, by such person, other than such as he is at the time of consent lawfully bound to suffer, as an inducement to the promisor, is a good consideration for a promise.' Therefore, several exchanges of data that would not normally be considered a 'sale' of data in the typical sense have the potential to be captured by the definition of 'sale' under the CCPA.

However, a business does not sell personal information when:

  • a consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party,10 provided the third party does not also sell the personal information, unless that disclosure would be consistent with the CCPA;
  • the business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer's personal information;
  • the business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if both of the following conditions are met:
    • the business provided notice of that information being used or shared in its terms and conditions consistent with Cal. Civ. Code §1798.135; and
    • the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose; or
  • the business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with Cal. Civ. Code §§1798.110 and 1798.115 (Cal. Civ. Code §1798.140(t)(2)).

Further, the opt-out right 'shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer [...] and the vehicle's manufacturer [...] if the vehicle or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall; and 'vehicle information' and 'ownership information' are both defined.11

Therefore, in practice the following scenarios involving transfers of personal information between entities are potentially excluded from the scope of a 'sale' of personal information under the CCPA (assuming the scenarios are structured correctly so that the relevant conditions are met):

  • the linking, at the consumer's request, of one online account to another;
  • sharing a particular device identifier with vendors to give effect to a consumer's opt-out request;
  • standard relationships with third party vendors or service providers who process data, provided appropriate contractual restrictions are in place; or
  • transfers of data on a merger, acquisition or insolvency event.

Amendments to the CCPA12 also created an obligation on businesses that knowingly collect and sell to third parties 'the personal information of a consumer with whom [they do] not have a direct relationship' ('data brokers') (Cal. Civ. Code §1798.99.80) to register with the AG on or before the 31 January following each year in which it met that definition. Registration requires a data broker to provide basic information about its business and pay a fee. The AG will also maintain on its website a publicly accessible list of data brokers. (Cal. Civ. Code §1798.99.84).

Verification

In relation to requests in relation to the above rights, a business is under an obligation to take steps to verify the identity of the requesting consumer. The CCPA Regulations require a business to establish, document and comply with a reasonable method for verifying the identity of the consumer making the request, which avoids collecting new personal information from a consumer unless necessary and takes account of the type, sensitivity and value of the personal information it collects and maintains about the consumer, amongst other matters (Cal. Code Regs. Title 11, §999.323(b)). If a business cannot verify a consumer's request based on information it already holds about the consumer, it may request additional information, but may only use such additional information for the purpose of verifying the consumer's identity, fraud-prevention or security, and shall delete such information as soon as practical after processing the consumer's request (Cal. Code Regs. Title 11, §999.323(c)).

The way in which verification is handled can depend on the type of request.

1. Access Requests and Deletion Requests.

  • With account. If a consumer already has a password-protected account with the business, the business may require the consumer to make access or deletion requests through that account. To verify the requests, it may use any existing account authentication procedures for the consumer’s account, though it must require the consumer to re-authenticate themselves prior to fulfilling any access request (Cal. Code Regs. Title 11, §999.324).
  • Without account. If a consumer does not have a password-protected account and wishes to submit a request, the business cannot require the consumer to create a password-protected account to do so (see also section 2.1.3.1. above). As described above, the CCPA Regulations require that the business use any existing pieces of personal information to verify the consumer's identity, if possible. If this is not possible, the business may collect certain information and use it for the sole purpose of verification. The CCPA Regulations provide further clarification on verification requirements for non-accountholders:
    • if a consumer requests specific pieces of personal information, the business must ascertain the consumer's identity to a 'reasonably high' degree of certainty. This may include matching at least three data points provided by the consumer with data points maintained by the business that it determines are reliable for verification purposes together with a signed declaration under penalty of perjury that the requestor is in fact the consumer to whom the personal information relates. If this method of verification is used, the business must maintain all signed declarations.
    • if a consumer requests categories of personal information, the business must ascertain the consumer's identity to a 'reasonable' degree of certainty. This may include matching at least two data points provided by the consumer with data points maintained by the business that it determines are reliable for verification purposes.
    • If a consumer requests deletion of their personal information, a business may need to verify the consumer's identity to a 'reasonable' or 'reasonably high' degree of certainty depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion (e.g., the deletion of family photographs may require a reasonably high degree of certainty, while deletion of browsing history may require only a reasonable degree of certainty). A business must act in good faith when determining the appropriate standard to apply when verifying the consumer's identity. (Cal. Code Regs. Title 11, §999.325(d)).

2. Opt-out Requests. Opt-out requests do not require verification unless made through an agent and the consumer provides the authorized agent with written permission signed by the consumer (see further below). However, a business may decline to fulfil an opt-out request if it has a good faith, reasonable, and documented belief that such a request is fraudulent (Cal. Code Regs. Title 11, §999.315(g)).

3. Requests Made through Authorized Agents

Consumers may also submit requests through authorized agents. To verify access and deletion requests made through an agent, a business may require the consumer to: (i) provide the authorized agent signed permission to do so; (ii) verify their own identity directly with the business; or (iii) directly confirm with the business that they provided the authorized agent with permission to submit the request on his or her behalf, unless the consumer provided the authorized agent with power of attorney pursuant to Probate Code §§ 4121 to 4130 (Cal. Code Regs. Title 11, §999.326). The third set of the Proposed Modifications to the CCPA Regulations, if enacted, will clarify that a business may require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request (Cal. Code. Regs. Title 11, proposed §999.326(a)). A business cannot require a consumer or the consumer's authorized agent to pay a fee to verify their request to know or delete, meaning that a business cannot require a consumer to provide a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of notarization (Cal. Code. Regs. Title 11 §999.323(d)).

Businesses must disclose their specific verification methods and instructions for how authorized agents may make requests in their applicable privacy policies and any California-specific notices (Cal. Code Regs. Title 11, §§999.308(c)(1)(c), 999.308(c)(2)(c) and 999.308)(c)(5)(a)).

Lastly, if a business is unable to adequately verify the identity of a requesting consumer, it is not obligated to fulfil deletion or access requests under §1798.100, §1798.105, §1798.110, and §1798.115. In that instance, the business must inform the requestor that their identity could not be verified. However, under the CCPA Regulations, in certain cases where a business receives a request relating to a specific rights but cannot verify the identity of the requesting consumer, it is under an obligation to treat the request as a request to exercise a different specific right, i.e., when a business receives a request for:

  • deletion, which it denies (including if the business cannot verify to the standard described in paragraph 1 above), it is obliged to treat the request as a request to opt-out of the sale of personal information and include the contents of, or a link to, the notice of right to opt-out (Cal. Code Regs. Title 11, §999.313(d)(7) (2020));
  • disclosure of specific pieces of personal information collected about the consumer, which it cannot verify to the standard described in paragraph 1 above, it is obliged to treat the request as a request for categories of personal information collected about the consumer and verify accordingly (see paragraph 1 above for verification requirements pertaining to requests for categories of personal information) (Cal. Code Regs. Title 11, §999.313(c)(1)); or
  • disclosure of categories of personal information collected about the consumer, which it cannot verify to the standard described in paragraph 1 above, it is obliged to direct the consumer to its general business practices regarding the collection, maintenance, and sale of personal information set forth in its privacy policy (Cal. Code Regs. Title 11, §999.313(c)(2)).

Disclosure / transparency13

A business subject to the CCPA must provide a notice to consumers (including its employees and job applicants), at or before the point of collection (Cal. Code Regs. Title 11, §999.304(b)). For businesses that collect personal information from a consumer online, the notice at collection may be given to the consumer by providing a link to the section of their privacy policy that contains the information required. (Cal. Code Regs. Title 11, §999.305(c)). In practice, businesses generally offer a separate notice at collection to California resident employees and job applicants.

The privacy notice generally required at collection should include the following information (Cal. Code Regs. Title 11, §999.305(b)):

  • a list of the categories of personal information about consumers to be collected.
  • a meaningful description of the business or commercial purpose for collecting or selling personal information.
  • if the business sells personal information, the link titled 'Do Not Sell My Personal Information' (or in the case of offline notices, where the webpage can be found online).
  • a link to the business's privacy policy, or in the case of offline notices, where the privacy policy can be found online.

A business does not need to include the last two requirements in relation to employment-related information (until 1 January 2022). (Cal. Code Regs. Title 11, §999.305(g); AB 1281).

The third set of Proposed Modifications to the CCPA Regulations, if enacted, would require businesses that collect personal information in the course of interacting with consumers offline to provide notice of the right to opt-out by an offline method that facilitates consumers' awareness of their right to opt-out and provides examples of how business can meet this requirement (Cal. Code. Regs. Title 11, proposed §999.306(b)(3)).

In addition to the above, if the business implements a privacy policy, it should include the following information (Cal. Code Regs. Title 11, §999.304(b)):

  • identification of the categories of personal information the business currently collects, discloses or sells, or has in the past 12 months collected, disclosed or sold, in each case described in a manner that provides meaningful understanding;
  • identification of the categories of sources from which the personal information is collected.
  • for each category of personal information identified, identification of the categories of third parties that the business has disclosed or sold personal information to;21
  • if the business sells or discloses deidentified patient information subject to the exception introduced by AB 713, identification of that fact and if so, identification of whether the patient information was deidentified pursuant to the deidentification methodology described in the HIPAA expert determination method or the HIPAA safe harbor method (AB 713);
  • notice of a consumer's right to know about the personal information collected, disclosed or sold about them, particularly:
    • the categories of personal information the business has collected about the consumer;
    • the specific pieces of personal information that the business has collected about the consumer;
    • the categories of sources from which the personal information is collected;
    • the categories of third parties to whom the personal information was sold or disclosed for a business purpose; and
    • the business or commercial purpose for collecting or selling personal information.
  • notice of a consumer’s right to delete personal information;
  • notice of a consumer's right to opt out of the sale of personal information, if applicable. Unlike the right to know or delete, this request does not need to be verified;
  • if the business sells personal information, notice of whether the business has actual knowledge of selling personal information of consumers under 16 years old. If so, the business must disclose the process for opting-in to sale of personal information;
  • notice of a consumer's right to non- discrimination for the exercise of their privacy rights;
  • information about exercising consumer rights, including:
    • instructions for submitting a verifiable consumer request to the business. The business must include a toll-free number (unless online-only) and at least one of either an online form or email address. Businesses that operate entirely online and have a direct relationship with the consumer have the option of providing only an email address. If a consumer submits a request outside of the designated method(s) or is otherwise deficient, the business must either treat the request as properly submitted or provide specific directions on how to properly submit the request (Cal. Code Regs. Title 11, §999.312));38
    • a general description of the process the business will use to verify the consumer request, including any information the consumer provide; and
    • that the consumer can use an authorized agent to make verified request.
  • if the business knows or reasonably should know that it, alone or in combination, buys, receives or shares for commercial purposes or sells the personal information of 10,000,000 or more consumers in a calendar year, a compilation of the metrics discussed above under 'Record-keeping.';
  • identification of a contact for more information; and
  • identification of the date the privacy policy was last updated.

The privacy policy must be updated at least every 12 months (Cal. Code Regs. Title 11, §999.308).

A business that 'sells' personal information is obliged to provide two or more designated methods for submitting requests to opt-out, including a link titled 'Do Not Sell My Personal Information' that directs the consumer to an interactive form that enables the consumer (or a person authorized by the consumer) to opt-out of the sale of the consumer's personal information. Request should be complied with no later than 15 business days from the date the business receives the request (Cal. Code Regs. Title 11, §999.315).

In addition, a business must disclose a concise description of any financial incentives employed, the material terms of such incentive (including the categories of personal information implicated by the financial incentive and the value of that information), how the consumer can opt-in to the financial incentive as well as how the consumer can opt out and a description of its CCPA-compliant method for valuing consumer personal information (Cal. Code Regs. Title 11, §999.307)). A permitted denial of a consumer's request to know, delete or opt-out will not be considered discriminatory (Cal. Code Regs. Title 11, §999.336(c)).

A business cannot collect categories of personal information other than those disclosed in the notice or privacy policy and must provide a new notice if it intends to collect new categories of personal information (Cal. Code Regs. Title 11, §999.305(a)(5)). If a business collects personal information not directly from a consumer (i.e., from third party sources), the CCPA Regulations provide that the business does not need to provide a notice at the time of collection so long as it does not sell the consumer's personal information (Cal. Code Regs. Title 11, §999.305(d)). In addition, a data broker registered with the AG does not need to provide notice at collection if it has included a link to its online privacy policy in its registration submission that includes instructions on how a consumer can submit a request to opt-out. (Cal. Code Regs. Title 11, §999.305(e)).

Prohibited discriminiation14

Discriminating against a consumer who exercises their rights under the CCPA (e.g. by the business increasing prices) is prohibited, however, businesses may offer different prices, rates, levels or quality of goods or services if the difference is related to the value of the consumer's personal information. For example, under the CCPA, a business may not change an offering for a particular consumer because that consumer asked the business to delete their data. The business can, however, provide different offerings to consumers based on the business's estimate of the value to the business.15 The CCPA Regulations describe methods that businesses may utilize to assess the value of certain personal information, which include the personal information's marginal or average value to the business or the profit generated from the sale, collection, or retention of such personal information (Cal. Code Regs. Title 11, §999.337).43 Businesses are also permitted to offer financial incentives for the collection, sale, or deletion of personal information under Cal. Civ. Code §1798.125(b), but these must be reasonably tied to the assessed value of the personal information.

Personnel training / education

The CCPA requires a business to ensure that all individuals responsible for handling inquiries about the business's privacy practices or compliance with the CCPA are informed of the CCPA's obligations (Cal. Civ. Code §1798.130(a)(6)). The business should be sure to establish, document and comply with a training program to ensure that all individuals responsible can direct consumers as to how to exercise their rights (Cal. Code Regs. Title 11, §999.317(a); Cal. Code Regs. Title 11, §999.317(g)(3)).

Enforcement

Civil penalties in suits brought by the AG for breach of the CCPA may result in injunctions and fines of up to $7,500 per intentional violation and $2,500 per non-intentional violation of the CCPA (Cal. Civ. Code §1798.155(b)).

In addition to actions brought by the AG, individual consumers can bring private actions against a business in the event of a data security breach which arises out of a failure by a business to comply with its duty to implement and maintain reasonable data security procedures and practices appropriate to the nature of the information. Penalties can be any of the following:

  • damages ranging from $100 to $750 per consumer per incident or actual damages, whichever is greater;
  • injunctive or declaratory relief; and
  • any other relief the court deems proper. (Cal. Civ. Code §1798.150(a)(1))

The California Data Safeguard Law limits the scope of data breaches that could give rise to a private right of action under the CCPA through its narrow definition of personal information. Under the California Data Safeguard Law, a business's obligation to protect personal data with reasonable data security procedures and practices" is limited to protecting the following two categories of data (Cal. Civ. Code §1798.81.5 (d)(1)):

  • an individual's first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (i) social security number; (ii) driver's license number, California identification card number or other unique identification number issued on a government document commonly used to verify the identity of a specific individual; (iii) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; (iv) any individually identifiable information, in electronic or physical form, regarding the individual's medical history or medical treatment or diagnosis by a health care professional; or (v) an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records; and
  • a username or email address in combination with a password or security question and answer that would permit access to an online account.

The personal information covered by the California Data Safeguard Law is but a subset of the data considered to be personal information under the CCPA, resulting in the private right of action under the CCPA only being available in relation to a security breach involving the narrower definition of personal information as set forth in the California Data Safeguard Law (rather than the CCPA's broader definition of personal information).

2.2. Shine the Light Law

The Shine the Light Law, under Cal. Civ. Code §1798.83 addresses the practice of sharing personal information with third parties who the business knows or reasonably should know will use the personal information for their directing marketing purposes. Generally, all businesses that have established business relationships with California consumers and have shared customer personal information as described above within the immediately preceding calendar year are covered. 'Business' is not defined under the law, resulting in a scope broad enough to include businesses in other U.S. states and other countries (Cal. Civ. Code §1798.83(a)). However, certain companies are exempt from the Shine the Light Law, such as businesses with fewer than 20 employees and financial institutions that are subject to the California Financial Information Privacy Act ('CFIPA') (Cal. Civ. Code §§1798.83(c)(1) and 1798.83(h)). Further, certain disclosures are exempt from this law, including disclosures of certain personal information between affiliates (Cal. Civ. Code §1798.83(d) and (f)).

Under the Shine the Light law, 'personal information' is broadly defined as any information that, at the time of disclosure, identified, described, or was able to be associated with an individual, including, but not limited to, names and addresses, email addresses, and dates of birth (Cal. Civ. Code § 1798.83(e)(6)).

The Shine the Light law specifies that, if a customer requests, businesses must inform California residents (free of charge) of:  

  • the categories of personal information disclosed; and
  • the names and addresses of all of the third parties to whom the business disclosed that customer's personal information for direct marketing purposes during the preceding calendar year. If the nature of the third party's business cannot be reasonably be determined from the third party's name, the business must provide of products or services marketed to give a reasonable indication of the nature of the third party’s business (Cal. Civ. Code §1798.83(a)).

Requests must be responded to within 30 days, but businesses are not required to comply with more than one request from a customer per calendar year (Cal. Civ. Code §1798.83(b) and (c)).

Alternatively, businesses may comply with the Shine the Light Law by adopting a policy of not disclosing personal information of customers to third parties for their direct marketing purposes: (i) unless the customer first affirmatively agrees to that disclosure; or (ii) if the customer has exercised an option that prevents the information from being disclosed to third parties. In this case, the business must disclose the policies and notify the customer of their right to prevent the disclosure of personal information (Cal. Civ. Code §1798.83(c)(2)). Waivers of the Shine the Light Law are unenforceable as against public policy (Cal. Civ. Code §1798.84(a)).

Under the Shine the Light Law, businesses are required to do at least one of the following (Cal. Civ. Code §1798.83(b)):

  • notify all employees of the designated contact information by which customers may submit requests; or
  • add a description of the customer's rights and the designated contact information by which to exercise them in the privacy policy or a separate page linked on the website; or
  • make the designated contact information available to the customer upon request at every place of business in California where there is regular contact with customers.

2.3. CIPA

The California Invasion of Privacy Act ('CIPA'), under Cal. Pen. Code §§630-338.55 grants to California individuals certain protections in their communications via telephones (both landlines and mobiles). The CIPA, with certain exceptions, prohibits companies, individuals, and government agencies from acts, including, but not limited to:

  • wiretapping (Cal. Pen. Code §631(a));
  • eavesdropping, and recording confidential communications without the consent of all parties (Cal. Pen. Code §632(a));
  • recording cell phone communications without the consent of all parties (Cal. Pen. Code §§632.5 -632.7);
  • the monitoring or recording of conversations in a subscriber's residence or the sharing of individually identifiable information on subscriber viewing habits or other personal information without written consent by cable and satellite TV operators (Cal. Pen. Code §637.5(a)); and
  • the use of electronic tracking devices (Cal. Pen. Code §637.7(a)).

State laws in this area take different approaches to consent, some requiring consent of one party only but, under the CIPA, as above, California is an all-party consent state.

When an individual is on a landline, that individual must have a reasonable expectation of privacy in the communication before the caller may be held liable under the CIPA, but for individuals using cellular or mobile telephones, strict liability applies.16 Calls made to or by California residents by both business and individuals, whether or not the caller is located in California, are subject to the CIPA.17

The CIPA is enforced through criminal penalties, either a misdemeanor or a felony, depending on the number (if any) of prior offenses. For first time violators, the fine is $2,500, but for repeat offenders the maximum fine is $10,000 (Cal. Pen. Code, §§631(a); 632(a)).  Any offender, whether first-time or repeat, can also face imprisonment (Cal. Pen. Code, §§631(a); 632(a)). Moreover, the CIPA also provides a private right of action in a civil lawsuit (despite being found in the Cal. Pen. Code) with damages of $5,000 per violation or treble actual damages (whichever is greater) (Cal. Pen. Code §637.2(a)).

3. HEALTH DATA

3.1. CMIA

The CMIA is the primary law addressing the privacy and security of medical information in California. The CMIA protects the confidentiality of medical information that is individually identifiable. 'Medical information' means any individually identifiable information, in electronic or physical form, in possession of, or derived from, a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment. 'Individually identifiable' means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity (Cal. Civ. Code §56.05(j)).

Under Cal. Civ. Code §§56.10 and 56.101, covered entities are:

  • prohibited from using or disclosing medical information for any purpose not necessary to provide health care services to a patient (except as expressly authorized by the patient or required by law);
  • prohibited from engaging in many types of marketing uses and disclosure;
  • required to create, maintain, preserve, store, abandon, destroy, or dispose of medical records in a manner that preserves their confidentiality; and
  • subject to a mandate that electronic health or medical record systems protect the integrity of electronic medical information and automatically record and preserve any changes or deletions.

According to Cal. Civ. Code §56.35, penalties for failing to comply with the CMIA include:

  • compensatory damages;
  • punitive damages (with a maximum of $3,000);
  • attorneys' fees (with a maximum of $1,000); and
  • the costs of litigation.

Health care providers or other covered entities are also liable for nominal damages of $1,000 in the event of a negligent release of medical information18 (Cal. Civ. Code §56.36.) Finally, there are also administrative and civil penalties that will apply, with costs varying dependent upon whether the violation was negligent (Cal. Civ. Code §56.36).

3.2. PAHRA

The Patient Access to Health Records ('PAHRA') (§§123100-123149.5 of the California Health & Safety Code ('Cal. Health & Safety Code')) is the primary law in California governing patient access to, and amendment of, health records.

The PAHRA requires health care providers to permit California residents to (Cal. Health & Safety Code §§123110 and 123111):

  • inspect and copy their health records; and
  • submit amendments to their records if a patient believes that the records are inaccurate or incomplete.

Under the PAHRA, patients are entitled to inspect their records within five business days of making a request, and health care providers must transmit copies of records within 15 business days of a request (Cal. Health & Safety Code §§123110 and 123111).

3.3. Other Health Information Laws

  • Cal. Civ. Code §1798.91 requires companies to obtain informed consent from an individual prior to collecting his or her medical information for direct marketing purposes.
  • The Shine the Light law allows individuals to learn about how businesses sell their personal information and specifically applies to certain types of medical and health insurance information.
  • Cal. Health & Safety Code §130200 established the California Office of Health Information Integrity to support the secure health information movement in California.
  • The Cal. Health and Safety Code §§123100, 120975-121020 and 1280.18 also guarantees to individuals the following rights: to access, amend, and make copies of their health records maintained by health providers; protect the privacy of individuals subject to blood testing for HIV; and requires certain health facilities to implement administrative, technical, and physical safeguards to protect medical information.
  • The California Welfare and Institutions Code protects the confidentiality of information and records pertaining to individuals who are involuntarily detained for psychiatric evaluation or treatment.
  • The Insurance Information and Privacy Protection Act governs medical records collected in connection with insurance applications and in the process of resolving insurance claims.
  • The California Insurance Code regulates insurance underwriting on the basis of genetic testing as well as requests for, and disclosures of, genetic test information.
  • The Clinical Laboratory Improvements Amendments of 1988 require laboratories to protect test results.
  • The Americans with Disabilities Act of 1990 protects job applicants against intrusive examination requirements and interview questions regarding disabilities, and employers must treat information about applicants' disabilities confidential.
  • The Drug Abuse Prevention, Treatment and Rehabilitation Act of 1970 provides for confidentiality and privacy protection for substance use disorder information.
  • The Patient Safety & Quality Improvement Act of 2005 protects patient safety information.

4. FINANCIAL DATA

4.1. CalFIPA

Under §4053(2)(b)(1) of the CalFIPA, financial institutions are required to give clear and conspicuous notice of consumers' right to opt-out of the institution sharing the consumer's personally identifiable non-public personal information ('NPI') with affiliates and third parties prior to the actual sharing of such information. Additionally, a financial institution must provide notice, and a consumer must provide affirmative written consent (e.g., opt-in), before the financial institution may share NPI with a non-affiliated third party. Consumers must also be given the opportunity to opt-out of having their NPI shared with a financial institution's affinity marketing partners. Notice of opt-out rights must be provided annually.

5. EMPLOYMENT DATA

5.1. California Labor Code

The California Labor Code ('Cal. Lab. Code') provides several data privacy protections for employees. Firstly, under the Cal. Lab. Code, employers are prohibited from demanding passwords and accessing the personal social media accounts of employees and job applicants, except to the extent reasonably believed to be relevant to an investigation of misconduct or violations of law by employees (Cal. Lab. Code §980(b)–(c)). Employers are, however, able to request access to an employer issued electronic device that is in the employee's possession (Cal. Lab. Code §980(d)).

Furthermore, most California employees have the right to inspect and receive a copy of their personnel files, although certain records are exempt from employee access, such as the following:

  • records relating to the investigation of a possible criminal offense;
  • letters of reference; or
  • ratings, reports, or records that were:
    • obtained prior to the employee's employment;
    • prepared by identifiable examination committee members; or
    • obtained in connection with a promotional examination (Cal. Lab. Code §1198.5.)

In addition, in California, employers may not inquire into or rely on an employee's salary history to make certain employment decisions (Cal. Lab. Code §432.3.)

The Cal. Lab. Code also provides several other protections, notably including the following:

  • employers may only print the last four digits of an employee's social security number or an employee identification number on an employee's wage statement (Cal. Lab. Code §226);
  • employers must not cause an audio or video recording to be made of an employee in a rest room, locker room, or room designated by an employer for changing clothes. Employee consent is not a defence (Cal. Lab. Code §435); and
  • employees of employers who regularly employ 25 or more employees have the right to be reasonably accommodated by their employers if they wish to participate in an alcohol or drug rehabilitation program (Cal. Lab. Code §1026)

Please refer to section 1 of this Guidance Note, which discusses the constitutionally protected right to privacy that can be enforced against private employers, for additional information regarding surveillance and monitoring in the workplace.

5.2. Other Employment Data Privacy Laws

Under the California Investigative Consumer Reporting Agencies Act ('ICRAA'), an employer, who obtains and uses an investigative consumer report for employment purposes must provide a written notice to that employee that provides specific information, before obtaining the report (Cal. Civ. Code §1786.16(a)(2)(b).)

In addition to regulations on background checks set forth in the ICRAA, the Consumer Credit Reporting Agencies Act ('CCRAA') also prohibits employers other than financial institutions from obtaining the consumer credit report of employees, or job applicants that are not in or applying for certain managerial positions (Cal. Lab. Code §1024.5). California employers must also give written notice to individuals prior to requesting a consumer credit report for that individual and note the statutorily provided exception for requesting the report (Cal. Lab. Code §1024.5 and Cal. Civ. Code §1785.20.5.)

No one may require, coerce, or compel any other individual to undergo the subcutaneous implanting of an identification device (e.g., a radio-frequency identification chip), in particular, not on the condition of obtaining employment, employee benefits, or promotion on consent to implantation (Cal. Civ. Code §52.7.)

6. ONLINE PRIVACY

6.1. CalOPPA

The California Online Privacy Protection Act ('CalOPPA') (§§22575-22579 of the Business and Professions Code ('Cal. Bus. & Prof. Code')) provides some protections for consumers residing in California, with respect to personal data that companies collect online about them. Under the CalOPPA, operators of commercial websites and online services that collect California residents' personally identifiable information are required to conspicuously post their privacy policies on their websites, or in the case of an operator of an online service, employ any other reasonably accessible means of making the privacy policy available for consumers of the online services (Cal. Bus. & Prof. Code §§22575–22579).

Furthermore, whilst the CalOPPA does not prohibit online tracking, it does include specific disclosure requirements for "do not track" mechanisms and online behavioral tracking across third party websites (Cal. Bus. & Prof. Code §§22575(b)(5).) Moreover, the CalOPPA applies to a broad interpretation of 'online services,' which includes mobile applications. The California AG has stated that the term 'covers any service available over the internet or that connects to the internet, including internet-enabled gaming platforms, voice over-internet protocol services, cloud services and mobile applications.19

For the purposes of the CalOPPA, personally identifiable information includes individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:

  • a first and last name;
  • a home or other physical address, including street name and name of a city or town;
  • an email address;
  • a telephone number;
  • a social security number;
  • any other identifier that permits the physical or online contacting of a specific individual; and
  • any information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in the preceding list (Cal. Bus. & Prof. Code §22577.)

6.2. Eraser Law

The Privacy Rights for California Minors in the Digital World Act ('the Eraser Law') §§22580-22582 of the Cal. Bus. & Prof. Code, provides additional protections to minors in California (individuals under the age of 18), including a right to be forgotten (see also the CCPA above), which enable minors to remove their own posts (but not republications of their posts or posts about them by others) (Cal. Bus. & Prof. Code §22581.).

The Eraser Law also prohibits companies who operate websites or online services directed at minors from using the minor's personal information to market or advertise certain enumerated products and services deemed potentially harmful for minors, including tattoos (Cal. Bus. & Prof. Code §§22580(b)(2) and 22580(c)).

6.3. Student Data Laws

Student data is protected under the Student Online Personal Information Protection Act ('SOPIPA') (Cal. Bus. & Prof. Code §§22584-22585), which became effective on 1 January 2016 and seeks to protect the personal information of students. The SOPIPA applies to operators of websites, online services, or online or mobile applications (covered operators) who have actual knowledge that their services were designed, marketed, and are being used for K-12 purposes (covered services) (Cal. Bus. & Prof. Code §22584(a)).

Furthermore, the SOPIPA requires such operators to implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information and protect such information from unauthorized access, destruction, use, modification, or disclosure (Cal. Bus. & Prof. Code §22584(d)(1)).

Under the SOPIPA, companies must delete a student's covered information if the school or district requests deletion of data under the control of the school or district (Cal. Bus. & Prof. Code §22584(d)(2).) Companies that are subject to SOPIPA must not use covered information for the following:

  • targeted advertising;
  • use information created or gathered by their sites or services to amass a profile about a K–12 student (except in furtherance of school purposes);
  • sell student's information; or
  • disclose student information (subject to limited exceptions).

Companies may use student information for maintaining, developing, supporting, improving, or diagnosing their sites and services and for school and educational purposes (Cal. Bus. & Prof. Code §22584(b).)

In addition, the SOPIPA was expanded upon the Early Learning Personal Information Protection Act ('ELPIPA') (Cal. Bus. & Prof. Code §§22586-22587), which became effective on 1 July 2017. The ELPIPA requires operators of websites, online services, or applications used or marketed primarily to preschool or prekindergarten pupils to refrain from a variety of practices, including targeted advertising, profiling of students for other purposes, selling a pupil's information, or disclosing covered information, unless certain other disclosures are made (Cal. Bus. & Prof. Code §22586(b).) Moreover, it also requires operators to maintain reasonable security procedures and practices and delete pupil information upon request (Cal. Bus and Prof. Code §22586(d)).

7. UNSOLICITED COMMERCIAL COMMUNICATIONS

7.1. California Anti-Spam Law

Under the California Anti-Spam Law (Cal. Bus. & Prof. Code §§17529-17529.9), most unsolicited commercial email advertisements to or from California email addresses are prohibited. The federal Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 pre-empts the California Anti-Spam Law for all provisions except those prohibiting falsity or deception in email messages. Therefore, the California Anti-Spam Law prohibits marketers from sending email advertisements to California email addresses that:

  • contain or accompany a third party's domain without the third party's permission;
  • contain or are accompanied by falsified, misrepresented, or forged header information; and
  • have a subject line that a person knows would be likely to mislead the recipient, acting reasonably under the circumstances, about a material fact regarding the contents or subject matter of the message (Cal. Bus. & Prof. Code §17529.5(a)).

Furthermore, under Cal. Bus. & Prof. Code §17538.41, most individuals, business entities, candidates, or political committees operating in California are generally prohibited from sending (or causing to be sent) text message advertisements to California residents, except in the following circumstances:

  • where text messages are sent at the direction of a person or entity offering mobile telephony services, pager services, or two-way messaging services to a subscriber, if the subscriber may opt-out from receiving such text messages;
  • when the subscriber has an existing relationship with the business, candidate, or political committee and the subscriber may opt-out of receiving such messages from them;
  • when the subscriber has provided consent to a business with whom the subscriber has an existing relationship to receive text messages from an affiliate of that business; and
  • where emails are forwarded, without the knowledge of the sender, to a mobile telephony service's handset, pager, or two-way messaging device (Cal. Bus. & Prof. Code §17538.41.)

In addition, Cal. Bus. & Prof. Code §17538.41(a) restricts advertisements sent via text message by any person, business, candidate or political organizations. Further, Cal. Bus. & Prof. Code §17538.43, prohibits any person or entity, if they or the recipient are located within California, from sending unsolicited fax advertisements without the recipient's prior express consent to do as such.

7.2. California Robocalls Law

§§2871-2876 of the California Public Utilities Code ('Cal. Pub. Util. Code') aim to limit the use of automatic dialing announcing devices ('ADAD'), commonly referred to as 'robocalling', in California to telephones in California. The law applies to phone calls placed using an ADAD. No person operating an ADAD (i.e., a robocalling machine) may place a call 'during the hours between 9 p.m. and 9 a.m. California time.' (Cal. Pub. Util. Code §2872(c).) Calls placed using an ADAD must be preceded by a live, 'natural voice announcement' made to the recipient. The announcement must state the nature of the call, the location and phone number of the entity being represented and request the consent of the call's recipient to hear a pre-recorded message (Cal. Pub. Util. Code §2874.) The call must disconnect after either party terminates the call (Cal. Pub. Util. Code §2874.) A person or entity making robocalls may not make a telephone connection for which no person, acting as an agent or telemarketer, is available for the person called.

There are certain exceptions to the prohibition on robocalling, the restrictions do not apply in the following instances:

  • where there is a prior business or personal relationship between the caller and the recipient;
  • the recipient has requested the call; or
  • if the recipient has previously consented to receive such calls (Cal. Pub. Util. Code §2872(f).)

Public safety and law enforcement agencies providing information related to safety or emergencies are exempt from the statute's restrictions (Cal. Pub. Util. Code §2872(e).) In addition, there are several exceptions grounded in public interest. For example, the statute does not apply to schools contacting parents or guardians of pupils regarding attendance or to a public utility calling for public safety reasons (Cal. Pub. Util. Code §§2872(d)(1) and 2872(4).) A petroleum refiner, chemical processing plant, or nuclear power plant may use robocalls to warn of an actual or potential life threatening emergency (Cal. Pub. Util. Code §2872(d)(5).)

Finally, Cal. Pub. Util. Code §2891.1(a) protects unlisted residential numbers and creates affirmative consent requirements for mobile phone companies that wish to sell residential subscribers' names and numbers for the purpose of creating a database.

7.3. California Do Not Call Law

Under the California Do Not Call Law (Cal. Bus. & Prof. Code §§17590–17594), companies must respect California's do-not-call list. The Do Not Call law mostly looks to ensure that the national Do Not Call Registry ('the Do Not Call Registry') is administered properly and used for its intended purpose. A person may not interfere with a subscriber's right to have his or her number on the Do Not Call Registry or the subscriber's right to abstain from joining the list.

There are a number of exceptions to the prohibitions on calls to California numbers on the Do Not Call Registry. Several of the exceptions relate to actual consent, and other exceptions include:

  • calls made to grant an extension of credit on a delinquent debt obligation;
  • calls made to a subscriber with whom the solicitor has a pre-existing business relationship;
  • calls made by a local small-business owner to individuals within a 50-mile radius;
  • calls made to verify the cancellation of a subscription; and
  • exemptions in the public interest.

8. PRIVACY POLICIES

8.1. CCPA requirements

The CCPA, as discussed in further detail in section 2, requires covered businesses to provide consumers with specific and detailed information, including information regarding:

  • the categories (as set forth in the CCPA) of personal information collected;
  • the purposes for the collection (e.g., how the information will be used);
  • a consumer's specific rights under the CCPA;
  • processes for exercising such rights;
  • whether the business sells or discloses personal information to third parties and if so, specific information about its disclosure or selling of such information.

Under the CCPA Regulations, the CCPA requires that privacy policies or notices:

  • are printable;
  • use plain, straightforward language and avoid technical or legal jargon;
  • use a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, if applicable;
  • are accessible to consumers with disabilities and/or that instructions are given for accessing the policy in an alternative format;
  • are readily available where consumers will encounter it at or before the point of collection;
  • are linked in a 'just-in-time' notice when collecting personal information from a consumer's mobile device for a purpose that the consumer would not reasonably expect; and
  • be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements and other information to consumers in California (in the case of the privacy policy only).

8.2. CalOPPA requirements

CalOPPA, as discussed in further detail in section 6, requires that privacy policies:

  • identify the personally identifiable information categories the website or online service collects;
  • identify the categories of third parties with whom personally identifiable information is shared;
  • provide a description of the process, if the operator maintains one, by which consumers may review and request changes to personally identifiable information, the website, or online service collects;
  • describe the process the operator uses to notify consumers of privacy policy changes;
  • provide the policy's effective date; and
  • disclose how web browser 'do not track' signals are treated by the operator (Cal. Bus. & Prof. Code §22575(b)(1)–(4).)

8.3. Shine the Light Law requirements

The Shine the Light law, as discussed in further detail in section 2 requires businesses to add language to their websites covering

Your Privacy Rights' or 'Your California Privacy Rights', and to provide certain notices and information to consumers in California if the businesses disclose the consumers' personal information to third parties for direct marketing purposes. Waivers of the Shine the Light law are unenforceable as against public policy.

If a company wants to avoid some of the more detailed disclosure obligations, it can seek consent from consumers via an opt-in or opt-out process up-front, i.e., before it starts sharing personal information, limit information sharing to transfers to data processors, or by sharing only certain types of personal information and only with affiliated companies that use the same brand.

9. DATA DISPOSAL/CYBERSECURITY/DATA SECURITY

9.1. CDPA

Any business that owns or retains California residents' personal information is subject to the California Data Protection Act of 2004 ('CDPA') (§§1798.80-84 of the Cal. Civ. Code). Under the CDPA, disposal of physical or electronic records containing personal information must be by:

  • shredding;
  • erasing; or
  • otherwise modifying the personal information to make it unreadable or undecipherable through any means (Cal. Civ. Code §1798.81.)

Furthermore, covered businesses are obligated to contractually require third parties to follow the same procedures (Cal. Civ. Code §1798.81.5(c).)

The CDPA only prescribes how the records must be disposed of, it does not prescribe whether and when businesses must dispose of records. This is because the purpose of the CDPA is to ensure that discarded records do not contain personal information that could be used by identity thieves. Contractual waivers of rights are void.

9.2. Other Data Disposal Laws

In addition, §§56.10 and 56.101 of the CMIA requires covered entities that create, maintain, preserve, store, abandon, destroy, or dispose of medical records to do so in a manner that preserves their confidentiality.

10. OTHER SPECIFIC JURISDICTIONAL REQUIREMENTS

10.1. Song-Beverly Credit Card Act

The Song-Beverly Credit Card Act §§1747.08-1747.09 of the Cal. Civ. Code regulates credit cards and related transactions by prohibiting merchants from requesting or requiring personal identification information as a condition to accepting a credit card as payment, subject to certain exceptions. The act also dictates the type of debit and credit card information that can be printed on receipts. Civil penalties range in price and increase upon every violation (to a maximum of $1,000). There is a safe harbor for companies to avoid penalties, which requires a showing that the violation was intentional and happened in spite of the maintenance of preventative procedures (Cal. Civ. Code §§1747.08–1747.09).

10.2. CCRAA

Furthermore, the CCRAA, which governs credit reporting conduct and consumer rights regarding access, use, and correction of credit reports for purposes of determining creditworthiness (Cal. Civ. Code §§1785.10-1785.19.5). The FCRA largely pre-empts, but does not completely pre-empt, the CCRAA.

The CCRAA also provides that a consumer credit reporting agency that owns, licenses, or maintains personal information about California residents, or a third party that maintains that information on its behalf, is required to protect that information (Cal. Civ. Code. §§1785.10-1785.19.5).

10.3. CFIPA

Under the CFIPA, which generally provides for the confidentiality of, and restricts access to, the financial records of people who transact business with, or use the services of, financial institutions, or for whom a financial institution has acted as a fiduciary. The purpose of the act is to clarify and protect the confidential relationship between financial institutions and their customers and to balance a citizen's right of privacy with the governmental interest in obtaining information for specific purposes and by specified procedures as set out in the act. Subject to certain exceptions, financial institutions must provide notice and (depending on the circumstance) either give the consumer the right to opt out or wait for the consumer to opt in through written consent (§§4052.5 and 4053 of the CFIPA).

10.4. Data Breach Notification

California adopted a data breach notification statute, under Cal. Civ. Code §§1798.29, 1798.82 and 1798.84. The statute requires organizations to notify affected individuals of any unauthorized acquisition of unencrypted computerised data that contains California residents' personal information. This is in addition to any other specific notification obligations for data breaches contained in other statutes. AB 1130 for an Act to amend §§1798.29, 1798.81.5 and 1798.82 of the Civil Code, relating to information privacy, which became effective on January 1, 2020, expanded the definition of personal information under California's data breach notification statute to include, amongst other things, unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, and used to authenticate an individual. AB 1130 also encourages organizations that experience breaches of biometric data to provide affected individuals with instructions on how to notify other entities using the same biometric data as an authenticator to no longer rely on it for authentication purposes.


  1. See Hill v. Nat'l Collegiate Athletic Ass'n, 26 Cal. Rptr. 2d 834, 842 (Cal. 1994).
  2. Ibid 857.
  3. See TBG Ins. Services Corp. v. Superior Court, 96 Cal. App. 4th 443, 449 (2002).
  4. The CCPA Regulations were first published in draft form on 10 October 2019 and underwent several formal comment periods and modified drafts. The final version of the CCPA Regulations were approved by the Office of Administrative Law on August 14, 2020 and went into effect immediately.
  5. See Cal. Civ. Code §§1798.100, 1798.130(a)(2), 1798.140(y), 1798.115(a), 1798.115(b), and 1798.130(a)(4).
  6. A business can, in response to a request, 'require authentication of the consumer that is reasonable in light of the nature of the personal information requested'. Possible methods of verifying a request could include: (i) responding to such a consumer request through the online account of the individual for whom the request was made to confirm; (ii) request a form of government issued ID for verification; or (iii) require the requestor to answer a series of knowledge-based challenge questions.
  7. See Cal. Civ. Code §1798.105.
  8. Warranty and product recall language added by the enacted AB 1146 for An act to amend Sections 1798.105 and 1798.145 of the Civil Code, relating to privacy.
  9. See Cal. Civ. Code §§1798.120 and 1798.135.
  10. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party (Cal. Civ. Code §1798.140(t)(2)).
  11. Warranty and product recall language added by enacted amendment AB 1146.
  12. AB 1202 for An act to add Title 8.81.48 (commencing with Section 1798.99.80) to Part 4 of Division 3 of the Civil Code, relating to privacy, added the data broker registration requirement.
  13. See Cal. Civ. Code §§1798.110 and 1798.130(a)(5)(B).
  14. See Cal. Civ. Code §1798.125(a)(1).
  15. The clarification that the value is to the business was added by enacted amendment AB 1355.
  16. See Cal. Pen. Code, §632(a); see also Brown v. Defender Sec. Co., 2012 WL 5308964, at *3 (C.D. Cal. 2012).
  17. See Kearney v. Salomon Smith Barney Inc., 137 P.3d 914, 930–932 (Cal. 2006).
  18. Negligent releases of medical information may include: (i) releasing medical information to a person without verifying the identity of the requestor; (ii) not properly securing physical files; and (iii) keeping medical information on an unsecure electronic system.
  19. See State of California v. Delta Air Lines, Inc., Case No. CGC-12-52674 (California Supreme Court, Complaint Filed 6 December 2012).
  20. Businesses that operate exclusively online and have a direct relationship with consumers from whom they collect personal information are required to provide only an email address for submitting requests to know.
  21. The CCPA Regulations define 'categories of third parties' as 'types or groupings of third parties with whom the business shares personal information, described with enough particularity to provide consumers with a meaningful understanding of the type of third party. They may include advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and data brokers.' (Cal. Code Regs. Title 11, §999.301(e)).