California - Sectoral Privacy Overview

June 2024

1. Right To Privacy/ Constitutional Protection

§1 of Article 1 of the California Constitution (the Constitution) provides individuals with an inalienable right to pursue and obtain privacy. This right to privacy can be enforced against private entities.1 To enforce this constitutional right, an individual can bring a claim in court, where they must prove that:

  • they had a reasonable expectation of privacy in the given situation;
  • the privacy interest is one that society recognizes; and
  • the breach of the plaintiff’s privacy is an 'egregious breach of social norms.'2

Notably, this California Constitutional right can be enforced by an employee against their employer. In the case of employee privacy rights violations, factors to consider in determining the reasonableness of an employee's expectation of privacy include community norms, notice to the employee, and whether the employee had the opportunity to consent.3 Therefore, for example, an employee's expectation of privacy in relation to electronic or other communications at work might be defeated by an employee policy that provides that the employer reserves the right to monitor such communications.

2. Key Privacy Laws 

2.1. CCPA

Introduction

The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (CPRA) (consolidated version available here) (CCPA) and the revised California Consumer Privacy Act Regulations (CCPA Regulations), under the California Code of Regulations (Cal. Code Regs.) Title 11, §7000 et seq., together comprise one of the most comprehensive general data privacy legal frameworks in the United States. The CCPA Regulations have the same force of law as the CCPA (Cal. Code Regs. Title 11 §7000(b)). Violations of the CCPA or the CCPA Regulations are enforceable by the new agency vested with administrative power, authority, and jurisdiction to implement the CCPA, the California Privacy Protection Agency (CPPA), although the California Attorney General (AG) retains its overarching authority to enforce violations of the CCPA as well.

The CCPA introduced new obligations for covered organizations that collect 'personal information' about 'consumers' and grants new rights to those individuals, with respect to their personal information collected by such organizations. 'Consumers' are defined as natural persons who are California residents (Cal. Civ. Code §1798.140(g)):

  • currently living in California (on more than a temporary basis); or
  • outside of the state for a temporary purpose, as under §17014 of Title 18 of the Cal. Code Regs.

Although personal information about employees, job applicants, and representatives of entities collected in a business context (i.e., business-to-business personal information), was previously excluded from most of the obligations of the CCPA, these exemptions expired on January 1, 2023, meaning that personal information about these categories of individuals is now fully within the scope of the CCPA (i.e., these individuals are counted as 'consumers' under the CCPA).

The CPRA's amendments build on the existing framework of the CCPA, apply to personal information collected after January 1, 2022, and have been enforceable from July 1, 2023. The CPRA revised some existing obligations, created new obligations relating to the processing and protection of personal information, and created new consumer rights, including the right to correct inaccurate personal information (see the section on record keeping below) and the right to limit the use of sensitive personal information (see the section on sensitive information below).

Under the CCPA, 'personal information' is defined in broad terms and means 'information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.' Personal information includes, but is not limited to, the following, if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular California resident or household (Cal. Civ. Code §1798.140):

  • identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers;
  • any personal information under Cal. Civ. Code §1798.80(e), including, any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, their name, signature, social security number, physical characteristics or descriptions, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, or any other financial information, medical information, or health insurance information;
  • characteristics of protected classifications under California or federal law, such as race, color, religion, sex/gender, gender identity, gender expression, sexual orientation, marital status, medical conditions, military or veteran status, national origin, citizenship status, ancestry, disability, genetic information, AIDS/HIV status, political affiliations or activities, status as a victim of domestic violence, assault or stalking, requests for family care leave, requests for leave for own illness, request for pregnancy disability leave, retaliation for reporting patient abuse in tax-supported institutions, aged 40 and above;
  • commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
  • biometric information;
  • other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a California resident's interaction with an internet website, application, or advertisement;
  • geolocation data;
  • audio, electronic, visual, thermal, olfactory, or similar information;
  • professional or employment-related information;
  • education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act of 1974 (FERPA), including those records, files, documents, and other materials which:
    • contain information directly related to a student; and
    • are maintained by a federally funded educational agency or institution or by a person acting for such agency or institution (§1232g(a)(2) of FERPA);
  • inferences drawn from any of the information identified in this subdivision to create a profile about a California resident reflecting the California resident's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes; and
  • sensitive personal information.

'Personal information' does not include personal information that is 'publicly available' or 'lawfully obtained, truthful information that is a matter of public concern.' 'Publicly available' is defined to mean 'information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the California resident or from widely distributed media, or by the California resident; or information made available by a person to whom the California resident has disclosed the information if the California resident has not restricted the information to a specific audience' and 'explicitly excludes biometric information collected by a business about a California resident without the California resident's knowledge.' 'Personal information' also explicitly does not include information that is deidentified or aggregated. Notably, the CCPA sets a specific standard for deidentification that businesses must meet to take advantage of this exception.

The CCPA does not include personal information that is already subject to certain existing data privacy laws. The CCPA specifically excludes from its scope personal information covered by:

The result of these exceptions is that, where relevant to a covered business, certain types of personal information handled by a business may be out of the scope of the CCPA, while other personal information handled by the same business may nevertheless remain within the scope of the CCPA. In addition, the CCPA is to be 'liberally construed to effectuate its purposes' and supplements (rather than replaces) existing laws relating to California residents' personal information, with the laws with the greatest privacy protections controlling in the event of a conflict (Cal. Civ. Code §§1798.175 and 1798.194). Therefore, covered businesses also continue to be subject to existing California data privacy laws such as the California Online Privacy Protection Act (§§22575-22579 of the Business and Professions Code (Cal. Bus. & Prof. Code)) (CalOPPA) (see the section on the CalOPPA and the Shine the Light Law below).

Applicability

An organization is subject to the CCPA if it is a 'business,' defined as a for-profit entity (including a sole proprietorship, partnership, limited liability company, association, or other legal entity) that:

  • does business in California;
  • collects a California resident's personal information (directly or on its behalf);
  • determines the means of processing (alone or jointly with others); and
  • meets one of the following thresholds:
    • as of January 1 of the calendar year, had annual gross revenues in excess of $25 million in the preceding calendar year, as adjusted pursuant to Cal. Civ. Code §1798.185(a)(5);
    • alone or in combination annually buys, sells, or shares the personal information of 100,000 or more California residents or households; or
    • derives 50% or more of its annual revenues from selling or sharing California residents' personal information (Cal. Civ. Code §1798.140(d)(1)).

Businesses that control or are controlled by covered businesses or share common branding with covered businesses are also subject to the CCPA (Cal. Civ. Code §1798.140(c)(2)). Under the CCPA, 'common branding' means a shared name, servicemark, or trademark, such that the average California resident would understand that two or more entities are commonly owned (Cal. Civ. Code §1798.140(d)(2)). Additionally, the CCPA clarifies that joint ventures and partnerships composed of businesses in which each business has at least a 40% interest are also a 'business' (Cal. Civ. Code §1798.140(d)(3)). Finally, any person that does business in California and does not otherwise meet the definition of 'business' but voluntarily certifies to the CPPA that it is in compliance with, and agrees to be bound by, the CCPA, will be a 'business' (Cal. Civ. Code §1798.140(d)(4)). The CCPA expressly excludes or does not limit a business's ability to:

  • collect California resident personal information, with every aspect of the commercial conduct taking place outside of California;
  • comply with other laws; and
  • collect, use, retain, or otherwise disclose California resident information that is deidentified or aggregated (Cal. Civ. Code §§1798.100(e) and 1798.145).

Concepts Introduced by the CPRA

Certain new concepts were introduced to the CCPA through its amendment by the CPRA and through the CCPA Regulations, as discussed below.

Purpose Limitation

The CCPA imposes more expansive purpose limitation requirements: a business that controls the collection of a California resident's personal information must not collect categories of personal information additional to those disclosed in the notice at collection, or use personal information collected for additional purposes that are incompatible with the initially disclosed purpose for which the personal information was collected, without providing the California resident with notice consistent with the CCPA's requirements (Cal. Civ. Code §1798.100(a)(1)). The CCPA Regulations further state that the purposes for which personal information is collected should be consistent with the reasonable expectations of California residents whose personal information is collected or processed, which is based on factors including the following (Cal. Code Regs. Title 11, §7002(b)):

  • the relationship between the California resident(s) and the business;
  • the type, nature, and amount of personal information that the business seeks to collect or process;
  • the source of the personal information and the business's method for collecting or processing it;
  • the specificity, explicitness, prominence, and clarity of disclosure(s) to the California resident(s) about the purpose of collecting or processing their personal information, such as in the notice at collection and in the marketing materials to the California resident(s) about the business's good or service; and
  • the degree to which the involvement of service providers, contractors, third parties, or other entities in the collecting or processing of personal information is apparent to the California resident(s).

Data Minimization

The CCPA also requires that a business's collection, use, retention, and sharing of a California resident's personal information should be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not processed further in a manner incompatible with those purposes (Cal. Civ. Code §1798.100(c)). The CCPA Regulations state that whether a business’s collection, use, retention, and/or sharing of a California resident’s personal information is reasonably necessary and proportionate to achieve these purposes shall depend on factors including the following (Cal. Code Regs. Title 11, §7002(d)):

  • the minimum personal information that is necessary to achieve the purposes;
  • the possible negative impacts on California residents posed by the business's collection or processing of the personal information; and
  • the existence of additional safeguards for the personal information to specifically address the possible negative impacts on California residents.

Sharing

The CCPA defines 'selling' as the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic means, a California resident's personal information by the business to another business or a third party for monetary or other valuable consideration.

The CCPA also covers the concept of 'sharing' as a covered type of transfer of personal information, defined broadly to mean the sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a California resident's personal information by the business to a third party for 'cross-context behavioral advertising', whether or not for monetary or other valuable consideration (Cal. Civ. Code §1798.140(ah)(1)). Pursuant to Cal. Civ. Code §1798.140(k), 'cross-context behavioral advertising' means the targeting of advertising to a California resident based on the California resident's personal information obtained from the California resident's activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the California resident intentionally interacts. The key distinction in the definition is that selling requires valuable consideration, whereas sharing does not. However, 'valuable consideration' is defined very broadly as 'any benefit conferred, or agreed to be conferred, upon the promisor, by any other person, to which the promisor is not lawfully entitled, or any prejudice suffered, or agreed to be suffered, by such person, other than such as they are at the time of consent lawfully bound to suffer, as an inducement to the promisor, is good consideration for a promise.' Therefore, several exchanges of data that would not normally be considered a 'sale' of data in the typical sense have the potential to be captured by the definition of 'sale' under the CCPA. For instance, the California Attorney General held in its 2022 enforcement and settlement against Sephora, Inc., that Sephora's transfer of personal information to ad tech and analytics companies for providing targeted advertisements, was a 'sale' under the CCPA.

The CCPA largely treats the 'sharing' of personal information like the selling of personal information, with a key difference being that the service provider exception is not available for businesses. Consequently, a business that previously determined that its disclosure of personal information for advertisement-related purposes did not constitute a sale because there was no valuable consideration or because the recipient was a service provider may need to revisit that decision and, if the disclosure constitutes 'sharing', implement additional controls or safeguards (e.g., providing California residents with the ability to opt out of such sharing).

Under the CCPA, a business does not sell or share personal information when (Cal. Civ. Code §1798.140(t)(2)):

  • a California resident uses or directs the business to intentionally:
    • disclose personal information; or
    • interact with one or more third parties;
  • the business links, at the California resident's request, from one online account to another;
  • the business uses or shares an identifier for a California resident who has opted out of the sale of their personal information for the purposes of alerting third parties that the California resident has opted out of the sale of their personal information;
  • the business transfers to a third party the personal information of a California resident as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with Cal. Civ. Code §§1798.110 and 1798.115.

In addition, as described in the section 'Contractors, service providers, and third parties' below, the transfer of personal information to a service provider or contractor will not be a sale, assuming that the contractual requirements are met, and the service provider or contractor complies with those requirements. However, that will still be a share.

Sensitive personal information

The CCPA also imposes obligations on businesses and expands California residents' rights in relation to the collection, use, and disclosure of sensitive personal information. The CCPA defines 'sensitive personal information' as (Cal. Civ. Code §1798.140(ae)):

  • personal information that reveals:
    • a California resident's social security, driver's license, state identification card, or passport number;
    • a California resident's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access;
    • a California resident's precise geolocation (if derived from a device that is used or intended to be used to locate a California resident within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet, except as otherwise allowed) (Cal. Civ. Code §1798.140(w));
    • a California resident's racial or ethnic origin, religious or philosophical beliefs, or union memberships and starting on January 1, 2024, a California resident's citizenship or immigration status;
    • the contents of a California resident's mail, email, and text messages (unless the business is the intended recipient); and
    • a California resident's genetic data; and
  • the processing of biometric information for the purpose of identifying a California resident; or
  • personal information collected and analyzed concerning a California resident's health, sex life, or sexual orientation.

Obligations relating to sensitive personal information include:

  • a California resident's right to limit the use and disclosure of sensitive personal information;
  • a business's obligation to provide a conspicuous link or button (if applicable) to opt out of, or limit, the use of sensitive personal information; and
  • a business's obligation to provide certain disclosures (e.g., in privacy policies and notices at or before the point of collection) such as the categories of personal information, including the categories of sensitive personal information collected and the purposes for which the categories of personal information (including categories of sensitive personal information) are collected and used.

Contractors, service providers, and third parties

The CPRA amended the definition of 'service provider' and requires additional provisions to be included in the contract between the service provider and the business. A 'service provider' is a person who processes personal information on behalf of a business and receives from or on behalf of the business a California resident's personal information for a business purpose pursuant to a written contract that prohibits the service provider from (Cal. Civ. Code §1798.140(ag)):

  • selling or sharing personal information;
  • retaining, using, or disclosing the personal information for any purpose other than for the business purpose specified in the contract for the business, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purpose specified in the contract, or as otherwise permitted by the CCPA;
  • retaining, using, or disclosing the information outside of the direct business relationship between the service providers and the business; and
  • combining the personal information that the service provider receives from or on behalf of the business, with personal information it receives from or on behalf of another person or persons or collects from its own interaction with the California resident, subject to certain permissible uses.16

While the CCPA previously only imposed contractual requirements on service providers, the CPRA's amendments only imposed contractual requirements on 'third parties' and 'contractors,' concepts that the CPRA introduces (and brings within the CCPA's scope). A 'contractor' is defined as a person to whom the business makes available a California resident's personal information for a business purpose pursuant to a written contract, provided that the contract (Cal. Civ. Code §1798.140(j)(1)(C)):

  • prohibits the contractor from:
    • selling or sharing the personal information;
    • retaining, using, or disclosing the information for any purpose other than for the business purpose specified in the contract;
    • retaining, using, or disclosing the information outside of its direct business relationship with the business;
    • combining the personal information received pursuant to the written contract with personal information it receives from or on behalf of another person(s), or collects from its own interaction with the California resident, subject to certain exceptions;
  • includes a certification that the contractor understands and will comply with the above restrictions; and
  • permits the business to monitor the contractor's compliance with the contract (e.g., through ongoing manual reviews, automated scans, regular assessments, audits, or other technical and operational testing at least once every 12 months).

The CCPA Regulations also provide additional detail regarding what a contract between a business and a service provider or contractor must contain (Cal. Civ. Code §1798.100(d), Cal. Code Regs. Title 11, §7051(a)):

  • prohibit the service provider or contractor from selling or sharing personal information it collects pursuant to the written contract with the business;
  • identify the specific business purpose(s) for which the service provider or contractor is processing personal information pursuant to the written contract with the business, and specify that the personal information is disclosed by the business only for the limited and specified business purposes set forth in the contract;
  • prohibit the service provider or contractor from retaining, using, or disclosing the personal information that it collected pursuant to the written contract with the business for any purpose other than the business purpose(s) specified in the contract or as otherwise permitted by the CCPA and the CCPA Regulations;
  • prohibit the service provider or contractor from retaining, using, or disclosing the personal information that it collected pursuant to the written contract with the business for any commercial purpose other than the business purpose(s) specified in the contract unless expressly permitted by the CCPA and the CCPA Regulations;
  • prohibit the service provider or contractor from retaining, using, or disclosing the personal information it collected pursuant to the written contract with the business outside the direct business relationship between the service provider or contractor and the business unless expressly permitted by the CCPA or the CCPA Regulations;
  • obligate the service provider to comply with all applicable obligations under the CCPA and the CCPA Regulations, and provide the same level of privacy protection as required by the same;
  • grant the business rights to take reasonable and appropriate steps to help ensure that the service provider uses the personal information in a manner consistent with the business's obligations under the CCPA and the CCPA Regulations;
  • require the service provider to notify the business if it makes a determination that it can no longer meet its obligations under the CCPA and the CCPA Regulations;
  • grant the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate the unauthorized use of personal information; and
  • require the service provider or contractor to enable the business to comply with California resident requests made pursuant to the CCPA or require the business to inform the service provider or contractor of any California resident request made pursuant to the CCPA that they must comply with and provide the information necessary for the service provider or contractor to comply with the request.

Apart from the above requirements under a contract with a business, a service provider or contractor has obligations to:

  • cooperate with the business in responding to a verifiable California resident request, and at the direction of the business, delete, or enable the business to delete and to notify any of its own service providers or contractors to delete personal information about the California resident collected, used, processed, or retained by the service provider or contractor (Cal. Civ. Code §1798.105(c)(3)); and
  • if it engages any other person to assist it in procuring personal information for a business purpose on behalf of the business (or if any other person engaged by the service provider engages another person to assist in processing information for that business purpose), notify the business of that engagement, and ensure that the engagement is pursuant to a written contract binding the other person to all the requirements that bind the service provider or contractor under its contract with the business (Cal. Civ. Code §1798.140(ag)(2)).

A key difference between service providers and contractors is that contractors must certify that they will abide by restrictions on the processing of personal information, as provided in their contract with the business.

A business that discloses personal information to a service provider or contractor in compliance with the CCPA is not liable for the service provider's or contractor's non-compliance with the CCPA, provided that, at the time of the disclosure, the business does not have actual knowledge (or reason to believe) that the service provider or contractor intends to commit such a violation. Likewise, a service provider or contractor is not liable for the obligations of a business for which it provides services, provided that the service provider or contractor will be liable for its own violations (Cal. Civ. Code §1798.145(i)(1)).

Separate from service providers and contractors, as discussed above, the CCPA has a specific definition for 'third party', defined as a person who is not any of the following (Cal. Civ. Code §1798.140(ai)):

  • the business with whom the California resident intentionally interacts and that collects personal information from the California resident as part of the California resident's current interaction with the business;
  • a service provider to the business; or
  • a contractor.

The CCPA Regulations provide that a business that sells or shares a California resident's personal information with a third party must enter into agreements with third parties that meet the following requirements (Cal. Code Regs. Title 11, §7053(a)):

  • identify the limited and specified purpose(s) for which the personal information is made available to the third party;
  • specify that the business is making the personal information available to the third party only for the limited and specified purpose(s) set forth within the contract and require the third party to use it only for that limited and specified purpose(s);
  • require the third party to comply with all applicable sections of the CCPA and the CCPA Regulations, including providing the same level of privacy protection as required by the CCPA and the CCPA Regulations;
  • grant the business the right, with respect to the personal information that the business makes available to the third party, to take reasonable and appropriate steps to ensure that the third party uses it in a manner consistent with the business’s obligations under the CCPA and the CCPA Regulations;
  • grant the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate the unauthorized use of personal information made available to the third party; and
  • require the third party to notify the business after it makes a determination that it can no longer meet its obligations under the CCPA and the CCPA Regulations.

Consumer rights

Access

A California resident has the right to request (and receive) disclosure from a business regarding:

  • specific pieces of personal information collected about that California resident;
  • categories of personal information collected about that California resident;
  • categories of the sources from which the information was collected;
  • the business or commercial purposes for collecting, selling, or sharing personal information;
  • categories of personal information that the business sold, shared, or disclosed for a business purpose about the California resident;
  • categories of third parties with whom the personal information was sold, shared, or disclosed; and
  • the business or commercial purpose for collecting, selling, or sharing personal information.

Businesses must make available two or more designated methods for submitting requests to access (and know) including, at a minimum, a toll-free number. However, pursuant to Cal. Civ. Code §1798.130(a)(1)(A), a business that operates exclusively online and has a direct relationship with a California resident from whom it collects personal information shall only be required to provide an email address for submitting requests to access (and know) their information. If a business maintains an internet website, one of the methods for submitting these requests must be through its website, such as through a web form. Other methods for submitting requests may include, but are not limited to, a designated email address, a form submitted in person, and a form submitted through the mail (Cal. Code Regs. Title 11, §7020(b)).

A business that receives a verifiable request (meaning, that the business can reasonably ascertain that the California resident making the request is the same California resident the request is being made for (see also the section on verification below)) relating to a California resident's right of access is obligated (no more than twice in a 12-month period per California resident) to make the disclosure free of charge, within 45 days.

A business can, in response to a request, 'require authentication of the California resident that is reasonable in light of the nature of the personal information requested.' Possible methods of verifying a request could include:

  • responding to such a California resident request through the online account of the individual for whom the request was made, to confirm it;
  • requesting a form of government-issued ID for verification; or
  • requiring the requestor to answer a series of knowledge-based challenge questions.

The CPRA's amendments to the CCPA broadened the scope of the disclosure from information collected, sold, or disclosed in the past 12 months, to personal information collected, sold, shared, or disclosed beyond the 12-month period (and the business will be required to provide such personal information) unless doing so would be impossible or would involve a disproportionate effort for the business (Cal. Civ. Code §1798.130(a)(2)(B)).17 A California resident's right to request (and a business' obligation to provide) personal information beyond the 12-month period only applies to personal information collected on or after January 1, 2022. The disclosure should be made in writing and delivered either:

  • through the California resident's account with the business, if they have one (if not they should not be asked to create one);
  • by mail; or
  • electronically, at the California resident's option if they do not have an account (in which case the information must be provided in a readily useable format that allows the California resident to easily transmit the information to another entity) (Cal. Civ. Code §1798.130(a)(2)).

The CPRA's amendments to the CCPA provide that a business may require authentication of the California resident prior to disclosure that is reasonable in light of the nature of the personal information requested (Cal. Civ. Code §1798.130(a)(2)(A)). Further, under the CCPA Regulations, businesses are not permitted to disclose sensitive information in response to a request to know, including a California resident's social security number, driver's license number, account password, or financial account numbers (Cal. Code Regs. Title 11, §7024(d)). In addition, businesses are not required to search for personal information if the business (Cal. Code Regs. Title 11, §7024(c)):

  • does not maintain the personal information in a searchable or reasonably accessible format;
  • maintains the personal information solely for legal or compliance purposes;
  • does not sell the personal information and does not use it for any commercial purpose; and
  • describes to the California resident the categories of records that may contain personal information that it did not search because it meets the three conditions stated above.

Deletion

A California resident has the right to request the deletion of personal information a business has collected from them.

A business that receives a verifiable request for deletion must delete the California resident's personal information from its records and direct any service providers and contractors that it engages to also delete the California resident's personal information from their records, and also notify all third parties to whom the business has sold or shared such personal information to delete the California resident's personal information unless this proves impossible or involves disproportionate effort.

Further, service providers and contractors have an added obligation to cooperate with the business in responding to verifiable California resident requests, and at the direction of the business, to delete or enable the business to delete the information. They also shall notify any service provider, contractor, or third party who may have accessed personal information from or through the service provider or contractor, subject to limited exceptions (Cal. Civ. Code §1798.105(c)(3)).

Notably, a business, service provider, or contractor is not required to comply with a California resident's deletion request if the personal information is necessary for the business, service provider, or contractor to (Cal. Civ. Code §1798.105):

  • complete a transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law,6 provide a good or service requested by the California resident, or otherwise perform a contract between the business and the California resident;
  • help ensure security and integrity to the extent the use of the California resident's personal information is reasonably necessary and proportionate for those purposes;
  • debug to identify and repair errors that impair existing intended functionality;
  • exercise free speech, ensure the right of another California resident to exercise that California resident's right of free speech, or exercise another right provided for by law;
  • comply with the California Electronic Communications Privacy Act, California Penal Code §§1546-1546.4 (Cal. Pen. Code), which compels the production of or access to electronic communication information or electronic device information with a search warrant;
  • engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business's deletion of the information is likely to render impossible or seriously impair the achievement of such research if the California resident has provided informed consent;
  • enable solely internal uses aligned with the California resident's expectations given their relationship with the business; or
  • comply with a legal obligation.

If none of the above exceptions applies, the CCPA Regulations require a business, contractor, or service provider to delete by permanently and completely erasing the personal information on its systems (with the exception of archived or back-up systems), deidentifying the personal information or aggregating the information (Cal. Code Regs. Title 11, §7022(b)(1)). A business is permitted to use a two-step process for online requests to delete, where the California resident must first submit the request to delete and then separately confirm their intention to have their information deleted (Cal. Code Regs. Title 11, §7020(d)).

Opt-out of sale or sharing

A business that sells or shares a California resident's personal information is required to provide a clear and conspicuous link on the business's internet homepage(s) titled 'Do Not Sell or Share My Personal Information' to an internet webpage that enables a California resident (or a person authorized by the California resident) to opt out of the sale or sharing of their personal information (Cal. Civ. Code §1798.135(a)(2)). Alternatively, a business may utilize a single, clearly labeled link on the business' internet homepage(s), provided that the link easily allows the California resident to both (Cal. Civ. Code §1798.135(a)(3)):

  • opt-out of the sale or sharing of the California resident's personal information; and
  • if applicable, limit the use or disclosure of the California resident's sensitive personal information.

A business is not required to comply with the above-mentioned requirements if the business allows California residents to opt out of the sale or sharing of their personal information (and limit the use of their sensitive personal information) through an opt-out preference signal sent with the California resident's consent.

The CCPA Regulations require businesses to treat opt-out preference signals that meet certain prescribed requirements (that is, the signal is in a format commonly used and recognized by businesses, and the platform, technology, or mechanism that sends the opt-out preference makes clear to the California resident that the use of the signal is meant to have the effect of opting the California resident out of the sale and sharing of their personal information) as valid opt-out requests (Cal. Code Regs. Title 11, §§7025(b) and (c)). A business must treat an opt-out preference signal that complies with the requirements as a valid request to opt out of sale/sharing for that browser or device (and any California resident profile associated with that browser or device, including pseudonymous profiles) (Cal. Code Regs. Title 11, §7025(c)(1)). The business must not require a California resident to provide additional information beyond what is necessary to send the signal, although it may provide the California resident with an option to provide further information if it will help facilitate the California resident’s request (Cal. Code Regs. Title 11, §7025(c)(2)). Further, if the opt-out preference signal conflicts with a California resident’s business-specific privacy setting which allows the business to sell or share their personal information, while the business must process the opt-out preference as a valid opt-out request, it may notify the California resident of the conflict and provide them with an opportunity to consent to the sale or sharing of their personal information (Cal. Code Regs. Title 11, §7025(3)). If a California resident is known to the business, the business must not interpret the absence of an opt-out preference signal (after the California resident previously sent an opt-out preference signal) as consent to opt-in to the sale or sharing of personal information (Cal. Code Regs. Title 11, §7025(c)(5)). These additional requirements may complicate compliance for businesses operating online.

Under the CCPA Regulations, a business must comply with a request to opt out as soon as feasibly possible, but at least within 15 days from receiving the request. If a business sells or shares personal information after receiving the request but before complying with the request, the business must also notify such third parties that the California resident exercised their right to opt-out and direct them to not sell or share that information (Cal. Code Regs. Title 11, §7026(f)(2)).

The CCPA Regulations require a business' methods for submitting opt-out requests to be easy for California residents to execute and require minimal steps. They prohibit businesses from using methods designed with the purpose, or having the substantial effect, of subverting or impairing a California resident's choice to opt out, and provide illustrative examples (Cal. Code Regs. Title 11, §7004(a)). Examples include that if a California resident clicks on the 'Do Not Sell or Share My Personal Information' link provided by a business, the business must not require them to 'search or scroll through the text of a privacy policy or similar document or webpage' to find the business' opt-out mechanism; and that a business should not use confusing language such as double negatives when providing California residents with the choice to opt-out.

Businesses are prohibited from selling or sharing the personal information of a California resident who has opted out (unless and until the business receives subsequent express authorization from the California resident to sell or share that California resident's personal information, which, under Cal. Civ. Code §1798.135(a)(5), cannot be requested by the business for at least 12 months after receiving the opt-out request and, if initiated by the California resident, requires a two-step opt-in process in accordance with Cal. Code Regs. Title 11, §7028(a)).

In relation to California residents over the age of 16, a California resident has the right to opt out of a business's sale or sharing of the California resident's personal information, and a business that sells or shares personal information is required to notify the California resident of their right to opt-out (Cal. Civ. Code §1798.120). A business may not require a California resident to create an account or provide additional information beyond what is necessary to exercise their right to opt out of the selling or sharing of their personal information.

Businesses knowingly collecting personal information of California residents under 13 must establish, document, and provide a method for determining that the person authorizing the sale of the child's information is, in fact, a parent or guardian (Cal. Code Regs. Title 11, §7070(a)(1)). The CCPA Regulations set out several examples of methods that may be reasonably calculated to ensure this is the case (Cal. Code Regs. Title 11, §7070(a)(2)). Further, businesses knowingly collecting personal information of California residents aged 13 to 15 years old must establish, document, and comply with a reasonable process for allowing such California residents to opt into the sale of their personal information (Cal. Code Regs. Title 11, §7071(a)). Businesses that knowingly collect the personal information of California residents either under the age of 13 and/or California residents aged between 13 to 15 must include a description in their privacy policy of the methods/processes used (Cal. Code Regs. Title 11, §7072(a)).

Correction

Pursuant to Cal. Civ. Code §1798.106, California residents also have a right to request a business that maintains inaccurate personal information about the California resident to correct inaccuracies in such information, taking into account the nature of the personal information and the purposes of the processing of the personal information. A business that collects personal information is required to disclose to California residents the existence of the California resident's right to request the correction of inaccurate personal information. A business that receives a verifiable California resident request to correct inaccurate personal information shall use commercially reasonable efforts to do so.

Verifiable California resident requests for the correction of inaccurate personal information are subject to substantially the same requirements and procedures as required for access and deletion requests. Businesses must make available to California residents two or more designated methods for submitting requests, including, at a minimum, a toll-free telephone number, provided, however, that a business that operates exclusively online and has a direct relationship with a California resident from whom it collects personal information shall only be required to provide an email address for submitting requests for correction (Cal. Civ. Code §1798.130(a)(1)(A)).

In order to determine the accuracy of the personal information that is the subject of a California resident's request to correct, a business shall consider the totality of the circumstances relating to the contested personal information (Cal. Code Regs. Title 11, §7023(b)). Factors to be considered by a business include, but are not limited to (Cal. Code Regs. Title 11, §7023(b)(1)):

  • the nature of the personal information;
  • how the business obtained the contested personal information; and
  • documentation relating to the accuracy of the information whether provided by the California resident, the business, or another source.

However, if the business is not the source of the personal information and has no documentation in support of the accuracy of the information, the California resident's assertion of inaccuracy may not be adequate to establish that the personal information is inaccurate (Cal. Code Regs. Title 11, §7023(b)(2)). As per the CCPA Regulations, a business that complies with a California resident's request to correct shall correct the personal information at issue on its existing systems, and shall also instruct all service providers and contractors that maintain the personal information at issue to make the necessary corrections in their respective systems (Cal. Code Regs. Title 11, §7023(c)). Service providers and contractors must comply with the business's instructions to correct the personal information or enable the business to make the corrections. A business, service provider, or contractor may delay compliance with the California resident's request to correct if it stores any personal information that is the subject of the request on archived or backup systems until the archived or backup system relating to the data is restored to an active system or is next accessed or used (Cal. Code Regs. Title 11, §7023(c)).

A business is required to accept, review, and consider any documentation that a California resident provides in relation to their right to correct, and a business may require the California resident to provide documentation if needed to rebut its own documentation that the personal information is accurate, taking into consideration factors such as the nature of the personal information at issue, the nature of the documentation upon which the business considers the personal information to be accurate, and the purposes for which the business collects, maintains, or uses the personal information (Cal. Code Regs. Title 11, §§7023(d)(1) and (2)).

If the deletion of the personal information does not negatively impact the California resident, a business may delete the contested personal information instead of correcting it (deletion would negatively impact the California resident if, for example, it would make it more difficult for the California resident to obtain a job, housing, or credit) (Cal. Code Regs. Title 11, §7023(e)). Further, in responding to a request to correct, a business must inform the California resident whether it has complied with the request, and if the request has been denied, it must provide the California resident with certain information, including an explanation of the basis for the denial (Cal. Code Regs. Title 11, §7023(f)).

A business may deny a California resident's request to correct if it has denied the California resident's request to correct the same alleged inaccuracy within the past six months of receiving the request or, alternatively, if it has a good-faith, reasonable, and documented belief that a request to correct is fraudulent or abusive (Cal. Code Regs. Title 11, §§7023(g) and (h)). Upon a California resident's request, a business must disclose specific pieces of personal information that it maintains and has collected about the California resident to enable the California resident to confirm that the business has corrected the inaccurate information that was the subject of the California resident's request (Cal. Code Regs. Title 11, §7023(j)). Further, whether a business, service provider, or contractor has implemented measures to ensure that personal information that is the subject of a request to correct remains corrected will factor into whether that business, service provider, or contractor has complied with a California resident's request to correct in accordance with the CCPA and the CCPA Regulations (Cal. Code Regs. Title 11, §7023(k)).

Verification

Under the CCPA, California resident requests relating to the above rights of access and deletion, and the newly added right to correct personal information may be made by:

  • the California resident;
  • a California resident on behalf of the California resident's minor child;
  • a natural person or a person registered with the California Secretary of State and authorized to act on the California resident's behalf; or
  • a person who has power of attorney or is acting as a conservator for the California resident (Cal. Civ. Code §1798.145(ak)).

In relation to requests associated with the above rights, a business is under an obligation to take steps to verify the identity of the requesting California resident. The CCPA Regulations require a business to establish, document, and comply with a reasonable method for verifying the identity of the California resident making the request, which avoids collecting new personal information from a California resident unless necessary and takes account of the type, sensitivity, and value of the personal information it collects and maintains about the California resident, amongst other matters (Cal. Code Regs. Title 11, §7060(c)). If a business cannot verify a California resident's request based on information it already holds about the California resident, it may request additional information, but may only use such additional information for the purpose of verifying the California resident's identity, fraud prevention, or security, and must delete such information as soon as practical after processing the California resident's request (Cal. Code Regs. Title 11, §7060(d)). In April 2024, the CPPA issued its first Enforcement Advisory asking businesses to apply data minimization principles when verifying consumer requests and to evaluate the necessity and potential risks of collecting additional information. A business cannot require the California resident to create an account with the business in order to make a verifiable California resident request. However, if the California resident does have an account with the business, the business may require the California resident to use that account to submit such a request (Cal. Civ. Code §1798.130(a)(2)(A)).

The way in which verification is handled can depend on the type of request.

Access, deletion, and correction requests

  • With account: If a California resident already has a password-protected account with the business, the business may require the California resident to make access, deletion, and correction requests through that account. To verify the requests, it may use any existing account authentication procedures for the California resident's account, though it must require the California resident to re-authenticate themselves prior to fulfilling any access, deletion, or correction request (Cal. Code Regs. Title 11, §7061).
  • Without account: If a California resident does not have a password-protected account and wishes to submit a request, the business cannot require the California resident to create a password-protected account to do so (see also the section on right to access above). As described above, the CCPA Regulations require that the business use any existing pieces of personal information to verify the California resident's identity, if possible. If this is not possible, the business may collect certain information and use it for the sole purpose of verification. The CCPA Regulations provide further clarification on verification requirements for non-accountholders:
    • If a California resident requests to know specific pieces of personal information, the business must ascertain the California resident's identity to a 'reasonably high' degree of certainty. This may include matching at least three data points provided by the California resident with data points maintained by the business that it determines are reliable for verification purposes together with a signed declaration under penalty of perjury that the requestor is in fact the California resident to whom the personal information relates. If this method of verification is used, the business must maintain all signed declarations.
    • If a California resident requests to know categories of personal information, the business must ascertain the California resident's identity to a 'reasonable' degree of certainty. This may include matching at least two data points provided by the California resident with data points maintained by the business that it determines are reliable for verification purposes.
    • If a California resident requests deletion or correction of their personal information, a business may need to verify the California resident's identity to a 'reasonable' or 'reasonably high' degree of certainty depending on the sensitivity of the personal information and the risk of harm to the California resident posed by unauthorized deletion (e.g., the deletion of family photographs or correction of contact information may require a reasonably high degree of certainty, while deletion of browsing history or correction of marital status may require only a reasonable degree of certainty). A business must act in good faith when determining the appropriate standard to apply when verifying the California resident's identity (Cal. Code Regs. Title 11, §7062).

Opt-out requests

Opt-out requests and requests to limit do not require verification of a California resident's identity. A business may ask a California resident for information necessary to complete the request, but this must not be burdensome on the California resident (Cal. Code Regs. Title 11, §7060(b)). However, a business may decline to fulfill an opt-out request if it has a good faith, reasonable, and documented belief that such a request is fraudulent (Cal. Code Regs. Title 11, §7026(e)).

Requests made through authorized agents

California residents may also submit requests through authorized agents. To verify access and deletion requests made through an agent, a business may require the California resident to:

  • provide the authorized agent with signed permission to do so;
  • verify their own identity directly with the business; or
  • directly confirm with the business that they provided the authorized agent with permission to submit the request on their behalf unless the California resident provided the authorized agent with power of attorney pursuant to §§ 4121 to 4130 of Chapter 2, of Part 2, of Division 4.5 of the Probate Code (Cal. Code Regs. Title 11, §§7063(a) and (b)).

A business may require the authorized agent to provide proof that the California resident gave the agent signed permission to submit the request (Cal. Code Regs. Title 11, §7063(a)). A business cannot require a California resident or the California resident's authorized agent to pay a fee to verify their request to know or delete, meaning that a business cannot require a California resident to provide a notarized affidavit to verify their identity unless the business compensates the California resident for the cost of notarization (Cal. Code Regs. Title 11, §7060(e)).

Lastly, if a business is unable to adequately verify the identity of a requesting California resident, it is not obligated to fulfill deletion, correction, or access requests under Cal. Civ. Code §1798.100, §1798.105, §1798.106, §1798.110, and §1798.115. In that instance, the business must inform the requestor that their identity cannot be verified. However, under the CCPA Regulations, in certain cases where a business receives a request relating to a specific right but cannot verify the identity of the requesting California resident, it is under an obligation to treat the request as a request to exercise a different specific right, i.e., when a business receives a request for:

  • deletion, which it denies (including if the business cannot verify to the standard described in the paragraph above), it is obliged to ask the California resident if they would like to request to opt out of the sale or sharing of personal information and include the contents of, or a link to, the notice of right to opt-out (Cal. Code Regs. Title 11, §7022(g));
  • disclosure of specific pieces of personal information collected about the California resident, which it cannot verify to the standard described above, it is obliged to treat the request as a request for categories of personal information collected about the California resident and verify accordingly (see above for verification requirements pertaining to requests for categories of personal information) (Cal. Code Regs. Title 11, §7024(a)); or
  • disclosure of categories of personal information collected about the California resident, which it cannot verify to the standard described above, it is obliged to direct the California resident to its general business practices regarding the collection, maintenance, and sale of personal information set forth in its privacy policy (Cal. Code Regs. Title 11, §7024(c)).

Record-keeping

The CCPA Regulations require businesses to maintain records of requests made in relation to the above rights, and responses to such requests, dating back 24 months (Cal. Code Regs. Title 11, §7101(a)). As a safe harbor, the maintenance of these records will not constitute a violation of the CCPA as long as the information is not used for any other purpose (Cal. Code Regs. Title 11, §7101(c)). Further, a business is not required to maintain the information solely for the purpose of fulfilling a California resident request (Cal. Code Regs. Title 11, §7101(e)). The records may be maintained in a ticket or log format as long as they include the date of request, nature of the request, the manner in which the request was made, the date of the business' response, the nature of the response, and the basis for the denial of the request, if applicable (Cal. Code Regs. Title 11, §7101(b)).

Businesses that know, or reasonably should know, that they alone or in combination annually buy, receive for commercial purposes, sell, share, or otherwise make available for commercial purposes the personal information of 10 million or more California residents are under an obligation to compile and disclose by 1 July of every calendar year in their privacy policies the below metrics from the previous calendar year. These metrics are required for all California resident requests, but the business may choose to include and clearly disclose these metrics for non-California residents as well (as long as it is able to provide California resident-only numbers upon request from the AG) (Cal. Code Regs. Title 11, §7102(a)):

  • the number of requests to know that the business received, complied with in whole or in part, and denied;
  • the number of requests to delete and the number of requests to correct that the business received, complied with in whole or in part, and denied;
  • the number of requests to opt-out of sale/sharing and the number of requests to limit that the business received, complied with in whole or in part, and denied; and
  • the median or mean number of days within which the business substantively responded to requests to know, correct, delete, opt-out, and limit.

Sensitive personal information

Corresponding to California residents' expanded rights of access to categories of certain sensitive personal information collected or maintained by a business (see the section on the customer right to access above), the CCPA also provides California residents with the right to limit a business' use or disclosure of their sensitive personal information.

Pursuant to Cal. Civ. Code §1798.121(a), a California resident shall have the right, at any time, to direct a business that collects sensitive personal information about the California resident to limit its use of the California resident's sensitive personal information to what is necessary to perform the services or provide the goods reasonably expected by an average California resident who requests such goods and services. A business that receives such a direction is prohibited from using or disclosing the sensitive personal information for any other purpose after receipt of the California resident's direction unless the California resident subsequently provides consent for the use or disclosure of their sensitive personal information for additional purposes (Cal. Civ. Code §1798.121(c)).

However, sensitive personal information that is collected or processed without the purpose of inferring characteristics about a California resident is not subject to requests to limit and is to be treated as standard personal information (Cal. Civ. Code §1798.121(d)).

A business that uses or discloses a California resident's sensitive personal information for purposes other than for the enumerated purposes set out in Cal. Code Regs. Title 11, §7027(m) is required to provide a clear and conspicuous link on the business's internet homepage(s), titled 'Limit the Use of My Sensitive Personal Information'. The link should enable the California resident (or a person authorized by the California resident) to limit the use or disclosure of the California resident's sensitive personal information (Cal. Civ. Code §1798.135(a)(2)). A business that does not operate a website shall establish, document, and comply with another method by which it informs California residents of their right to limit (Cal. Code Regs. Title 11, §7014(e)(2)). A business is required to include the following information in its notice of right to limit (Cal. Code Regs. Title 11, §7014(f)):

  • a description of the California resident's right to limit; and
  • instructions on how the California resident can submit a request to limit.

Alternatively, and as described in the section on the right to opt-out above, a business may utilize a single, clearly-labeled link on the business's internet homepage(s), provided that the link easily allows the California resident to both:

  • limit the use or disclosure of the California resident's sensitive personal information; and
  • opt out of the sale or sharing of the California resident's personal information (Cal. Civ. Code §1798.135(a)(3)).

A business is not required to comply with the above requirements if the business allows California residents to limit the use of their sensitive personal information (and opt out of the sale or sharing of their personal information) through an opt-out preference signal sent with the California resident's consent. The opt-out preference signals must be processed by the business in a frictionless manner, that is, the business must not (Cal. Code Regs. Title 11, §7025(f)):

  • charge a fee or require any valuable consideration;
  • change the California resident's experience with the product or service offered by the business; or
  • display a notification, pop-up text, graphic, animation, etc. in response to the opt-out preference signal.

In these circumstances, a business may provide California residents with a link to a webpage that enables the California resident to consent to the business ignoring the opt-out preference signal provided that specific requirements are met (Cal. Civ. Code §1798.135(b)). Under the CCPA, a business may not require a California resident to create an account or provide additional information beyond what is necessary to exercise their right to limit the use or disclosure of the California resident's sensitive personal information.

Disclosure/transparency

Notice at collection

A business subject to the CCPA must provide a notice to California residents (including its employees and job applicants), at or before the point of collection (Cal. Code Regs. Title 11, §7010(b)). For businesses that collect personal information from a California resident online, the notice at collection may be given to the California resident by providing a link to the section of their privacy policy that contains the information required. If a business directs a California resident to the beginning of their privacy policy, or to another section of their privacy policy that does not contain the required information, this standard is not satisfied (Cal. Code Regs. Title 11, §7012(f)). In practice, businesses generally offer a separate notice at collection to California resident employees and job applicants than to any customers or end users.

The privacy notice at collection is required to include the following information (Cal. Code Regs. Title 11, §7012(e)):

  • a list of the categories of personal information, including sensitive personal information, about California residents to be collected;
  • the purpose(s) for which the categories of personal information, including categories of sensitive personal information, are collected and used;
  • whether each category of personal information identified is sold or shared;
  • the length of time the business intends to retain each category of personal information identified, or if that is not possible, the criteria used to determine the period of time it will be retained;
  • if the business sells or shares personal information, the link to the notice of right to opt out of sale/sharing, or in the case of offline notices, where the webpage can be found online;
  • a link to the business's privacy policy, or in the case of offline notices, where the privacy policy can be found online.

Privacy policy

In addition to the above, the CCPA requires that a privacy policy include certain information (Cal. Code Regs. Title 11, §7011(e)). Please see the section on privacy policies below.

The privacy policy must be updated at least every 12 months (Cal. Code Regs. Title 11, §7062(g)).

A business cannot collect categories of personal information other than those disclosed in the notice or privacy policy and must provide a new notice if it intends to collect new categories of personal information (Cal. Code Regs. Title 11, §7002(f)). If a business collects personal information not directly from a California resident (i.e., from third-party sources), the CCPA Regulations provide that the business does not need to provide a notice at the time of collection so long as it does not sell the California resident's personal information (Cal. Code Regs. Title 11, §7012(h)). In addition, a data broker registered with the AG does not need to provide notice at collection if it has included a link to its online privacy policy in its registration submission that includes instructions on how a California resident can submit a request to opt out (Cal. Code Regs. Title 11, §7012(i)).

Notice of right to opt-out

A business that sells or shares personal information is obliged to provide two or more designated methods for submitting requests to opt-out, including a link titled 'Do Not Sell or Share My Personal Information' that directs the California resident to an interactive form that enables the California resident (or a person authorized by the California resident) to opt out of the sale or sharing of the California resident's personal information. The request should be complied with no later than 15 business days from the date the business receives the request (Cal. Code Regs. Title 11, §7013(f)).

The CCPA Regulations require businesses that collect personal information in the course of interacting with California residents offline to provide notice of the right to opt out by an offline method that facilitates California residents' awareness of their right to opt out and provides examples of how businesses can meet this requirement (Cal. Code Regs. Title 11, §7012(c)(4)). Examples provided include that a business that sells personal information it collects over the phone may inform California residents of their rights to opt-out orally during the call when the information is collected.

Notice of right to limit

A business that uses or discloses a California resident's sensitive personal information for purposes other than those specified in Cal. Code Regs. Title 11, §7027(m), must provide California residents with a notice of the right to limit on its internet webpage, which California residents are directed to after clicking on the 'Limit the Use of My Sensitive Personal Information' link (Cal. Code Regs. Title 11, §7014(e)(1)). A business that does not operate a website must establish, document, and comply with another method by which it informs California residents of their right to limit (Cal. Code Regs. Title 11, §7014(e)(2)).

Financial incentives

In addition, a business must disclose a concise description of any financial incentives employed, the material terms of such incentives (including the categories of personal information implicated by the financial incentive and the value of that information), how the California resident can opt-in to the financial incentive as well as how the California resident can opt-out, and a description of its CCPA-compliant method for valuing California resident personal information (Cal. Code Regs. Title 11, §7016). A permitted denial of a California resident's request to know, delete, or opt-out will not be considered discriminatory (Cal. Code Regs. Title 11, §7080(c)).

Prohibited discrimination

Discriminating against a California resident who exercises their rights under the CCPA (e.g., by the business increasing prices) is prohibited; however, businesses may offer different prices, rates, levels, or quality of goods or services if the difference is related to the value of the California resident's personal information. The CPRA's amendments to the CCPA clarify that businesses are not prohibited from offering loyalty, rewards, premium features, discounts, or club card programs (Cal. Civ. Code §1798.125(a)(3)). A business may offer financial incentives, including payments to California residents, for the collection, sale, sharing, or retention of personal information, provided that financial incentives are not unjust, unreasonable, coercive, or usurious in nature. For example, under the CCPA, a business may not change an offering for a particular California resident because that California resident asked the business to delete their data, but the business can provide different offerings to California residents based on the business' estimate of the value to the business (clarification added by enacted Assembly Bill 1355 for an Act to amend §§ 1798.100, 1798.110, 1798.115, 1798.120, 1798.125, 1798.130, 1798.140, 1798.145, 1798.150, and 1798.185 of the Civil Code, relating to consumer privacy).

If a California resident refuses to provide opt-in consent to the incentive program, the business must wait at least 12 months before next requesting that the California resident opt-in to the program (Cal. Civ. Code §1798.125(b)(3)).

Further, a business is now also prohibited from retaliating against an employee, applicant for employment, or independent contractor for exercising their rights (Cal. Civ. Code §1798.125(a)(1)(E)). The CCPA Regulations describe methods that businesses may utilize to assess the value of certain personal information, which include the personal information's marginal or average value to the business or the profit generated from the sale, collection, or retention of such personal information (Cal. Code Regs. Title 11, §7081). Businesses are also permitted to offer financial incentives for the collection, sale, or deletion of personal information under Cal. Code Regs. Title 11, §7080(a), but these must be reasonably tied to the assessed value of the personal information.

Personnel education/training

The CCPA requires a business to ensure that all individuals responsible for handling inquiries about the business's privacy practices or compliance with the CCPA are informed of the CCPA's obligations (Cal. Civ. Code §1798.130(a)(6)). Businesses should be sure to establish, document, and comply with a training policy to ensure that all individuals responsible can direct California residents as to how to exercise their rights (Cal. Code Regs. Title 11, §7100(b)).

Audits

The CPPA may audit a business, service provider, contractor, or person to ensure compliance with the CCPA (Cal. Code Regs. Title 11, §7304(a)). The CPPA may conduct audits to investigate possible violations of the CCPA if the subject's collection or processing of personal information presents a significant risk to consumer privacy or security, or if the subject has a history of non-compliance with the CCPA or any other privacy protection law (Cal. Code Regs. Title 11, §7304(b)). These audits may be announced or unannounced as determined by the CPPA (Cal. Code Regs. Title 11, §7304(c)). If the subject fails to cooperate during the CPPA's audit, it may result in the CPPA issuing a subpoena, seeking a warrant, or otherwise exercising its powers to ensure compliance with the CCPA (Cal. Code Regs. Title 11, §7304(d)).

Enforcement

The CPPA (along with the AG) is responsible for enforcing the CCPA and has the authority to promulgate regulations, initiate investigations, subpoena witnesses, hold hearings, and levy administrative fines for violations of the CCPA (Cal. Civ. Code §§1798.199.40, 1798.199.45, 1798.199.55, and 1798.199.65).

The CPPA is actively developing new regulations on cybersecurity audits and regulations on businesses’ use of automated decision-making technology and artificial intelligence. In its December 2023 and March 2024 board meetings, the CPPA board voted to prepare the Draft Cybersecurity Audit Regulations, the Draft Risk Assessment & ADMT Regulations, and the Draft Update to Existing Regulations, for formal rulemaking.

In an action brought by the CPPA, a business, service provider, contractor, or other person in violation of the CCPA may be liable for an administrative fine of up to $2,500 for each non-intentional violation, or $7,500 for each intentional violation or violation involving the personal information of a California resident under the age of 16, provided that the offending business, service provider, contractor, or other person had actual knowledge of the California resident's age (Cal. Civ. Code §1798.155(a)). Any fines assessed by the CPPA will be deposited in the Consumer Privacy Fund, to be used, first, to offset the costs incurred by the courts and the AG in carrying out their duties under the CCPA, and then, to establish an investment fund to be used to further the purposes of the CCPA when the amount of funds available exceeds $300,000 (Cal. Civ. Code §1798.160(a)). In a fiscal year in which the amount of funds available for grants is equal to or less than $300,000, the funds should be reserved.

The CPRA's amendments to the CCPA eliminate the prior 30-day cure period, meaning that businesses, service providers, contractors, or other persons in violation of the CCPA are subject to enforcement as soon as the violation has occurred. However, as part of the CPPA's decision to pursue investigations of possible or alleged violations of the CCPA, it may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of these requirements, and good-faith efforts to comply with these requirements (Cal. Code Regs. Title 11, §7301(b)).

California residents have the right to bring private actions against a business in the event of certain data security breaches resulting from the business's failure to implement and maintain reasonable security procedures and practices (see the section on enforcement above, and the section on the types of data breaches subject to the private right of action below). The definition of personal information within the scope of this right is expanded to include a California resident's email address in combination with a password or security question and answer that would permit access to the account. There is also now a new, affirmative obligation to implement security procedures and practices appropriate to the nature of the personal information to protect against unauthorized or illegal access, destruction, use, modification, or disclosure (Cal. Civ. Code §1798.100(3)(e)). Finally, as clarified by the CPRA, the implementation and maintenance of reasonable security procedures and practices following a security breach does not 'cure' the breach (Cal. Civ. Code §1798.150(2)(b)).

2.2. Shine the Light Law

The Shine the Light Law (Cal. Civ. Code §1798.83) addresses the practice of sharing personal information with third parties whom the business knows or reasonably should know will use the personal information for their direct marketing purposes. Generally, all businesses that have established business relationships with California consumers and have shared customer personal information as described above within the immediately preceding calendar year are covered. 'Business' is not defined under the Shine the Light Law, resulting in a scope broad enough to include businesses in other U.S. states and other countries (Cal. Civ. Code §1798.83(a)). However, certain companies are exempt from the Shine the Light Law, such as businesses with fewer than 20 employees and financial institutions that are subject to the California Financial Information Privacy Act (CFIPA) (Cal. Civ. Code §§1798.83(c)(1) and 1798.83(h)). Further, certain disclosures are exempt from this law, including disclosures of certain personal information between affiliates (Cal. Civ. Code §1798.83(d) and (f)).

Under the Shine the Light Law, 'personal information' is broadly defined as any information that, at the time of disclosure, identified, described, or was able to be associated with an individual, including, but not limited to, names and addresses, email addresses, and dates of birth (Cal. Civ. Code § 1798.83(e)(6)).

The Shine the Light Law specifies that, if a customer requests, businesses must inform California residents (free of charge) of:

  • the categories of personal information disclosed; and
  • the names and addresses of all of the third parties to whom the business disclosed that customer's personal information for direct marketing purposes during the preceding calendar year. If the nature of a third party's business cannot be reasonably determined from the third party's name, the business must provide information on the products or services marketed to give a reasonable indication of the nature of the third party's business (Cal. Civ. Code §1798.83(a)).

Requests must be responded to within 30 days, but businesses are not required to comply with more than one request from a customer per calendar year (Cal. Civ. Code §1798.83(b) and (c)).

Alternatively, businesses may comply with the law by adopting a policy of not disclosing the personal information of customers to third parties for their direct marketing purposes (i) unless the customer first affirmatively agrees to that disclosure or (ii) if the customer has exercised an option that prevents the information from being disclosed to third parties. In this case, the business must disclose the policies and notify the customer of their right to prevent the disclosure of personal information (Cal. Civ. Code §1798.83(c)(2)). Waivers of the Shine the Light Law are unenforceable as against public policy (Cal. Civ. Code §1798.84(a)).

Under the Shine the Light Law, businesses are required to do at least one of the following (Cal. Civ. Code §1798.83(b)):

  • notify all employees of the designated contact information by which customers may submit requests; or
  • add a description of the customer's rights and the designated contact information by which to exercise them in the privacy policy or a separate page linked on the website; or
  • make the designated contact information available to customers upon request at every place of business in California where there is regular contact with customers.

2.3. CIPA

The California Invasion of Privacy Act (CIPA), under Cal. Pen. Code §§630-338.55, grants California individuals certain protections in their communications via telephones (both landlines and mobiles). The CIPA, with certain exceptions, prohibits companies, individuals, and government agencies from acts, including, but not limited to:

  • wiretapping (Cal. Pen. Code §631(a));
  • eavesdropping on and recording confidential communications without the consent of all parties (Cal. Pen. Code §632(a));
  • recording cell phone communications without the consent of all parties (Cal. Pen. Code §§632.5-632.7);
  • the monitoring or recording of conversations in a subscriber's residence or the sharing of individually identifiable information on subscriber viewing habits or other personal information without written consent by cable and satellite TV operators (Cal. Pen. Code §637.5(a)); and
  • the use of electronic tracking devices (Cal. Pen. Code §637.7(a)).

State laws in this area take different approaches to consent, with some requiring the consent of only one party; under the CIPA, as noted above, California is an all-party consent state.

When an individual is on a landline, that individual must have a reasonable expectation of privacy in the communication before the caller may be held liable under the CIPA, but for individuals using cellular or mobile telephones, strict liability applies.13 Calls made to or by California residents by both businesses and individuals, whether or not the caller is located in California, are subject to the CIPA.14 There are currently hundreds of pending class actions alleging that the use of chatbots, cookies, tracking pixels, and other data analytics software violates CIPA.

The CIPA is enforced through criminal penalties, either a misdemeanor or a felony, depending on the number (if any) of prior offenses. For first-time violators, the fine is $2,500, but for repeat offenders, the maximum fine is $10,000 (Cal. Pen. Code, §§631(a); 632(a)). Any offender, whether first-time or repeat, can also face imprisonment (Cal. Pen. Code, §§631(a); 632(a)). Moreover, the CIPA also provides a private right of action in a civil lawsuit (despite being found in the Cal. Pen. Code) with damages of $5,000 per violation or treble actual damages (whichever is greater) (Cal. Pen. Code §637.2(a)).

3. Health Data

3.1. CMIA

The CMIA is the primary law addressing the privacy and security of medical information in California. The CMIA protects the confidentiality of medical information that is individually identifiable. 'Medical information' means any individually identifiable information, in electronic or physical form, in possession of, or derived from, a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental health application information, mental or physical condition, or treatment. 'Individually identifiable' means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity (Cal. Civ. Code §56.05(j)).

Under Cal. Civ. Code §§56.10 and 56.101, covered entities are:

  • prohibited from using or disclosing medical information for any purpose not necessary to provide health care services to a patient (except as expressly authorized by the patient or required by law);
  • prohibited from engaging in many types of marketing uses and disclosure;
  • required to create, maintain, preserve, store, abandon, destroy, or dispose of medical records in a manner that preserves their confidentiality; and
  • subject to a mandate that electronic health or medical record systems protect the integrity of electronic medical information and automatically record and preserve any changes or deletions.

Under Cal. Civ. Code §56.107, additional privacy protections are provided for patients receiving sensitive services, including health care services related to mental or behavioral health, sexual and reproductive health, sexually transmitted infections, and gender-affirming care. These include that a health care service plan will not require a protected individual to obtain the policyholder, primary subscriber, or other enrollee's authorization to receive sensitive services or to submit a claim for sensitive services (Cal. Civ. Code §56.107(a)(1)); and specific requirements for communications from a health care service plan regarding a protected individual's receipt of sensitive services (Cal. Civ. Code §56.107(a)(3)).

According to Cal. Civ. Code §56.35, penalties for failing to comply with the CMIA include:

  • compensatory damages;
  • punitive damages (with a maximum of $3,000);
  • attorneys' fees (with a maximum of $1,000); and
  • the costs of litigation.

Health care providers or other covered entities are also liable for nominal damages of $1,000 in the event of a negligent release of medical information even without actual damages19 (Cal. Civ. Code §56.36). Finally, there are also administrative and civil penalties that will apply, with costs varying depending on whether the violation was negligent (Cal. Civ. Code §56.36).

3.2. PAHRA

The Patient Access to Health Records Act (PAHRA), under California Health & Safety Code (Cal. Health & Safety Code) §§123100-123149.5, is the primary law in California governing patient access to, and amendment of, health records.

The PAHRA requires health care providers to permit California residents to (Cal. Health & Safety Code §§123110 and 123111):

  • inspect and copy their health records; and
  • submit amendments to their records if a patient believes that the records are inaccurate or incomplete.

Under the PAHRA, patients are entitled to inspect their records within five business days of making a request, and healthcare providers must transmit copies of records within 15 business days of a request (Cal. Health & Safety Code §§123110 and 123111).

3.3. Other health information laws

  • Cal. Civ. Code §1798.91 requires companies to obtain informed consent from an individual prior to collecting their medical information for direct marketing purposes.
  • The Shine the Light law allows individuals to learn about how businesses sell their personal information and specifically applies to certain types of medical and health insurance information.
  • Cal. Health & Safety Code §130200 established the California Office of Health Information Integrity to support the secure health information movement in California.
  • Cal. Health and Safety Code §§123100, 120975-121020 and 1280.18 also guarantee individuals the right to access, amend, and make copies of their health records maintained by health providers; protect the privacy of individuals subject to blood testing for HIV; and require certain health facilities to implement administrative, technical, and physical safeguards to protect medical information.
  • The California Welfare and Institutions Code protects the confidentiality of information and records pertaining to individuals who are involuntarily detained for psychiatric evaluation or treatment.
  • The Insurance Information and Privacy Protection Act governs medical records collected in connection with insurance applications and in the process of resolving insurance claims.
  • The California Insurance Code regulates insurance underwriting on the basis of genetic testing as well as requests for, and disclosures of, genetic test information.
  • The Clinical Laboratory Improvements Amendments of 1988 require laboratories to protect test results.
  • The Americans with Disabilities Act of 1990 protects job applicants against intrusive examination requirements and interview questions regarding disabilities, and employers must treat information about applicants' disabilities as confidential.
  • The Drug Abuse Prevention, Treatment and Rehabilitation Act of 1970 provides for confidentiality and privacy protection for substance use disorder information.
  • The Patient Safety & Quality Improvement Act of 2005 protects patient safety information.
  • The Genetic Information Privacy Act establishes certain requirements for direct-to-consumer genetic testing companies to follow with respect to data collection, use, security, and disclosure, and also provides consumers with access and deletion rights.

4. Financial Data

4.1. CalFIPA

Under CalFIPA §4053(2)(b)(1), financial institutions are required to give clear and conspicuous notice of consumers' right to opt out of the institution sharing the consumer's personally identifiable non-public personal information (NPI) with affiliates and third parties prior to the actual sharing of such information. Additionally, a financial institution must provide notice, and a consumer must provide affirmative written consent (e.g., opt-in), before the financial institution may share NPI with a non-affiliated third party. Consumers must also be given the opportunity to opt out of having their NPI shared with a financial institution's affinity marketing partners. Notice of opt-out rights must be provided annually.

5. Employment Data

5.1. The California Labor Code

The California Labor Code (Cal. Lab. Code) provides several data privacy protections for employees. Firstly, under the Cal. Lab. Code, employers are prohibited from demanding passwords and accessing the personal social media accounts of employees and job applicants, except to the extent reasonably believed to be relevant to an investigation of misconduct or violations of law by employees (Cal. Lab. Code §§980(b)–(c)). Employers are, however, able to request access to an employer-issued electronic device that is in the employee's possession (Cal. Lab. Code §980(d)).

Furthermore, most California employees have the right to inspect and receive a copy of their personnel files, although certain records are exempt from employee access, such as the following (Cal. Lab. Code §1198.5):

  • records relating to the investigation of a possible criminal offense;
  • letters of reference; or
  • ratings, reports, or records that were:
    • obtained prior to the employee's employment;
    • prepared by identifiable examination committee members; or
    • obtained in connection with a promotional examination.

In addition, in California, employers may not inquire into or rely on an employee's salary history to make certain employment decisions.

The Cal. Lab. Code also provides several other protections, notably including the following:

  • employers may only print the last four digits of an employee's social security number or an employee identification number on an employee's wage statement (Cal. Lab. Code §226);
  • employers must not cause an audio or video recording to be made of an employee in a restroom, locker room, or room designated by an employer for changing clothes. Employee consent is not a defense (Cal. Lab. Code §435); and
  • employees of employers who regularly employ 25 or more employees have the right to be reasonably accommodated by their employers if they wish to participate in an alcohol or drug rehabilitation program (Cal. Lab. Code §1026).

Please refer to the section on the right to privacy and constitutional protections above, which discusses the constitutionally protected right to privacy that can be enforced against private employers, for additional information regarding surveillance and monitoring in the workplace.

5.2. Other employment data privacy laws

Under California's Investigative Consumer Reporting Agencies Act (ICRAA), an employer who obtains and uses an investigative consumer report for employment purposes must, before obtaining the report, provide a written notice to that employee that provides specific information (Cal. Civ. Code §1786.16(a)(2)(b)).

In addition to regulations on background checks set forth in the ICRAA, the Consumer Credit Reporting Agencies Act (CCRAA) also prohibits employers other than financial institutions from obtaining the consumer credit report of employees or job applicants who are not in, or applying for, certain managerial positions (Cal. Civ. Code §1024.5). California employers must also give written notice to individuals prior to requesting a consumer credit report for that individual and note the statutorily provided exceptions for requesting the report (Cal. Civ. Code §§1024.5 and 1785.20.5).

No one may require, coerce, or compel any other individual to undergo the subcutaneous implanting of an identification device (e.g., a radio-frequency identification chip); in particular, obtaining employment, employee benefits, or promotion may not be conditioned on consent to implantation (Cal. Civ. Code §52.7).

Finally, the CCPA applies to information about California employees, contractors, and job applicants of covered businesses.

6. Online Privacy

6.1. The CalOPPA

The CalOPPA provides some protections for consumers residing in California, with respect to personal data that companies collect online about them. Under the CalOPPA, operators of commercial websites and online services that collect California residents' personally identifiable information are required to conspicuously post their privacy policies on their websites, or in the case of an operator of an online service, employ any other reasonably accessible means of making the privacy policy available for consumers of the online services (Cal. Bus. & Prof. Code §§22575–22579).

Furthermore, whilst the CalOPPA does not prohibit online tracking, it does include specific disclosure requirements for 'do not track' mechanisms and online behavioral tracking across third-party websites (Cal. Bus. & Prof. Code §§22575(b)(5)). Moreover, the CalOPPA applies to a broad interpretation of 'online services', which includes mobile applications. The California AG has stated that the term covers any service available over the internet or that connects to the internet, including internet-enabled gaming platforms, voice-over-internet protocol services, cloud services, and mobile applications.20

For the purposes of the CalOPPA, personally identifiable information includes individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:

  • a first and last name;
  • a home or other physical address, including street name and name of a city or town;
  • an email address;
  • a telephone number;
  • a social security number;
  • any other identifier that permits the physical or online contact of a specific individual; and
  • any information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in the preceding list (Cal. Bus. & Prof. Code §22577).

6.2. The Eraser Law

The Privacy Rights for California Minors in the Digital World Act (Cal. Bus. & Prof. Code §§22580-22582) (the Eraser Law) provides additional protections to minors in California (individuals under the age of 18), including a right to be forgotten (see also the CCPA above), which enables minors to remove their own posts (but not republications of their posts or posts about them by others) (Cal. Bus. & Prof. Code §22581).

The Eraser Law also prohibits companies that operate websites or online services directed at minors from using the minor's personal information to market or advertise certain enumerated products and services deemed potentially harmful for minors, including tattoos (Cal. Bus. & Prof. Code §§22580(b)(2) and 22580(c)).

6.3. Student data laws

Student data is protected under the Student Online Personal Information Protection Act (Cal. Bus. & Prof. Code §§22584-22585) (SOPIPA), which became effective on January 1, 2016, and seeks to protect the personal information of students. The SOPIPA applies to operators of websites, online services, or online or mobile applications (covered operators) who have actual knowledge that their services were designed, marketed, and are being used for K-12 purposes (covered services) (Cal. Bus. & Prof. Code §22584(a)).

Furthermore, the SOPIPA requires such operators to implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information and protect such information from unauthorized access, destruction, use, modification, or disclosure (Cal. Bus. & Prof. Code §22584(d)(1)).

Under the SOPIPA, companies must delete a student's covered information if the school or district requests the deletion of data under the control of the school or district (Cal. Bus. & Prof. Code §22584(d)(2)). Companies that are subject to the SOPIPA must not:

  • use covered information for targeted advertising;
  • use information created or gathered by their sites or services to amass a profile about a K–12 student (except in furtherance of school purposes);
  • sell a student's information; or
  • disclose student information (subject to limited exceptions).

Companies may use student information for maintaining, developing, supporting, improving, or diagnosing their sites and services and for school and educational purposes (§22584(b) of the Cal. Bus. & Prof. Code).

In addition, the SOPIPA was expanded upon by the Early Learning Personal Information Protection Act (Cal. Bus. & Prof. Code §§22586-22587) (ELPIPA), which became effective on July 1, 2017. The ELPIPA requires operators of websites, online services, or applications used or marketed primarily to preschool or pre-kindergarten pupils to refrain from a variety of practices, including targeted advertising, profiling of students for other purposes, selling a pupil's information, or disclosing covered information, unless certain other disclosures are made (Cal. Bus. & Prof. Code §22586(b)). Moreover, it also requires operators to maintain reasonable security procedures and practices and delete pupil information upon request (Cal. Bus. & Prof. Code §22586(d)).

7. Unsolicited Commercial Communications

7.1. California Anti-Spam Law

Under the California Anti-Spam Law (Cal. Bus. & Prof. Code §§17529-17529.9), most unsolicited commercial email advertisements to or from California email addresses are prohibited. CAN-SPAM pre-empts the California Anti-Spam Law for all provisions except those prohibiting falsity or deception in email messages. Therefore, the California Anti-Spam Law prohibits marketers from sending email advertisements to California email addresses that (Cal. Bus. & Prof. Code §17529.5(a)):

  • contain or accompany a third party's domain without the third party's permission;
  • contain or are accompanied by falsified, misrepresented, or forged header information; and
  • have a subject line that a person knows would be likely to mislead the recipient, acting reasonably under the circumstances, about a material fact regarding the contents or subject matter of the message.

Furthermore, under Cal. Bus. & Prof. Code §17538.41, most individuals, business entities, candidates, or political committees operating in California are generally prohibited from sending (or causing to be sent) text message advertisements to California residents, except in the following circumstances:

  • where text messages are sent at the direction of a person or entity offering mobile telephony services, pager services, or two-way messaging services to a subscriber, if the subscriber may opt-out from receiving such text messages;
  • when the subscriber has an existing relationship with the business, candidate, or political committee and the subscriber may opt out of receiving such messages from them;
  • when the subscriber has provided consent to a business with whom the subscriber has an existing relationship to receive text messages from an affiliate of that business; and
  • where emails are forwarded, without the knowledge of the sender, to a mobile telephony service's handset, pager, or two-way messaging device.

In addition, Cal. Bus. & Prof. Code §17538.41(a) restricts advertisements sent via text message by any person, business, candidate, or political organization. Further, Cal. Bus. & Prof. Code §17538.43 prohibits any person or entity, if they or the recipient are located within California, from sending unsolicited fax advertisements without the recipient's prior express consent to do so.

7.2. California Robocalls Law

§§2871-2876 of the California Public Utilities Code (Cal. Pub. Util. Code) aim to limit the use of automatic dialing announcing devices (ADAD), commonly referred to as 'robocalling,' in California to telephones in California. The law applies to phone calls placed using an ADAD. No person operating an ADAD (i.e., a robocalling machine) may place a call 'during the hours between 9 p.m. and 9 a.m. California time' (Cal. Pub. Util. Code §2872(c)). Calls placed using an ADAD must be preceded by a live, 'natural voice announcement' made to the recipient. The announcement must state the nature of the call, the location and phone number of the entity being represented, and request the consent of the call's recipient to hear a pre-recorded message (Cal. Pub. Util. Code §2874). The call must disconnect after either party terminates the call (Cal. Pub. Util. Code §2874). A person or entity making robocalls may not make a telephone connection for which no person, acting as an agent or telemarketer, is available for the person called.

There are certain exceptions to the prohibition on robocalling. The restrictions do not apply in the following instances:

  • where there is a prior business or personal relationship between the caller and the recipient;
  • where the recipient has requested the call; or
  • where the recipient has previously consented to receive such calls (Cal. Pub. Util. Code §2872(f)).

Public safety and law enforcement agencies providing information related to safety or emergencies are exempt from the statute's restrictions (Cal. Pub. Util. Code §2872(e)). In addition, there are several exceptions grounded in the public interest. For example, the statute does not apply to schools contacting parents or guardians of pupils regarding attendance or to a public utility calling for public safety reasons (Cal. Pub. Util. Code §§2872(d)(1) and 2872(4)). A petroleum refiner, chemical processing plant, or nuclear power plant may use robocalls to warn of an actual or potentially life-threatening emergency (Cal. Pub. Util. Code §2872(d)(5)).

Finally, Cal. Pub. Util. Code §2891.1(a) protects unlisted residential numbers and creates affirmative consent requirements for mobile phone companies that wish to sell residential subscribers' names and numbers for the purpose of creating a database.

7.3. California Do Not Call Law

Under the California Do Not Call Law (Cal. Bus. & Prof. Code §§17590–17594), companies must respect California's do-not-call list. The Do Not Call law mostly looks to ensure that the national Do Not Call Registry ('the Do Not Call Registry') is administered properly and used for its intended purpose. A person may not interfere with a subscriber's right to have their number on the Do Not Call Registry or the subscriber's right to abstain from joining the list.

There are a number of exceptions to the prohibitions on calls to California numbers on the Do Not Call Registry. Several of the exceptions relate to actual consent, and other exceptions include:

  • calls made to grant an extension of credit on a delinquent debt obligation;
  • calls made to a subscriber with whom the solicitor has a pre-existing business relationship;
  • calls made by a local small-business owner to individuals within a 50-mile radius;
  • calls made to verify the cancellation of a subscription; and
  • exemptions in the public interest.

7.4. California's Content Moderation Requirements for Internet Terms of Service

California's Content Moderation Requirements for Internet Terms of Service bill (AB 587) went into effect on January 1, 2024. The law requires covered social media companies to disclose specific information in their online terms of service (TOS), as well as submit quarterly TOS reports to the California Attorney General.  

AB 587 defines a 'social media company' as a person or entity that owns or operates one or more social media platforms, which are public or semipublic internet-based services or applications that have users in California and meet both of the following criteria:  

  • a substantial function of the service or application is to connect users to allow users to interact socially with each other within the service or application (email or direct messaging services do not meet this criterion on the basis of that function alone); and
  • the service or application allows users to do all of the following: 
    • construct a public or semi-public profile for purposes of signing into and using the service or application;
    • populate a list of other users with whom an individual shares a social connection within the system; and
    • create or post content viewable by other users, including, but not limited to, on message boards, in chat rooms, or through a landing page or main feed that presents the user with content generated by other users.

AB 587 requires covered entities' TOS to be available in all Medi-Cal threshold languages, and include the following:  

  • contact information for the purpose of allowing users to ask questions about the terms of services; 
  • a description of the process that users must follow to flag content, groups, or other users that they believe violate the terms of service; and  
  • a list of potential actions that social media companies may take against an item of content or a user, including, but not limited to, removal, demonetization, deprioritization, or banning.  

Additionally, the TOS reports to the California AG must include: 

  • the current TOS for each social media platform owned or operated by the company;  
  • a description of changes made to the TOS since the prior report;  
  • a statement of whether the current TOS defines enumerated categories of content;  
  • detailed descriptions of content moderation practices; and  
  • information on content flagged by the company as belonging to certain categories like hate speech, racism, extremism, harassment, and disinformation, disaggregated into certain specified categories.  

The California AG can seek a $15,000 fine per day a social media company fails to post a TOS, fails to timely submit its required reports, or materially omits or misrepresents material information in a report to the AG regarding its TOS. This law has been challenged on First Amendment grounds. The plaintiff’s request for a preliminary injunction was denied by the Eastern District of California, and at the time of writing in April 2024, the lawsuit is still underway. 

8. Privacy Policies

8.1. CCPA requirements

The CCPA, as discussed in further detail in the section on the CCPA above, requires covered businesses to provide consumers with specific and detailed information on the categories of information described below.

Under the CCPA Regulations, the CCPA requires that privacy policies or notices:

  • are printable;
  • are posted online and accessible through a conspicuous link using the word 'privacy' on the business's website homepage(s) or on the download or landing page of a mobile application, or, if a business does not operate a website, are otherwise made conspicuously available to consumers; and
  • include:
    • a comprehensive description of the business's online and offline information practices, which includes the following:
      • identification of the categories of personal information the business has collected about consumers in the preceding 12 months. The categories shall be described using the specific terms set forth in Cal. Civ. Code §§1798.140(v)(1)(A) to (K) (categories of personal information including identifiers, characteristics of protected classifications, commercial information, biometric information, and geolocation data) and Cal. Civ. Code §§1798.140(ae)(1) to (2) (sensitive personal information). To the extent that the business has discretion in its description, the business shall describe the category in a manner that provides consumers with a meaningful understanding of the information being collected;
      • identification of the categories of sources from which the personal information is collected;
      • identification of the specific business or commercial purpose for collecting personal information from consumers. The purpose shall be described in a manner that provides consumers with a meaningful understanding of why the information is collected;
      • identification of the categories of personal information, if any, that the business has sold or shared with third parties in the preceding 12 months. If the business has not sold or shared consumers’ personal information in the preceding 12 months, the business shall disclose that fact;
      • for each category of personal information, the categories of third parties to whom the information was sold or shared;
      • identification of the specific business or commercial purpose for selling or sharing consumers' personal information. The purpose shall be described in a manner that provides consumers with a meaningful understanding of why the information is sold or shared;
      • a statement regarding whether the business has actual knowledge that it sells or shares the personal information of consumers under 16 years of age;
      • identification of the categories of personal information, if any, that the business has disclosed for a business purpose to third parties in the preceding 12 months. If the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business shall disclose that fact;
      • for each category of personal information, the categories of third parties to whom the information was disclosed;
      • identification of the specific business or commercial purpose for disclosing the consumer's personal information. The purpose shall be described in a manner that provides consumers with a meaningful understanding of why the information is disclosed; and
      • a statement regarding whether the business uses or discloses sensitive personal information for purposes other than those specified in Cal. Code Regs. Title 11, §7027(m).
    • an explanation of the rights that the CCPA confers on consumers regarding their personal information, which includes all of the following:
      • the right to know what personal information the business has collected about the consumer, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom the business discloses personal information, and the specific pieces of personal information the business has collected about the consumer;
      • the right to delete personal information that the business has collected from the consumer, subject to certain exceptions;
      • the right to correct inaccurate personal information that a business maintains about a consumer;
      • if the business sells or shares personal information, the right to opt-out of the sale or sharing of their personal information by the business;
      • if the business uses or discloses sensitive personal information for reasons other than those set forth in Cal. Code Regs. Title 11, §7027(m), the right to limit the use or disclosure of sensitive personal information by the business; and
      • the right not to receive discriminatory treatment by the business for the exercise of privacy rights conferred by the CCPA, including an employee's, applicant's, or independent contractor's right not to be retaliated against for the exercise of their CCPA rights.
    • an explanation of how consumers can exercise their CCPA rights and what consumers can expect from that process, which includes all of the following:
      • an explanation of the methods by which the consumer can exercise their CCPA rights;
      • instructions for submitting a request under the CCPA, including any links to an online request form or portal for making such a request, if offered by the business;
      • if the business sells or shares personal information and is required to provide a notice of right to opt-out of sale/sharing, the contents of the notice of right to opt-out of sale/sharing, or a link to that notice in accordance with Cal. Code Regs. Title 11, §7013(f);
      • if the business uses or discloses sensitive personal information for purposes other than those specified in Cal. Code Regs. Title 11, §7027(m), and is required to provide a notice of right to limit, the contents of the notice of right to limit, or a link to that notice in accordance with Cal. Code Regs. Title 11, §7014(f);
      • a general description of the process the business uses to verify a consumer request to know, request to delete, and request to correct, when applicable, including any information the consumer must provide;
      • an explanation of how an opt-out preference signal will be processed for the consumer (i.e., whether the signal applies to the device, browser, consumer account, and/or offline sales, and in what circumstances) and how the consumer can use an opt-out preference signal;
      • if the business processes opt-out preference signals in a frictionless manner, information on how consumers can implement opt-out preference signals for the business to process in a frictionless manner;
      • instructions on how an authorized agent can make a request under the CCPA on the consumer's behalf;
      • if the business has actual knowledge that it sells the personal information of consumers under 16 years of age, a description of the processes required by Cal. Code Regs. Title 11, §§7070 and 7071; and
      • a contact for questions or concerns about the business’s privacy policies and information practices using a method reflecting the manner in which the business primarily interacts with the consumer.
    • the date the privacy policy was last updated.

8.2. CalOPPA requirements

The CalOPPA, as discussed in further detail in the section on online privacy, requires that privacy policies (Cal. Bus. & Prof. Code §22575(b)(1)–(4)):

  • identify the personally identifiable information categories the website or online service collects;
  • identify the categories of third parties with whom personally identifiable information is shared;
  • provide a description of the process, if the operator maintains one, by which consumers may review and request changes to the personally identifiable information that the website or online service collects;
  • describe the process the operator uses to notify consumers of privacy policy changes;
  • provide the policy's effective date; and
  • disclose how web browser 'do not track' signals are treated by the operator.

8.3. Shine the Light Law requirements

The Shine the Light law, as discussed above, requires businesses to add language to their websites covering 'Your Privacy Rights' or 'Your California Privacy Rights', and to provide certain notices and information to consumers in California if the businesses disclose the consumers' personal information to third parties for direct marketing purposes. Waivers of the Shine the Light law are unenforceable as against public policy.

If a company wants to avoid some of the more detailed disclosure obligations, it can seek consent from consumers via an opt-in or opt-out process up-front, i.e., before it starts sharing personal information, limit information sharing to transfers to data processors, or share only certain types of personal information and only with affiliated companies that use the same brand.

9. Data Disposal/Cybersecurity/Data Security

9.1. The CDPA

Any business that owns or retains California residents' personal information is subject to the California Data Protection Act of 2004 (CDPA) (Cal. Civ. Code §§1798.80-84). Under the CDPA, disposal of physical or electronic records containing personal information must be by (Cal. Civ. Code §1798.81):

  • shredding;
  • erasing; or
  • otherwise modifying the personal information to make it unreadable or undecipherable through any means.

Furthermore, covered businesses are obligated to contractually require non-affiliated third parties to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect it from unauthorized access, destruction, use, modification, or disclosure (Cal. Civ. Code §1798.81.5(c)).

The CDPA only prescribes how the records must be disposed of; it does not prescribe whether and when businesses must dispose of records. This is because the purpose of the CDPA is to ensure that discarded records do not contain personal information that could be used by identity thieves. Contractual waivers of rights are void.

9.2. Other Data Disposal Laws

In addition, CMIA §§56.10 and 56.101 require covered entities that create, maintain, preserve, store, abandon, destroy, or dispose of medical records to do so in a manner that preserves their confidentiality.

10. Other Specific Jurisdictional Requirements

10.1. Song-Beverly Credit Card Act

The Song-Beverly Credit Card Act (Cal. Civ. Code §§1747.08-1747.09) regulates credit cards and related transactions by prohibiting merchants from requesting or requiring personal identification information as a condition to accepting a credit card as payment, subject to certain exceptions. The act also dictates the type of debit and credit card information that can be printed on receipts. Civil penalties vary in amount and increase with every violation (to a maximum of $1,000). There is a safe harbor for companies to avoid penalties, which requires a showing that the violation was intentional and happened in spite of the maintenance of preventative procedures (Cal. Civ. Code §§1747.08–1747.09).

10.2. CCRAA

Furthermore, the CCRAA governs credit reporting conduct and consumer rights regarding access, use, and correction of credit reports for purposes of determining creditworthiness (Cal. Civ. Code §§1785.10-1785.19.5). The FCRA largely pre-empts, but does not completely pre-empt, the CCRAA.

The CCRAA also provides that a consumer credit reporting agency that owns, licenses, or maintains personal information about California residents or a third party that maintains that information on its behalf, is required to protect that information (Cal. Civ. Code §§1785.10-1785.19.5).

10.3. CFIPA

The CFIPA generally provides for the confidentiality of, and restricts access to, the financial records of people who transact business with, or use the services of, financial institutions, or for whom a financial institution has acted as a fiduciary. The purpose of the act is to clarify and protect the confidential relationship between financial institutions and their customers and to balance a citizen's right to privacy with the governmental interest in obtaining information for specific purposes and by specified procedures as set out in the act. Subject to certain exceptions, financial institutions must provide notice and (depending on the circumstance) either give the consumer the right to opt out or wait for the consumer to opt in through written consent (CFIPA §§4052.5 and 4053).

10.4. Data Breach Notification

California adopted a data breach notification statute, under Cal. Civ. Code §§1798.29, 1798.82, and 1798.84. The statute requires organizations to notify affected individuals of any unauthorized acquisition of unencrypted computerized data that contains California residents' personal information. This is in addition to any other specific notification obligations for data breaches contained in other statutes. AB 1130 for an Act to amend Cal. Civ. Code §§1798.29, 1798.81.5, and 1798.82 relating to information privacy, which became effective on January 1, 2020, expanded the definition of personal information under California's data breach notification statute. Personal information under California's data breach notification statute means either of the following:

  • an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
    • social security number;
    • driver's license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual;
    • account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
    • medical information;
    • health insurance information;
    • unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual; unique biometric data does not include a physical or digital photograph unless used or stored for facial recognition purposes;
    • information or data collected through the use or operation of an automated license plate recognition system, as defined in Cal. Civ. Code §1798.90.5; and
    • genetic data; and
  • a username or email address, in combination with a password or security question and answer that would permit access to an online account.

AB 1130 also encourages organizations that experience breaches of biometric data to provide affected individuals with instructions on how to notify other entities using the same biometric data as an authenticator to no longer rely on it for authentication purposes.

Finally, as outlined above in the section on the CCPA, California residents have the right to bring private actions against a business in the event of certain data security breaches resulting from the business' failure to implement and maintain reasonable security procedures and practices.

10.5. California Delete Act

California adopted the Delete Act in 2023 to regulate data brokers operating within California under Section 1798.99.82 of the California Civil Code. 'Data brokers' are defined as 'businesses that knowingly collect and sell to third parties, the personal information of a consumer with whom the business does not have a direct relationship.' The 'sale' of data under the Delete Act mirrors the definition under the CCPA and refers to the exchange of personal information for monetary or other valuable consideration. 

The Delete Act requires data brokers to register with the CPPA instead of the AG Office before January 31, 2024, and annually going forward. Data brokers are also required to disclose additional information in their registration, including whether they collect personal information of minors, precise geolocation, and/or reproductive health care data.

Additionally, data brokers will be required to do the following:  

  • July 1, 2024 (and every July 1 thereafter): Include metrics regarding the processing of CCPA requests in the data broker's website privacy policy: 
    • how many CCPA requests to know, delete, opt out of selling/sharing, and the right to limit the use/disclosure of sensitive personal information the data broker received, complied with in whole or in part, and denied during the previous calendar year; and
    • the median and mean number of days within which the data broker provided substantive responses to such requests during that calendar year.
  • January 1, 2026:  
    • process verified deletion requests submitted through the CPPA's mechanism within 45 days and treat any unverified deletion requests as opt-out requests (prohibiting the data broker from selling and sharing personal information about the consumer); 
    • purge all personal information relating to the consumer at least once every 45 days unless the consumer opts out or deletion is otherwise not required by the law; and 
    • after deletion, refrain from selling and sharing new personal information of the consumer unless expressly authorized by the consumer or otherwise permissible by law.  
  • July 1, 2026: Update metrics in the website privacy policy to include metrics relating to the CPPA’s deletion mechanism.  
  • January 31, 2027: Include metrics relating to the CPPA deletion mechanism when registering as a data broker. 
  • January 1, 2028 (and every 3 years thereafter): Undergo independent third-party audits to confirm compliance with the Delete Act, keep records of such audits for six years, and upon request from the CPPA, disclose such audit findings within five business days. 

The Delete Act includes exemptions where certain existing federal or state data privacy laws are already in place. In the case of the Delete Act, these include exemptions from the definition of a 'data broker' for entities regulated by the FCRA (consumer reporting agencies), GLBA, or IIPPA. Entities or business associates of covered entities processing 'medical information' under the CMIA, or 'protected health information' under HIPAA or the Health Information Technology for Economic and Clinical Health Act (HITECH), are also excluded. Companies that sell only 'publicly available' data are not subject to the new law, because such data is explicitly exempted from the CCPA definition of 'personal information.'  

Failure to register with the CPPA by January 31 each year and failure to comply with the CPPA deletion mechanism requirements will result in administrative fines. These penalties include a daily administrative fine of $200 for each day a data broker remains unregistered or a request goes unfulfilled. Furthermore, costs borne by the agency during the investigation and handling of such cases can be recouped, as determined by the court. 

The Delete Act's penalties work in tandem with existing penalties under the CCPA, which can range anywhere from $2,500 per non-intentional violation to $7,500 per intentional violation. This cumulative effect further underscores the importance of adherence to data privacy regulations in California.


  1. See Hill v. Nat'l Collegiate Athletic Ass'n, 26 Cal. Rptr. 2d 834, 842 (Cal. 1994).
  2. Ibid 857.
  3. See TBG Ins. Services Corp. v. Superior Court, 96 Cal. App. 4th 443, 449 (2002).
  4. See Cal. Civ. Code §§1798.100, 1798.130(a)(2), 1798.140(y), 1798.115(a), 1798.115(b), and 1798.130(a)(4).
  5. See Cal. Civ. Code §1798.105.
  6. Warranty and product recall language added by the enacted AB 1146 for An act to amend Sections 1798.105 and 1798.145 of the Civil Code, relating to privacy.
  7. See Cal. Civ. Code §§1798.120 and 1798.135.
  8. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party (Cal. Civ. Code §1798.140(t)(2)).
  9. Warranty and product recall language added by enacted amendment AB 1146.
  10. See Cal. Civ. Code §§1798.110 and 1798.130(a)(5)(B).
  11. The CCPA Regulations define 'Categories of third parties' as 'types or groupings of third parties with whom the business shares personal information, described with enough particularity to provide consumers with a meaningful understanding of the type of third party. They may include advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and data brokers.' (Cal. Code Regs. Title 11, §7001(f)).
  12. See Cal. Civ. Code §1798.125(a)(1).
  13. See Cal. Pen. Code, §632(a); see also Brown v. Defender Sec. Co., 2012 WL 5308964, at *3 (C.D. Cal. 2012).
  14. See Kearney v. Salomon Smith Barney Inc., 137 P.3d 914, 930–932 (Cal. 2006).
  15. The CPRA revises the deidentification standard in the CCPA and allows the AG's office to update the standard as appropriate (Cal. Civ. Code § 1798.140(m)). Specifically, 'deidentified' means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer, provided that the business that possesses the information: (a) takes reasonable measures to ensure that the information cannot be associated with a consumer or household; (b) publicly commits to maintain and use the information in a de-identified form and not to attempt to reidentify the information, except that the business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements set forth in §1798.140(m); and (c) contractually obligates any recipients of the information to comply with all provisions of §1798.140(m).
  16. To be determined pursuant to regulations adopted under Cal. Civ. Code §1798.185(a)(10).
  17. Negligent releases of medical information may include: (i) releasing medical information to a person without verifying the identity of the requestor; (ii) not properly securing physical files; and (iii) keeping medical information on an unsecure electronic system.
  18. See State of California v. Delta Air Lines, Inc., Case No. CGC-12-52674 (California Supreme Court, Complaint Filed 6 December 2012).