The Definitive Guide to California Privacy Laws
The complexion of California privacy laws changed dramatically with the 2018 passing of the California Consumer Privacy Act (CCPA). As the first comprehensive privacy law in the US, the CCPA marked the dawn of a new age of privacy laws across the United States and led to other states introducing similar consumer privacy laws. The introduction of the CCPA has meant covered businesses are now required to operate under strict obligations as to how they handle, sell, and share the personal information of Californian residents, who themselves have been prescribed a number of rights relating to how their data is used.
In 2020, the California Privacy Rights Act (CPRA) was passed adding further obligations for businesses that sell or share personal information as well as additional rights for consumers. The CPRA will become effective on January 1, 2023 and will add to the current requirements set out under the CCPA.
In addition to the CCPA and the CPRA, there are a number of sectoral laws in California that cover the protection of personal information and the privacy of California residents including the Shine the Light law and the California Invasion of Privacy Act.
In this guide, we aim to deliver a complete look at privacy laws in California, how we got here and what’s next, as well as noting consumer rights under the CCPA, and explanations of other key terms.
Keep up-to-date with developments to California Privacy Laws: OneTrust DataGuidance California Consumer Privacy Act Portal
Table of Contents
- Timeline of California privacy laws
- Who does the CCPA apply to?
- What does ‘Personal information’ mean?
- What are Businesses and Service Providers under the CCPA?
- How does the CCPA define Children?
- What are my rights under the CCPA?
- Can businesses be fined for not complying with the CCPA?
- How does the CCPA compare with the CPRA
- Other Privacy Related Laws and bills in California
In October 2017, 16 months after the adoption of the GDPR, the initial ballot initiative for the CCPA was filed by Alastair Mactaggart, Rick Arney, and Mary Stone Ross. This ballot initiative contained the preliminary language of the CCPA. Two months later, Californians for Consumer Privacy were cleared to collect the required number of signatures to allow the initiative to appear on the ballot during the 2018 legislative session in California.
- October 12, 2017: The CCPA ballot initiative is filed
- December 18, 2017: Californians for Consumer Privacy are cleared to begin collecting petition signatures
Download the infographic: California Privacy Laws: The Key Dates
In February 2018, Senate Bill 1121 (SB 1121) was introduced to the California Senate Committee on Rules, eventually being approved by the California Senate, and subsequently referred to the California Assembly in May 2018. Californians for Consumer Privacy withdrew their ballot as part of a deal that saw SB 1121 being signed into law.
Governor Jerry Brown signed the CCPA into law on June 28, 2018. Shortly after, Governor Brown approved the first round of amendments to the CCPA which included clarifying the definition of personal information and revising some of the initial exemptions to the law.
- February 13, 2018: S.B. 1121 is introduced
- May 25, 2018: S.B. 1121 is passed with a vote of 5-2
- May 30, 2018: S.B. 1121 is approved by the California Senate
- June 25, 2018: The CCPA ballot initiative qualifies for the November 6, 2018, General Election ballot
- June 28, 2018: Governor Brown signs the CCPA into law following Californians for Consumer Privacy withdrawing their ballot initiative
- September 23, 2018: Governor Brown approves the first round of CCPA amendments
In January 2019, Gavin Newsom was sworn in as the Governor of California. Over the next nine months, several bills passed through the California Legislature amending the CCPA, until Governor Newsom signed the second set of amendments into law in October 2019. These amendments included changes to certain definitions, amendments to consumer notices, record-keeping, and consumer requests. Meanwhile, in September of the same year, Alastair Mactaggart announced the ballot initiative for the California Privacy Rights and Enforcement Act of 2020 (CPREA). Among other things, the CPREA would create a new classification for sensitive data and establish a California Privacy Protection Agency. The CPREA would later become the CPRA and on December 17, the California AG published the title and summary for the CPRA. The CPRA was opened for signatures from California residents in order to qualify for the November 2020 ballot.
- January 7, 2019: Governor Newsom is sworn in
- September 25, 2019: Alastair Mactaggart announces the CPREA ballot initiative
- October 2, 2019: Alastair Mactaggart submits the second draft of the CPREA ballot initiative
- October 11, 2019: Governor Newsom signs the second round of CCPA amendments into law
- December 17, 2019: California AG published the title and summary for the CPRA and is opened for California residents' signatures to qualify for the November 2020 ballot.
January 1, 2020 was a milestone moment for California privacy laws as the CCPA officially entered into effect, with covered entities given six months to become compliant before the enforcement date of July 1, 2020. A month later the California Attorney General’s Office (AG) issued the first set of modifications to the CCPA, with the second set of modifications issued in March 2020. These sets of modifications covered the removal of the ‘opt-out’ icon and modified many definitions set out in the original text. Also in March, the Coronavirus pandemic created a major impact on global business leading to many calling for a postponement in the enforcement date for the CCPA. However, these concerns were vetoed, and the July 1, 2020 enforcement date remained.
- January 1, 2020: CCPA goes into effect
- February 10, 2020: The AG issues first set of modifications to the proposed CCPA enforcement regulations
- March 11, 2020: The AG issues second set of proposed modifications to the CCPA
Californians for Consumer Privacy announced that they had secured the 900,000 signatures required for the CPRA to feature on the November ballot in May. In June, concerns were raised by Californians for Consumer Privacy over the timeliness of the verification of the signatures and on June 25, after counties were ordered to accelerate their verification efforts, the CPRA was officially certified to feature on the November ballot.
Enforcement of the CCPA began on July 1, 2020. At the time, the AG requested a review of the final proposed regulations be complete within 30 business days. In August, it was announced that the second set of CCPA regulations had been approved. In particular, the regulations included changes such as the deletion of the phrase ‘Do Not Sell My Info’ and the change of the terms ‘minors’ and ‘minor’ to ‘consumers’ and ‘consumer.’ A third set of proposed modifications to the regulations under the CCPA were issued by the AG for public comment in October. The proposed modifications introduce a provision stating that submitting requests to opt-out shall be easy for consumers to execute and require minimal steps to allow opt-out.
On November 4, 2020, the CPRA passed with 56% of the vote with an effective date of January 1, 2023. The CPRA would apply only to personal information collected after January 1, 2022.
Alistair Mactaggart highlighted at the time, “With tonight’s historic passage of Prop 24, the [CPRA], we are at the beginning of a journey that will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data. I’m looking forward to the work ahead and the next steps in implementing this law, including setting up a commission that is dedicated to protecting consumers online.”
- May 4, 2020: Californians for Consumer Privacy announce they can submit over 900,000 signatures to qualify the CPRA for the upcoming November ballot
- June 25, 2020: The CPRA ballot initiative is certified to appear on the November ballot
- July 1, 2020: Enforcement of the CCPA begins
- August 14, 2020: AG announces the second set of amendments to the CCPA regulations have been approved
- October 12, 2020: The third set of proposed modifications to the regulations under the CCPA are released for public comment
- November 4, 2020: The CPRA passes with 56% of the vote
A further, fourth set of proposed modifications to the regulations under the CCPA were launched for public consultation in December 2020 by the AG. The proposed modifications re-introduced the image of an opt-out button along with several stipulations for its use.
Some months later in March 2021, the California Attorney General announced the approval of additional regulations to the CCPA banning ‘dark patterns’ that delay or obscure the process for opting out of the sale of personal information and prohibited burdening consumers with confusing language or unnecessary steps, such as forcing them to click through multiple screens, or presenting reasons why they should not opt out.
Two days after the announcement of the additional CCPA amendments, the AG announced the establishment of the five-member board for the California Privacy Protection Agency (CPPA), which will oversee, implement, and enforce the CCPA as well as the CPRA.
- December 10, 2020: The AG issues fourth set of proposed modifications to CCPA regulations for public consultation
- March 15, 2021: The OAG announces approval of additional regulations to the CCPA
- March 17, 2021: The California Attorney General announces the establishment of the five-member board for the California Privacy Protection Agency
Download the infographic: California Privacy Laws: The Key Dates
The CCPA protects Californian consumers and requires businesses to meet certain obligations regarding the processing of personal information. A business is defined as a for-profit entity that determines the purpose and means of the processing of consumer's personal information, doing business in California. Under the CCPA, a business must also meet one of the following thresholds:
- has annual gross revenues in excess of $25,000,000;
- alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
- derives 50% or more of its annual revenues from selling consumers' personal information.
The territorial scope of the CCPA applies to companies ‘doing business in California’, however, this term is not explicitly defined in the official text of the CCPA. Furthermore, obligations imposed on businesses under the CCPA do not restrict a business's ability to collect or sell a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of California.
Commercial conduct is said to be taking place wholly outside of California if the business had collected that information while the consumer was outside of California, no part of the sale of the consumer's personal information occurred in California, and no personal information collected while the consumer was in California is sold.
The CCPA generally covers the processing of consumer personal information which is defined as any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means. Furthermore, some of the obligations under the CCPA refer to collecting or selling personal information.
- Collecting under the CCPA is "buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means."
- Selling includes "renting, disclosing, releasing, disseminating, making available, transferring, or otherwise communicating personal information for monetary or other valuable consideration."
Notably, when a business uses or shares with a service provider, the personal information of a consumer that is necessary to perform a business purpose this will not be said to be selling personal information as long as the following conditions are met:
- the business has provided notice of that information being used or shared in its terms and conditions; and
- the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.
There are a number of exemptions from the CCPA’s scope, these include:
- CCPA obligations do not apply to ‘aggregate consumer information’, which is defined as information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.
- ‘Deidentified’ information is also exempt from the scope of the CCPA. This is information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to an individual consumer. Businesses that use de-identified information should ensure there are technical and organizational measures in place to prevent reidentification.
- The scope of the CCPA specifically excludes the collection and sharing of certain categories of personal information, including:
- Employee data, including information collected from a person in the course of acting as an employee or job applicant;
- Medical information and protected health information that are covered by the Confidentiality of Medical Information Act and the Health Insurance Portability and Accountability Act;
- Information collected as part of a clinical trial;
- Sale of information to or from consumer reporting agencies;
- Personal information under the Gramm-Leach-Bliley Act;
- Personal information under the Driver's Privacy Protection Act;
- Publicly available personal information, defined as information that is lawfully made available from federal, state, or local government records.
- The CCPA also excludes several specific processing activities from the definition of "selling", including:
- where a consumer uses or directs a business to intentionally disclose personal information to a third party, via one or more deliberate interactions. "Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party";
- sharing an identifier that signals a consumer opted-out from selling data to a third-party;
- where a business shares personal information with a service provider that is necessary for a "business purpose" as defined in the CCPA; and
- where the business transfers the personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other similar transaction. However, if the third party alters how it uses the personal information in a manner that is inconsistent with the promises made at the time of collection, the right to opt-out still applies.
Read the Blog: 5 Steps to CCPA Compliance Checklist
The CCPA broadly defines personal information as any "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Furthermore, the CCPA clarifies that some categories of information are not always personal information, but can become personal information if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.
The CCPA provides specific categories of information that may be considered as personal information, which include, but are not limited to:
- identifiers e.g., real name, alias, postal address, email address, social security number, driver's license number, or other similar identifiers;
- commercial information e.g., records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming history;
- biometric information e.g., DNA, fingerprints, and iris scans. Note, the CCPA does not prescribe special conditions for this category of data;
- internet or other electronic network activity information e.g., browsing history, search history, and information regarding a consumer's interaction with a website;
- geolocation data;
- audio, electronic, visual, thermal, or similar information;
- professional or employment-related information;
- education information provided that it is not publicly available; and
- inferences drawn from any of the aforementioned information to create a profile about a consumer reflecting their preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
A covered business under the CCPA is a for-profit entity doing business in California that determines the purposes and means of the processing of consumers' personal information and bears similarities to the GDPR’s definition of a controller.
A service provider is a for-profit entity that processes information on behalf of a CCPA-covered business. A service provider is liable for civil penalties if it uses the personal information received from CCPA-covered businesses in violation of the CCPA.
Read the Blog: CCPA Compliance: Your Most Frequent CCPA Questions Answered
Although the CCPA does not explicitly define a child, it does outline specific obligations for businesses dealing with the data of minors. The CCPA outlines that minors between age 16 and 13 must provide opt-in consent for businesses to sell their personal information. Furthermore, a parent or guardian must affirmatively authorize the sale of the personal information of minors under 13.
The CCPA outlines several rights for consumers that help to raise awareness and greater control over how their data is processed, shared, or sold by covered businesses. The following consumer rights are provided for residents of California under the CCPA;
- Right to Know/Access
- Right to Delete
- Right to Opt-out of Sale
- Right to Non-Discrimination
There are additional rights afforded to consumers under the incoming CPRA – See ‘How does the CCPA compare with the CPRA’ section of this guide for further details.
Read the Blog: CCPA Do Not Sell Requirement
There are monetary penalties for covered businesses that are found to be non-compliant with the CCPA. These range from $2500 per unintentional violation to $7500 per intentional violation with no maximum penalty outlined by the law. Penalties for violations of the CCPA are assessed and recovered through civil action brought by the California Attorney General and issued in court.
Individuals are also provided with a cause of action to seek damages for CCPA violations but only those that are violations of security measures or data breaches. In the case of civil remedies, damages can range from $100 to $750 per consumer per incident or actual damages, whichever is greater. It is also important to note that civil remedies are only permitted in cases where non-encrypted or non-redacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of security obligations.
On March 17, 2021, the establishment of the five-member board for the California Privacy Protection Agency (CPPA) was announced. The board will oversee, implement, and enforce the CCPA and the CPRA, a role previously fulfilled by the California Attorney General.
The CPRA was passed on November 3, 2020 and will become operative January 1, 2023. Many of its provisions will be applicable to personal information collected from January 1, 2022. There are several key differences between the provisions of the CCPA and the CPRA as well as a number of new requirements under the CPRA that you should be aware of. There is also a new definition of consent that the CPRA introduces:
A (1) Freely Given, (2) Specific, and (3) Informed and Unambiguous indication of the consumer's wishes, such as by a Statement or by a Clear Affirmative Action, that signifies agreement to the processing of PI for a Narrowly defined particular purpose.
The tables below highlight some of these key differences side-by-side.
For-profit businesses that collect personal information from California residents, determines the purposes in California, and meet any of the following:
For-profit businesses that collect personal information from California residents, determines the purposes in California, and meet any of the following:
The following rights are afforded to consumers under the CCPA;
All rights under the CCPA, plus:
Covered Personal Information
|“Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.||Personal information, as well as “Sensitive Personal Information” which includes information such as SSN, driver license numbers, biometric information, precise geolocation, and racial and ethnic origin.|
|“Service Provider” – an entity that processes personal information on behalf of a business pursuant to a written contract.||Also includes “Contractor” – an entity ‘to whom a business makes available a consumer’s personal information for a business purpose pursuant to a written contract with the business|
Attorney General can pursue violations
Consumers have a private right of action for a breach of certain information
Businesses have a 30-day cure period before being fined for a violation by the AG
Creation of the California Privacy Protection Agency for enforcement and guidance
Consumers have a private right of action for a breach of certain information
Businesses no longer have a 30-day cure period before being fined for a violation by the CPPA
Sell vs. Share
|“Sell” – for monetary or other valuable consideration||
“Sell” – for monetary or other valuable consideration
“Share” – shared by a business to a third party for cross-context behavioral advertising for the benefit of a business where no money is exchanged
Private Right of Action
|Available when a consumer’s unredacted or unencrypted personal information has been breached due to a lack or maintenance of reasonable security measures.||In addition to unredacted and unencrypted personal information, a private right of action is available if an email address and password or security question and answer that would allow access to the account is breached.|
|N/A||Collection, retention, and use should be limited to what is necessary to provide goods or service.|
Personal Information of Minors
|N/A||Automatic $7,500 fine for a violation involving the personal information of minors|
Required Cybersecurity Audits
|N/A||Annual cybersecurity audit required for businesses whose processing presents a significant risk to consumer privacy or security|
Required Risk Assessments
|N/A||Businesses whose processing presents a significant risk to consumer privacy or security must submit a regular risk assessment to the CPPA|
Profiling and Automatic Decision Making
“Profiling” – any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person, such as work performance, health, reliability, etc.
Regulations are expected to give additional information on access and opt-out rights for the use of automated decision making
The following information is taken from the ‘California – Sectoral Privacy Overview’ Guidance Note authored by Robert Blamires, Michael Rubin, and Jennifer Howes of Latham & Watkins.
In California, a data breach notification statute was adopted, requiring organizations to notify affected individuals of any unauthorized acquisition of unencrypted computerized data that contains California residents' personal information.
Assembly Bill 1130 (‘AB 1130’) was passed on September 6, 2019, and expanded the definition of personal information under California's data breach notification statute to include, amongst other things unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, and used to authenticate an individual.
AB 1130 also encourages organizations that experience breaches of biometric data to provide affected individuals with instructions on how to notify other entities using the same biometric data as an authenticator to no longer rely on it for authentication purposes.
While CalOPPA does not prohibit online tracking, it does include specific disclosure requirements for "do not track" mechanisms and online behavioral tracking across third party websites. CalOPPA also applies to a broad interpretation of online services, which includes mobile applications, the California Attorney General has stated that the term “covers any service available over the internet or that connects to the internet, including internet-enabled gaming platforms, voice over-internet protocol services, cloud services and mobile applications.”
Under CalOPPA, personally identifiable information includes information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:
- a first and last name;
- a home or other physical address, including street name and name of a city or town;
- an email address;
- a telephone number;
- a social security number;
- any other identifier that permits the physical or online contacting of a specific individual; and
- any information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with any identifier
The Shine the Light Law addresses the practice of sharing personal information with third parties who the business knows or reasonably should know will use the personal information for their direct marketing purposes. Business is not defined under the law, resulting in a scope broad enough to include businesses in other US states and other countries. Certain companies are exempt from the Shine the Light Law, such as businesses with fewer than 20 employees and financial institutions that are subject to the California Financial Information Privacy Act (CFIPA).
The Shine the Light law broadly defines 'personal information' as any information that, at the time of disclosure, identified, described, or was able to be associated with an individual, including, but not limited to, names and addresses, email addresses, and dates of birth.
The Shine the Light law specifies that, if a customer, who is a California resident, requests businesses must inform them of:
- the categories of personal information disclosed; and
- the names and addresses of all of the third parties to whom the business disclosed that customer's personal information for direct marketing purposes during the preceding calendar year. If the nature of the third party's business cannot be reasonably be determined from the third party's name, the business must provide of products or services marketed to give a reasonable indication of the nature of the third party’s business
Requests must be responded to within 30 days, but businesses are not required to comply with more than one request from a customer per calendar year.
Alternatively, businesses may comply with the Shine the Light Law by adopting a policy of not disclosing personal information of customers to third parties for their direct marketing purposes: (i) unless the customer first affirmatively agrees to that disclosure; or (ii) if the customer has exercised an option that prevents the information from being disclosed to third parties.
Under the Shine the Light Law, businesses are also required to do at least one of the following:
- notify all employees of the designated contact information by which customers may submit requests; or
- make the designated contact information available to the customer upon request at every place of business in California where there is regular contact with customers
The California Invasion of Privacy Act (CIPA) grants individuals in California certain protections over telephone communications, both landlines and mobile, prohibiting companies, individuals, and government agencies from acts, including, but not limited to:
- eavesdropping, and recording confidential communications without the consent of all parties
- recording cell phone communications without the consent of all parties
- the monitoring or recording of conversations in a subscriber's residence or the sharing of individually identifiable information on subscriber viewing habits or other personal information without written consent by cable and satellite TV operators
- the use of electronic tracking devices
In respect to landline calls, individuals must have a reasonable expectation of privacy in the communication before the caller may be held liable under the CIPA. However, for individuals using cellular or mobile telephones, strict liability applies. Calls made to or by California residents by both business and individuals, whether or not the caller is located in California, are subject to the CIPA.
Enforcement of the CIPA is delivered through criminal penalties, either a misdemeanor or a felony, depending on the number (if any) of prior offenses. For first-time violators, the fine is $2,500, but for repeat offenders, the maximum fine is $10,000. Any offender, whether first-time or repeat, can also face imprisonment. The CIPA also provides a private right of action in civil lawsuits with damages of $5,000 per violation or treble actual damages, whichever is greater.
Further Resources for California Privacy Laws:
- OneTrust DataGuidance Guidance Note: California – CCPA
- OneTrust DataGuidance Guidance Note: California – Sectoral Privacy Overview
- OneTrust DataGuidance Video: California Overview
- OneTrust Blog: Your CPRA Questions Answered
- OneTrust DataGuidance Video: Thought Leaders in Privacy: Alexandra Ross
- OneTrust Infographic: CDPA vs CCPA: Comparing US Privacy Laws
Next steps for California Privacy Laws:
- Get Started: OneTrust DataGuidance California Consumer Privacy Act Portal
- OneTrust Solutions: OneTrust for CCPA
- OneTrust Solutions: OneTrust CPRA Solutions