As the first state to enact a comprehensive consumer privacy law, California has privacy protections that are among the most robust in the US. Legislation like the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) makes it more incumbent than ever on companies that do business in the Golden State to use consumer data responsibly.
Wondering about the details of the CCPA, CPRA, and other California privacy laws? Keep reading for everything you need to know.
What is the California Consumer Privacy Act?
The California Consumer Privacy Act (CCPA) was signed into law in June 2018. A groundbreaking piece of legislation, it gives California residents a set of European-style data rights and imposes obligations on businesses pertaining to how they collect, use, or disclose Californians’ data. The CCPA creates specific notice and opt-out obligations for data sales, and California separately established a public registry of data brokers operating in the state.
What is the California Privacy Rights Act?
In November 2020, California voters approved the California Privacy Rights Act (CPRA) as a ballot proposition. Informally referred to as “CCPA 2.0,” it largely expands and amends the provisions set forth in the CCPA.
That said, the CPRA does include several new provisions not addressed in the CCPA. Most notably, the CPRA:
- Defines a new, specially protected category of personal information: “sensitive personal information” (SPI). SPI includes government-issued identifiers like Social Security numbers, precise geolocation, the contents of private communications, financial account numbers combined with access credentials, and health, biometric and genetic information. (California’s notion of SPI tracks in large part the “special category data” defined in GDPR Article 9.)
- Establishes the California Privacy Protection Agency to assume administrative oversight responsibilities from the state’s Office of the Attorney General. (The AG retains civil enforcement powers.)
- Strengthens existing rights and introduces new ones: to correct inaccurate or incomplete personal information, to limit the use and disclosure of SPI, to request information about automated decision-making along with the ability to opt out of it, and to opt out of data being “shared” with targeted-advertising and related analytics providers even when no money changes hands.
What Does “Personal Information” Mean?
Understanding what constitutes “personal information” is crucial to CCPA compliance. The term is expansive and covers any information that is used, or could reasonably be used, to identify an individual or their household, directly or indirectly. Like the GDPR’s “personal data”, California’s “personal information” covers real-world, online, mobile, linkable behavioral and demographic, and inferred characteristics that are collected, compiled or generated in a way that singles out a “consumer”. PI includes data like:
- Real names
- Email addresses, IP addresses, device IDs, device fingerprints and other unique identifiers
- Internet browsing and purchase histories
- Content views and interactions
- Uniquely attributable audiovisual, biometric and genetic information
The CCPA does not consider publicly available, de-identified or aggregated information to be “personal”. Public information includes details that can be obtained freely from local, state, or federal government records, such as professional licenses and property records. To qualify as de-identified or aggregated, data must go through a robust technical process to “ensure that the information cannot be associated with a consumer or household,” and the business must commit not to re-identify it. In practice, simply hashing an identifier does not meet that bar if the hash can still be joined back to a person.
The CPRA itemizes the SPI categories that the CCPA referred to but did not delineate, bringing a GDPR-like focus on inherently riskier processing that requires extra care. California “sensitive personal information” is itemized as:
- Government identification numbers (Social Security, driver’s license, state ID, passport)
- Account log-in credentials, and financial account, debit or credit card numbers combined with any required access code or password
- Precise geolocation
- Racial or ethnic origin
- Religious or philosophical beliefs, or union membership
- Contents of mail, email and text messages, unless the business is the intended recipient
- Genetic data, and biometric data processed to uniquely identify a consumer
- Health information
- Sex life or sexual orientation
- Inferences drawn from any of the above
As before, publicly available information is exempted.
What are My Rights Under the CCPA/CPRA?
The CCPA dictates that consumers have the right to:
- Know what personal information is collected and how it’s used
- Delete personal information, with certain stipulations
- Opt-out of the sale of their personal information
- Opt-in consent before the sale of personal information of consumers younger than 16 (parental consent for children under 13)
- Sue for statutory damages after a data breach that results from the business’s failure to implement reasonable security measures
- Remain free of discrimination and retaliation for exercising CCPA rights
The CPRA adds the following new rights and expansions to existing CCPA rights:
- Opting out of the sharing of personal information with providers of “cross-context behavioral advertising” services, even if the transfer is not a “sale”.
- Requesting personal information be transferred (ported) to another entity in a common format
- Obligatory forwarding of deletion requests to the business’s service providers, contractors, and any third parties to whom the data was sold or shared
- Removing the 12-month cap on look-backs when responding to consumer access requests, for data collected on or after January 1, 2022, unless doing so is impossible or would involve disproportionate effort (the CPRA renames the “right to know” to “right to access”)
- Opt-in consent for consumers younger than 16 cannot be re-requested for 12 months
- Expanding the private right of action (the ability for individuals to enforce certain violations through the courts, including through class action lawsuits) to cover breaches of an email address together with a password or security question that would permit access to the account
Which Companies Must Comply with the CCPA/CPRA?
Any for-profit entity that does business in California and collects consumers’ personal information falls under the CCPA, provided it meets at least one of the following thresholds:
- Has annual gross revenues above $25 million (revenue, not profit)
- Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices each year
- Derives 50% or more of its annual revenue from selling consumers’ personal information
The CPRA keeps those thresholds but raises the data-volume threshold to 100,000 consumers or households and adds “sharing” personal information to the revenue test.
When does my company need to comply with the CCPA/CPRA?
The CCPA was passed in June 2018 and officially took effect on January 1, 2020, so businesses must already comply with it. The CPRA’s amendments became operative on January 1, 2023, with agency enforcement beginning July 1, 2023, but because the CPRA’s expanded right to access reaches back to data collected on or after January 1, 2022, businesses should treat its obligations as live now.
What happens if my company is not in compliance with the CCPA/CPRA?
Companies that do not comply with California’s privacy laws are subject to financial penalties enforced by the California Privacy Protection Agency, which was created by the CPRA, as well as by the Attorney General. The CPRA keeps the CCPA’s two penalty tiers, assessed per violation:
- Up to $2,500 per unintentional violation
- Up to $7,500 per intentional violation, or per violation involving consumers younger than 16
Because penalties are counted per violation, a single misconfiguration that affects many consumers can compound quickly.
Other Privacy-Related Laws in California
California has several privacy laws that came before the CCPA and the CPRA, and continues to innovate privacy protections. Here’s what companies need to know.
Data Breach Law
California’s data breach notification law requires companies to notify affected California residents, in the most expedient time possible and without unreasonable delay, if their personal information is acquired by an unauthorized person.
Further, if a company must notify 500 or more California residents of a single breach, it must also submit a sample copy of the notification to the state Attorney General.
Anti-Spam Law
In California, it is illegal to send unsolicited commercial email advertisements. The state defines an advertisement as unsolicited when both of the following hold:
- The recipient has not given direct consent to receive it
- The recipient has no preexisting or current business relationship with the advertiser
California Online Privacy Protection Act (CalOPPA)
Passed in 2003 and effective in 2004, the California Online Privacy Protection Act (CalOPPA) requires commercial websites and online services that collect personal information from Californians to conspicuously post a privacy policy. A 2013 amendment added a requirement that the policy disclose how the site responds to “Do Not Track” browser signals and whether third parties may collect personal information about visitors across sites.
Shine the Light Law
Under this 2003 law, companies must tell consumers, on request, which categories of personal information they have disclosed to third parties for those third parties’ direct-marketing purposes, and who those third parties are. The obligation is triggered only when a consumer asks.
California Invasion of Privacy Act
The California legislature has made it illegal to record or intercept a confidential conversation unless everyone involved is aware of the recording and has consented. This applies to in-person and telephone conversations alike, which is why call-center recordings typically open with a consent announcement.
*New* Age-Appropriate Design Code Act
This 2022 law imposes several requirements on online products, services, and features that are likely to be accessed by children under 18. Among other provisions, it requires that privacy settings default to the highest level and that privacy policies use language children can understand. Its enforcement has been held up by litigation (NetChoice v. Bonta), so check the current status before building to it.
Final Thoughts
California’s consumer privacy protections are extensive, comprehensive and innovative. Understanding them all and how they apply is a big task for any company. But if you plan on doing business with California residents, you need to acquaint yourself with how these laws overlap. Nuances matter, so consult legal counsel where needed.
DataGrail helps you comply with the CCPA/CPRA, GDPR and more. Get in touch to find out how we can help you:
- Process privacy requests in minutes
- Automatically find & inventory personal data
- Achieve 100% ROI on privacy investment
Ready to make your business stand out? Find out more today.