California Data Law: Who Does It Affect?

when does claifornia data law apply

California has been at the forefront of data privacy laws since the early days of the modern internet. The state's privacy policy law initially focused on ensuring websites didn't deceive visitors by collecting data without a privacy notice. The California Consumer Privacy Act (CCPA) of 2018 was the first comprehensive consumer privacy law passed in the United States, giving consumers more control over their personal information.

The CCPA grants California residents several rights, including the right to know what personal data is being collected about them, whether their data is being sold or disclosed and to whom, the right to say no to the sale of their personal data, the right to access and delete their personal data, and the right to not be discriminated against for exercising their privacy rights.

The CCPA applies to for-profit businesses that do business in California and meet at least one of the following criteria:

- Have a gross annual revenue of over $25 million

- Buy, receive, or sell the personal information of 100,000 or more consumers or households

- Earn more than half of their annual revenue from selling consumers' personal information

In 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which amended and expanded the CCPA. The CPRA came into force on January 1, 2023, and applies to data collected starting January 1, 2022. The CPRA provides consumers with additional rights and applies to employment data. It also established the California Privacy Protection Agency (CPPA), which is responsible for implementing and enforcing the law.

Characteristics Values
Passed by California State Legislature
Signed into law by Governor of California, Jerry Brown
Date signed into law 28 June 2018
Effective date 1 January 2020
Amended by Proposition 24, California Privacy Rights Act (CPRA)
Amended date 1 January 2023
Applies to For-profit entities that collect consumers' personal data, do business in California, and satisfy at least one of the following thresholds: annual gross revenues of over $25 million; buy, receive, or sell the personal information of 100,000 or more consumers or households; earn more than half of their annual revenue from selling consumers' personal information
Does not apply to Nonprofit organisations or government agencies
Consumer rights Know what personal data is being collected about them; know whether their personal data is sold or disclosed and to whom; say no to the sale of personal data; access their personal data; request a business to delete any personal information about a consumer collected from that consumer; not be discriminated against for exercising their privacy rights
Business responsibilities Respond to consumer requests to exercise their rights; give consumers certain notices explaining their privacy practices; implement and maintain reasonable security procedures and practices in protecting consumer data; designate methods for submitting data access requests, including a toll-free telephone number; update privacy policies with newly required information, including a description of California residents' rights; avoid requesting opt-in consent for 12 months after a California resident opts out
Sanctions Companies, activists, associations, and others can be authorised to exercise opt-out rights on behalf of California residents; companies that become victims of data theft or other data security breaches can be ordered to pay statutory damages of between $100 and $750 per California resident and incident; a fine of up to $7,500 for each intentional violation and $2,500 for each unintentional violation

lawshun

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a state statute that enhances privacy rights and consumer protection for California residents. The CCPA was passed by the California State Legislature and signed into law by Governor Jerry Brown on June 28, 2018.

The CCPA gives consumers more control over their personal information and provides guidance on how to implement the law. It secures the following new privacy rights for California consumers:

  • The right to know about the personal information a business collects about them and how it is used and shared.
  • The right to delete personal information collected from them (with some exceptions).
  • The right to opt out of the sale or sharing of their personal information.
  • The right to non-discrimination for exercising their CCPA rights.
  • The right to correct inaccurate personal information that a business has about them.
  • The right to limit the use and disclosure of sensitive personal information collected about them.

The CCPA applies to for-profit businesses that do business in California and meet at least one of the following thresholds:

  • Have a gross annual revenue of over $25 million.
  • Buy, sell, or share the personal information of 100,000 or more California residents or households.
  • Derive 50% or more of their annual revenue from selling California residents' personal information.

The CCPA does not generally apply to nonprofit organizations or government agencies.

Businesses that are subject to the CCPA have several responsibilities, including responding to consumer requests to exercise their rights and providing certain notices explaining their privacy practices. They must also comply with the law's purpose limitation and data minimization rules. This means businesses must limit the collection, use, and retention of personal information to only those purposes that are reasonably necessary and proportionate to serve those purposes.

California residents can exercise their rights under the CCPA by submitting requests to businesses. Businesses are required to designate at least two methods for submitting requests, such as an email address, website form, or hard copy form. One of those methods must be a toll-free phone number, and if the business has a website, one method must be through its website.

The CCPA provides sanctions and remedies for violations, including civil class action lawsuits and fines for intentional and unintentional violations.

Contract Law: Where and How It Applies

You may want to see also

lawshun

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) is a state-wide data privacy bill that amends and expands the existing California Consumer Privacy Act (CCPA). The CPRA works as an addendum to the CCPA, strengthening data privacy rights for California residents, tightening business regulations on the use of personal information (PI), and establishing a new government agency for state-wide data privacy enforcement called the California Privacy Protection Agency (CPPA).

The CPRA was passed into law in the General Election of 2020 and came into effect on January 1, 2023, with a lookback period from January 1, 2022. Enforcement of the CPRA is scheduled to begin on July 1, 2023.

The CPRA establishes the California Privacy Protection Agency (CPPA) as the lead enforcer and supervisor of the CPRA/CCPA data privacy regime. It changes the definition of a business to exclude smaller businesses and include bigger businesses that generate large incomes from the collection, sharing and/or selling of Californians' personal information (PI).

The CPRA empowers California residents with four brand-new rights and modifies five existing rights. The four new rights are:

  • Right to correction: Users can request to have their PI and SPI corrected if it is inaccurate.
  • Right to opt out of automated decision-making: California residents can say no to their PI and SPI being used to make automated inferences, e.g. in profiling for targeted, behavioural advertisement online.
  • Right to know about automated decision-making: California residents can request access to and knowledge about how automated decision technologies work and what their probable outcomes are.
  • Right to limit the use of sensitive personal information: California residents can make businesses restrict their use of this separate category of personal information, particularly around third-party sharing.

The CPRA also makes a business responsible for how third parties use, share or sell personal information that the business collected in the first place. It adds GDPR-like provisions to the CCPA and expands the requirement for consent to cover more scenarios.

lawshun

Data brokers

California's new data broker law, S.B. 362, or the Delete Act, is a wide-reaching piece of legislation that regulates data brokers and could significantly alter the data-sharing ecosystem. The law was signed by California Governor Gavin Newsom on October 10, 2023, and represents a substantial overhaul of the state's existing data broker statute.

The key provisions of the Act include:

  • Registration Requirement: Data brokers must register annually with the California Privacy Protection Agency (CPPA) and pay a $400 fee. The CPPA has transitioned from the Attorney General's office, which previously handled registrations.
  • Accessible Deletion Mechanism: The CPPA must create a deletion mechanism that allows consumers to request the erasure of their personal information from all data brokers at once by January 1, 2026. Data brokers will be required to access this mechanism at least once every 45 days starting August 1, 2026, to process deletion requests.
  • Metrics on Consumer Rights Requests: Data brokers must disclose metrics on their responses to consumer rights requests, building on existing requirements for large businesses under the California Consumer Privacy Act (CCPA).
  • Audit Requirement: Beginning January 1, 2028, data brokers must undergo an audit by an independent third party every three years to ensure compliance with deletion requirements.
  • Penalties: The Act imposes a daily administrative fine of $200 for failure to register or respond to deletion requests, an increase from the previous fine of $100 per day.

The new law also includes exemptions for certain entities covered by specific legislation, such as the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Insurance Information and Privacy Protection Act.

The California Data Broker Law has significant implications for businesses that sell the personal information of California consumers, particularly those without a direct relationship with those consumers. It is essential for businesses to understand whether they qualify as data brokers under the Act and to comply with the registration and other requirements to avoid penalties.

lawshun

Consumer rights

The California Consumer Privacy Act (CCPA) was signed into law in 2018 and came into effect on January 1, 2020. It grants California residents six major rights:

  • The right to know: Consumers can request that a business disclose the categories of personal information collected about them, the sources of this information, the purpose for collecting it, and the categories of third parties with whom this information is shared or sold. This request can be made twice a year, free of charge.
  • The right to delete: Consumers can request that businesses delete their personal information, and instruct service providers to do the same, subject to certain exceptions (e.g., if the business is legally required to retain the information).
  • The right to opt out of the sale or sharing of personal information: Consumers may request that businesses stop selling or sharing their personal information, including via a user-enabled global privacy control. Businesses cannot sell or share this information after receiving an opt-out request unless the consumer authorizes them to do so again.
  • The right to correct: Consumers may ask businesses to correct inaccurate personal information.
  • The right to limit the use and disclosure of sensitive personal information: Consumers can direct businesses to only use their sensitive personal information (e.g., social security number, financial account information, precise geolocation data, or genetic data) for limited purposes, such as providing the services requested by the consumer.
  • The right to equal treatment: Businesses cannot discriminate against consumers for exercising their rights under the CCPA. They cannot make consumers waive these rights, and any contract provision stating otherwise is unenforceable.

In November 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which amended the CCPA and added new privacy protections that came into effect on January 1, 2023. The CPRA grants consumers two additional rights:

  • The right to correct inaccurate personal information: Consumers have the right to correct inaccurate personal information that a business has about them.
  • The right to limit the use and disclosure of sensitive personal information: Consumers gained the right to limit the use and disclosure of sensitive personal information collected about them.

lawshun

Compliance and penalties

Compliance with the California Consumer Privacy Act (CCPA) is required for for-profit businesses that do business in California, collect the personal data of Californians, or have it collected for them, and fit one or more of the following criteria:

  • Buys, sells, or shares the personal information of 100,000 people or households.
  • Creates 50% or more of their revenue through the sale or sharing of personal information.
  • Had $25 million in gross revenue in the preceding calendar year.

The CCPA gives consumers certain rights over the personal information businesses collect about them and requires businesses to inform consumers about how they collect, use, and retain their personal information. Consumers have the right to:

  • Know what personal data is being collected about them.
  • Know whether their personal data is sold or disclosed and to whom.
  • Say no to the sale of personal data.
  • Access their personal data.
  • Request a business to delete any personal information about a consumer collected from that consumer.
  • Not be discriminated against for exercising their privacy rights.

Businesses that are subject to the CCPA have several responsibilities, including responding to consumer requests to exercise their rights and giving consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.

The California Privacy Rights Act (CPRA) builds upon the CCPA, changing some items, adding others, and clarifying some questions around enforcement and who is covered by the law. The CPRA came into force on January 1, 2023, and also protects data collected starting January 1, 2022. The CPRA's initial enforcement date was July 1, 2023, but due to a legal challenge, it was pushed to March 29, 2024. However, on February 9, 2024, the California Privacy Protection Agency (CPPA) won its appeal, allowing for immediate enforcement of the initial CPRA regulations.

The penalties for non-compliance with the CPRA haven't changed much from the CCPA. The CPRA empowers the Attorney General, California's 62 district attorneys, and the CPPA to enforce the law. The penalties for non-compliance include:

  • $2500 per offense for negligent mistakes.
  • $7500 per offense for willful offenses.

Each person affected by a violation constitutes an offense, so fines can add up quickly, especially in cases of willful negligence. There is no grace period for compliance with the CPRA, unlike the CCPA, which offered a 30-day grace period.

Key Compliance Requirements

To comply with the CPRA, businesses must ensure that consumers can exercise their rights to control the collection and use of their personal data. This includes providing consumers with the following rights:

  • Right to Access, Deletion, and Correction: Consumers must be able to obtain, delete, and correct their personal information at any time. If they request deletion, businesses must also notify any third parties with whom the data has been shared.
  • Right to Object to Sale or Share: Consumers can prevent the sale or sharing of their information, and businesses must provide a "Do Not Sell or Share My Personal Information" link on their website.
  • Right to Opt-Out of Behavioral Profiling and Automated Decision-Making: Consumers can ask businesses to stop profiling and serving ads based on behavior and to not use automated decision-making for offers, products, or services.
  • Right to Object to the Use of Sensitive Personal Information: Consumers can stop businesses from using certain data, including data on race, religion, genetics, biometrics, sexual orientation, and the contents of communications. Businesses must provide a "Limit the Use of My Sensitive Personal Information" link for this purpose.
  • Right to Data Portability: If requested, businesses must transfer personal data to another organization in a structured, commonly used, machine-readable format.

In addition to these consumer rights, businesses must also abide by a set of "privacy principles" in their data-handling practices, including:

  • Purpose Limitation: Personal data can only be used for the purpose for which it was originally collected.
  • Protection of Children's Data: The CPRA tripled fines for violations associated with the data privacy of children under 16, and permission from a guardian is required for data collection.
  • Storage Limitation: Data should be deleted or destroyed once it has served its collected purpose.
  • Reasonable and Appropriate Security: Security measures for personal data must be appropriate based on the sensitivity of the data and the potential harm from unauthorized access.

To ensure compliance with the CPRA, businesses should appoint a responsible party to oversee compliance, establish a privacy compliance program, audit how personal information is collected and used, conduct training for employees, manage third-party relationships, and establish a means of managing consent.

Frequently asked questions

The California Consumer Privacy Act (CCPA) applies to for-profit businesses that do business in California and meet at least one of the following thresholds: annual gross revenues of over $25 million; buying, receiving, or selling the personal information of 100,000 or more consumers or households; or earning more than half of their annual revenue from selling consumers' personal information.

California residents have the right to know what personal data is being collected about them, whether their personal data is sold or disclosed and to whom, to say no to the sale of personal data, to access their personal data, and to request deletion of their personal information.

The CCPA applies to for-profit businesses that collect consumers' personal data, do business in California, and meet certain revenue or data handling thresholds. Nonprofit organizations and government agencies are generally exempt from the CCPA.

The penalties for non-compliance with the CCPA can include fines of up to $7,500 per violation, as well as the right for consumers to sue businesses in the event of a data breach. The California Privacy Protection Agency (CPPA) is responsible for enforcing the CCPA and can take legal action against non-compliant entities.

Written by
Reviewed by
Share this post
Print
Did this article help you?

Leave a comment