California Consumer Privacy Laws
Your guide to understanding the key provisions and impact of California’s comprehensive consumer privacy legislation – including enforcement, consumer rights, and how to comply
As the first comprehensive consumer privacy legislation in the U.S., the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is having a profound impact on the privacy and data security landscape and changing the way companies do business. Save time and manage compliance risks with this analysis of California’s consumer privacy laws.
When the California Consumer Privacy Act (CCPA) was signed into law in 2018, it created an array of consumer privacy rights and business obligations related to the collection and sale of personal information. Less than a year after the CCPA went into effect, California voters approved the California Privacy Rights Act (CPRA), which amends the CCPA. As the first comprehensive consumer privacy laws in the U.S., the CCPA and CPRA set the standard for the way many businesses are approaching privacy and data security.
To help you navigate these significant changes to the data privacy landscape, below we provide answers to many of the most common questions about the CCPA and CPRA, covering enforcement, the rights provided to consumers, and who must comply.
What are the CCPA and CPRA?
The California Consumer Privacy Act (CCPA), signed into law on June 28, 2018, creates an array of consumer privacy rights and business obligations regarding the collection and sale of personal information. The CCPA went into effect Jan. 1, 2020.
The California Privacy Rights Act (CPRA), also known as Proposition 24, was a ballot measure approved by California voters on Nov. 3, 2020. It significantly amended and expanded the CCPA, and it is sometimes referred to as “CCPA 2.0.”
Where is the CCPA codified?
The CCPA is codified at Cal. Civ. Code § 1798.100 et seq.
Are there accompanying regulations?
Yes, the regulations are found at 11 CCR §§ 7000 et seq. The CCPA authorizes the California attorney general to adopt regulations pursuant to Cal. Civ. Code § 1798.185.
When did the CPRA take effect?
The CPRA took effect on Dec. 16, 2020, but most of the provisions revising the CCPA didn’t become “operative” until Jan. 1, 2023.
Does the CPRA replace the CCPA?
Not exactly. The CPRA is more accurately described as an amendment of the CCPA. The CPRA specifically states that it “amends” existing provisions of Title 1.81.5 of the California Civil Code (currently known as the CCPA) and “adds” new provisions (related to the establishment of the California Privacy Protection Agency).
Who enforces the CCPA and CPRA?
The CCPA vests the California attorney general with enforcement authority. Although the CPRA grants the California Privacy Protection Agency “full administrative power, authority, and jurisdiction to implement and enforce” the CCPA, the attorney general still retains enforcement powers. Cal. Civ. Code § 1798.199.90 provides that the California Privacy Protection Agency “may not limit the authority of the attorney general to enforce this title.”
When will enforcement of the CPRA begin?
Enforcement of the CPRA begins July 1, 2023, and enforcement will apply only to violations occurring on or after that date. It should be noted, however, that the CCPA’s provisions remain in effect and enforceable until that date. The first enforcement action of the CCPA was announced in August 2022.
What is the California Privacy Protection Agency?
The California Privacy Protection Agency is a new agency created by the CPRA, which is vested with “full administrative power, authority, and jurisdiction to implement and enforce” the CCPA.
When does the California Privacy Protection Agency assume rulemaking authority?
The CPRA transferred rulemaking authority from the California attorney general to the California Privacy Protection Agency effective April 21, 2022. Final CPRA regulations were originally due by July 1, 2022, but that deadline was extended. The formal rulemaking process has continued into 2023.
What rights do consumers have?
The CCPA created six specific rights for consumers:
- the right to know (request disclosure of) personal information collected by the business about the consumer, from whom it was collected, why it was collected, and, if sold, to whom;
- the right to delete personal information collected from the consumer;
- the right to opt out of the sale of personal information (if applicable);
- the right to opt in to the sale of personal information of consumers under the age of 16 (if applicable);
- the right to nondiscriminatory treatment for exercising any rights; and
- the right to initiate a private cause of action for data breaches.
The CPRA created two additional rights:
- the right to correct inaccurate personal information; and
- the right to limit use and disclosure of sensitive personal information.
Who is a ‘consumer’?
A consumer is a natural person who is a California resident, as defined in the state’s tax regulations, however identified, including by any unique identifier.
What is a consumer’s ‘personal information’?
The CCPA defines “personal information” as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, Social Security Number, driver’s license number, passport number, or other similar identifiers.
- Any categories of personal information described in Civ. Code § 1798.80(e).
- Characteristics of protected classifications under California or federal law.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information, defined as information that is not publicly available, personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Personal information does not include publicly available information, consumer information that is deidentified, or aggregate consumer information.
What is a consumer’s ‘sensitive personal information’?
Sensitive personal information (SPI) is a subset of personal information newly defined in the CPRA. SPI is personal information that reveals:
- a consumer’s Social Security, driver’s license, state identification card, or passport number.
- a consumer’s account login, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
- a consumer’s precise geolocation.
- a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership.
- the contents of a consumer’s mail, email, and text messages, unless the business is the intended recipient of the communication.
- a consumer’s genetic data.
SPI also includes:
- the processing of biometric information for the purpose of uniquely identifying a consumer.
- personal information collected and analyzed concerning a consumer’s health.
- personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
SPI that is publicly available shall not be considered sensitive personal information or personal information.
What constitutes a ‘sale’ of personal information?
The CCPA defines a “sale” as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
What does ‘sharing’ personal information mean?
The CPRA defines “sharing” as renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.
Who must comply with the CCPA and CPRA?
The CCPA imposes obligations on businesses, service providers, and third parties. The CPRA adds a fourth category: contractors.
Compliance for businesses
How is a ‘business’ defined?
The CPRA defines a “business” as a for-profit legal entity:
- that collects consumers’ personal information on its own or by others on its behalf;
- that alone or jointly with others determines the purposes and means of the processing;
- that “does business” in California; and
- that satisfies at least one of the following thresholds:
  - has annual gross revenues in excess of $25 million;
  - annually buys, receives, sells, or shares the personal information of 100,000 or more consumers or households; or
  - derives 50% or more of its annual revenues from selling consumers’ personal information.
What are the principal obligations of a business?
A business must:
- provide notice of consumer rights.
- honor consumer rights.
- fulfill disclosure and retention obligations.
- facilitate consumer requests.
- implement security safeguards.
Compliance for service providers
How is ‘service provider’ defined?
A “service provider” is an entity that receives personal information from or on behalf of a business and processes that personal information on behalf of a business pursuant to a written contract that prohibits any retention, use, or disclosure of the personal information other than as specified in the contract.
What are the principal obligations of a service provider?
A service provider must:
- use personal information only to perform services on behalf of a business as specified in a contract.
- comply with the terms of that contract.
- implement security safeguards.
- not combine personal information received from a given business with any personal information received from others.
- notify the business regarding its use of subcontractors, and those subcontractors must be contractually bound to the same terms as the service provider.
Compliance for third parties
How is ‘third party’ defined?
The CCPA defines a third party as a legal entity that does not meet the characteristics of a service provider or contractor and who receives personal information from the business.
What are the obligations of a third party?
A third party must:
- use personal information consistent with promises made at receipt.
- provide consumers notice of any new or changed practices.
- provide consumers with explicit notice of additional sales of personal information and provide consumers with the opportunity to opt out.
Compliance for contractors
How is ‘contractor’ defined?
Newly defined in the CPRA, a contractor is akin to a service provider, inasmuch as it is bound by the terms of a written contract that sets forth certain restrictions and prohibitions on the use of personal information. Unlike a service provider, however, the contractor must provide a “certification” that it understands all of those restrictions and prohibitions and that it will comply with them.
What are the principal obligations of a contractor?
A contractor must:
- use personal information only to perform services on behalf of a business as specified in a contract.
- comply with the terms of the contract.
- implement security safeguards.
- not combine personal information received from a given business with any personal information received from others.
- notify the business regarding its use of subcontractors, and those subcontractors must be contractually bound to the same terms as the contractor.
What are the consequences for noncompliance?
The CCPA provides for the following options for imposing liability in the event of noncompliance:
- Civil penalties – In actions by the California attorney general, businesses can face penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation (but there is an opportunity to cure any alleged violation within 30 days after receiving notice of the alleged violation).
- Damages – In actions brought by consumers for security breach violations, consumers may recover statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater. In actions for statutory damages, consumers must first provide businesses with written notice and an opportunity to cure.
- Nonmonetary relief – In actions brought by consumers for security breach violations, consumers may seek injunctive or declaratory relief, as well as any other relief the court deems proper.
- Businesses may also be subject to an injunction in actions brought by the attorney general.