In 2018, California enacted the most comprehensive privacy law in the US, the California Consumer Privacy Act of 2018 (CCPA).  The CCPA applies to any for-profit entity that handles data from California residents and meets one of the following three criteria: (i) has an annual gross revenue of more than $25 million; (ii) processes the personal information of 50,000 or more California individuals, households, or devices annually; or (iii) derives 50 percent or more of its annual revenue from “selling” consumers’ personal information.¹

Key requirements of the CCPA include:

• informing consumers about the categories of information collected, and the purpose of collecting it;
• allowing consumers to opt out of any “sale” of personal information;
• disclosing the categories, sources, business purpose, and specific pieces of information collected about a consumer;
• providing specific notice to consumers on every Internet web page where personal information is collected; and
• responding to consumer requests to delete personal information – and directing third parties to do the same.²

The CCPA went into effect on January 1, 2020; while enforcement actions were delayed until July 1, 2020.³ CCPA requires the California Attorney General to solicit broad public participation and to adopt regulations to further the law’s purpose, establish procedures, and publish guidance to businesses on how to comply with the law. The Office of the Attorney General published numerous draft regulations, and issued its updated final draft regulations in August 2020.

In November 2020, California voters approved the California Privacy Rights and Enforcement Act (CPRA), which amends the CCPA, including with regards to: restrictions and obligations on “sharing” personal information; new limitations and obligations for service providers, provisions related to “sensitive personal information”, a new consumer right to “correct” and other clarifications of existing consumer rights; and establishing a new state privacy agency charged with implementation and enforcement of the statute.  The amendments enacted in the CPRA come into effect on January 1, 2023.

In addition to the CCPA, California law imposes a number of obligations on companies that collect information from California residents.  For example, the California Online Privacy Protection Act (CalOPPA) requires websites that collect personally identifiable information to conspicuously post and comply with a privacy policy.  Companies that do business in California must be sensitive to and ensure compliance with these laws.⁴

¹ Cal. Civ. Code § 1798.140(c).

² Id. § 1798.100 et seq.

³ Id. § 1798.185(c).

⁴ See Cal. Bus. & Prof. Code §§ 22575-22579.