California State Data Privacy Laws: Overview
Throughout 2024, we will highlight states that have enacted their own data privacy laws and summarize the most salient facts here on our blog. The first state we are highlighting is California, as it has been leading the charge in developing privacy standards.
California passed the California Consumer Privacy Act (“CCPA”) in 2018 which went into effect on January 1, 2020. The CCPA was amended in 2020 by the California Privacy Rights Act (“CPRA” Proposition 24) which became effective on January 1, 2023. Here are links to the California legislative information for the CCPA and the CPRA.
The CCPA applies to:
A for-profit business that conducts business in California, and meets any of the following:
- Has annual gross revenue greater than $25 million; or
- Annually buys, sells or shares the personal information of 100,000 or more California consumers or households; or
- Derives 50% or more of its annual revenue from selling or “sharing” the personal information of California consumers.
Relevant businesses under the CCPA/CPRA must adhere to several consumer rights requirements to ensure compliance including:
- Right to Know (Access)
- Right to Correction
- Right to Portability
- Opt-out of the Sale or Sharing of Personal Data
- The Right to Limit
- Right of erasure
- Right not to be discriminated against
Who enforces the laws:
- California Attorney General
- California Privacy Protection Agency
Fines:
Under the CPRA, penalties for non-compliance can range up to $2,500 per violation and up to $7,500 per intentional violation or violation involving minors.
Consumers may bring a private right of action against a business in the event of a data breach involving information that identifies, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a specific consumer or household.
Tips for Marketers to Comply with CCPA and CPRA
- Conduct a comprehensive audit of data practices to align with CCPA and CPRA requirements.
- Review vendor contracts and third-party partnerships for CCPA and CPRA compliance.
- Update privacy policies and notices to reflect data handling practices accurately.
- Implement robust data security measures to prevent unauthorized access.
- Train employees on CCPA and CPRA compliance, particularly those handling consumer data.
- Establish at least two methods for consumers to exercise their rights under the CCPA.
- Respond to consumer Access and Deletion requests within 45 days (can extend another 45 days if the consumer is notified).