California Privacy Law Overview

California has established itself as the national leader in consumer privacy protection. With the California Consumer Privacy Act (CCPA) and its expansion through the California Privacy Rights Act (CPRA), the Golden State offers consumers the strongest privacy rights in the United States. These comprehensive laws fundamentally change how businesses collect, use, and share personal information.

California's privacy framework has become the de facto standard for privacy compliance nationwide, with many businesses adopting California's requirements across all states to ensure consistent compliance. Understanding and navigating these complex regulations requires specialized legal expertise.

Key California Privacy Legislation

California Consumer Privacy Act (CCPA)

Effective January 1, 2020, the CCPA was the first comprehensive consumer privacy law in the United States. It grants California residents significant rights over their personal information and imposes substantial obligations on businesses.

CCPA: Quick Overview

  • Effective Date: January 1, 2020
  • Applies To: For-profit businesses meeting threshold criteria
  • Coverage: Personal information of California residents
  • Enforcement: California Attorney General and private right of action for data breaches
  • Maximum Penalties: $7,500 per intentional violation, $2,500 per unintentional violation

California Privacy Rights Act (CPRA)

Passed in November 2020 and effective January 1, 2023, the CPRA significantly expands CCPA protections. It creates new consumer rights, adds business obligations, establishes the California Privacy Protection Agency (CPPA) as a dedicated enforcement body, and introduces stricter requirements for sensitive personal information.

CPRA: Major Enhancements

  • New right to correct inaccurate personal information
  • New right to limit use and disclosure of sensitive personal information
  • Stricter requirements for automated decision-making
  • Enhanced protections for children under 16
  • Creation of California Privacy Protection Agency (CPPA)
  • New "lookback" period of 12 months for data requests
  • Expanded definition of "sharing" to include cross-context behavioral advertising

Other California Privacy Laws

  • Confidentiality of Medical Information Act (CMIA): Protects healthcare privacy beyond HIPAA
  • California Online Privacy Protection Act (CalOPPA): Requires privacy policies for websites
  • Shine the Light Law: Requires disclosure of personal information shared for marketing
  • California Consumer Records Act: Governs data breach notifications
  • California IoT Security Law: Mandates reasonable security for connected devices

Who the Laws Apply To

The CCPA/CPRA applies to for-profit businesses that do business in California and meet one or more of these thresholds:

Business Thresholds

  • Annual gross revenues exceeding $25 million
  • Buy, sell, or share personal information of 100,000+ California residents or households annually
  • Derive 50%+ of annual revenues from selling or sharing consumers' personal information

Coverage

  • All California residents
  • Applies regardless of where the business is located
  • Covers online and offline data collection
  • Includes service providers and contractors

The laws protect "personal information," broadly defined as information that identifies, relates to, describes, or could reasonably be linked with a California resident or household.

Consumer Rights Under California Law

California residents have extensive rights regarding their personal information:

1. Right to Know

Consumers can request:

  • What personal information a business has collected
  • Categories of sources from which information was collected
  • Business or commercial purpose for collection or sale
  • Categories of third parties with whom information is shared
  • Specific pieces of personal information collected

2. Right to Delete

Consumers can request deletion of personal information collected from them, subject to certain exceptions for legal compliance, security, and business operations.

3. Right to Opt-Out

Consumers can opt out of:

  • Sale of personal information to third parties
  • Sharing of personal information for cross-context behavioral advertising

Businesses must provide a clear "Do Not Sell or Share My Personal Information" link on their homepage.

4. Right to Correct

Under CPRA, consumers can request correction of inaccurate personal information.

5. Right to Limit Use of Sensitive Personal Information

Consumers can limit a business's use of their sensitive personal information to only what's necessary to perform requested services.

6. Right to Non-Discrimination

Businesses cannot discriminate against consumers for exercising their privacy rights, including by:

  • Denying goods or services
  • Charging different prices or rates
  • Providing different quality of goods or services
  • Suggesting consumers will receive different prices or quality

7. Right to Opt-In for Minors

Businesses must obtain opt-in consent before selling or sharing personal information of consumers under 16.

Business Obligations

California privacy laws impose comprehensive obligations on covered businesses:

Transparency Requirements

  • Maintain comprehensive, accessible privacy policies
  • Provide notices at collection explaining data practices
  • Disclose categories of personal information collected and purposes
  • Update privacy policies at least annually
  • Provide clear opt-out mechanisms

Consumer Request Procedures

  • Establish methods for submitting requests (toll-free number, website, email)
  • Verify consumer identities before responding
  • Respond to requests within 45 days (with 45-day extension if needed)
  • Provide information free of charge (up to twice per 12-month period)
  • Maintain records of requests and responses

Security and Data Protection

  • Implement reasonable security procedures and practices
  • Maintain security measures appropriate to the nature of information
  • Protect against unauthorized access, destruction, use, or disclosure
  • Implement cybersecurity controls and incident response plans

Sensitive Personal Information

CPRA defines sensitive personal information requiring special handling:

  • Social Security, driver's license, state ID, passport numbers
  • Account credentials and passwords
  • Precise geolocation
  • Racial or ethnic origin, religious beliefs, union membership
  • Mail, email, text messages (unless the business is the intended recipient)
  • Genetic data, biometric information for identification
  • Health information, sex life, or sexual orientation

Vendor Management

  • Execute contracts with service providers and contractors
  • Ensure third parties comply with CCPA/CPRA requirements
  • Monitor and audit vendor compliance
  • Implement provisions prohibiting further data use or sharing

Data Minimization and Purpose Limitation

Under CPRA, businesses must:

  • Collect personal information only for disclosed purposes
  • Not collect additional categories without updating notices
  • Retain information only as long as reasonably necessary
  • Implement data retention and deletion policies

Penalties and Enforcement

Administrative Penalties

The California Attorney General and California Privacy Protection Agency can impose civil penalties:

  • Unintentional violations: Up to $2,500 per violation
  • Intentional violations: Up to $7,500 per violation
  • Children's violations: Tripled penalties for violations involving minors under 16

Private Right of Action

California consumers can sue businesses directly for data breaches involving specific categories of personal information:

  • Covered information: Unencrypted/unredacted name combined with SSN, driver's license, financial account information, medical information, health insurance information, biometric data, or account passwords
  • Damages: $100 to $750 per consumer per incident, or actual damages (whichever is greater)
  • Requirement: 30-day cure period before filing suit
  • Class actions: Permitted for data breach claims

California Privacy Protection Agency (CPPA)

Created by CPRA, the CPPA has broad enforcement powers including:

  • Investigating potential violations
  • Issuing administrative fines and penalties
  • Conducting audits of businesses
  • Promulgating regulations and guidance
  • Bringing enforcement actions
  • Coordinating with other agencies

Recent Enforcement Actions

California has actively enforced privacy laws with significant settlements:

  • Sephora (2022): $1.2 million for failing to process opt-out requests and disclose data sales
  • DoorDash (2023): Settlement for sale of consumer data without opt-out notice
  • Major retailers and tech companies: Multiple investigations ongoing
  • Dark patterns: Enforcement against deceptive opt-out interfaces

Recent Developments and Future Changes

2024-2025 Updates

  • Expanded CPPA regulations: New rules on automated decision-making, risk assessments, and cybersecurity audits
  • Delete Act: Proposed legislation for one-stop data deletion from data brokers
  • AI and automated decision-making: Enhanced transparency and opt-out rights
  • Children's privacy: Age-appropriate design code requirements for online services
  • Employee and B2B data: Privacy protections extended to employee and business contact information
  • Biometric information: Stricter regulations on collection and use

California Age-Appropriate Design Code (AADC)

Effective July 2024, this law requires businesses whose online services are likely to be accessed by children to:

  • Conduct data protection impact assessments for online services
  • Configure default privacy settings to high privacy for child users
  • Avoid using children's personal information in harmful ways
  • Provide age-appropriate privacy information
  • Not use dark patterns to manipulate children

Proposed Federal Preemption

California privacy advocates closely monitor federal privacy legislation that could preempt state laws, potentially weakening California's strong protections.

Common California Privacy Issues

For Businesses:

  • Request volume management: High volumes of consumer requests requiring dedicated response systems
  • Third-party compliance: Ensuring vendors and partners comply with requirements
  • Data mapping challenges: Identifying all personal information flows across systems
  • Sale vs. sharing determinations: Determining whether activities constitute "sale" or "sharing"
  • Cookie consent and tracking: Implementing compliant consent mechanisms
  • Cross-border data transfers: Managing international data flows
  • Discriminatory pricing: Balancing incentive programs with non-discrimination requirements
  • Service provider contracts: Negotiating compliant agreements with all vendors

For Consumers:

  • Ignored or delayed requests: Businesses failing to respond within legal timeframes
  • Difficult opt-out processes: Dark patterns making it hard to exercise rights
  • Incomplete responses: Businesses providing insufficient information
  • Retaliation: Different treatment after exercising privacy rights
  • Data breach harm: Identity theft and fraud following security incidents
  • Unauthorized data sales: Personal information sold without knowledge or consent

How California Privacy Attorneys Can Help

For Businesses:

  • Compliance program development: Design comprehensive CCPA/CPRA compliance frameworks
  • Privacy policy drafting: Create legally compliant privacy notices and policies
  • Data mapping and inventory: Document personal information flows and systems
  • Risk assessments: Conduct privacy impact assessments and identify vulnerabilities
  • Vendor contract review: Draft and negotiate service provider agreements
  • Request response procedures: Establish systems for handling consumer rights requests
  • Training and education: Provide staff training on privacy compliance
  • Investigation response: Represent businesses in CPPA or Attorney General investigations
  • Enforcement defense: Defend against enforcement actions and penalties
  • Breach response: Coordinate data breach response and notifications
  • Strategic counsel: Advise on privacy-by-design and competitive advantages

For Consumers:

  • Rights enforcement: Compel businesses to honor data requests
  • Data breach litigation: File individual or class action lawsuits for breaches
  • Discrimination claims: Challenge retaliatory or discriminatory treatment
  • Attorney General complaints: File formal complaints with enforcement agencies
  • Demand letters: Send legal demands to non-compliant businesses
  • Settlement negotiation: Negotiate compensation for privacy violations
  • Identity theft assistance: Help address breach-related identity theft

Specialized California Privacy Services:

  • Cross-border data transfer compliance (GDPR, CPRA, etc.)
  • Advertising technology privacy compliance
  • IoT device privacy-by-design consulting
  • Healthcare privacy (HIPAA + CMIA coordination)
  • Children's privacy compliance (COPPA + AADC)
  • AI and machine learning privacy compliance
  • Employment data privacy programs
  • Financial services privacy (GLBA + CCPA/CPRA)

Need a California Privacy Attorney?

Whether you're a business navigating CCPA/CPRA compliance or a California consumer whose privacy rights have been violated, our network of specialized California privacy attorneys can provide expert guidance.
