Support Centre

California

Summary

Law: California Consumer Privacy Act of 2018 (last amended in 2020) ('CCPA') as amended by the California Privacy Rights Act of 2020 ('CPRA'), (consolidated version available here) ('CCPA as amended')

Regulator: The California Privacy Protection Agency ('CPPA') 

Summary: The right to pursue and obtain privacy is specifically protected by the California Constitution. California was the first US State to introduce a comprehensive data privacy law: the California Consumer Privacy Act of 2018 (last amended in 2020) (CCPA), which entered into effect on January 1, 2020. The CCPA creates obligations for businesses and provides certain rights for consumers, such as the right of access, the right of deletion, and the right to opt out of the sale of their personal information. The CCPA was subsequently amended by the California Privacy Rights Act of 2020 (CPRA) which introduced new requirements associated with data sharing, sensitive data, and contractors' and service providers' responsibility. The CPRA also enhanced existing rights and created new consumer rights, including a right to correction, an expanded right to access, and additional disclosure and transparency requirements. A consolidated version of the CCPA amended by the CPRA (CCPA as amended) is available here. The CPPA also published the California Consumer Privacy Act Regulations (the revised CCPA Regulations) which became effective on March 29, 2023.

In addition to the CCPA as amended, §1798.82 of the California Civil Code stipulates that businesses that own or license computerized data that includes personal information must disclose a breach of the security of the system to any affected Californians and, if data of more than 500 residents was breached, to the Attorney General.

Other key privacy laws in California include the California Online Privacy Protection Act, the Shine the Light Law, the California Invasion of Privacy Act, and the recently enacted California: Age-Appropriate Design Code Act which entered into effect on July 1, 2024.

You can follow legislative developments in the US through the USA State Law Tracker.

News

Insights

October 2024

California: The AI Transparency Act – what you need to know

On September 19, 2024, the California AI Transparency Act (the Act) was signed into law by the California Governor. The Act follows in the steps of other US states that have developed laws requiring transparency in the use of artificial intelligence (AI). The Act, however, is unique in that it has specific watermarking requirements. In this Insight article, OneTrust DataGuidance breaks down the key provisions of the Act and who it applies to, with comments provided by Jacob Canter, Counsel at Crowell & Moring LLP, and Lily Li, Founder of Metaverse Law Corporation.

June 2024

California: Strategies for apps and websites to avoid claims under CIPA

Amid little clarity from courts, wiretap claims targeting the use of data analytics tools on websites are becoming increasingly common. Timothy J. Toohey and Alexis S. Anderson, from Greenberg Glusker Fields Claman & Machtinger LLP, discuss the background of such claims under the California Invasion of Privacy Act (CIPA) and provide best practices for staying compliant to avoid costly litigation.

February 2024

California: The draft ADMT rules - top takeaways

California is on the verge of shaking up the privacy space again with rules on automated decision-making technology (ADMT). On February 23, 2024, California's dedicated privacy law enforcement agency, the California Privacy Protection Agency (CPPA), released an updated draft of ADMT rules that builds on the Agency's December 2023 draft. Josh Hansen, Associate at Shook, Hardy & Bacon L.L.P., outlines the key points of the rules, their scope, and their requirements.

December 2023

California: An overview of the latest proposed amendments to the CCPA Regulations

On December 1, 2023, the California Privacy Protection Agency (CPPA) unveiled Proposed Revisions to the California Consumer Privacy Act (CCPA) regulations (the Proposed Revisions). The Proposed Revisions build on the CCPA regulations finalized on March 29, 2023, which operationalized the CCPA as amended by California Privacy Rights Act (CPRA) (collectively the CCPA as amended). The Proposed Revisions make amendments to the definition of sensitive personal information, monetary thresholds and fines, consent architecture, and third-party disclosures. In this Insight article, OneTrust DataGuidance breakdowns the key aspects of these Proposed Revisions and their implications. 

November 2023

California: Overview of the DELETE Act

California's Senate Bill 362 for an act relating to data brokers (DELETE Act) was signed into law by Governor Gavin Newsom on October 10, 2023. Once it goes into effect in 2026, the DELETE Act will require registered data brokers to comply with deletion requests made by California residents through a single, universally adopted deletion mechanism that will be developed by the newly formed California Privacy Protection Agency (CPPA). This deletion mechanism will allow California residents to delete their information with all registered data brokers through a single mechanism (instead of being required to submit a deletion request with each data broker individually). The DELETE Act will be enforced by the CPPA, which also has enforcement authority under California's comprehensive privacy law (that applies to all California businesses of a certain size, regardless of whether they are data brokers).

In this Insight article, Kirk Nahra, Ali Jessani, and Roma Gujarathi, from Wilmer Cutler Pickering Hale and Dorr LLP, provide a breakdown of the law's applicability, key definitions, and key provisions.

August 2023

California: CPPA publishes draft regulations on DPIAs - what do you need to understand and take action on?

The California Privacy Protection Agency (CPPA) has released suggested draft regulations for discussion by the CPPA board before its scheduled meeting on September 8, 2023. These draft regulations address both cybersecurity audit regulations and risk assessment regulations, the latter generally known as Data Protection Risk Assessment or Data Protection Impact Assessment (DPIA). While this is only a draft for discussion, certain sections have been distinctly marked as open "for additional discussion." Notwithstanding the preliminary nature of the document, the general approach and direction of these regulations are evident.

In this Insight article, Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, provides an in-depth exploration of the draft DPIA draft regulations.

June 2023

International: Privacy implications for organizations using generative AI

The use of generative artificial intelligence (AI) and large language models (LLMs) has grown exponentially in recent years. In this article, Lily Li, Founder of Metaverse Law, discusses the latest privacy and security risks from generative AI and LLMs, a few of the existing privacy laws that apply to these technologies, and the potential for algorithmic disgorgement or deletion in response to privacy violations.

May 2023

California: Operationalizing CPRA - sensitive personal information

On July 8, 2022, the California Privacy Protection Agency (CPPA) began the formal rulemaking process to update the California Consumer Privacy Act (CCPA) regulations to operationalize new rights and concepts the California Privacy Rights Act (CPRA) introduced. The Board of the CPPA voted to adopt and approve the CPPA's rulemaking package, including the revised CCPA regulations on February 3, 2023, and the CPPA filed its rulemaking package with California's Office of Administrative Law for review on February 14, 2023.

Part one of this series, Operationalising CPRA, discussed how the CPRA changes consumer rights, part two of this series explored the scope of the CCPA as amended by the CPRA, and part three of this series focused on some of the considerations for businesses in regards to vendors. In part four of this series, Shelby Dolen & TK Lively, from Husch Blackwell LLP, examine how the CCPA, as amended by the CPRA, treats sensitive personal information and the compliance challenges businesses need to consider.

May 2023

California: Operationalising CPRA - vendors and vendor management

In November 2020, California voters passed the California Privacy Rights Act of 2020 ('CPRA'), which amended the existing California Consumer Privacy Act of 2018 ('CCPA') passed by the California legislature in 2018 and which became effective on 1 January 2020. The CPRA went into effect on 1 January 2023 (with a look-back period to 1 January 2022), and enforcement of the new provisions of the CPRA will be effective 1 July 2023. The CPRA amends the CCPA in many significant ways, including how businesses must address their vendor relationships.

Part one of this series, Operationalising CPRA, discussed how the CPRA changes consumer rights and part two of this series explored the scope of the CCPA as amended by the CPRA. In part three, Diana Iketani Iorlano, Founder and Managing Attorney, Iketani Law Corporation, focuses on some of the considerations for businesses in regards to vendors.

May 2023

California: Operationalising CPRA - scope and application

The California Consumer Privacy Act of 2018 ('CCPA'), signed into law in 2018, granted consumers new rights with respect to the collection and use of their personal information. The CCPA was amended by the California Privacy Rights Act of 2020 ('CPRA'), which became fully operative on 1 January 2023, and which also created the California Privacy Protection Agency ('CPPA'), a new regulatory body dedicated exclusively to privacy regulation. The CPPA released its revised CCPA Regulations on 4 April 2023.

Part one of this series, Operationalising CPRA, discussed how the CPRA changed consumer rights. In Part two, Jennifer Guerrero, Senior Counsel at Buchalter PC, explores the scope of the CCPA as amended by the CPRA.

April 2023

California: COPPA v. CAADC - strength lies in knowing the differences

Assembly Bill 2273 for the California Age Appropriate Design Code Act ('CAADC') was signed into law on 15 September 2022 and will become effective on 1 July 2024. The CAADC will impose new requirements and prohibitions on a broad range of businesses beyond those that are included in the Children's Online Privacy and Protection of 1998 ('COPPA'), with the aim of better protection children's privacy and online safety. Nerissa Coyle McGinn, Partner at Loeb & Loeb LLP, provides a comparison between the provisions of the CAADC and COPPA, specifically looking at areas such as default privacy settings and privacy policy requirements.

April 2023

California: Operationalising CPRA - new and expanded consumer rights under CCPA

The California Privacy Rights Act of 2020 ('CPRA') became fully operative on 1 January 2023. The CPRA was approved by California voters in a November 2020 ballot initiative and amends the requirements of the California Consumer Privacy Act of 2018 ('CCPA'). The CPRA changes the scope of the CCPA, expands the rights afforded to consumers under the law, and introduces a new regulatory agency, the California Privacy Protection Agency ('CPPA'), to be responsible for enforcement.

In part one of this series, Operationalising CPRA, Emily S. Tabatabai and Alyssa Wolfington, from Orrick Herrington & Sutcliffe LLP, discuss how the CPRA has changed consumer rights under the CCPA and what companies may need to consider regarding these changes.

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.