California

Overview

California has always been at the forefront of digital data privacy legislation in the U.S. It was the first state to enact a comprehensive digital data law (CCPA), and it has since extended those protections under the California Privacy Rights Act (CPRA). As a result of this legislation, California residents have considerable control over how companies gather and use their personal information. Additionally, the state has the first agency specifically focused on enforcing privacy laws.

Key Laws

California Consumer Privacy Act (CCPA) – Effective Jan 1, 2020

This digital privacy law grants consumers the opportunity to opt out of the sale of their personal data. It also ensures that businesses provide clear privacy notices to consumers before obtaining the data.

California Privacy Rights Act (CPRA) – Effective Jan 1, 2023

Builds on the CCPA by adding more consumer rights, reducing sensitive data use, and creating the California Privacy Protection Agency for enforcement.

Consumer Rights

  • To know what private digital data is collected and why

  • To delete your personal data

  • To opt out of the sale or sharing of your private data

  • To limit the use of your sensitive personal information

  • To not be discriminated against for exercising privacy rights

Who Does the Law Apply To?

These laws apply to for-profit businesses operating in California that meet any of the criteria below:

  • Annual revenue of $25 million or more

  • Holds data of 100,000+ consumers

  • Makes more than 50% of its revenue from selling personal data

It also applies to service providers, contractors, and other third parties that might handle data on behalf of these businesses.

Looking Ahead

California continues to update its digital data privacy rules to cover new technologies that have recently emerged. The CPPA is currently drafting rules on AI to cut back on automated decisions that impact citizens' daily lives, address algorithmic transparency, etc. (Bill SB 1047).