Some businesses, like Facebook, collect data you voluntarily supply, like your age, employer, relationship status, and where you live. They also track the other places you visit online and what apps you use. The companies then use all that information to sell advertisements.
These practices sound relatively harmless. But in 2018, details emerged about a political data firm, Cambridge Analytica, improperly collecting and using the personal data of millions of Facebook users. After that incident, the way Facebook and other businesses treat users' personal information came under increased scrutiny.
To address this issue, California passed the California Consumer Privacy Act (CCPA), which went into effect in 2020. This law gives consumers in California basic privacy rights concerning how businesses use their personal information. The California Privacy Rights Act (CPRA), effective January 1, 2023, amends the CCPA and provides additional privacy protections for consumers.
The CCPA (Cal. Civ. Code § 1798.100 and following) is the first comprehensive consumer privacy law in the United States. The law is patterned after the European Union's General Data Protection Regulation, the primary law in Europe regulating how companies must handle EU citizens' private data and personal information.
The CCPA gives consumers in California fundamental privacy rights concerning how businesses collect and sell their personal information. This law went into effect on January 1, 2020.
The CPRA, a ballot initiative, is an amendment to the CCPA. The CPRA expands the protections under the CCPA and is sometimes called "CCPA 2.0."
The CPRA passed in November 2020, with most of its provisions becoming effective on January 1, 2023.
California consumers have the following rights under the CCPA, as amended by the CPRA.
Under the CCPA, you have the right to know the categories of personal information collected and how the business will use that information. You also have the right to request specific information from a business that collects personal information about you, including:
The CPRA modified and expanded consumers' rights under the CCPA. For example, under the CPRA, the business must provide information about the categories of personal information "shared" with third parties. ("Shared," in this context, means providing personal information to a third party for the purposes of targeted advertising.) (Cal. Civ. Code § 1798.140.)
You may request that a business delete your personal information. The company must erase your data upon receipt of your request, subject to certain exceptions.
A business doesn't have to erase your information under certain circumstances, like if the information is necessary to complete the transaction for which the personal information was collected or if it's needed to perform a contract between you and the business. (Cal. Civ. Code § 1798.105.)
The CPRA provides several new exceptions or clarifications to the deletion requirement. For example, businesses aren't required to delete household data or personal information that applies to a student's grades or test scores. (Cal. Civ. Code § 1798.145.)
Under the original CCPA, you got the right to opt out of the sale of your personal information. The CPRA expands this opt-out right to include both the sale and sharing of personal information.
A business has to provide a "Do Not Sell or Share My Personal Information" link on its internet homepage. This link must take you to a page that enables you to opt out of the sale or sharing of your personal information. (Cal. Civ. Code § 1798.120, § 1798.135.)
Also, a business generally can't sell (or share) a consumer's personal information if the business has actual knowledge that the consumer is less than 16 years of age. However, a consumer at least 13 years old or a consumer's parent (for consumers who are less than 13 years old) can opt into the sale or sharing of information. (Cal. Civ. Code § 1798.120.)
The CCPA prohibits a business from discriminating against you if you exercise your rights under this law. It includes a prohibition on charging a different price or providing you with a different quality of goods or services after you exercise your rights. But an exception applies if the difference is reasonably related to the value your data provides to the business. (Cal. Civ. Code § 1798.125.)
The CPRA expands these protections to prohibit retaliation against employees, applicants for employment, or independent contractors for exercising rights guaranteed under this law. The CPRA also clarifies that businesses can still offer loyalty, rewards, premium features, discounts, or club card programs. These types of programs don't constitute discrimination. (Cal. Civ. Code § 1798.125.)
Under the CCPA and CPRA, "personal information" is defined as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." (Cal. Civ. Code § 1798.140(v)(1).) This definition of "personal information" is much broader than typical privacy-related laws in the United States.
The CCPA's definition of personal information also includes a wide range of examples, like:
However, publicly available information isn't considered personal information. (Cal. Civ. Code § 1798.140(v)(2).)
The CPRA creates several additional privacy rights for consumers.
Under the CPRA amendments, you get the right to correct inaccurate personal information that a business has on you. Businesses must disclose to consumers that they have the right to correct inaccurate personal information. (Cal. Civ. Code § 1798.106, § 1798.185(a)(7).)
After a business receives a verified request to correct inaccurate personal information, it must use "commercially reasonable efforts" to correct the personal information. However, some exceptions apply to requests that would be impossible or involve disproportionate effects. (Cal. Civ. Code § 1798.106, § 1798.130.)
The CPRA provides consumers with a new right to restrict the use and disclosure of "sensitive personal information." (Cal. Civ. Code § 1798.121.)
California consumers get the right to tell a business to limit its use of sensitive personal information to that "which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services."
The business may also use the information for the performance of specific enumerated business purposes, like:
Businesses must include disclosures about their sensitive personal information collection and use practices. The CPRA requires a link on a business's website homepage titled "Limit the Use of My Sensitive Personal Information" or a combined link with the "Do Not Sell or Share My Personal Information" link, in some cases. (Cal. Civ. Code § 1798.121, § 1798.135.)
The CPRA also adds a right to opt out of automated decision-making technology, which includes profiling consumers based on their "performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, and movements." (Cal. Civ. Code § 1798.185(a)(16), § 1798.140(z).)
The CCPA, as amended by the CPRA, gives privacy rights and protections to consumers who are California residents, including:
The CCPA and CPRA apply to for-profit entities that collect and process the personal information of California residents and that do business in the State of California.
Also, for the CCPA and amendments to apply, the business must:
Nonprofit businesses and companies that don't meet any of the three criteria listed above don't have to comply with these laws.
The CCPA provides consumers with a private right of action (the right to file a lawsuit) if their nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure (that is, a data breach). "Personal information" in this context means an individual's first name or first initial and the individual's last name in combination with another data element, like a Social Security or driver's license number, when either the name or the data elements are not encrypted or redacted. (Cal. Civ. Code § 1798.81.5(d)(1)(A).)
Under the law as amended by the CPRA, you can also bring a private cause of action for a data breach involving the leak of an email address in combination with a password or security question and answer that would permit access to the account. (Cal. Civ. Code § 1798.150(d)(1)(B), § 1798.81.5.)
The breach must have happened because the business didn't comply with its duty to implement and maintain reasonable security procedures and practices. And you must satisfy certain procedural requirements first. (Cal. Civ. Code § 1798.150.)
Damages in any private action that a consumer brings will be not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater. (Cal. Civ. Code § 1798.150.)
The CPRA established the California Privacy Protection Agency to implement and enforce the law. This agency has full administrative power, authority, and jurisdiction to implement and enforce the CCPA. (Cal. Civ. Code § 1798.199.10.)
The California Attorney General can also file suit against companies that don't comply with the CCPA. Any business, service provider, or other person found in violation is subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation. (Cal. Civ. Code § 1798.155.)
Enforcement of the civil and administrative obligations of the CPRA provisions begins July 1, 2023, and applies to violations that happen on or after that date.
If you have further questions about the California Consumer Privacy Act or its amendments, contact a consumer protection lawyer to get more information about your rights under state law.
An attorney can also advise you about filing a lawsuit against a company that has violated this law or any of its amendments, including the procedural requirements you need to follow before initiating such a suit.