In the US, California is the state that is most aggressive in enforcing regulations that protect consumers, employees and residents in the age of digitization by businesses and other organizations. The state is known as one of the leaders in enacting comprehensive regulations, which other states tend to follow as a benchmark.
California was the first state in the United States to enforce one of the most comprehensive privacy regulations, the California Consumer Privacy Act (CCPA). The beginning of 2024 saw enforcement of CCPA's updated version, the California Privacy Rights Act (CPRA). A major development introduced by CPRA is the establishment of the California Privacy Protection Agency (CPPA).
We understand that business entities are often confused as to which regulation's requirements to look at when it comes to privacy compliance. This article covers the major privacy regulations and touches on others that are relevant to the privacy landscape in California.
The California Consumer Privacy Act (CCPA) became effective in January 2020. It applies to for-profit private organizations that do business in California and meet certain criteria, such as gross revenues over $25 million; buying, selling or sharing the personal information of 50,000 or more consumers, households or devices; or deriving 50% or more of annual revenues from selling consumers' personal information.
CCPA requires covered businesses to honor consumer rights such as the right to know what personal information is being collected, the right to delete personal information, the right to opt out of the sale of personal information and the right to non-discrimination for exercising these privacy rights.
CCPA also requires covered businesses to provide an online privacy notice describing their data collection and processing practices, to implement procedures for managing personal data and for handling consumer requests to exercise their rights, and to offer an opt-out mechanism for the sale of personal information.
Non-compliance with any of the CCPA requirements carries civil penalties, with fines of up to $2,500 per violation and up to $7,500 per intentional violation. CCPA enforcement was under the authority of the California Attorney General.
The California Privacy Rights Act (CPRA) is the amended version of CCPA. It has been in effect since January 1, 2023. CPRA enforcement was delayed by a legal challenge in which a state court judge ruled that the CPRA could not be enforced until March 2024. However, the CPPA successfully appealed this ruling, and the act became enforceable as of early February 2024.
CPRA builds upon CCPA, expanding its scope and adding new provisions. It applies to businesses that meet the same criteria as CCPA but also introduces more stringent requirements.
As part of the expanded scope, CPRA applies to all California resident consumers, including job applicants and employees, and it also applies to business-to-business transactions. CPRA has also expanded the consumer rights defined in CCPA and has added new rights, such as the right to correct inaccurate personal information and the right to limit the use and disclosure of sensitive personal information.
With the establishment of the California Privacy Protection Agency (CPPA) under CPRA, multiple initiatives are underway in relation to consumer data protection and privacy in California.
Non-compliance with CPRA carries the same monetary penalties as CCPA. In addition, under CPRA, employees can sue their employers for data breaches, and under certain circumstances employees can bring a class action-type lawsuit as well.
GDPR was the pioneer in emphasizing the rights of data subjects (consumers) with respect to the processing of their personal information. CPRA has maintained a similar benchmark, giving the consumers of California significant control over how their data is handled. The table below describes the consumer rights provided in GDPR and in CPRA. CPRA addresses these consumer rights with parameters as well defined as those in GDPR. We can therefore say that CPRA has defined the same level of privacy protection for California as GDPR has for the European Union, if not a higher one.
Although CPRA established the California Privacy Protection Agency (CPPA), it is extremely important to note that both the CPPA and the California Attorney General can pursue enforcement under the CCPA/CPRA. Thus, it is important to review activity from both agencies when assessing future risk.
Governed by a five-member board, the California Privacy Protection Agency (CPPA) carries the mission of protecting Californians' consumer privacy. The CPPA is responsible for implementing and enforcing the CPRA (CCPA regulations) through rulemaking, raising awareness of privacy and consumer rights, and preparing administrative enforcement actions. The CPPA has been actively taking various initiatives towards its mission.
Under these responsibilities, in April 2024 the CPPA published its first enforcement advisory, identifying data minimization as a foundational principle of the CCPA. Moreover, the CPPA has proposed draft updates to the existing CCPA/CPRA regulations. The updates include new rules for Automated Decision-Making Technology (ADMT) and risk assessments, as well as revisions to the definition of sensitive personal information, the requirements for denying consumer requests, the verification of consumer requests, and the obligations of service providers and contractors.
As mentioned above, the CPPA has also proposed regulations addressing automated decision-making technology (ADMT) and risk assessments for the processing of personal information. The draft rules require businesses to notify consumers and grant them opt-out rights before using ADMT, and require risk assessments for specific data processing contexts, such as ADMT or AI training. Board members are divided on the scope of the regulation, particularly regarding the ADMT requirements.
In September 2023, the CPPA also released Draft Risk Assessment Regulations, which address both cybersecurity audits and risk assessments under CPRA. The formal rulemaking for these is still in process.
There are a number of regulations related to privacy and data protection in California, other than CCPA/CPRA, that entities need to comply with. They are:
Under California Civil Code Section 1798.29 and Section 1798.82, effective from July 2003, all entities that conduct business in California and process personal data are required to notify the individuals whose data is affected by a breach. If the breach affects the data of more than 500 individuals, the entities are also obligated to report it to the regulatory authority, which in this case is the California Attorney General. Under the CCPA, a data breach can trigger a civil action against the entity that suffered the breach.
Effective from July 2004, CalOPPA requires operators of commercial websites or online services that collect personal data to post a privacy policy, with an easy-to-find link to it on their web pages. These requirements are thoroughly covered in CCPA/CPRA.
Effective from January 2005, the Shine the Light law requires businesses to disclose to customers, upon request, what personal information is shared with third parties for direct marketing purposes.
Signed on 15 September 2022, this act requires a business that provides an online service, product, or feature likely to be accessed by children to comply with specified requirements, including a requirement to configure all default privacy settings offered by that online service, product, or feature to the settings that offer a high level of privacy.
From the experience of our clients at PwC, we understand that business entities are often confused as to where to look when it comes to privacy compliance. The root cause is the vast number of laws and regulations that exist, and uncertainty over which ones they are required to comply with.
This article covers the privacy-related regulations that are currently enforced in California. The CPPA initiatives also give a fair idea of what is coming in the future.
This overview of California's privacy regulations shows that entities must be vigilant when processing an individual's personal information.
To begin with, entities should ensure their privacy policies accurately describe how personal information is processed. Secondly, they should verify that consumer request and opt-out procedures are clearly disclosed and functionally tested. Processes for access, deletion and correction of personal data should be aligned with the regulations. Further, the processes and systems that handle personal data should be implemented and diligently tested to confirm compliance.
Monitoring the progress of regulations and of initiatives by the regulatory authorities is all the more vital in order to stay in compliance.