Miller Nash LLP

 

What law(s) specifically govern personal data / information?

California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) (CIV 1798.100 to 1798.199.100) and the California Consumer Privacy Act Regulations (Title 11, Div. 6, § 7000 to § 7600).

California Online Privacy Protection Act (CalOPPA) (BPC 22575 to 22579).

Shine the Light (CIV 1798.83)

Website privacy notice requirement (BPC 22575-22579)

Data breach notification (CIV 1798.82)

Additional specific laws addressing types of data; see below for additional information.

 

What are the key data protection principles in this jurisdiction?

Comprehensive consumer privacy law requiring transparency and consumer data control. California has some of the strongest data protection and consumer rights standards among the states.

Businesses must maintain reasonable security practices to protect personal information from unauthorised access, disclosure, and use.

 

What is the supervisory authority / regulator in charge of data protection?

California Attorney General; California Privacy Protection Agency

 

Is there a requirement to register with a supervisory authority / regulator?

Yes (Cal. Civ. Code § 1798.99.82):

California requires data brokers to register with the California Privacy Protection Agency and pay a registration fee.

 

Is there a requirement to notify the supervisory authority / regulator?

Yes, in the event of certain data breaches.

 

Is it possible to register with / notify the supervisory authority / regulator online?

Yes, for data brokers.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) (Cal. Civ. Code § 1798.100 to 1798.199.100), and the California Consumer Privacy Act Regulations (Title 11, Div. 6, § 7000 to § 7600).

  • Information and access rights
  • Data portability rights
  • Deletion rights
  • Personal information sales prevention rights (sale opt-out and opt-in rights)
  • Non-discrimination rights
  • Required contractual provisions with service providers

California Online Privacy Protection Act (CalOPPA) (Cal. Bus. & Prof. Code § 22575 to 22579)

  • Requires operators of commercial websites and online services that collect California residents’ “personally identifiable information” to conspicuously post their privacy policies.
  • CalOPPA requires specific pieces of information to be included in a company’s privacy policy. (See Cal. Bus. & Prof. Code § 22575(b)(1) to (4).)

Privacy Rights for California Minors in the Digital World Act (Eraser Law) (Cal. Bus. & Prof. Code § 22580 to § 22582)

  • Grants California minors the right to remove online content.
  • Restricts the ability to advertise to minors.
  • More restrictive than the federal Children’s Online Privacy Protection Act (U.S. federal law) – applies to minors under the age of 18.

Student Online Personal Information Protection Act (SOPIPA) (Cal. Bus. & Prof. Code § 22584).

  • SOPIPA prohibits:
    • Knowingly engaging in targeted advertising to students and parents/guardians
    • Using covered information to create student profiles
    • Selling or disclosing covered information

California’s Anti-Spam Law (Cal. Bus. & Prof. Code § 17529 to § 17529.9).

  • Applies to commercial email advertisements from California or to California email addresses.
  • Prohibits all commercial emails unless either:
    • The sender has a pre-existing business relationship with the recipient.
    • The recipient has directly consented to receiving such emails.

Song-Beverly Credit Card Act (Song Beverly) (Cal. Civ. Code § 1747.08).

  • Regulates credit cards and related transactions.
  • Prohibits merchants from requesting or requiring personal identification information as a condition to accepting a credit card as payment.

California Consumer Reporting Agencies Act (CCRAA) (Cal. Civ. Code § 1785.10).

  • Provides consumer rights regarding access, use, and correction of credit reports for purposes of determining creditworthiness.

Financial Information Privacy Act (FIPA) (Cal. Fin. Code § 4050 to § 4060).

  • Requires financial institutions to give consumers the right to opt-out before sharing their Nonpublic Personal Information.

California’s Insurance Information and Privacy Protection Act (IIPPA) (Cal. Ins. Code § 791 to § 791.29).

  • Generally, prohibits disclosure of personal information collected or received in connection with an insurance transaction.

Data Breach Notification Law (Cal. Civ. Code § 1798.82).

  • Requires organisations to notify affected individuals of any unauthorised acquisition of unencrypted computerised data that contains a California resident’s personal information.

Confidentiality of Medical Information Act (CMIA) (Cal. Civ. Code § 56)

  • Addresses the privacy and security of health information regarding California residents.

California Constitution (Article 1, Section 1)

  • Provides individuals with a constitutionally protected right to privacy that can be enforced against private employers.

Shine the Light law (Cal. Civ. Code § 1798.83)

  • Requires businesses to provide customers with information regarding how their personal information is shared for marketing purposes.

California Invasion of Privacy Act (CIPA) (Cal. Penal Code § 630 to 638.55).

  • Restricts recording or listening to private electronic communications.

California Data Protection Act (CDPA) (Cal. Civ. Code § 1798.81.5).

  • Requires covered businesses to:
    • Implement and maintain reasonable security procedures and practices appropriate to the nature of information.
    • Protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Deletion requirements (Cal. Civ. Code § 1798.81)

  • Requires businesses to dispose of records containing personal information when the records no longer need to be retained.

California Age-Appropriate Design Code Act (Cal. Civ. Code § 1798.99.28 to § 1798.99.40)

  • Currently being challenged in court proceedings.

Data broker registration and California Delete Act (Cal. Civ. Code § 1798.99.80 to § 1798.99.89)

  • Data brokers need to register with the California Privacy Protection Agency and provide certain metrics on a yearly basis.
  • Beginning Jan. 1, 2026, the California Privacy Protection Agency will establish a deletion mechanism for consumers to request that every data broker delete personal information related to that consumer.

Employment-related (Cal. Labor Code § 980 and Cal. Labor Code § 435)

  • An employer cannot require or request that an employee or a job applicant provide access to a personal social media account.
  • An employer cannot make an audio or video recording of an employee in a restroom or changing room.

Disclosures for Specific Products

  • Routers made for residential use need to include security warnings. (Cal. Bus. & Prof. Code § 22948.5 to § 22948.7)
  • Connected televisions need to disclose voice recognition features. If the voice recognition features are used for an accessible interface for persons with disabilities, any collected data cannot be sold or used for advertising purposes. (Cal. Bus. & Prof. Code § 22948.20 to § 22948.25)
  • Required pre-sale disclosure for new motor vehicles equipped with in-vehicle cameras. Restrictions on the use, sale, and re-disclosure of data collected from in-vehicle cameras. (Cal. Bus. & Prof. Code § 22948.50 to § 22948.59)

 

Is there a requirement to appoint a data protection officer (or equivalent)?

No.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

A business must be contractually permitted to monitor a service provider’s compliance through assessments or audits.

 

Does this jurisdiction have any specific data breach notification requirements?

Yes; a breach under California law is an unauthorised acquisition of computerised data that compromises the security, confidentiality, or integrity of personal information maintained by the entity.

Personal information means:

(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted (meaning rendered unusable, unreadable, or indecipherable to an unauthorised person through a security technology or methodology generally accepted in the field of information security):

  • Social Security number;
  • Driver’s license number or state identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual;
  • Account number, credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
  • Medical information (any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional);
  • Health insurance information (an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records);
  • Information or data collected through the use or operation of an automated license plate recognition system (a searchable computerised database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data);
  • Biometric data generated from measurements or technical analysis of human body characteristics (e.g., fingerprint, retina, or iris image) used to authenticate a specific individual; or
  • Genetic data.

(2) User name or email address, in combination with a password or security question and answer that would permit access to an online account.

Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Affected individuals must be notified in the most expedient time possible and without undue delay.

If an entity is required to notify more than 500 California residents, the entity shall electronically submit a single sample copy of the notification, excluding any personally identifiable information, to the California Attorney General (no specific timeline is set out).

 

What restrictions apply to the international transfer of personal data / information?

N/A

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Yes:

CCPA (Cal. Civ. Code § 1798.140(c)(1)) applies to any entity that:

  • Collects a California consumer’s personal information and determines the purposes and means of processing; AND
  • Does business in CA and meets one of the following thresholds:
    • Annual gross revenue that exceeds USD $25 million;
    • Annually buys, shares, or sells the personal information of 100,000 or more California consumers or households; or
    • Derives 50% or more of annual revenues from selling or sharing California consumers’ personal information.

 

What rules specifically deal with marketing?

California Shine the Light (Cal. Civ. Code § 1798.83)

  • Requires certain businesses to provide customers with information regarding how their personal information is shared for marketing purposes.

California’s Anti-Spam Law (Cal. Bus. & Prof. Code § 17529 to § 17529.9)

  • California’s anti-spam law bans most unsolicited commercial email advertisements to or from California email addresses.

The Eraser Law (Cal. Bus. & Prof. Code § 22580 to § 22582)

  • The law places restrictions on advertising to minors. It prohibits website and online service operators from using a minor’s personal information, or allowing a third party to use a minor’s personal information, to market or advertise prohibited items.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

Yes. The CCPA, as amended, applies to personal information collected by a business about an individual acting as a consumer or employee. The CCPA, as amended, does not apply to business-to-business transactions.

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

California’s Anti-Spam Law (Cal. Bus. & Prof. Code § 17529 to § 17529.9)

  • California’s anti-spam law bans most unsolicited commercial email advertisements to or from California email addresses.

Cal. Bus. & Prof. Code § 17538.41

  • California law generally prohibits text message advertisements to a California resident’s mobile telephone number without an existing relationship.

Cal. Bus. & Prof. Code § 17538.43

  • California’s junk fax law prohibits fax advertisements without prior express consent.

 

What rules specifically deal with cookies?

Cookies are personal information under the CCPA, as amended, and collection of cookies must be disclosed in privacy notices. Consumers have the right to opt-out of the sale or sharing of personal information (including cookies used for targeted advertising). Businesses must have a “Do Not Sell or Share My Personal Information” link on a website homepage and the ability to recognize the Global Privacy Control opt-out signal.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

CCPA, as amended

  • (Cal. Civ. Code § 1798.155): any business, service provider, or other person that violates this title shall be liable for an administrative fine of not more than two thousand five hundred dollars (USD $2,500) for each violation or seven thousand five hundred dollars (USD $7,500) for each intentional violation. The California Attorney General and the California Privacy Protection Agency can enforce CCPA, as amended.
  • (Cal. Civ. Code § 1798.150(a)): a consumer whose nonencrypted or nonredacted personal information is subject to a breach resulting from the business’ violation of the duty to implement and maintain reasonable security procedures and practices may institute a civil action (private right of action) for any of the following:
    • Damages in an amount between USD $100 and USD $750 per consumer per incident or actual damages, whichever is greater;
    • Injunctive or declaratory relief;
    • Any other relief the court deems proper.
    • Note: The California Attorney General separately enforces the data breach laws as violations of California’s Unfair Competition Law, Business and Professions Code section 17200 et seq., and False Advertising Law, Business and Professions Code section 17500 et seq.

CalOPPA:

  • (Cal. Civ. Code 1798.99.1): in an action brought by a public prosecutor, a business or person that violates this section shall be subject to a civil penalty not exceeding USD $7,500 for each violation.

Eraser Law

  • Enforced under California’s Unfair Competition Law, which provides for a civil penalty of up to USD $2,500 per violation.
  • Allows for private right of action.

SOPIPA

  • Enforced under California’s Unfair Competition Law, which provides for a civil penalty of up to USD $2,500 per violation.
  • Allows for private right of action.

California’s Anti-Spam Law

  • (Cal. Bus. & Prof. Code § 17529.5): Provides for actual damages, liquidated damages of USD $1,000 per email with a max of USD $1,000,000 per incident, and attorney’s fees (with diminished damages if business implemented practices and procedures designed to prevent spam) but applies only to deceptive subject line headings or materially false or misleading header information; otherwise, the federal CAN-SPAM Act preempts.

Song-Beverly

  • (Cal. Civ. Code § 1747.08(e)): any person who violates this section shall be subject to a civil penalty not to exceed USD $250 for the first violation and USD $1,000 for each subsequent violation, to be assessed and collected in a civil action brought by the person paying with a credit card, by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred. However, no civil penalty shall be assessed for a violation of this section if the defendant shows by a preponderance of the evidence that the violation was not intentional and resulted from a bona fide error made notwithstanding the defendant's maintenance of procedures reasonably adopted to avoid that error.

CCRAA

  • (Cal. Civ. Code § 1785.19(a)): in addition to any other remedy provided by law, a consumer may bring an action for a civil penalty, not to exceed USD $2,500.

FIPA

  • (Cal. Fin. Code § 4057(a)): an entity that negligently discloses or shares non-public personal information in violation of this division shall be liable, irrespective of the amount of damages suffered by the consumer as a result of that violation, for a civil penalty not to exceed USD $2,500 per violation. However, if the disclosure or sharing results in the release of non-public personal information of more than one individual, the total civil penalty awarded pursuant to this subdivision shall not exceed USD $500,000.
  • (Cal. Fin. Code § 4057(b)): an entity that knowingly and willfully obtains, discloses, shares, or uses non-public personal information in violation of this division shall be liable for a civil penalty not to exceed USD $2,500 per individual violation, irrespective of the amount of damages suffered by the consumer as a result of that violation.

IIPPA

  • (Cal. Ins. Code § 791.22): any person who knowingly and willfully obtains information about an individual from an insurance institution, agent or insurance-support organization under false pretenses shall be fined not more than USD $10,000 or imprisoned for not more than one year, or both.

Data Breach Notification Law

  • Private right of action. Any customer injured by a violation of this title may institute a civil action to recover damages, civil penalties up to USD $3,000 per violation, and attorney’s fees. (Cal. Civ. Code § 1798.84). After providing a business 30 days’ written notice and the opportunity to cure the violation, any consumer can bring an individual or class action and recover (1) damages in an amount between USD $100 and USD $750 per consumer per incident or actual damages, whichever is greater, (2) injunctive or declaratory relief, and (3) any other relief the court deems proper. (Cal. Civ. Code § 1798.150).
  • Any business that violates, proposes to violate, or has violated this title may be enjoined. (Cal. Civ. Code § 1798.84). The California Attorney General separately enforces the data breach laws as violations of California’s Unfair Competition Law, Business and Professions Code section 17200 et seq., and False Advertising Law, Business and Professions Code section 17500 et seq.

CMIA

  • (Cal. Civ. Code § 56.35): in addition to any other remedies available at law, a patient whose medical information has been used or disclosed in violation of Section 56.10 or 56.104 or 56.20 or subdivision (a) of Section 56.26 and who has sustained economic loss or personal injury therefrom may recover compensatory damages, punitive damages not to exceed USD $3,000, attorney’s fees not to exceed USD $1,000, and the costs of litigation.

Cal. Health & Safety Code § 1280.15

  • The California Department of Health Services may impose the following penalties against covered entities that violate California’s medical information statute:
    • USD $25,000 per patient whose information was unlawfully or without authorisation accessed, used, or disclosed; and
    • Up to USD $17,500 for each later occurrence.

Shine the Light

  • (Cal. Civ. Code § 1798.84): covered companies that fail to provide their customers with the requisite disclosures mandated by the statute face civil penalties of USD $500 (or USD $3,000 if the violation of the statute is willful, intentional, or reckless) and attorney’s fees.

CIPA

  • Criminal and civil liability
  • (Cal. Penal Code § 631(a)): fines up to USD $2,500 or imprisonment not exceeding one year.
  • (Cal. Penal Code § 637.2): individuals harmed can bring an action for the greater of USD $5,000 per violation or triple the amount of actual damages, if any.

CDPA

  • (Cal. Civ. Code § 1798.84(b)): any customer injured by a violation of this title may institute a civil action to recover damages.

 

In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?

California has some of the strongest state-law data protections in the US, reflected in numerous statutes, and these laws apply to companies outside California that process the personal information of California consumers.

 

What upcoming data protection developments should multinational organisations be aware of?

The California legislature is active in trying to pass new data protection laws. Reviewing which of these bills have been signed by the Governor is a prudent course of action.

 


Eva Novick
Miller Nash
USA - California