State General Privacy Law Tracker

California

Code/Regulations

  • Code: Cal. Civ. Code §§ 1798.100-1798.199.100 (2023)
  • Final Regulations: California Consumer Privacy Act Regulation, effective 03.29.23

Effective Date: January 1, 2023 (CPRA amendment effective January 1, 2023)

Details

Threshold

Any business that (a) "does business" in California, (b) operates for the profit or financial benefit of its shareholders or owners, (c) collects personal information from one or more California residents (including even a single employee or customer), and (d) satisfies at least one of the following thresholds is subject to the CCPA:

  • Has gross annual revenue in excess of $25 million in the preceding calendar year (measured on January 1 of the calendar year)
  • Annually buys, sells, or shares the personal information of 100,000 California consumers or households
  • Derives 50% or more of its annual revenue from selling or sharing personal information

The term "business" means:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

(A) As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.

(B) Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households.

(C) Derives 50 percent or more of its annual revenues from selling or sharing consumers' personal information.

(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business and with whom the business shares consumers' personal information. "Control" or "controlled" means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. "Common branding" means a shared name, servicemark, or trademark that the average consumer would understand that two or more entities are commonly owned.

(3) A joint venture or partnership composed of businesses in which each business has at least a 40 percent interest. For purposes of this title, the joint venture or partnership and each business that composes the joint venture or partnership shall separately be considered a single business, except that personal information in the possession of each business and disclosed to the joint venture or partnership shall not be shared with the other business.

(4) A person that does business in California, that is not covered by paragraph (1), (2), or (3), and that voluntarily certifies to the California Privacy Protection Agency that it is in compliance with, and agrees to be bound by, this title.

Definition of "Personal Data"

Identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household

Definition of "Sensitive Personal Information"

As with all state general privacy laws, includes the following Personal Data:

  • Race or ethnic origin;
  • Religious beliefs;
  • Citizenship or immigration status;
  • Genetic data;
  • Biometric data;
  • Health data; and
  • Sexual orientation.

In addition, California's definition also includes:

  • Precise geolocation;
  • Philosophical beliefs;
  • Sex life;
  • Union membership;
  • A consumer's SSN, driver's license, state ID card, or passport number;
  • A consumer's account log‐in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
  • The contents of a consumer's mail, email and text messages, unless the business is the intended recipient of the communication; and
  • Neural data.

Definition of "Sale"

Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration

Data-Protection Assessments

Risk assessments must indicate whether processing involves sensitive personal information and must identify and weigh "the benefits and risks" of such processing

Opt-In Consent Required for Processing Sensitive Data

No, with caveat that the consumer has right to limit a business's use or disclosure of sensitive personal information and may opt out of processing of sensitive data for certain profiling (although exceptions apply)

Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability

Yes

Consumer Right to Opt Out of Sale

Yes

Consumer Right to Opt Out of Targeted Ads/Sharing

Yes

Consumer Right to Opt Out of Profiling

Pending CCPA Regulatory Action

Pseudonymous Data Exempt from Consumer Requests

No

Appeal Rights

No

Universal Opt-Out Mechanism Required Recognition/Date

Yes (January 1, 2023)

Data of Minors

Opt-in consent required to "sell" or "share" personal information of minors under age 16

GLBA Exemption

Yes (data-specific)

HIPAA Exemption

Yes (data-specific)

Employer-Related Exemption

-

Nonprofit Exemption

No

Private Right of Action

Yes (limited to certain violations)

Cure Period

Expired

Cure Period Expiration

January 1, 2023

Enforcement Authority/Damages

California Privacy Protection Agency & Attorney General, up to $2,500 per violation and $7,500 per willful violation

Disclaimer: States may periodically amend their laws and regulations and such amendments may affect or modify certain legal requirements or compliance obligations. There is no guarantee that this research is up to date as laws and regulations in the state consumer data privacy space continue to evolve. You should consult an attorney to assess the applicability of any existing, new, or proposed state consumer data privacy laws. By accessing this site, you acknowledge your understanding that the underlying content is not a replacement for legal counsel and does not constitute legal advice. 

©1996-2025 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Not intended as legal advice. Prior results do not guarantee a similar outcome.