California
Code/Regulations
- Code: Cal. Civ. Code §§ 1798.100-1798.199.100 (2023)
- Final Regulations: California Consumer Privacy Act Regulation, effective 03.29.23
Effective Date: January 1, 2023 (CPRA amendment effective January 1, 2023)
Details
Threshold
Any business that (a) "does business" in California, (b) operates for the profit or financial benefit of its shareholders or owners, (c) collects personal information from one or more California residents (including even a single employee or customer), and (d) satisfies at least one of the following thresholds is subject to the CCPA:
- Has gross annual revenue in excess of $25 million in the preceding calendar year (measured on January 1 of the calendar year)
- Annually buys, sells, or shares the personal information of 100,000 California consumers or households
- Derives 50% or more of its annual revenue from selling or sharing personal information
The term "business" means:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households.
(C) Derives 50 percent or more of its annual revenues from selling or sharing consumers' personal information.
(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business and with whom the business shares consumers' personal information. "Control" or "controlled" means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. "Common branding" means a shared name, servicemark, or trademark that the average consumer would understand that two or more entities are commonly owned.
(3) A joint venture or partnership composed of businesses in which each business has at least a 40 percent interest. For purposes of this title, the joint venture or partnership and each business that composes the joint venture or partnership shall separately be considered a single business, except that personal information in the possession of each business and disclosed to the joint venture or partnership shall not be shared with the other business.
(4) A person that does business in California, that is not covered by paragraph (1), (2), or (3), and that voluntarily certifies to the California Privacy Protection Agency that it is in compliance with, and agrees to be bound by, this title.
Definition of "Personal Data"
Identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household
Definition of "Sale"
Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration
Data-Protection Assessments
Risk assessments must indicate whether processing involves sensitive personal information and must identify and weigh "the benefits and risks" of such processing
Opt-In Consent Required for Processing Sensitive Data
No, with the caveat that the consumer has the right to limit a business's use or disclosure of sensitive personal information and may opt out of processing of sensitive data for certain profiling (although exceptions apply)
Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability
Yes
Consumer Right to Opt Out of Sale
Yes
Consumer Right to Opt Out of Targeted Ads/Sharing
Yes
Consumer Right to Opt Out of Profiling
Pending CCPA Regulatory Action
Pseudonymous Data Exempt from Consumer Requests
No
Appeal Rights
No
Universal Opt-Out Mechanism Required Recognition/Date
Yes (January 1, 2023)
Data of Minors
Opt-in consent required to "sell" or "share" personal information of minors under age 16
GLBA Exemption
Yes (data-specific)
HIPAA Exemption
Yes (data-specific)
Employer-Related Exemption
-
Nonprofit Exemption
No
Private Right of Action
Yes (limited to certain violations)
Cure Period
Expired
Cure Period Expiration
January 1, 2023
Enforcement Authority/Damages
California Privacy Protection Agency & Attorney General, up to $2,500 per violation and $7,500 per willful violation