Miller Nash, Polsinelli & Lathrop GPM
The following law(s) specifically govern personal data / information:
N/A
The key data protection principles in this jurisdiction are:
Comprehensive consumer privacy law requiring transparency and consumer data control. California has some of the strongest data protection and consumer rights standards among the states.
Maintain reasonable security practices to protect personal information from unauthorized access, disclosure, and use.
The supervisory authority / regulator in charge of data protection is:
California Attorney General; California Privacy Protection Agency
Is there a requirement to register with a supervisory authority / regulator?
Yes (Cal. Civ. Code § 1798.99.80): California requires data brokers to register with the California Attorney General
A registration fee is due to support the California AG in establishing and maintaining a publicly available data broker informational website.
Is it possible to register with / notify the supervisory authority / regulator online?
https://oag.ca.gov/data-broker/register
Is there a requirement to notify the supervisory authority / regulator?
N/A
The key data subject rights under the data protection laws of this jurisdiction are:
California Consumer Privacy Act (CCPA) (Cal. Civ. Code § 1798.100)
- Information and access rights
- Data portability rights
- Deletion rights
- Personal information sales prevention rights (sale opt-out and opt-in rights)
- Non-discrimination rights
- Amended by the CPRA (see below)
California Online Privacy Protection Act (CalOPPA) (Cal. Bus & Prof. Code § 22575)
- Requires operators of commercial websites and online services that collect California residents’ “personally identifiable information” to conspicuously post their privacy policies.
- CalOPPA requires specific pieces of information to be included in a company’s privacy policy. (See Cal. Bus. & Prof. Code § 22575(b)(1) to (4).)
Privacy Rights for California Minors in the Digital World Act (Eraser Law) (Cal. Bus. & Prof. Code § 22580)
- Grants California minors the right to remove online content.
- Restricts ability to advertise to minors
- More restrictive than the federal Children’s Online Privacy Protection Act (U.S. federal law) – applies to minors under the age of 18.
Student Online Personal Information Protection Act (SOPIPA) (Cal. Bus. & Prof. Code § 22584).
- SOPIPA prohibits:
- Knowingly engaging in targeted advertising to students and parents/guardians
- Using covered information to create student profiles
- Selling or disclosing covered information
California’s Anti-Spam Law (Cal. Bus. & Prof. Code § 17529.5(a)).
- Regulates robocalls, junk faxes, and text messages.
- Applies to commercial email advertisements from California or to California email addresses
- Prohibits all commercial emails unless either:
- The sender has a pre-existing business relationship with the recipient.
- The recipient has directly consented to receiving such emails.
Song-Beverly Credit Card Act (Song Beverly) (Cal. Civ. Code § 1747.08).
- Regulates credit cards and related transactions.
- Prohibits merchants from requesting or requiring personal identification information as a condition to accepting a credit card as payment.
California Consumer Reporting Agencies Act (CCRAA) (Cal. Civ. Code § 1785.10).
- Provides consumer rights regarding access, use, and correction of credit reports for purposes of determining creditworthiness.
California Fair Debt Collection Practices Act (CFDCPA) (Cal. Civ. Code § 1788).
- The statute prohibits numerous deceptive, dishonest, unfair and unreasonable debt collection practices by debt collectors, and it also regulates the form and content of communications by collectors to debtors and others.
Financial Information Privacy Act (FIPA) (Cal. Fin. Code § 4050).
- Requires financial institutions to give consumers the right to opt-out before sharing their Personally Identifiable Non-public Information.
California’s Insurance Information and Privacy Protection Act (IIPPA) (Cal. Ins. Code § 791).
- Generally prohibits disclosure of personal information collected or received in connection with an insurance transaction.
Data Breach Notification Law (Cal. Civ. Code § 1798.29).
- Requires organizations to notify affected individuals of any unauthorized acquisition of unencrypted computerized data that contains a California residents’ personal information.
Confidentiality of Medical Information Act (CMIA) (Cal. Civ. Code § 56)
- Addresses the privacy and security of health information regarding California residents.
California Constitution (Article 1, Section 1)
- Provides individuals with a constitutionally protected right to privacy that can be enforced against private employers.
Shine the Light law (Cal. Civ. Code § 1798.83)
- Requires businesses to provide customers with information regarding how their personal information is shared for marketing purposes.
California Invasion of Privacy Act (CIPA) (Cal. Penal Code § 630).
- Restricts recording or listening to private electronic communications.
California Data Protection Act (CDPA) (Cal. Civ. Code § 1798.81.5).
- Requires covered businesses to:
- Implement and maintain reasonable security procedures and practices appropriate to the nature of information.
- Protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Is there a requirement to appoint a data protection officer (or equivalent)?
N/A
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
The CPRA, which comes into effect on January 1, 2023, requires a data processing impact assessment or risk assessment to identify risks associated with the handling of personal information.
Does this jurisdiction have any specific data breach notification requirements?
Yes; a breach under California law is an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the entity.
personal information means:
- An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted (meaning rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security):
- Social Security number;
- Driver’s license number or state identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual;
- Account number, credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
- Medical information (any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional);
- Health insurance information (an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records);
- Information or data collected through the use or operation of an automated license plate recognition system (a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data); or
- Biometric data generated from measurements or technical analysis of human body characteristics (e.g., fingerprint, retina, or iris image) used to authenticate a specific individual.
- User name or email address, in combination with a password or security question and answer that would permit access to an online account.
Affected individuals must be notified in the most expedient time possible and without undue delay.
If an entity is required to notify more than 500 California residents, the entity shall electronically submit a single sample copy of the notification, excluding any personally identifiable information, to the California Attorney General (no specific timeline is set out).
The following restrictions apply to the international transfer of personal data / information:
N/A
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)
Yes:
CCPA (Cal. Civ. Code § 1798.140(c)(1) – applies to any entity that:
- Collects a California consumer’s personal information and determines the purposes and means of processing; AND
- Does business in CA and meets one of the following thresholds:
- Annual gross revenue that exceeds $25 million
- Annually buys, receives, shares, or sells the personal information of more than 50,000 California consumers, households, or devices for commercial purposes; or
- Derive 50% or more of annual revenues from selling California consumers’ personal information.
The following rules specifically deal with marketing:
California Shine the Light (Cal. Civ. Code §§ 1798.83)
- Requires certain businesses to provide customers with information regarding how their personal information is shared for marketing purposes.
California’s Anti-Spam Law (Cal. Bus. & Prof. Code § 17529.5(a).
- California’s anti-spam law bans most unsolicited commercial email advertisements to or from California email addresses.
The Eraser Law (Cal. Bus. & Prof. Code 22580)
- The law places restrictions on advertising to minors. It prohibits website and online service operators from using a minor’s personal information, or allowing a third party to use a minor’s personal information, to market or advertise prohibited items.
Do different rules apply to business-to-business and business-to-consumer marketing?
Yes. Under both CCPA and CPRA, personal information collected by a business about an individual consumer, when the consumer is acting on behalf of their employer in the context of providing or receiving a product or services to or from the business, is exempt from many obligations under CCPA and CPRA. This business to business exemption applies until January 1, 2023.
The following rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
California’s Anti-Spam Law (Cal. Bus. & Prof. Code § 17538.41)
- California’s anti-spam law bans most unsolicited commercial email advertisements to or from California email addresses.
Cal. Bus. & Prof. Code § 17538.41
- California law generally prohibits text message advertisements to a California resident’s mobile telephone number.
Cal. Bus. & Prof. Code § 17538.43
- California’s junk fax law prohibits fax advertisements without prior express consent.
The following rules specifically deal with cookies:
Cookies are personal information under the CCPA, and collection of cookies must be disclosed in privacy notices. There is also a concern that enabling certain third party cookies (for example cookies used for targeted advertising) on a business’s website could be considered a ‘sale’ of ersonal information under the CCPA, in connection with which a consumer must be provided the opportunity to opt out.
The consequences of non compliance with data protections laws (including marketing laws) are:
CCPA
- (Cal. Civ. Code § 1798.155): any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation
- (Cal. Civ. Code § 1798.150(a)): a consumer whose nonencrypted or nonredacted personal information is subject to a breach resulting from the business’ violation of the duty to implement and maintain reasonable security procedures and practices may institute a civil action (private right of action) for any of the following:
- Damages in an amount between $100 and $750 per consumer per incident or actual damages, whichever is greater;
- Injunctive or declaratory relief
- Any other relief the court deems proper.
CalOPPA:
- (Cal. Civ. Code 1798.99.1): in an action brought by a public prosecutor, a business or person that violates this section shall be subject to a civil penalty not exceeding $7500 for each violation.
Eraser Law
- Enforced under California’s Unfair Competition Law, which provides for a civil penalty of up to $2,500 per violation.
- Allows for private right of action.
SOPIPA
- Enforced under California’s Unfair Competition Law, which provides for a civil penalty of up to $2,500 per violation.
- Allows for private right of action.
California’s Anti-Spam Law
- (Cal. Bus. & Prof. Code § 17529.5): Provides for liquidated damages of $100 per email or max of $100,000 per incident, but applies only to deceptive subject line headings or materially false or misleading header information; otherwise, the federal CAN-SPAM Act preempts.
Song Beverly
- (Cal, Civ. Code 1747.08(e)): any person who violates this section shall be subject to a civil penalty not to exceed $250 for the first violation and $1,000 for each subsequent violation, to be assessed and collected in a civil action brought by the person paying with a credit card, by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred. However, no civil penalty shall be assessed for a violation of this section if the defendant shows by a preponderance of the evidence that the violation was not intentional and resulted from a bona fide error made notwithstanding the defendant's maintenance of procedures reasonably adopted to avoid that error.
CCRAA
- (Cal. Civ Code § 1785.19(a)): in addition to any other remedy provided by law, a consumer may bring an action for a civil penalty, not to exceed $2,500.
CFDCPA
- (Cal. Civ. Code § 1788.30(b)): any debt collector who willfully and knowingly violates this title with respect to any debtor shall, in addition to actual damages sustained by the debtor as a result of the violation, also be liable to the debtor only in an individual action, and his additional liability therein to that debtor shall be for a penalty in such amount as the court may allow, which shall not be less than $100 nor greater than $1,000.
FIPA
- (Cal. Fin. Code § 4057(a)): an entity that negligently discloses or shares non-public personal information in violation of this division shall be liable, irrespective of the amount of damages suffered by the consumer as a result of that violation, for a civil penalty not to exceed $2,500 per violation. However, if the disclosure or sharing results in the release of non-public personal information of more than one individual, the total civil penalty awarded pursuant to this subdivision shall not exceed $500,000.
- (Cal. Fin. Code § 4057(b)): an entity that knowingly and willfully obtains, discloses, shares, or uses non-public personal information in violation of this division shall be liable for a civil penalty not to exceed $2,500 per individual violation, irrespective of the amount of damages suffered by the consumer as a result of that violation.
IIPPA
- (Cal. Ins. Code § 791.22): any person who knowingly and willfully obtains information about an individual from an insurance institution, agent or insurance-support organization under false pretenses shall be fined not more than $10,000 or imprisoned for not more than one year, or both.
Data Breach Notification Law
- Private Right of Action. Any customer injured by a violation of this title may institute a civil action to recover damages.
- Any business that violates, proposes to violate, or has violated this title may be enjoined.
CMIA
- (Cal. Civ. Code § 56.35): in addition to any other remedies available at law, a patient whose medical information has been used or disclosed in violation of Section 56.10 or 56.104 or 56.20 or subdivision (a) of Section 56.26 and who has sustained economic loss or personal injury therefrom may recover compensatory damages, punitive damages not to exceed $3,000, attorneys' fees not to exceed $1,000, and the costs of litigation.
Cal. Health & Safety Code § 1280.15
- The California Department of Health Services may impose the following penalties against covered entities that violate California’s medical information statute:
- $25,000 per patient whose information was unlawfully or without authorization accessed, used, or disclosed; and
- Up to $17,500 for each later occurrence.
Shine the Light
- (Cal. Civ. Code § 1798.84): covered companies that fail to provide their customers with the requisite disclosures mandated by the statute face civil penalties of $500 (or $3,000 if the violation of the statute is willful) in each instance a customer request was made and the company did not adequately respond, provided that there is a limit of one violation per customer per year.
CIPA
- Criminal and civil liability
- (Cal. Penal Code § 631(a): fines up to $2,500 or imprisonment not exceeding one year.
- (Cal. Penal Code § 637.2): individuals harmed can bring an action for the greater of $5,000 or triple the amount of actual damages.
CDPA
- (Cal. Civ. Code 1798.84(b)): any customer injured by violation of this title may institute a civil action to recover damages.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
California has some of the strongest state law data protections in the US reflected in numerous laws, and these laws apply to companies outside California that process personal information of California consumers.
Multinational organisations should be aware of the following upcoming data protection developments:
California Privacy Rights Act (CPRA)
- The CPRA takes effect January 1, 2023, and it expands upon the rights granted under the CCPA.
- Additional rights included:
- Right to correct inaccurate personal pnformation.
- Right to opt-out of personal Information shared for cross-contextual behavioral advertising purposes.
- Right to restrict the use and disclosure of “sensitive personal information.”
- Obligation to undertake privacy impact assessments and cybersecurity audits for high risk processing activities.