California has a long history of protecting privacy rights. Article I, Section 1, of the California Constitution expressly provides a right of privacy. Recently, the focus has been on compliance with the California Consumer Privacy Act (CCPA), which provides a complex set of compliance issues, particularly for companies that employ California residents.
Quick Hits
- California laws protect consumers’ privacy rights regarding, among other things, financial and medical data, website usage, and telephone conversations. They also require businesses to eventually dispose of customer records containing personal information.
- Businesses are required to implement security procedures and practices with respect to personal information about California residents.
- Businesses with operations in California are required to disclose data breaches to California customers.
In addition to the CCPA, the California Constitution and state statutory law provide for a number of privacy rights and protections. More lawsuits have been popping up recently based on alleged privacy violations. Below is a summary of some key privacy laws that companies need to be aware of in order to navigate the California privacy landscape. This is not an exhaustive list; for example, there are numerous industry-specific privacy laws—such as those applicable to insurance companies, telecommunications companies, and state agencies—and there are other state law adoptions of federal law standards (such as background checks) that are not listed below.
California Constitutional Privacy Rights (Cal. Const., Art. I, § 1)
The California Constitution enshrines the right to privacy as an inalienable right of all individuals, and that right is enforceable through a private right of action. To prevail in a privacy lawsuit, a plaintiff must demonstrate a legally protected privacy interest, a reasonable expectation of privacy in the circumstances, and conduct by the defendant constituting a serious invasion of privacy.
California Online Privacy Protection Act of 2003 (Cal. Bus. & Prof. Code §§ 22575–22579)
The California Online Privacy Protection Act (CalOPPA) addresses the privacy notice disclosure obligations of an operator of a commercial website or online service (collectively, “website”) that gathers personally identifiable information from California residents, regardless of where the operator itself is located. A website operator that collects personally identifiable information of California residents through the internet is required to “conspicuously post its privacy policy” on its website. The term “personally identifiable information” means “individually identifiable information about an individual consumer collected online by the operator” from that individual “and maintained by the operator in an accessible form.” The website operator’s privacy policy must outline what personally identifiable information is collected, with whom it may be shared, and how consumers can review and request changes to their information. Additionally, the policy must describe how the website responds to web browser “do not track” signals and whether third parties may collect personally identifiable information about an individual’s online activities over time and across different websites.
Among other things, the California Legislature intended for this law to require each website operator to provide California resident consumers who use or visit the website with notice of its privacy policies, thus improving the knowledge these individuals have as to whether personally identifiable information obtained by the website may be disclosed, sold, or shared.
California Invasion of Privacy Act (Cal. Penal Code §§ 630–638.55)
The California Invasion of Privacy Act (CIPA) replaced earlier law that permitted the recording of telephone conversations with the consent of only one party to the conversation. In 2002, in Flanagan v. Flanagan, the California Supreme Court clarified that the purpose of the law was to provide privacy protections “by, among other things, requiring that all parties consent to a recording of their conversation.” Citing Flanagan, the California Court of Appeal, Fourth District, stated in 2011 that CIPA prohibits recording or monitoring done without consent, “regardless of the content of the conversation or the purpose of the monitoring, and is intended to protect rights separate and distinct from the right to prevent the disclosure of improperly obtained private information.”
Under CIPA, the following conduct is prohibited:
- “[I]ntentionally tap[ping], or mak[ing] any unauthorized connection … with any telegraph or telephone wire, line, cable, or instrument, including … any internal telephonic communication system” (Penal Code § 631). Section 632 separately prohibits using an electronic amplifying or recording device to eavesdrop upon or record a confidential communication without the consent of all parties, which extends the all-party consent rule beyond wiretaps to recording devices generally.
- “[W]illfully and without the consent of all parties to the communication, or in any unauthorized manner, read[ing], or attempt[ing] to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit.”
- “[U]s[ing], or attempt[ing] to use … or to communicate in any way, any information [collected in violation of this law], or aid[ing], agree[ing] with, employ[ing], or conspir[ing] with any person or persons to unlawfully do, or permit, or cause to be done any of the acts” described in this law.
Violations of CIPA are punishable by a fine not exceeding $2,500 or by imprisonment in the county jail not exceeding one year, or both. CIPA also authorizes a private civil action for the greater of $5,000 per violation or three times actual damages (Penal Code § 637.2), and because that statutory amount is available without proof of actual harm, subject to traditional principles of standing, CIPA is a desirable target for plaintiffs. As a result, CIPA litigation surrounding the use of online web tracking technology has been soaring in recent years. Ogletree Deakins will follow up soon with a more in-depth summary and update on CIPA litigation.
California Financial Information Privacy Act (Cal. Fin. Code §§ 4050–4060)
The purpose of the California Financial Information Privacy Act (CFIPA) is to require financial institutions to provide their consumers notice and meaningful choice about how their nonpublic personal information is shared or sold by their financial institutions. “Nonpublic personal information” means “personally identifiable financial information (1) provided by a consumer to a financial institution, (2) resulting from any transaction with the consumer or any service performed for the consumer, or (3) otherwise obtained by the financial institution.”
Subject to some exceptions, CFIPA restricts financial institutions from disclosing nonpublic personal information to nonaffiliated third parties without the consumer’s explicit prior consent. For sharing information with affiliates, CFIPA requires financial institutions to notify consumers annually in writing and allow them the option to opt out of such information sharing. Importantly, CFIPA outlines specific scenarios where consumer consent is not required for the disclosure of personal information, such as circumstances necessary for completing transactions requested by the consumer, maintaining or servicing accounts, complying with legal and regulatory requirements, preventing fraud, and several other specified activities. Financial institutions are also required to adopt measures ensuring the confidentiality of consumer information when engaging in these exempted disclosures. Moreover, financial institutions must adhere to strict consent procedures before sharing nonpublic personal information with nonaffiliated third parties. This includes obtaining written consent from consumers through a clear and conspicuous form that details the nature of the consent and informs consumers of their rights, including the ability to revoke consent at any time.
Confidentiality of Medical Information Act (Cal. Civil Code §§ 56–56.37)
The Confidentiality of Medical Information Act (CMIA) establishes strict guidelines to protect the confidentiality of individuals’ medical information, and it supplements federal protections under the Health Insurance Portability and Accountability Act (HIPAA) by providing additional requirements for the handling of medical information by health care providers, health care service plans, pharmaceutical companies, and contractors in California. Under the CMIA, “medical information” is defined broadly to include “any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor.” This encompasses a patient’s medical history, mental or physical condition, or treatment details, along with any personal identifying information sufficient to allow identification of the individual. Unauthorized disclosure of medical information is prohibited unless explicit authorization is obtained, except in specified circumstances such as legal proceedings, administrative investigations, and efforts to diagnose or treat the patient, among other exceptions.
Among other remedies, the CMIA provides for an award of $1,000 in nominal damages to a patient if the health care provider negligently releases medical information or records in violation of the act. Furthermore, entities that knowingly and willfully obtain, disclose, or use medical information in violation of the CMIA may be subject to an administrative fine of up to $2,500 per violation. No breach of confidentiality takes place until an unauthorized person views the medical information. It is the medical information, not the physical record (whether in electronic, paper, or other form), that is the focus of the act.
Customer Records (Cal. Civil Code §§ 1798.80–1798.84)
California’s customer records law under Civil Code §§ 1798.80–1798.84 requires that a business “take all reasonable steps to dispose, or arrange for the disposal, of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.” “Personal information” is defined as “any information that identifies, relates to, describes, or is capable of being associated with, a particular individual.”
Security Procedures and Practices
Businesses are required to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, [and] to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” The law provides a detailed discussion of what constitutes personal information, which includes an “individual’s first name or first initial and last name” in combination with such things as a Social Security number, driver’s license number, or California identification number, or medical information and account information, along with several other categories.
Disclosure Requirements After Breaches
The customer records statute also requires providing notification of data breaches to affected individuals, in addition to notifying the California attorney general, where notification is provided to more than 500 California residents. A “data breach” is defined as unauthorized acquisition of either (i) unencrypted personal information or (ii) encrypted personal information with the encryption key or security credential. The statute furthermore requires notification “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement … or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” If the entity experiencing a breach does not own the data at issue (such as in the case of a service provider), it must notify the data owner or licensee “immediately.” Importantly, the acquisition of personal information in good faith by an employee or agent of the entity for the entity’s purposes does not constitute a breach, provided the “information is not used or subject to further unauthorized disclosure.” The law also mandates very specific notice content requirements. If Social Security numbers or government identification numbers are compromised, businesses are required to provide affected individuals with an offer for free identity theft prevention and mitigation services for a period of at least twelve months.
Digital Privacy Rights for Minors (Cal. Bus. & Prof. Code §§ 22580–22582)
The Privacy Rights for California Minors in the Digital World Act, enacted in 2013, addresses the unique privacy challenges faced by children in the online environment. This law prohibits operators of websites, online services, applications, or mobile apps directed at minors from engaging in certain advertising practices, such as promoting tobacco, alcohol, or firearms to minors. The law defines a minor as any natural person under eighteen years of age residing in California and specifies what constitutes an online platform directed at minors. It also outlines the obligations of operators regarding the use and disclosure of minors’ personal information, especially in the context of marketing and advertising.
Key provisions of the Privacy Rights for California Minors in the Digital World Act include:
- Advertising restrictions. Operators of online platforms catering to minors are prohibited from advertising certain products that may be harmful or inappropriate for children.
- Content removal. Section 22581 requires an operator to permit a minor who is a registered user of the service to remove, or to request and obtain removal of, content or information the minor posted, and to give the minor notice of that option and of how to exercise it.
While the Privacy Rights for California Minors in the Digital World Act lacks express enforcement provisions, violations may be addressed through California’s Unfair Competition Law, underscoring the state’s commitment to protecting children’s online privacy.
Student Online Personal Information Protection Act (Cal. Bus. & Prof. Code §§ 22584–22585)
Enacted in 2014, the Student Online Personal Information Protection Act (SOPIPA) aims to safeguard the privacy of K-12 students’ personal information collected and maintained by online platforms used for educational purposes. Businesses providing services to K-12 students, including those involved in educational technology and services beyond California but serving California students, must comply with SOPIPA’s requirements. The law prohibits operators of such websites or services from using students’ personally identifiable information for targeted advertising or creating profiles for commercial purposes.
Key provisions of SOPIPA include:
- Prohibition on targeted advertising. SOPIPA prohibits the use of students’ personal information for targeted advertising or creating user profiles for noneducational commercial purposes. This means operators cannot use the data collected from K-12 students to direct specific advertisements to them based on their online behavior or information gathered through educational services.
- Restrictions on data sharing. The law restricts how student data can be shared with third parties. Operators are barred from selling student information and are only allowed to disclose data under specific circumstances that further educational purposes, ensuring a higher degree of privacy for students.
- Information protected. SOPIPA safeguards “Covered Information,” which includes a broad range of personally identifiable information provided by students or collected by operators through educational services. This encompasses educational records, biometric data, contact information, disciplinary records, test results, and more, ensuring comprehensive protection of students’ data.
- Security and deletion requirements. Operators must implement reasonable security measures to protect students’ information from unauthorized access and other threats. Additionally, they are required to delete covered information upon request from the school or district, providing a mechanism for the removal of student data from online platforms when no longer needed.
While SOPIPA does not have explicit enforcement provisions, violations may be enforced through California’s Unfair Competition Law.
California Age-Appropriate Design Code Act (Cal. Civ. Code §§ 1798.99.28–1798.99.40)
California recently passed the California Age-Appropriate Design Code Act, marking a significant development in state law privacy protections for minors’ data that is set to take effect on July 1, 2024. Under the act, any business providing online services likely to be accessed by children under eighteen years of age faces affirmative requirements and prohibitions on certain data practices. Inspired by the United Kingdom’s Age-Appropriate Design Code, the act imposes burdensome obligations, including the completion of data protection impact assessments (DPIA), implementation of privacy protective default settings, and adherence to age-tailored transparency requirements. The broad language of the act presents challenges for designing compliance programs, with uncertainty surrounding potential regulatory guidance from the California attorney general.
Notably, in September 2023, the U.S. District Court for the Northern District of California entered a preliminary injunction in NetChoice, LLC v. Bonta, No. 22-cv-08861, blocking the law from taking effect. The California attorney general has appealed that decision, and the appeal remains pending before the Ninth Circuit Court of Appeals. Ogletree Deakins will continue to monitor that appeal for updates.
If the law is allowed to take effect following an appeal, key provisions of the act include age estimation measures, requiring businesses to assess whether their services, products, or features are “likely to be accessed by children,” and to implement age-gating or data collection limits for age estimation purposes. DPIAs are mandated for new online services likely to be accessed by children, with businesses required to identify risks of material detriment to children and develop mitigation plans. Additionally, default privacy settings must offer a high level of privacy, and transparency requirements must be tailored to the age of the children accessing the service.
Enforcement of the act will be overseen by the California attorney general, with violators facing injunctions and civil penalties of up to $7,500 per affected child for intentional violations. While the act prohibits a private right of action, businesses may want to consider proactively addressing compliance to avoid regulatory scrutiny and potential penalties. The act’s emphasis on protecting children’s physical and mental well-being underscores the importance of responsible data practices in the online environment, setting a precedent for children’s privacy protection nationwide and a likely model for other states to follow.
Data Broker Registration (Cal. Civ. Code §§ 1798.99.80–1798.99.89)
Effective January 1, 2020, the data broker registration law requires data brokers to register with the California attorney general and disclose pertinent information about their business practices. A “data broker,” as defined by the law, refers to “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” In October 2023, Governor Gavin Newsom signed into law Senate Bill (S.B.) 362, the Delete Act, which overhauled the data broker law to include more detailed registration and reporting requirements, expansion of metrics related to consumer rights requests, and the creation of a new consumer deletion mechanism that the California Privacy Protection Agency (CPPA) must establish by January 1, 2026. Beginning August 1, 2026, data brokers must access that mechanism and process all pending deletion requests at least once every forty-five days, and direct their contractors and service providers to also delete such information, among other requirements. Following passage of the Delete Act, the CPPA is now responsible for registrations rather than the California attorney general, and the CPPA will maintain a publicly accessible website to publish information provided by data brokers.
Failure to register as a data broker incurs penalties, including civil fines and injunctions. The penalties include $200 for each day that a broker fails to register with the CPPA, and an administrative fine of $200 per deletion request every day that a broker fails to delete personal information where required.
Ogletree Deakins’ Cybersecurity and Privacy Practice Group will continue to monitor developments and will publish updates on the California and Cybersecurity and Privacy blogs as additional information becomes available.