Who is affected by California data privacy laws?
Both consumers and companies doing business in California are affected by the state’s data privacy laws. Currently, businesses, service providers, and third parties (a third party is any legal entity which does not meet the definition of “service provider” but receives personal information from a business) must comply with these laws.
Beginning in January 2023, the law will also apply to contractors, a separately defined group that is distinct from service providers. Contractors will be required to provide a certification that they understand California privacy restrictions and requirements and will comply with them.
California privacy laws define a “business” as a for-profit legal entity which:
- Collects consumers’ personal information, whether directly from consumers or indirectly;
- Either alone or jointly determines the purposes and means of data processing;
- Does business in California; and
- Meets one or more of the following thresholds:
  - Annual gross revenue over $25 million;
  - Annually buys, receives, sells, or shares personal information for 50,000 or more consumers, devices, or households (this threshold increases to 100,000 in 2023); or
  - Derives half or more of its revenue from selling personal consumer information (or 50% of its revenue from the sharing or selling of personal information starting in 2023).
If you or your business meet these requirements, you’re expected to have a compliant privacy notice. Penalties include civil penalties, damages, non-monetary relief, and injunctions from the California Privacy Protection Agency, which has taken over enforcement from the Attorney General.
How to comply with the CCPA and CPRA
The CCPA is the California Consumer Privacy Act, which went into effect in 2020. This privacy law provides consumers:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
The California Privacy Rights Act (CPRA) amends the CCPA and goes into effect on January 1, 2023. It includes additional privacy protections for consumers, with a look-back to January 2022. Consumers now have additional privacy rights, including:
- The right to opt out of the sharing of their personal information for the purpose of targeted advertising;
- The right to have their personal information ported;
- The right to correct inaccurate personal information; and
- The right to limit the use and disclosure of their personal information.
Businesses, service providers, third parties, and contractors who collect, store, and process consumer data in California need to amend their privacy policies and notices. Keep in mind that your notices must include the additional rights provided by the CPRA starting on January 1, 2023.
Our software pairs technology with real legal expertise, so you’ll get a compliant policy in record time. Simply answer a series of questions, download the generated document, and have your lawyer review. It’s the easiest way to ensure compliance and avoid incurring hefty penalties.