U.S. Consumer Data Privacy Law Guide: California

This state-specific guide covers data privacy law, rules, and regulations that professionals and clients often encounter or have questions about in California.

Last updated: January 2025

Please note this is a highlighted overview and not a complete overview of privacy laws for this state. If you would like a complete review of this state's privacy laws or a multi-state privacy compliance cheat sheet on specific topics, please contact Vivien Peaden at vpeaden@bakerdonelson.com.

Disclaimer: These materials do not constitute legal advice and should not be substituted for the advice of legal counsel.

The California Consumer Privacy Act of 2018 (CCPA), as amended by The California Privacy Rights Act of 2020 (CPRA)

Effective Date: The California Consumer Privacy Act of 2018 (CCPA) took effect on January 1, 2020, and was subsequently amended by the California Privacy Rights Act of 2020 (CPRA), which entered into force on January 1, 2023. The CCPA, CPRA, and their implementing regulations are collectively referred to as "California Privacy Laws."

1. Applicability Thresholds:

Subject to certain entity-level and data-level exemptions, the California Privacy Laws primarily regulate a "Business," which is defined as a for-profit legal entity that, directly or through its Service Provider or agent, collects personal information of California residents (consumers) and satisfies one of the following three criteria:

  • Having $25 million or more in global revenue as of January 1 of the calendar year;
  • Buying, selling, or sharing 100,000+ California consumers' personal information during a calendar year; or
  • Deriving 50 percent of its annual revenues from selling or sharing California consumers' personal information.

2. Key Definitions:

  • Personal Information is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including a unique personal identifier, online identifier, IP address, account name, among others.
     
  • Sales of Personal Information: The California Privacy Laws broadly define the terms "Sale," "Sell," or "Sold" to include the exchange of personal information for not only monetary compensation but also "other valuable consideration," subject to certain exemptions.
     
  • "Sales" of Personal Information includes "sharing" of Personal Information, which refers to sharing, renting, releasing, disclosing, disseminating, making available, transferring,…by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.
     
  • Sensitive Personal Information: The California Privacy Laws require a Business to provide a consumer the right to limit the use of their sensitive personal information. Sensitive personal information includes SSN, identification document, finance-related information, precise geolocation (within a radius of 1850 feet), racial or ethnic origin, religious or philosophical beliefs, union membership, genetic information, biological or neural data, health data, contents of emails (unless the business is the intended recipient), information concerning sex life or sexual orientation, among others.

3. Heightened Protection for Minors Under the Age of 16:

The California Privacy Laws expressly prohibit a Business from selling or sharing the personal information of consumers under 16 years of age unless the Business obtains affirmative prior consent from: (i) the consumer, where the consumer is over the age of 13 and under 16 years of age; or (ii) the consumer's parents or legal guardian, where the consumer is below the age of 13.

4. Business Obligations:

The California Privacy Laws impose additional obligations on persons who, alone or jointly with others, determine the purposes for and means of processing personal information (Business).

Data Processing Agreement (DPA): The California Privacy Laws require a Business to enter into a written agreement with:

  • its service providers or contractors (to which the Business discloses personal information); or
  • a third party to which the Business sells or shares personal information.

Data Protection Assessment: The California Privacy Laws require Businesses whose data processing activities present a significant risk to consumers' privacy or security to conduct data protection assessments. In November 2024, the California Privacy Protection Agency (CPPA) initiated the formal rulemaking process to implement requirements for certain Businesses to conduct risk assessments and annual cybersecurity audits, including for processing activities involving selling or sharing personal information, processing sensitive personal information, and certain high-risk profiling.

Privacy Notice and Notice at Collection: A Business must provide consumers with: (i) a notice given by a Business to a consumer at or before the point at which a Business collects personal information (Notice at Collection); and (ii) a statement describing the Business's online and offline information practices, and the rights of consumers regarding their own personal information (Privacy Notice).

Data Minimization and Purpose Limitation of Data Processing: The California Privacy Laws require a Business to ensure its collection, use, retention, and sharing of personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.

Opt-out Mechanism: The Business must allow consumers to: (i) opt out of the sale or sharing of their personal information via a "Do Not Sell or Share My Personal Information" link; and (ii) limit the Business's use and disclosure of their sensitive personal information via a "Limit the Use of My Sensitive Personal Information" link. The California Privacy Laws require that a Business that sells or shares personal information recognize and process any opt-out preference signal sent by a platform, technology, or mechanism on behalf of the consumer for this purpose.

5. Consumer Rights:

Subject to certain exceptions, a California consumer has the right to:

  • Know what personal information is being collected, what personal information is being sold or shared, and to whom more than twice in a 12‐month period;
  • Correct inaccuracies in the consumer's personal information;
  • Delete personal information provided by, or obtained about, the consumer;
  • Obtain a copy of the personal information of a consumer in a readily usable format that allows the consumer to transmit this information from one entity to another without hindrance (also known as Right to Data Portability); and
  • Opt out of the sale or sharing of personal information (including targeted advertising and profiling) and, if applicable, limit the use and disclosure of sensitive personal information.

A Business shall not discriminate against a consumer for exercising any consumer rights outlined above.

6. Enforcement and Penalties:

Private Right of Action: None

Penalties: Administrative fine of no more than $2,500 for each violation or $7,500 for each intentional violation or violation involving personal information of consumers under 16 years of age.

Cure Period: Optional at the discretion of the CPPA.
