California privacy laws Flashcards
California Online Privacy Protection Act (CALOPPA)
website operators must conspicuously post privacy policies on their websites and mobile apps
California Data breach notification law
1st state generally applicable data breach notification law
entity that owns or licenses PI of CA resident must make required disclosures if PI is accessed or reasonably believed to have been accessed by unauthorized person
state data security law
1st statewide data security laws
applies to
- any entity that does business in CA
- any entity that owns, licenses, or maintains PI of CA resident
doesn’t apply to
- organizations subject to HIPAA and other CA laws that impose security standards already
state data security law requirements
- must implement and maintain reasonable security procedures and practices appropriate for nature of info
- must protect PI from unauthorized access, destruction, use, modification or disclosure
- must take reasonable steps to dispose of customer records within its custody or control that contain PI
California Consumer Privacy Act (CCPA)
1st comprehensive data protection law in US
came into effect in 2020
California Privacy Rights Act (CPRA)
came into effect in 2023, with lookback period to 2022
significantly expands upon privacy protections set forth in CCPA
CCPA applies to
- any business doing business in state of CA that is
  - for profit
  - collects consumer PI
  - any one of the following:
    - has more than 25 million in annual revenue
    - buys, sells, or shares PI of at least 50,000 people, households, or devices
    - derives at least 50% of its revenue from sale or sharing of PI
CCPA consumer rights
- notice on how data is used prior to collection
- access to categories of PI collected, sources, purpose, and disclosure
- deletion if requested (includes data processors and anyone the controller sold data to)
- amend
- opt out
- limit use and disclosure of sensitive PI
- no discrimination against them for exercising rights
45 day period to respond to consumer rights request
California Privacy Protection Agency (CPPA)
de facto leading privacy regulator in US
executive member + 5 member board consisting of
- chairperson and 1 member appointed by governor
- 1 member appointed by CA AG
- 1 member appointed by CA senate rules committee
- 1 member appointed by speaker of CA assembly
term - no longer than 8 consecutive years
termination - after leaving, members are prohibited from
1. accepting employment by entity subject to enforcement action under CCPA for 1 year
2. representing an entity or person in matters before the board for 2 years
CPPA role
oversee admin and enforcement of CCPA (as amended by CPRA)
California Age Appropriate Design Code Act (AADC)
effective July 1, 2024
applies to
1. businesses doing business in state of CA
2. children (18 and under)
AADC prohibition
business providing online services likely to be accessed by children may not
1. engage in various ad tactics directed at children detrimental to their overall health
2. profile children for targeted ad purposes
3. use dark patterns to encourage children to disclose PI
AADC requirement
must complete data protection impact assessment (DPIA) for new services and products directed at children
DPIA must
- be readily available
- be provided to CA AG within 5 days of written request
AADC enforcement
CA attorney general
no private cause of action
California Electronic Communications Privacy Act
passed in 2015
prohibits any CA government entity or officer from searching individuals' phone/online accounts without
- court order
- consent
- emergency
info obtained in violation of law is subject to suppression during trial or underlying criminal matter