New Privacy Rules in California and What it Means

In January 2020 California’s Consumer Privacy Act (CCPA) took effect. This legislation is considered to be the broadest privacy law in the U.S., protecting the privacy rights and personal data of California residents. The law broadly defines personal information to include a user’s name, address, phone number, biometric data such as fingerprints, online cookies and browsing history, IP addresses, mobile ad IDs (MAIDs), geolocation data, device identifiers, and other interactions with ads, websites, or apps.

This year, California has doubled down on its commitment to personal privacy through the passage of the California Privacy Rights Act (CPRA), which takes effect on January 1, 2023. Building on the CCPA, the new legislation expands the definition of sensitive personal information to include social security and driver’s license numbers, passports, religion, race, union membership, personal correspondence, and information regarding one’s sexual orientation or activity. It also enables consumers to limit advertisers’ tracking of their geolocation, provides greater protections for minors, and expands consumers’ legal rights. To ensure enforcement, it also creates a new enforcement agency, the California Privacy Protection Agency.

What does this mean?

Despite the Act’s title and its origin as California legislation, these privacy laws affect employers and employees nationwide. Much like Colorado’s Equal Pay for Equal Work Act, they protect California residents regardless of where the employer is located. If you qualify as a legal resident of California, you are protected under the CCPA today (and the CPRA in the near future), and your employer must be fully compliant in its handling of your personally identifiable information.

Currently the CCPA applies to businesses that meet any one of the following criteria:

  • Has gross annual revenue of more than $25 million from anywhere in the world, not just California
  • Annually receives, buys, sells, or shares for commercial purposes the personal information of 50,000 or more California residents
  • Derives 50 percent or more of its annual revenue from selling personal information

Data Minimization

One of the most important requirements for businesses subject to the CPRA is data minimization. This was never a specific requirement under pre-existing California law, including the CCPA. The CPRA states that a business should only collect and use a consumer’s personal information to the extent “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.” Determining how much information is “necessary” will be difficult. The CPRA also prohibits a covered business from holding onto personal information “for longer than is reasonably necessary” for the purpose for which it was collected. There is no one-size-fits-all answer for some of these regulations; they will be dealt with case by case. nextSource is determined to keep you posted on major business updates like this one as well as many others. Make sure to follow our Associate Edition of Working Knowledge to see more updates.