California’s Consumer Privacy Act (CCPA), the state’s privacy legislation, was passed in 2018 and took effect in 2020. It is one of the broadest privacy laws in the U.S. and protects the privacy rights and personal data of California residents.
The CCPA broadly defines personal information to include a user’s name, address, phone number, biometric data such as fingerprints, online cookies and browsing history, IP addresses, mobile ad IDs (MAIDS), geolocation data, device identifiers, or other interactions with ads, websites, or apps.
In 2020, California doubled down on its commitment to personal privacy by passing the California Privacy Rights Act (CPRA), which went into effect this year on January 1, 2023. Building on the 2020 CCPA, the 2023 CPRA expands the definition of sensitive personal information to include social security and driver’s license numbers, passports, religion, race, union membership, personal correspondence, and information regarding one’s sexual orientation or activity.
The 2023 CPRA also enables consumers to limit advertisers’ access to their data and geolocation tracking, provides greater protections for minors, and expands consumers’ legal rights. To ensure enforcement, it also creates a new enforcement agency, the California Privacy Protection Agency (CPPA).
What Does this Mean?
Although these are California laws, they affect employers and employees nationwide. Much like Colorado’s Equal Pay for Equal Work Act, these privacy acts protect California residents regardless of where the employer is located.
If you qualify as a legal resident of California, you are protected under CCPA today (CPRA in the near future), and your employer must be fully compliant in their handling of your personally identifiable information.
These Privacy Rules in California Apply to Any Business That:
- Has a gross annual revenue of more than $25 million from anywhere in the world, not just California
- Annually receives, buys, sells, or shares for commercial purposes the personal information of 50,000 or more California residents
- Derives 50 percent or more of its annual revenue from selling personal information
One of the most important requirements for businesses subject to the CPRA is data minimization. This was never a specific requirement under pre-existing California law, including the CCPA.
The CPRA states that a business should only collect and use a consumer’s personal information to the extent “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.” Determining how much information is “necessary” will be difficult.
The CPRA also prohibits a covered business from retaining personal information “for longer than is reasonably necessary” for the purpose for which it was collected. There is no one-size-fits-all answer for some of these regulations; they will be dealt with case by case.