California: Privacy and Data Protection-related Laws
California has among the nation’s strongest data privacy laws. See here for a list of important privacy and data-protection laws, not limited to digital data. Refer to this source (and search for “California”) to find detailed discussion of the most important digital privacy legislation in California. The most important laws are summarized below. Companies hoping to comply to these laws should read them in full.
California Online Privacy Protection Act
(California Business and Professions Code section 22575, In effect July 1, 2004)
- Mandates the publishing of a privacy policy for all online companies that collect company data. States that “An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site.”
- The privacy policy is required to identify the categories of personally identifiable information that the operator collects and who the operator may share that information with.
- The privacy policy has other requirements which are laid out in the text of the law.
“The term “personally identifiable information” means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:
- A first and last name.
- A home or other physical address, including street name and name of a city or town.
- An e-mail address.
- A telephone number.
- A social security number.
- Any other identifier that permits the physical or online contacting of a specific individual.
- Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.
Electronic Communications Privacy Act
(CalECPA- California Penal Code section 1546, Approved Oct 8, 2015)
- Prevents any state law enforcement agency from compelling a business to turn over any metadata or digital communication without a warrant.
California Security Breach Notification Law
(California Civil Code sections 1798.29 and 1798.82, Approved Sept 25, 2002)
- “This bill… requires a state agency, or a person or business that conducts business in California that owns or licenses computerized data that includes personal information… to disclose in specified ways, any breach of the security of the data… to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
The California Shine the Light Law
(California Civil Code §§1798.83 to 1798.84, Approved September 24, 2003)
Allows California consumers to request from companies operating in California how their personal information is shared for marketing purposes.
- In response to a customer request, a business must provide, a list of the categories of personal information disclosed to other companies for their marketing purposes during the preceding calendar year, and a list of names and entities who received this personal information.
- A customer must display prominently a statement of customer privacy rights on its website, detailing a customer’s rights to privacy as per this act, as well as display a mailing address, email address, toll-free telephone number, or fax number that a customer can reach the company at to request this information.
- The information that is given to the customer need not provide information associated with specific individuals.
- Businesses with fewer than 20 employees are exempt from this law.
Sources: