California Privacy Laws

The Privacy Law Section has compiled the following summary of some of California’s major privacy laws, with links to the statutes. We will update this list, but recommend you independently confirm the status of each statute, as this is a dynamic area of the law.

General and Consumer Privacy

California Constitution

Cal. Const., art. I, § 1

Among other things, the California Constitution states that “[a]ll people are by nature” entitled to a right to privacy.

Enacted: the current section was enacted in 1974, although privacy was added to the state constitution’s list of inalienable rights in 1972.

Enforcement: Private right of action. Hill v. National Collegiate Athletic Assn., 865 P.2d 633, 644, 657 (Cal. 1994), requiring the plaintiff to establish “(1) a legally protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by defendant constituting a serious invasion of privacy.”

California Consumer Privacy Act of 2018

Cal. Civil Code §§ 1798.100–1798.199

Regulations: Cal. Code Regs. tit. 11, §§ 999.300–999.337

Requiring for-profit businesses in California—both online and off—to provide consumers with a notice at collection of the information collected, its uses, and the parties to whom it is disclosed. The Act provides California consumers with the right to access, delete, and opt out of the sale of their personal information, and businesses are required to maintain a privacy policy detailing those rights and the business’s privacy practices. The Act has been amended multiple times since its enactment. Most recently, AB 713 amended the Act to align its exception for deidentified health information with the federal Health Insurance Portability and Accountability Act, effective January 1, 2021; AB 1281 also extended exceptions for employees’ personal information and business-to-business transactions for another year until January 1, 2022.

Enacted: 2018

Enforcement: Action by the California Attorney General, with a limited private right of action for breaches of unencrypted personal information. Cal. Civil Code § 1798.150.

Data Broker Registration

Cal. Civil Code §§ 1798.99.80–1798.99.88

Requiring data brokers to register with the Attorney General and disclose information about the business (e.g., name, website address) which will be posted on the Attorney General’s data broker page.  Defines a “data broker” to mean a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.

Effective:  January 1, 2020

Enforcement: Enforceable by Attorney General. Data brokers that fail to register are subject to injunction and liable for civil penalties, fees, and costs. Civil penalty of $100 for each day the data broker fails to register as required by this section; registration fees past due; and expenses incurred by Attorney General in investigation and prosecution of the action, as the court deems appropriate. Cal. Civil Code § 1798.99.82.

California Financial Information Privacy Act

Cal. Fin. Code §§ 4050–4060

Prohibiting financial institutions from disclosing a consumer’s “nonpublic personal information” with “any nonaffiliated third parties.” Requires a financial institution to obtain consumer consent to share the consumer’s nonpublic personal information on a form conspicuously disclosing the terms of the consent. Requires consumers be given annual notice of disclosure to affiliates and be given an opportunity to opt out of that disclosure.

Enacted: 2003

Enforcement: Private right of action for $2,500 per violation, with a cap for negligent violations affecting more than one individual of $500,000 total; there is no cap for knowing and willful violations affecting more than one individual. Id. § 4057.

Insurance Information Privacy Act

Cal. Ins. Code §§ 791–791.29

Prohibiting “insurance institutions,” agents, or related organizations from using pretextual interviews to gather information related to an “insurance transaction.” The Act requires insurance institutions or agents to provide notice when collecting personal information, which must contain certain statutory disclosures. The Act also prohibits disclosure of personal information without written authorization of the individual unless certain exceptions apply.

Enacted: 1980

Enforcement: Hearings and cease-and-desist orders by the Insurance Commissioner, subject to judicial review and enforcement. Id. § 791.14–791.20. Private actions for actual damages. Id. § 791.20. Preempts causes of action for defamation, invasion of privacy, or negligence.

Insurance Code Regulations – Privacy of Nonpublic Personal Information

Cal. Code Regs. tit. 10, §§ 2689.1–2689.24

Regulations that implement federal Gramm-Leach-Bliley Act privacy provisions for transactions governed by state insurance law and the California Insurance Code’s privacy provisions. 

Consumer Credit Reporting Agencies Act

Cal. Civil Code §§ 1785.1–1785.36

Paralleling the federal Fair Credit Reporting Act, this Act requires credit reporting agencies, among other things, to (1) permit consumers to review all files maintained by the agency regarding the consumer, (2) allow consumers to request their credit scores, (3) limit the information included in the credit report and the permissible recipients of credit reports, and (4) respond to consumer requests to correct their credit reports.

Enacted: 1975

Enforcement: Private right of action, Cal. Civil Code § 1785.31, preempting any action or proceeding in the nature of defamation or invasion of privacy, id. § 1785.32, but preempting any action where there is a parallel proceeding under the federal Fair Credit Reporting Act, 15 U.S.C. §§ 1781n, 1781o.

Fair Debt Collection Practices Act

Cal. Civil Code §§ 1788–1788.33

Prohibiting debt collectors from using certain practices such as threatening criminal prosecution where none exists, disclosing the debtor’s status to his or her employer or family, or disclosing the debtor’s status on “deadbeat lists” or in lists of debt for sale.

Enacted: 1977

Enforcement: Individual private rights of action for actual damages subject to an “additional” statutory penalty between $100 and $1,000. Cal. Civil Code § 1788.30.

Information Practices Act of 1977

Cal. Civil Code §§ 1798–1798.78

Requiring state agencies to collect and maintain personal information only to the extent “necessary to accomplish a purpose of the agency required or authorized” by law. Further requires agencies to maintain the source of information on a person and to include certain disclosures on collection forms. Disclosure of personal information requires consent from the person to whom the information pertains unless certain exceptions apply. The Act includes the breach notifications for “computerized information,” Cal. Civil Code §§ 1798.25-1798.29, below.

Enacted: 1977

Enforcement: Private right of action against agencies for actual damages and injunctive relief. Cal. Civil Code §§ 1798.45-1798.48. Termination and criminal penalties for agency employees who intentionally and willfully violate the provisions. Id. §§ 1798.55-1798.57.

Privacy in Communications and Online

Online Privacy Protection Act of 2003 (CalOPPA)

Cal. Bus. & Prof. Code §§ 22575–79

Requiring operators of commercial web sites or online services that collect personal information on California consumers through a web site to conspicuously post a privacy policy on the site and to comply with its policy. Privacy policies must identify the categories of personally identifiable information collected about site visitors and the categories of third parties with whom the operator may share the information.

Enacted: 2003

Enforcement: No express enforcement provisions, but may be enforced through California’s Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200-17210.

Data Breach Notice

Agencies (Information Practices Act of 1977): Cal. Civil Code §§ 1798.25–1798.29

Businesses: Cal. Civil Code §§ 1798.80–1798.84

A business or government agency that owns or licenses “computerized data” must provide notice to any California residents whose (1) unencrypted personal information or (2) encrypted personal information along with the encryption key is reasonably believed to have been acquired by an unauthorized person. Businesses must provide “reasonable security procedures and practices” for personal information and agencies must “establish appropriate and reasonable administrative, technical, and physical safeguards . . . to ensure the security and confidentiality of records.”

Enacted: 1977 for agencies, 2000 for businesses.

Enforcement: Private right of action against agencies for actual damages and injunctive relief. Cal. Civil Code §§ 1798.45-1798.48. Termination and criminal penalties for agency employees who intentionally and willfully violate the provisions. Id. §§ 1798.55-1798.57. Private right of action against businesses to recover damages or for statutory penalties for willful violations. Id. § 1798.84.

California Invasion of Privacy Act

Cal. Penal Code §§ 630–638.55

Prohibiting the use of “any machine, instrument, or contrivance” to tap any telephonic communication and use of any “electronic amplifying or recording device” to eavesdrop upon a “confidential communication” without consent of all parties to the communication. The prohibition includes several exceptions, including for emergency law enforcement activities or wiretapping pursuant to an order for a pen register or trap and trace device.

Enacted: 1967, subsequently amended.

Enforcement: Punishable by fines up to $10,000 or up to one year in prison; private right of action for statutory penalties for the greater of $5,000 for each illegally recorded communication or three times the actual damages. Id. § 637.2.

California Electronic Communications Privacy Act (CalECPA)

Cal. Penal Code §§ 1546–46.1

Requiring government to obtain search warrants prior to “compel[ling] the production” of “electronic communication information” or “electronic device information.”

Enacted: 2016

Enforcement: Suppression of improperly obtained evidence in criminal and civil proceedings. Cal. Penal Code § 1546.4.

Telecommunications Customer Privacy

Cal. Publ. Utils. Code §§ 2891-2894.10

Prohibiting disclosure without consent of a subscriber’s calling patterns, persons called, financial information, demographic information, and services subscriptions.

Enacted: 1986.

Enforcement: Private right of action.

Children’s and Educational Privacy

Digital Privacy Rights for Minors

Cal. Bus. & Prof. Code §§ 22580–22582

Prohibiting operators of “an Internet Web site, online service, online application, or mobile application directed to minors” from advertising certain products such as tobacco, alcohol, or firearms to minors.

Enacted: 2013

Enforcement: No express enforcement provisions.

Privacy of Pupil Records

Cal. Ed. Code §§ 49060–49085

Prohibiting sharing of student records without parental or student consent, subject to exceptions. Permitting a local educational agency to adopt policies permitting information sharing with cloud-based services to provide education software, subject to privacy restrictions. Prohibiting schools from collecting information on students from social media without public notice and comment.

Enacted: 1976, subsequently amended

Enforcement: No express enforcement provisions.

Student Online Personal Information Protection Act (SOPIPA)

Cal. Bus. & Prof. Code §§ 22584–22585

Prohibiting operators of websites or online services used primarily and designed and marketed for K-12 school purposes from using personally identifiable information gathered from their sites or services to target advertising to or amass profiles on K-12 students and from selling students’ information.

Enacted: 2014

Enforcement: No express enforcement provisions, but may be enforced through California’s Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200-17210.

Health Information Privacy

Confidentiality of Medical Information Act

Cal. Civil Code §§ 56–56.37

Limiting disclosure of patients’ medical information by medical providers, health plans, pharmaceutical companies, and other businesses—including mobile applications—unless the patient provides consent, or an exception applies.

Enacted: 1981

Enforcement: Private right of action for compensatory and statutory damages and civil penalties; punishable as a misdemeanor.

Click here for a list of additional California privacy laws.
