LLMpediaThe first transparent, open encyclopedia generated by LLMs

California Consumer Privacy Act

Generated by DeepSeek V3.2
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article Genealogy
Parent: E-commerce companies of the United States Hop 4
Expansion Funnel Raw 57 → Dedup 0 → NER 0 → Enqueued 0
1. Extracted57
2. After dedup0 (None)
3. After NER0 ()
4. Enqueued0 ()
California Consumer Privacy Act
Short titleCalifornia Consumer Privacy Act
LegislatureCalifornia State Legislature
Long titleAn act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy.
Enacted byCalifornia State Legislature
Signed byJerry Brown
Date signedJune 28, 2018
EffectiveJanuary 1, 2020
Related legislationCalifornia Privacy Rights Act

California Consumer Privacy Act. The California Consumer Privacy Act is a landmark state statute in the United States that grants residents of California significant control over their personal information collected by businesses. Enacted in 2018 and effective from January 2020, it was introduced by Ed Chau and Robert Hertzberg and signed by Governor Jerry Brown. The law establishes a comprehensive framework for data privacy, influencing similar legislation in other states like the Virginia Consumer Data Protection Act and the Colorado Privacy Act.

Overview

The legislation emerged amid growing public concern over data broker practices and high-profile incidents like the Facebook–Cambridge Analytica data scandal. It was swiftly passed by the California State Legislature to preempt a more stringent ballot initiative proposed by Alastair Mactaggart of the California Privacy Protection Agency. The act fundamentally reshaped the privacy law landscape in the U.S., creating new obligations for entities like Google and Meta Platforms while drawing comparisons to the General Data Protection Regulation in the European Union. Its implementation prompted widespread changes in data processing activities across the technology sector.

Key provisions

Core definitions under the law establish a broad scope, covering any for-profit entity doing business in California that meets specific thresholds for annual gross revenue or data volume. It defines personal information expansively to include identifiers such as IP address, geolocation data, and biometric data. The statute introduces concepts like the "right to opt-out" of the "sale" of personal information, with "sale" defined to include exchanges for monetary or other valuable consideration. It also mandates transparency through required privacy policy disclosures detailing data collection and sharing practices.

Rights of consumers

The act grants California residents several enforceable rights regarding their data held by covered businesses. These include the right to know what personal information is being collected, used, shared, or sold, and to request its deletion, often called the "right to be forgotten". Consumers can opt-out of the sale of their information to third parties like data brokers or advertising networks. Additionally, they have the right to non-discrimination, meaning businesses like Amazon or Walmart cannot deny goods or charge different prices for exercising these privacy rights.

Business obligations

Covered organizations, ranging from Fortune 500 companies to smaller data processors, must implement mechanisms to receive and verify consumer requests. They are required to provide at least two methods for submitting requests, such as a toll-free telephone number and a website address. Businesses must disclose data collection purposes and the categories of third parties, such as analytics firms or payment processors, with whom information is shared. They must also maintain records of requests and responses for potential review by the California Attorney General.

Enforcement and penalties

Primary enforcement authority initially rested with the California Attorney General, currently Rob Bonta, with no private right of action for most violations. The Attorney General's office can seek civil penalties of up to $2,500 per unintentional violation or $7,500 for intentional violations after providing a 30-day cure period. In cases of data breaches involving unencrypted data, consumers have a limited private right to sue for statutory damages. Enforcement actions can involve coordination with other agencies like the Federal Trade Commission for matters affecting interstate commerce.

The act has been amended several times, most notably by the California Privacy Rights Act, a 2020 ballot measure that established the California Privacy Protection Agency as a dedicated enforcement body. Other related statutes include the California Online Privacy Protection Act and the Shine the Light law. The evolving legal landscape has prompted proposed federal laws such as the American Data Privacy and Protection Act, while states including Nevada and Maine have enacted their own privacy statutes influenced by this pioneering law.

Category:California statutes Category:Privacy law in the United States Category:2018 in California law