- ABOUT
- About CLA
- Leadership
- CLA News
- Advocacy
- Awards
- Bar Relations
- Diversity, Equity and Inclusion
- Sponsorship and Advertising
- California Lawyers Foundation
- MEMBERSHIP
- Member Benefits
- Membership Pricing
- Member Discounts
- Law Students
- Volunteer Opportunities
- Online Community
- RESOURCES
- Knowledge Hub
- Career Center
- Fastcase
- Indian and Tribal Law
- Section Publications
- Our Bookstore
- COMMITTEES
- Appellate Practice Network
- Cannabis Law
- Ethics
- Health and Wellness
- Environmental, Social and Governance
- Antitrust and Unfair Competition Law
- Business Law
- Criminal Law
- Environmental Law
- Family Law
- Intellectual Property Law
- International Law and Immigration
- Labor and Employment Law
- Law Practice Management and Technology
- Litigation
- New Lawyers
- Privacy Law
- Public Law
- Real Property Law
- Solo and Small Firm
- Taxation
- Trusts and Estates
- Workers’ Compensation
California Privacy Laws
The Privacy Law Section has compiled the following summary of some of California’s major privacy laws is below, with links to the statutes. We will update this list, but recommend you independently confirm the status of each statute, as this is a dynamic area of the law.
General and Consumer Privacy
California Constitution
Among other things, the California Constitution states that “[a]ll people are by nature” entitled to a right to privacy.
Enacted: the current section was enacted in 1974, although privacy was added to the state constitution’s list of inalienable rights in 1972.
Enforcement: Private right of action. Hill v. National Collegiate Athletic Assn., 865 P.2d 633, 644, 657 (Cal. 1994), requiring the plaintiff to establish “(1) a legally protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by defendant constituting a serious invasion of privacy.”
California Consumer Privacy Act of 2018
Requiring for-profit businesses in California—both online and off—to provide consumers with a notice at collection of the information collected, its uses, and the parties to whom it is disclosed. The Act provides California consumers with right to access, delete, and opt out of the sale of their personal information, and businesses are required to maintain a privacy policy detailing those rights and the business’s privacy practices. The Act has been amended multiple times since its enactment. Most recently, AB 713 amended the Act to align its exception for deidentified health information with the federal Health Insurance Portability and Accountability Act, effective January 1, 2021; AB 1281 also extended exceptions for employees’ personal information and business-to-business transactions for another year until January 1, 2022.
Enforcement: Action by the California Attorney General, with a limited private right of action for breaches of unencrypted personal information. Cal. Civil Code § 1798.150.
Data Broker Registration
Prohibiting financial institutions from disclosing a consumer’s “nonpublic personal information” with “any nonaffiliated third parties.” Requires a financial institution to obtain consumer consent to share the consumer’s nonpublic personal information on a form conspicuously disclosing the terms of the consent. Requires consumers be given annual notice of disclosure to affiliates and be given an opportunity to opt out of that disclosure.
Enforcement: Private right of action for $2,500 per violation, with a cap for negligent violations affecting more than one individual of $500,000 total; there is no cap for knowing and willful violations affecting more than one individual. Id. § 4057.
Insurance Information Privacy Act
Prohibiting “insurance institutions,” agents, or related organizations from using pretextual interviews to gather information related to an “insurance transaction. The Act requires insurance institutions or agents to provide notice when collecting personal information, which must contain certain statutory disclosures. The Act also prohibits disclosure of personal information without written authorization of the individual unless certain exceptions apply.
Enforcement: Hearings and cease-and-desist orders by the Insurance Commissioner, subject to judicial review and enforcement. Id. § 791.14–791.20. Private actions for actual damages. Id. § 791.20. Preempts causes of action for defamation, invasion of privacy, or negligence.
Insurance Code Regulations – Privacy of Nonpublic Personal Information
Regulations that implement federal Gramm-Leach-Bliley Act privacy provisions for transactions governed by state insurance law and the California Insurance Code’s privacy provisions.
Consumer Credit Reporting Agencies Act
Online Privacy Protection Act of 2003 (CalOPPA)
Requiring operators of commercial web sites or online services that collect personal information on California consumers through a web site to conspicuously post a privacy policy on the site and to comply with its policy. Privacy policies must identify the categories of personally identifiable information collected about site visitors and the categories of third parties with whom the operator may share the information
Enforcement: No express enforcement provisions, but may be enforced through California’s Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200-17210.
Data Breach Notice
Agencies (Information Practices Act of 1977): Cal. Civil Code §§ 1798.25–1798.29
Prohibiting disclosure without consent of a subscriber’s calling patterns, persons called, financial information, demographic information, and services subscriptions.
Enforcement: Private right of action.
Children’s and Educational Privacy
Digital Privacy Rights for Minors
Prohibiting operators of “an Internet Web site, online service, online application, or mobile application directed to minors” from advertising certain products such as tobacco, alcohol, or firearms to minors.
Enforcement: No express enforcement provisions.
Privacy of Pupil Records
Prohibiting sharing of student records without parental or student consent, subject to exceptions. Permitting a local educational agency to adopt policies permitting information sharing with cloud-based services to provide education software, subject to privacy restrictions. Prohibiting schools from collecting information on students from social media without public notice and comment.
Enacted: 1976, subsequently amended
Enforcement: No express enforcement provisions.
Student Online Personal Information Protection Act (SOPIPA)
Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200-17210.
Health Information Privacy
Confidentiality of Medical Information Act
here for a list of additional California privacy laws.
400 Capitol Mall, Suite 650
Sacramento, CA 95814- Link to Linked in
- Link to Facebook
- Link to Twitter
- Link to Instagram
- Link to YouTube
- Link to Flickr
- ABOUT