Last updated: December 2025
Please note this is a highlighted overview and not a complete overview of privacy laws for this state. If you would like a complete review of this state's privacy laws or a multi-state privacy compliance cheat sheet on specific topics, please contact Vivien Peaden at vpeaden@bakerdonelson.com.
Disclaimer: These materials do not constitute legal advice and should not be substituted for the advice of legal counsel.
The California Consumer Privacy Act of 2018 (CCPA), as amended by The California Privacy Rights Act of 2020 (CPRA)
Effective Date: The California Consumer Privacy Act of 2018 (CCPA) took effect on January 1, 2020, and was subsequently amended by the California Privacy Rights Act of 2020 (CPRA), which entered into force on January 1, 2023. The CCPA, CPRA, and their implementing regulations are collectively referred to as "California Privacy Laws."
1. Applicability Thresholds:
The California Privacy Laws primarily regulate a "Business," which is defined as a for-profit legal entity that, directly or through its Service Provider or agent, collects personal information of California residents (consumers) and satisfies one of the following three criteria:
- Having $26.6 million or more in global revenue as of January 1 of the calendar year;
- Buying, selling, or sharing 100,000+ California consumers' personal information, during a calendar year; or
- Deriving 50 percent of its annual revenues from selling or sharing California consumers' personal information.
2. Key Definitions:
- Personal Information: Defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including a unique personal identifier, online identifier, IP address, or account name, among others.
- Sales of Personal Information: The California Privacy Laws broadly define the terms "Sale," "Sell," or "Sold" to include the exchange of personal information for not only monetary compensation, but also "other valuable consideration," subject to certain exemptions.
- "Sales" of Personal Information includes "sharing" of Personal Information, which refers to sharing, renting, releasing, disclosing, disseminating, making available, or transferring personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.
- Sensitive Personal Information: The California Privacy Laws require a Business to provide a consumer the right to limit the use of their sensitive personal information. Sensitive Personal Information includes SSN, ID, finance-related information, precise geolocation (within a radius of 1850 feet), racial or ethnic origin, religious or philosophical beliefs, union membership, genetic information, biological or neural data, health data, contents of emails (unless the business is the intended recipient), and information concerning sex life or sexual orientation, among others.
3. Heightened Protection for Minors Under the Age of 16:
The California Privacy Laws expressly prohibit a Business from selling or sharing the personal information of consumers under the age of 16 unless the Business obtains affirmative prior consent from: (i) the consumer, where the consumer is over the age of 13 and under 16 years of age; or (ii) the consumer's parent or legal guardian, where the consumer is below age 13.
4. Business Obligations:
The California Privacy Laws impose additional obligations on persons who, alone or jointly with others, determine the purposes for and means of processing personal information (Business).
- Data Processing Agreement (DPA): The California Privacy Laws require a Business to enter into a written agreement with:
  - its service providers or contractors (to which the Business discloses personal information); or
  - a third party to which the Business sells or shares personal information.
- Data Protection Assessment: Yes. The California Privacy Laws require a data protection assessment from Businesses whose data processing activities present a significant risk to consumers' privacy or security. Effective January 1, 2026, certain Businesses shall conduct risk assessments and annual cybersecurity audits where their processing of Personal Information presents significant risk to consumers' privacy or security, including processing activities involving selling or sharing personal information, processing sensitive personal information, and certain high-risk profiling or AI use cases.
- Privacy Notice and Notice at Collection: A Business must provide consumers with: (i) a notice given by a Business to a consumer at or before the point at which a Business collects personal information (Notice at Collection); and (ii) a statement describing the Business's online and offline information practices, and the rights of consumers regarding their own personal information (Privacy Notice).
- Data Minimization and Purpose Limitation of Data Processing: The California Privacy Laws require a Business to ensure that its collection, use, retention, and sharing of personal information are reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and that the personal information is not further processed in a manner that is incompatible with those purposes.
- Opt-out Mechanism: A Business must allow consumers to: (i) opt out of the sale or sharing of their personal information via a "Do Not Sell or Share My Personal Information" link; and (ii) limit the Business's use and disclosure of their sensitive personal information via a "Limit the Use of My Sensitive Personal Information" link. The California Privacy Laws require that a Business selling or sharing personal information recognize and process any opt-out preference signal sent by a platform, technology, or mechanism on behalf of the consumer for this purpose.
5. Consumer Rights:
Subject to certain exceptions, a California consumer has the right to:
- Know what personal information is being collected, what personal information is being sold or shared, and to whom more than twice in a 12‐month period;
- Correct inaccuracies in the consumer's personal information;
- Delete personal information provided by, or obtained about, the consumer;
- Obtain a copy of the personal information of a consumer in a readily usable format that allows the consumer to transmit this information from one entity to another without hindrance (also known as Right to Data Portability);
- Opt out of sale or sharing of personal information (including targeted advertising and profiling), and if applicable, limit the use and disclosure of sensitive personal information; and
- Access and Appeal Automated Decision-Making Technology (ADMT): receive a plain language explanation of specific information about the business's use of ADMT to make a significant decision.
A Business shall not discriminate against a consumer for exercising any consumer rights outlined above.
6. Enforcement and Penalties:
Private Right of Action: None
Penalties: Administrative fine of no more than $2,663 for each violation or $7,988 for each intentional violation, or violation involving personal information of consumers under 16 years of age.
Monetary Damages: Not less than $107 and not greater than $799 per consumer per incident or actual damages, whichever is greater.
Cure Period: Optional at the discretion of the California Privacy Protection Agency (CPPA).