
The Major Privacy Laws for California Businesses (with a little history thrown in)

  • Delanoy Law
  • Dec 2, 2025
  • 8 min read

In the annals of U.S. law, privacy is a relative newcomer as a recognized right, gaining constitutional recognition only in the 1960s. Much of the development of privacy as a legal doctrine followed 20th century advances in technology and the tendency of those advances to expose an individual's personal life to an ever-wider portion of the public.


Privacy as a legal concept first gained attention in 1890, when lawyers Samuel Warren and (later Supreme Court justice) Louis Brandeis wrote their influential essay “The Right to Privacy” in the Harvard Law Review. Warren and Brandeis were spurred to their subject by social and technological advancements of the day that were beginning to threaten what they called “the right to be let alone”: namely, photography and intrusive newspaper reporting.


Years later, in the 1928 Supreme Court case Olmstead v. United States, the majority of the Court found that wiretaps obtained without a warrant did not violate the Fourth and Fifth Amendments to the U.S. Constitution. (Telephones were then a relatively new technology.) Justice Brandeis, as he had by then become, built upon his earlier essay in a dissenting opinion, asserting that the Constitution already protected "the right to be let alone" and that the Fourth Amendment should be read to reach such intrusions. (The Court later overruled Olmstead in Katz v. United States in 1967.)


It wasn’t until 1965, in the case of Griswold v. Connecticut, that the Supreme Court established the right to privacy as a constitutional doctrine – finding that the First, Third, Fourth, Fifth, and Ninth Amendments all referred to various “zones of privacy”. Having established the right to privacy, the Court ruled that the Constitution protected the right to marital privacy against state laws banning contraception. (The Court later applied the right to privacy more famously to abortion rights in Roe v. Wade in 1973 and sodomy laws in Lawrence v. Texas in 2003.)


Finally, the U.S. Congress codified protections on the collection and use of personal information in the Fair Credit Reporting Act of 1970 (for personal financial data) and the Privacy Act of 1974 (for the government’s collection and use of personal information).


In 1972, voters in California approved an amendment to the state's constitution that added privacy as an "inalienable right", making the California Constitution the first in the nation to include privacy as a right. The movement to adopt the privacy amendment was prompted by governmental surveillance and data collection as well as developments in technology of the era: the invention of the microprocessor in 1971, the first messages sent in 1969 over the precursor of what would become the internet, and the first mobile phone call in 1973.


Fast forward to the commercialization of the internet in 1995 and the arrival of the iPhone and social media a little more than a decade later, which together made the internet and cellular networks a primary means of communication today. These modern technologies have exponentially increased the capacity of governments and companies to collect and store consumers' personal information.


Not surprisingly, companies recognized the immense value in that information, both for themselves and for others. Consumers have rightly balked at the thought of their personal information being used or traded among any number of companies or other entities for purposes they have not consented to, if they are even aware of such use or sharing at all.


In response, governments have stepped in with a legion of new privacy laws intended to keep consumers in control of their personal information.


Accordingly, companies trading in today’s world are subject to an increasingly complex tangle of state, federal, and international privacy regulations. Listed below are the laws a company in California would most commonly need to be familiar with. It does not include laws that apply only to government entities (such as the federal Privacy Act of 1974), nor important international privacy legislation such as the European Union’s General Data Protection Regulation (GDPR).


Federal Privacy Laws

 

Children’s Online Privacy Protection Act of 1998 (COPPA)

 

 

COPPA prohibits operators of websites and online services directed to children under 13 years of age (and operators with actual knowledge that they are collecting information from such children), including operators located outside the U.S., from collecting a child's personal information unless they comply with a number of requirements, including notice to and verifiable consent from the parents and giving parents control over the information collected about their child. The law also sets out content that must be included in the operator's privacy policy as well as restrictions on marketing to those children.

 

Recent amendments to the COPPA Rule require operators to obtain separate verifiable parental consent before disclosing a child's personal information to third parties, unless that disclosure is integral to the service. (The amended rule also adds three new methods for obtaining verifiable consent.) Operators are now also required to publish a written data retention policy, including the purpose for collecting the information and the timeframe for its use and deletion.


 

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

 

 

HIPAA applies to "covered entities" (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and to the business associates that handle health information on their behalf. The law provides a minimum level of protection for "protected health information", which is broadly defined to include individually identifiable information about physical or mental health, healthcare services provided, and payment for healthcare. HIPAA preempts contrary state laws, but states may impose their own health privacy laws so long as they are at least as stringent as HIPAA.


 

Do-Not-Call Act of 2003

 

 

Telemarketers are prohibited from contacting individuals who have added their phone number to the National Do-Not-Call Registry, unless the telemarketer has an established business relationship with the person or has obtained the person's prior express written consent.


 

Gramm-Leach-Bliley Act of 1999

 

 

Banks and other financial companies are required to give notice annually of their privacy policies, and must also give notice prior to disclosing personal information to a third party (that must include an “opt-out” option from that disclosure). The Act also sets limits on the sharing of some information for marketing purposes and establishes guidelines for the safeguarding of personal financial information.

 

 

 

California Privacy Laws

 

California Constitution, Article I, § 1

 

 

California’s Constitution enshrines privacy as an “inalienable right” of all individuals in California that may be enforced through a private right of action. In order to succeed, there must be a legally protected privacy interest, a reasonable expectation of privacy in the circumstances, and conduct constituting a serious invasion of privacy.


 

California Consumer Privacy Act of 2018 (CCPA)

 

 

The CCPA was enacted to give consumers more control over their personal information. It protects consumers who reside in California, and it applies to businesses that collect the personal information of those residents and meet any of the following criteria:

  • Gross annual revenue over $25 million (a figure adjusted periodically for inflation);

  • Buy, sell, or share the personal information of 100,000 or more California residents or households annually; or

  • Derive half or more of annual revenue from selling or sharing California residents' personal information.

 

The CCPA establishes the following rights for consumers:

  • Right to know about personal information collected by a business and how that information is used and shared

  • Right to delete personal information held by a business (with limited exceptions)

  • Right to opt-out of the sale or sharing of personal information

  • Right to correct inaccurate information a business may hold

  • Right to limit use and disclosure of ‘sensitive’ personal information, such as social security numbers, genetic data, financial information, and precise geolocation data.

 

Businesses that are subject to the CCPA are required to comply with the above consumer privacy rights, and to ensure consumers can exercise their rights with those businesses.


 

California Online Privacy Protection Act of 2003 (CalOPPA)

 

 

CalOPPA sets out privacy notice disclosure obligations for commercial website operators that gather personal information (defined as “individually identifiable information about an individual collected online by the operator”) from California residents.

 

Such websites are required to “conspicuously” post their privacy policy on the website. That privacy policy must include a description of the personal information collected, how it might be shared, and how consumers can access and edit their personal information.

 

CalOPPA also requires the website operator’s privacy policy to include details of how the website handles “do not track” commands from web browsers and whether third parties may collect personal information in connection with a consumer’s online activities across other websites over a period of time (such as by the use of tracking cookies).


 

California Invasion of Privacy Act (CIPA)

 

 

CIPA is a law that sets privacy protections on telephone conversations, requiring that all parties consent to the recording or monitoring of a confidential communication, regardless of the purpose of the monitoring. Later amendments broadened its application to modern modes of communication such as cellular and cordless telephone networks and internet communications.

 

California Financial Information Privacy Act (CFIPA)

 

 

CFIPA requires financial institutions to inform their customers about how any personally identifiable non-public financial information they hold about the customer is shared or sold to third parties. With some exceptions, CFIPA restricts the disclosure of that personal financial information to non-affiliated third parties without the customer’s prior written consent.

 

CFIPA also requires financial institutions to provide notice to customers of their information sharing policies and allow those customers to opt-out of that sharing.


 

Privacy Rights for California Minors in the Digital World Act

 

 

This law requires website operators and mobile application providers to comply with certain restrictions if their website/app is directed towards minors – defined as a person under the age of 18 residing in California.

 

For example, website/app operators are prohibited from advertising products deemed to be harmful to children, such as tobacco, alcohol, drugs, fireworks, and firearms. The law also sets out requirements for operators’ use and disclosure of their minor users’ personal information.


 

California Customer Records Act (CCRA)

 

 

The CCRA applies to businesses that own, license, or maintain personal information about California residents, whether that business is large or small, or located in California or elsewhere. The Act sets out a series of requirements for the safeguarding of personal information, including an obligation to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.

 

The statute does not prescribe specific controls. In practice, meeting the reasonable security standard means having a documented security program that addresses the risks and vulnerabilities of systems holding personal data, including periodic assessments to identify weaknesses and a process to respond to threats.

 

The Act also requires businesses to take reasonable steps to dispose of customer records containing personal information when they are no longer needed, such as by shredding paper records or using data-erasing software.

 

The CCRA includes requirements for businesses that suffer a data breach, including specific details that notices to affected California residents must contain. For example, a notice must identify the types of personal information that were or are reasonably believed to have been accessed, give the date or estimated date of the breach, and provide a general description of the incident; it may also describe the steps the business has taken in response. Where such notice is sent to more than 500 California residents, the business must also submit a sample copy of the notice to the California attorney general.

 

Newly passed amendments to the law that take effect in 2026 set a deadline of 30 days by which a business must notify California residents of a data breach (with exceptions allowing for delayed disclosure where necessary to determine the scope of the breach or to accommodate the needs of law enforcement). Where notification of the California attorney general is required (i.e., more than 500 California residents are impacted), that disclosure must now be made within 15 days of the notice to affected individuals.


 

Global Privacy Control

 

 

As noted above under the CCPA, businesses that sell or share personal information must provide consumers the option to opt out of the sharing/selling of their personal information. One accepted method for consumers to communicate that opt-out is the Global Privacy Control ("GPC") setting now offered in several internet browsers, including Firefox, DuckDuckGo, and Brave.

 

The GPC was developed with the CCPA in mind, and its design reflects the CCPA regulations in allowing consumers to communicate their opt-out request broadly to every website they visit, without having to repeat that opt-out on a case-by-case basis. Technically, a browser with GPC enabled sends the request header Sec-GPC: 1 with each request and exposes the setting to page scripts as navigator.globalPrivacyControl. Under the CCPA regulations, businesses subject to the CCPA must treat a GPC signal as a valid opt-out request and honor it.
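The following is an added example, not code from the original post, showing how a site's server-side code might detect the two browser signals discussed on this page: the Do Not Track header whose handling CalOPPA requires a privacy policy to disclose, and the Global Privacy Control header that the CCPA regulations require a business to honor. The header names and values (DNT: 1, Sec-GPC: 1, navigator.globalPrivacyControl, and the /.well-known/gpc.json resource) come from the public DNT and GPC specifications; the request shape, the tag catalogue, and the stored consent-record format are hypothetical stand-ins for whatever a real web stack provides. Which tags amount to a "sale" or "share" is a legal determination that the code leaves to a flag on each entry.

```javascript
// Added example (not from the original post): server-side handling of the
// Do Not Track (DNT) and Global Privacy Control (Sec-GPC) request headers.
// Hypothetical: request shape, TAGS catalogue, consentRecord format.

// Constructed catalogue of third-party tags a page might load. Whether a tag
// is a "sale" or "share" under the CCPA is a legal call; here it is a flag.
const TAGS = [
  { name: "first-party-analytics", saleOrShare: false },
  { name: "adtech-retargeting-pixel", saleOrShare: true },
  { name: "data-broker-sync", saleOrShare: true },
];

// HTTP header names are case-insensitive; normalise once so lookups are safe
// whichever server framework hands us the headers.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) {
    out[k.toLowerCase()] = String(v).trim();
  }
  return out;
}

// GPC is asserted only by the exact value "1". Anything else (absent, "0",
// "true") is not a valid signal and must not be treated as an opt-out.
function hasGpcSignal(headers) {
  return normalizeHeaders(headers)["sec-gpc"] === "1";
}

// DNT has three states: "1" (user opts out of tracking), "0" (user consents)
// and absent/other (no preference expressed). CalOPPA requires the privacy
// policy to say how the site responds; returning the state explicitly lets
// the code's behaviour be matched against what the policy says.
function dntState(headers) {
  const v = normalizeHeaders(headers)["dnt"];
  if (v === "1") return "opt-out";
  if (v === "0") return "consent";
  return "unset";
}

// Client-side counterpart: GPC-capable browsers expose the setting as
// navigator.globalPrivacyControl. The navigator object is a parameter so the
// function can be exercised outside a browser.
function clientGpcEnabled(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide whether sale/share tags may load for this request.
// consentRecord is a hypothetical stored preference: { saleShareOptOut: bool }.
// The GPC header is treated as an opt-out request in its own right, so it
// produces an opt-out even when the stored record says otherwise; `reason`
// records which input drove the decision, for audit logging.
function applyPrivacySignals(request, consentRecord) {
  const headers = normalizeHeaders(request.headers);
  let optOut = false;
  let reason = "no-signal";

  if (consentRecord && consentRecord.saleShareOptOut === true) {
    optOut = true;
    reason = "stored-opt-out";
  }
  if (hasGpcSignal(headers)) {
    optOut = true;
    reason = "gpc-header";
  }
  // CalOPPA only requires disclosure of how DNT is handled; this example
  // chooses to honour it for sale/share tags. Drop this branch if the
  // published privacy policy says the site does not respond to DNT.
  if (!optOut && dntState(headers) === "opt-out") {
    optOut = true;
    reason = "dnt-header";
  }

  const allowedTags = TAGS.filter((t) => !(optOut && t.saleOrShare)).map((t) => t.name);
  return { optOut, reason, dnt: dntState(headers), allowedTags };
}

// Body for the /.well-known/gpc.json resource described in the GPC proposal,
// by which a site declares that it honours the signal.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Stand-alone demonstration on a constructed request.
const sampleRequest = { headers: { "Sec-GPC": "1", Accept: "text/html" } };
console.log(JSON.stringify(applyPrivacySignals(sampleRequest, { saleShareOptOut: false })));
```

A practical point the code makes explicit: the GPC value check is an exact match on "1", and the header lookup is case-insensitive. Both matter, because a check that accepts any non-empty value will mis-classify browsers that send an unrelated value, and a case-sensitive lookup will silently miss the signal behind some proxies. Logging the `reason` alongside the decision gives an audit trail if a consumer or regulator later asks why a particular tag did or did not load.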

 

 
