Is My Business Affected By California Privacy Laws? What You Need to Know and How to Guard Against Legal Action
If you own a business or have a website, you need to know about California’s privacy laws, even if your business is not based in California.
Website owners nationwide are dealing with three separate California privacy issues. Here is a summary of each and how it may apply to your business.
1. The California Consumer Privacy Act (CCPA)
The CCPA, enacted in 2018, gives consumers more control over the personal information businesses collect about them. It assigns California consumers four key rights:
- The right to know how a business collects, uses, and shares their personal information
- The right to delete any personal information collected
- The right to prevent the sale or sharing of their personal information
- The right against discrimination for exercising their CCPA rights
2. The California Privacy Rights Act (CPRA)
The CPRA, approved by California voters in 2020, expanded the CCPA with additional privacy protections that went into effect on January 1, 2023, including:
- The right to correct inaccurate personal information a business has about them
- The right to limit the use and disclosure of sensitive personal information collected about them
The CPRA was primarily designed to protect consumers in their dealings with large companies that do business in California and does not apply to small businesses, nonprofit organizations, or government agencies.
In general, a business is covered by the CPRA if it:
- Is a for-profit business operating in California, and
- Meets at least one of these thresholds:
  - Has a gross annual revenue of $26.625 million or more
  - Buys, sells, or shares the personal information of 100,000 or more California residents or households
  - Derives 50% or more of its annual revenue from selling or sharing California residents’ personal information
Many companies outside California do not technically meet these thresholds but voluntarily comply because their websites receive visitors from California, use advertising platforms and tracking technologies, or want a uniform privacy approach nationwide.
Fines for violating CPRA are up to $2,663 per unintentional violation and up to $7,988 per intentional violation.
3. The California Invasion of Privacy Act (CIPA)
This law, enacted in 1967, was designed to protect against telephone wiretapping and eavesdropping. It prohibits the intentional interception of communications “in transit” without the consent of all parties.
Unfortunately, plaintiffs are now using this decades-old law to argue that websites “intercept communications in transit” when information entered by a user—such as a name typed into a search field—is transmitted to third-party analytics or advertising platforms like Google Analytics or Meta Pixel without the user’s explicit consent.
Some companies have received demand letters alleging that their websites violate CIPA and seeking statutory damages under the law. Because the law allows for penalties of up to $5,000 per violation, and each third-party recipient may be treated as a separate violation, the potential financial exposure can be significant.
Courts are divided on whether this is an appropriate application of the law. Some cases have been dismissed, while others have been allowed to move forward. Given the lack of clarity, website owners should take proactive steps to understand their privacy obligations and evaluate their current data collection and tracking practices.
Why You May Be Affected, Even If Your Business Is Not Based in California
While CCPA, CPRA, and CIPA are all California laws, that does not mean that businesses based in other states are not affected. CIPA’s jurisdiction is based on the location of the consumer, not the business, so if your website or app interacts with a user physically located in California, your business is subject to CIPA.
Unlike the CPRA, CIPA has no revenue threshold, so even small businesses are exposed. This means that virtually any website that collects user information may be at risk.
What Industries Face the Greatest Risk of Violating California Privacy Laws?
Websites that collect, store, or process large amounts of personal information face a higher risk of violating California privacy laws. This is especially true for organizations that routinely handle sensitive data, including:
- Healthcare
- Hospitals
- Behavioral health
- Senior living
- Employment/recruiting sites
- E-commerce
- Financial services
- Education
- Any site that combines data-collection forms with advertising pixels
The following website features and tracking technologies have been associated with some of the most significant privacy compliance risks:
- Career pages using Meta Pixel
- Healthcare forms with GA4 or Meta Pixel
- Session replay tools on forms
How Can You Ensure Your Website Is Compliant?
Several widely accepted best practices can help reduce risk and improve transparency for website visitors:
- Implement a consent management platform (CMP), such as OneTrust, Ketch, Termly, Osano, CookieYes, Enzuzo, Usercentrics, iubenda, Cookiebot, etc.
- Block nonessential cookies and tracking technologies until a visitor has provided consent.
- Configure Google Analytics, Meta Pixel, and other tracking tools to respect user consent preferences.
- Implement Google Consent Mode v2 where applicable.
- Maintain an accurate and up-to-date privacy policy that reflects your data collection and sharing practices.
- Provide California opt-out mechanisms when required by law.
- Conduct regular audits of website tags, cookies, and tracking technologies to ensure they remain compliant with current privacy requirements.
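The following is an added example, not code from the original article or from any consent management vendor, showing how the "block until consent" and Google Consent Mode v2 items above fit together in a page script. It sets every Consent Mode v2 signal to "denied" before any tag runs, maps a visitor's choices (delivered by a hypothetical CMP callback with made-up category names `analytics` and `advertising`) onto those signals, and only then decides which third-party scripts may be injected. The `gtag` shim and the four consent keys match Google's documented API; the tag registry, the `G-XXXXXXX` measurement ID, and the replay-tool URL are placeholders.

```javascript
// Added example: consent-gated tag loading with Google Consent Mode v2 signals.
// The dataLayer/gtag shim is the same shape Google's own snippet uses.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// Consent Mode v2 signal names (real gtag parameters).
const CONSENT_KEYS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Step 1: before any tag fires, default every signal to "denied".
// wait_for_update gives the CMP up to 500 ms to deliver a stored choice.
function setDefaultConsent() {
  const denied = Object.fromEntries(CONSENT_KEYS.map(k => [k, 'denied']));
  gtag('consent', 'default', { ...denied, wait_for_update: 500 });
  return denied;
}

// Step 2: translate the CMP's categories (hypothetical names) into Consent Mode signals.
// Advertising consent drives all three ad_* signals; analytics drives analytics_storage.
function consentFromChoices(choices) {
  const ads = choices.advertising ? 'granted' : 'denied';
  return {
    analytics_storage: choices.analytics ? 'granted' : 'denied',
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
  };
}

// Step 3: push the visitor's decision to Google tags and return the resulting state.
function updateConsent(choices) {
  const state = consentFromChoices(choices);
  gtag('consent', 'update', state);
  return state;
}

// Tag registry (placeholder entries): each nonessential script names the signal it requires.
const TAGS = {
  ga4: { requires: 'analytics_storage', src: 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX' },
  metaPixel: { requires: 'ad_storage', src: 'https://connect.facebook.net/en_US/fbevents.js' },
  sessionReplay: { requires: 'analytics_storage', src: 'https://replay.example/recorder.js' },
};

// Which registered tags are allowed to load under a given consent state.
function loadableTags(state) {
  return Object.keys(TAGS).filter(name => state[TAGS[name].requires] === 'granted');
}

// Inject only the permitted scripts. The injector is parameterised so the logic
// can run outside a browser; the default creates <script> elements when a DOM exists.
function injectScripts(state, inject) {
  const doInject = inject || function (src) {
    if (typeof document === 'undefined') return false;
    const s = document.createElement('script');
    s.async = true;
    s.src = src;
    document.head.appendChild(s);
    return true;
  };
  const loaded = [];
  for (const name of loadableTags(state)) {
    if (doInject(TAGS[name].src)) loaded.push(name);
  }
  return loaded;
}

// Typical page flow: defaults first, then the CMP callback supplies the visitor's choice.
setDefaultConsent();
// e.g. window.cmp.onChoice(choices => injectScripts(updateConsent(choices)));
```

Two design points matter here. The default call must run before the GA4 or Meta loader tags are referenced anywhere on the page, otherwise those tags fire with cookies enabled for the first hit; and session-replay tools are deliberately gated on the same signal as analytics rather than loaded unconditionally, since replaying keystrokes from a form is exactly the behaviour the CIPA demand letters described above target.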
Privacy compliance is ultimately a legal decision, so organizations should consult with their legal counsel to determine the best approach for their specific circumstances and whether updates to their privacy policy, consent practices, or website functionality are necessary.