California Privacy Rights: CCPA and Constitutional Protections
California operates one of the most expansive privacy protection regimes in the United States, combining a constitutional right to privacy with statutory frameworks that impose enforceable obligations on businesses. This page covers the scope and structure of those protections, the regulatory bodies that administer them, and the operational boundaries that determine when and how these frameworks apply. The interplay between constitutional and statutory protections creates a layered system distinct from the federal baseline, making California's privacy landscape a reference point for professional, legal, and policy analysis nationwide.
Definition and scope
California's privacy protections derive from two independent legal sources. First, Article I, Section 1 of the California Constitution explicitly enumerates "privacy" as an inalienable right alongside life, liberty, and property — a direct constitutional guarantee absent from the federal Constitution. Second, the California Consumer Privacy Act of 2018 (CCPA), as amended by Proposition 24 (the California Privacy Rights Act of 2020, CPRA), establishes a statutory privacy rights framework governing commercial data practices.
The CCPA/CPRA is codified at California Civil Code §§ 1798.100–1798.199.100. The statute applies to for-profit businesses that: (1) have gross annual revenues exceeding $25 million; (2) annually buy, sell, or share for commercial purposes the personal information of 100,000 or more consumers or households; or (3) derive 50% or more of annual revenue from selling or sharing consumers' personal information (California Civil Code § 1798.140(d)). Nonprofit organizations and most government agencies fall outside the CCPA/CPRA's direct coverage thresholds.
The California Privacy Protection Agency (CPPA), established by Proposition 24, serves as the primary regulatory authority for rulemaking and enforcement under the CPRA as of January 1, 2023. The California Attorney General retains concurrent enforcement authority.
For the broader constitutional and regulatory framework within which these protections operate, see Regulatory Context for the California Legal System.
Scope boundary: This page covers California state-law privacy protections under the California Constitution and the CCPA/CPRA. Federal privacy statutes — including HIPAA (45 C.F.R. Parts 160 and 164), the Gramm-Leach-Bliley Act, COPPA, and the Electronic Communications Privacy Act — operate separately and are not addressed here. California employees covered exclusively by federal sector employment law may fall under different frameworks. The page does not address California data breach notification law (California Civil Code § 1798.82), which is a related but distinct statutory obligation.
How it works
Constitutional privacy claims under Article I, Section 1 are enforceable against both government actors and private parties. The California Supreme Court, in Hill v. National Collegiate Athletic Ass'n (1994) 7 Cal.4th 1, established the analytical framework: a plaintiff must demonstrate (1) a legally protected privacy interest, (2) a reasonable expectation of privacy under the circumstances, and (3) a serious invasion of that interest. Defendants may then raise countervailing interests, and courts balance competing claims. This framework applies in civil litigation before California's Superior Courts.
Statutory rights under CCPA/CPRA operate through a defined sequence:
- Disclosure obligation — Businesses must inform consumers, at or before the point of data collection, of the categories of personal information collected and the purposes for which it will be used (§ 1798.100(b)).
- Right to know — Consumers may request disclosure of specific pieces and categories of personal information a business has collected about them in the prior 12-month period (§ 1798.110).
- Right to delete — Consumers may request deletion of personal information, subject to enumerated exceptions including completing transactions, detecting security incidents, and legal compliance obligations (§ 1798.105).
- Right to correct — Under the CPRA amendment, consumers may request correction of inaccurate personal information (§ 1798.106).
- Right to opt-out — Consumers may direct a business to stop selling or sharing their personal information. Businesses must post a "Do Not Sell or Share My Personal Information" link on their homepage (§ 1798.120).
- Right to limit use of sensitive personal information — A CPRA addition allowing consumers to restrict businesses' use of specified sensitive data categories (§ 1798.121).
- Non-discrimination — Businesses may not retaliate against consumers for exercising privacy rights, though financial incentives tied to data sharing are permitted under defined conditions (§ 1798.125).
The CPPA has authority to issue administrative fines of up to $2,500 per unintentional violation and up to $7,500 per intentional violation or violation involving a minor's data (California Civil Code § 1798.155).
Common scenarios
Business compliance assessments arise when a company operating in California or processing California residents' data evaluates whether it meets the statutory thresholds. A technology company with $30 million in annual revenue that processes data for 150,000 California users meets the threshold on two independent prongs.
Consumer rights requests, also known as Data Subject Access Requests (DSARs), require businesses to respond within 45 days, extendable by an additional 45 days upon notice (California Civil Code § 1798.145(a)(1)). Failure to respond exposes businesses to enforcement action by the CPPA or the Attorney General.
Constitutional privacy tort claims arise in contexts such as unauthorized disclosure of medical or financial records by private institutions, intrusive surveillance by employers, or publication of private facts — scenarios covered under the California Civil Rights Law landscape.
Employee data occupies a transitional category: the CPRA extended CCPA protections to employees and job applicants as of January 1, 2023, ending the prior exemption. The California Employment Law Framework addresses intersecting obligations.
Minors' data triggers heightened protection: the CPPA may impose the $7,500-per-violation ceiling for any CPRA violation involving consumers under 16 years of age.
Decision boundaries
The constitutional claim and the statutory claim are parallel, not hierarchical. A party may have a viable constitutional privacy claim without meeting CCPA/CPRA thresholds, and a statutory violation may not always rise to a constitutional infringement.
| Dimension | Constitutional (Art. I, §1) | Statutory (CCPA/CPRA) |
|---|---|---|
| Who can be sued | Government actors and private parties | For-profit businesses meeting thresholds |
| Who enforces | Plaintiff in civil court | CPPA, Attorney General, limited private right of action (§ 1798.150) |
| Standard | Balancing test (Hill framework) | Strict compliance with enumerated requirements |
| Remedy | Damages, injunction | Administrative fines; limited statutory damages ($100–$750 per consumer per incident for data breach) |
| Rulemaking body | None (constitutional) | California Privacy Protection Agency |
The private right of action under § 1798.150 is limited to data breach scenarios — specifically, unauthorized access to a consumer's unencrypted and unredacted personal information resulting from a business's failure to implement reasonable security measures. It does not extend to violations of other CCPA/CPRA rights, which remain subject to agency enforcement.
References
- California Constitution, Article I, Section 1 — California Legislative Information
- California Civil Code §§ 1798.100–1798.199.100 (CCPA/CPRA) — California Legislative Information
- California Privacy Protection Agency (CPPA)
- California Attorney General — CCPA Enforcement
- Proposition 24 (2020) — California Privacy Rights Act — California Secretary of State
- Hill v. National Collegiate Athletic Ass'n (1994) 7 Cal.4th 1 — Google Scholar