Privacy and Data Security Trends: Ensuring Compliance in the State of California in 2024
In an era where data is the new currency, it’s crucial for businesses to be aware of key legal changes and trends as we continue into 2024. Various states across the country have adopted, and continue to adopt, new laws and regulations to expand their scope in consumer privacy, with the Federal Trade Commission (FTC) and the State of California continuing to lead in enforcing consumer privacy protections.
Here in California, consumers will soon be able to opt out of all registered data brokers with a single click as a result of the recently implemented DELETE ACT. This new law will require integration between the existing state data broker registry and any data broker’s system that operates in the State of California, with data brokers being required to carry out deletion requests every 45 days – essentially making deletion permanent. The state has been given a two-year window to create this system, which would take effect in mid-2026. In 2028, data brokers will then be required to undergo an audit by an independent third party to verify compliance.
The amended California Consumer Privacy Act regulations through the California Privacy Protection Agency (CPPA) will also take effect March 29, 2024, and touch on a wide range of consumer data such as:
● Right to Limit Use of Sensitive Personal Information: Businesses must notify and offer consumers the Right to Limit Use of Sensitive Personal Information if the business is planning on using the consumer’s personal information outside of the services requested, allowing the consumer to limit the use of their personal information to just the requested services.
● Right to Opt-out of Sale or Sharing: Consumers will have the ability to request that businesses cease selling or sharing their personal information. Businesses will have to comply after receiving the consumer’s opt-out request.
● Right to Know: Consumers will have the right to request that businesses share the personal information they have collected about them, the sources of their information, why the business is using the information, and the third parties that the information is sold or disclosed to. Consumers are able to make a request up to twice a year.
● Right to Correct: If a business has incorrect or inaccurate information about a consumer, the consumer will have the right to request that the business correct the information.
● Right to Delete: Consumers will have the right to request that a business delete any and all personal information about the consumer that has been collected.
The California Privacy Protection Agency (CPPA) has also proposed new regulations, covering topics such as privacy risk assessments, cybersecurity audits, artificial intelligence and automated decision-making technology, changes to the existing CCPA regulations, and rules for insurance companies. More information on these proposals will be here in the coming months.
The privacy and data security space will continue to change rapidly, so staying up to date on new legal and regulatory changes will be pivotal for businesses looking to stay in compliance. In California, these privacy regulations and the rights granted by them apply to all consumers, including employees and job applicants. If a company is a covered entity under the consumer privacy protection laws, it is important for them to understand what specific personal information they collect, why they collect it, with whom they share it, and how long they retain it to ensure full compliance.