One of the most common misconceptions among companies entering the California market, whether from Europe or elsewhere in the U.S., is treating the CCPA/CPRA as the California privacy law. In reality, it is just the most visible layer of a much deeper and older legal ecosystem.
Dozens of major privacy statutes coexist with the CCPA, many predating it by decades, several with sharper teeth on specific issues. Understanding this landscape is not optional. Exposure can come from directions you never anticipated.
Here is what you actually need to know.
I. General & Consumer Privacy Laws
- California Consumer Privacy Act (CCPA) — Cal. Civil Code §§ 1798.100–1798.199. Enacted 2018; effective January 1, 2020.
The most well-known California privacy law. It requires for-profit businesses meeting certain thresholds to provide consumers with a notice at collection, and grants Californians the rights to access, delete, and opt out of the sale of their personal information. Businesses must maintain a privacy policy detailing these rights and their data practices.
Enforcement is primarily by the California Privacy Protection Agency (CPPA) — the only dedicated privacy enforcement body in the U.S. — and the Attorney General. A limited private right of action exists for breaches of unencrypted personal information.
- California Financial Information Privacy Act (CalFIPA) — Cal. Fin. Code §§ 4050–4060. Enacted 2003.
Often overlooked by tech companies, CalFIPA goes significantly further than its federal equivalent, the Gramm-Leach-Bliley Act. It prohibits financial institutions from sharing a consumer's nonpublic personal information with any nonaffiliated third party — not just selling it — without obtaining affirmative opt-in consent. This is a stricter standard than GLBA's opt-out model, and it applies to banks, credit unions, mortgage lenders, and any business "significantly engaged" in financial activities operating in California.
Enforcement: Private right of action at $2,500 per violation, with no cap on knowing and willful violations affecting multiple individuals.
- Data Broker Registration — Cal. Civil Code §§ 1798.99.80–1798.99.88. Effective January 1, 2020.
Any business that knowingly collects and sells personal information about consumers with whom it has no direct relationship must register with the California Attorney General and publicly disclose its practices. Failure to register triggers civil penalties of $100 per day plus the AG's investigation costs.
Note: California's Delete Act (SB 362, 2023) significantly expands this regime, creating a single opt-out mechanism allowing consumers to request deletion of their data from all registered data brokers simultaneously. This will be operational by 2026.
- Information Practices Act of 1977 — Cal. Civil Code §§ 1798–1798.78. Enacted 1977.
One of the oldest privacy laws in the country, the IPA applies to California state agencies — not private businesses — and requires them to collect personal information only to the extent necessary for authorized purposes, maintain records of information sources, and obtain consent before disclosure. It includes breach notification obligations for computerized data held by agencies.
Private right of action against agencies for actual damages and injunctive relief.
- Insurance Information Privacy Act — Cal. Ins. Code §§ 791–791.29. Enacted 1980.
Governs how insurance institutions, agents, and related organizations collect, use, and disclose personal information in the context of insurance transactions. Prohibits pretextual interviews to gather personal information and requires written authorization before disclosing personal data. Enforced by the Insurance Commissioner, with private rights of action for actual damages.
- Consumer Credit Reporting Agencies Act — Cal. Civil Code §§ 1785.1–1785.36. Enacted 1975.
California's parallel to the federal Fair Credit Reporting Act (FCRA), but with additional consumer protections. Requires credit reporting agencies to allow consumers to review their full files, request credit scores, and correct inaccuracies. Enforced through a private right of action — but preempted where a parallel federal FCRA proceeding exists.
- Fair Debt Collection Practices Act — Cal. Civil Code §§ 1788–1788.33. Enacted 1977.
Restricts debt collectors from disclosing a debtor's status to their employer, family members, or on public "deadbeat lists." Though primarily a consumer protection statute, it directly governs the sharing of personal financial information. Private right of action with statutory penalties between $100 and $1,000 per violation.
II. Privacy in Communications & Online
- Online Privacy Protection Act of 2003 (CalOPPA) — Cal. Bus. & Prof. Code §§ 22575–22579. Enacted 2003.
CalOPPA was a landmark law when enacted — the first U.S. law to require a privacy policy on a commercial website. It applies to any operator of a commercial website or online service that collects personal information from California consumers, regardless of where the business is located. The privacy policy must identify the categories of data collected and the categories of third parties with whom it may be shared.
No express enforcement mechanism, but violations can be pursued under California's Unfair Competition Law (UCL) — which allows both the AG and private plaintiffs to seek injunctions and restitution.
- Data Breach Notification — Cal. Civil Code §§ 1798.80–1798.84 (businesses) and §§ 1798.25–1798.29 (agencies). Enacted 2000 for businesses, 1977 for agencies.
California was the first state in the U.S. to enact a data breach notification law — a model that all 50 states have since followed. Any business or government agency that owns or licenses computerized personal data must notify affected California residents when unencrypted personal information is reasonably believed to have been acquired by an unauthorized person.
Businesses must also maintain "reasonable security procedures and practices" for personal information — a baseline security obligation that exists entirely independently of the CCPA. Private right of action for damages, with statutory penalties for willful violations.
- California Invasion of Privacy Act (CIPA) — Cal. Penal Code §§ 630–638.55. Enacted 1967.
Originally targeting telephone wiretapping, CIPA has become one of the most litigated privacy statutes in the U.S. in the last five years, primarily because plaintiffs' lawyers have successfully argued it applies to session replay tools, chat widgets, pixel tracking, and third-party analytics embedded in websites — on the theory that these constitute illegal "wiretapping" of online communications without consent of all parties.
CIPA is an all-party consent statute. If any party to a communication has not consented to its interception, a violation may have occurred. Enforcement: criminal penalties (up to $10,000 fine or one year imprisonment) and a private right of action for the greater of $5,000 per recorded communication or three times actual damages. The wave of CIPA class actions has become one of the highest-risk areas of California privacy litigation today.
- California Electronic Communications Privacy Act (CalECPA) — Cal. Penal Code §§ 1546–1546.1. Enacted 2016.
Requires government entities to obtain a warrant before compelling production of electronic communication information or device data. While this governs law enforcement rather than private businesses directly, it has significant implications for companies served with government data demands — and for companies assessing their risk exposure in the context of EU-US data transfers and transfer impact assessments.
- Telecommunications Customer Privacy — Cal. Pub. Util. Code §§ 2891–2894.10. Enacted 1986.
Prohibits telecommunications carriers from disclosing, without consent, a subscriber's calling patterns, demographic information, financial information, or service subscriptions. Enforced through a private right of action.
III. Children's & Educational Privacy
- Digital Privacy Rights for Minors — Cal. Bus. & Prof. Code §§ 22580–22582. Enacted 2013.
Prohibits operators of websites, apps, or online services directed at minors from marketing tobacco, alcohol, firearms, or other age-restricted products to minors, and from compiling personal information about minors for such marketing purposes.
- Privacy of Pupil Records — Cal. Ed. Code §§ 49060–49085. Enacted 1976, subsequently amended.
Restricts the sharing of student records without parental or student consent. Allows local educational agencies to adopt policies permitting limited data sharing with cloud-based educational services, subject to privacy restrictions. Explicitly prohibits schools from collecting information about students from social media without public notice and comment.
- Student Online Personal Information Protection Act (SOPIPA) — Cal. Bus. & Prof. Code §§ 22584–22585. Enacted 2014.
Applies to any operator of a website or online service used primarily for K-12 school purposes. Prohibits using students' personal information for targeted advertising, building profiles on students outside of the educational context, or selling student data. Enforceable under the UCL.
IV. Health Information Privacy
- Confidentiality of Medical Information Act (CMIA) — Cal. Civil Code §§ 56–56.37. Enacted 1981.
California's health privacy law is significantly broader than HIPAA in one critical respect: it applies not just to covered entities and their business associates, but to any business — including mobile applications and consumer wellness platforms — that handles medical information. A fitness app, a mental health chatbot, or a period-tracking app that is not subject to HIPAA can still be fully subject to CMIA.
The CMIA restricts disclosure of patients' medical information by medical providers, health plans, pharmaceutical companies, and — crucially — other businesses that maintain medical information as part of their services, unless the patient provides explicit written consent or a statutory exception applies.
Enforcement: Private right of action for compensatory and statutory damages; civil penalties up to $250,000; punishable as a misdemeanor. This is one of the most aggressively litigated health privacy statutes outside the federal framework.
What This Means in Practice
The cumulative picture is striking. A company operating in California that processes health data, runs a website with third-party analytics, offers a financial product, and has K-12 users could simultaneously be subject to CMIA, CIPA, CalFIPA, CalOPPA, SOPIPA, the Data Breach Notification law, and the CCPA, each with its own definitions, thresholds, consent requirements, and enforcement mechanisms, some entirely independent of the others.
The CCPA is the framework. It is not the full story.
Any serious compliance program for the California market must begin with a complete statutory mapping across all applicable layers (general consumer, sectoral, and communications) before a single privacy notice is drafted or a single data flow is documented.
