Welcome to Jahangiri Law Group

The California Privacy Rights Act (CPRA), which significantly amended the California Consumer Privacy Act (CCPA), has established a robust framework for consumer data privacy. Businesses need to understand the nuances of "personal information" and "sensitive personal information" under CPRA as it is crucial for achieving and maintaining compliance. What is "Personal Information" under CPRA? The CPRA adopts a broad definition of "personal information" (PI), encompassing any information that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." This includes, but is not limited to: Identifiers: Real name, alias, postal address, unique personal identifier, online identifier (e.g., IP address, cookie ID), email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers. Customer Records Information: Signature, physical characteristics or description, telephone number, state identification card number, insurance policy number, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Characteristics of Protected Classifications: Under California or federal law (e.g., age, race, religion, gender, sexual orientation). Commercial Information: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. Biometric Information: Physiological, biological, or behavioral characteristics, including DNA, used or intended to be used, separately or in combination with other data, to establish individual identity (e.g., fingerprints, facial recognition). Internet or Other Electronic Network Activity Information: Browse history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement. Geolocation Data: Information that indicates the precise location of an individual or device. Sensory Data: Audio, electronic, visual, thermal, olfactory, or similar information (e.g., call recordings, CCTV footage). Professional or Employment-Related Information. Inferences: Information drawn from any of the above to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. It is important to note that personal information does not include publicly available information from federal, state, or local government records (e.g., professional licenses, public real estate records). What is "Sensitive Personal Information" (SPI) under CPRA? The CPRA introduced a new, more protected category of personal information: Sensitive Personal Information (SPI) . This subset of PI requires heightened safeguards due to its potentially intimate or revealing nature, and consumers have additional rights regarding its use and disclosure. SPI includes personal information that reveals: A consumer's Social Security number, driver's license number, state identification card, or passport number. A consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. A consumer's precise geolocation. A consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership. The contents of a consumer's mail, email, and text messages, unless the business is the intended recipient of the communication. A consumer's genetic data. The processing of biometric information for the purpose of uniquely identifying a consumer. Information concerning a consumer's health. Information concerning a consumer's sex life or sexual orientation. Key Differences and Why They Matter for Businesses The distinction between general "personal information" and "sensitive personal information" is critical because the CPRA imposes additional obligations and consumer rights specifically for SPI. Heightened Protection: Businesses handling SPI must implement more robust security measures to protect this data from unauthorized access or disclosure. Right to Limit Use and Disclosure: Consumers have a new right to direct businesses to limit the use and disclosure of their SPI to only those purposes necessary to perform the services or provide the goods reasonably expected by an average consumer. This means businesses generally cannot use or disclose SPI for other purposes, such as cross-context behavioral advertising, without explicit consumer permission. Dedicated Opt-Out Link: Businesses that use or disclose SPI for purposes other than those allowed by the CPRA must provide a "clear and conspicuous link" on their homepage(s) labeled "Limit the Use of My Sensitive Personal Information." This is in addition to the "Do Not Sell or Share My Personal Information" link for general personal information. Notice at Collection: Businesses must clearly disclose the categories of SPI collected, the purposes for which it is collected or used, and whether it is sold or shared. What Businesses Need to Know for CPRA Compliance: To effectively comply with the CPRA, businesses must undertake a comprehensive approach to data privacy, with a particular focus on the differentiated treatment of personal and sensitive information: Data Inventory and Mapping: Identify all types of personal information you collect, store, process, and share. This includes data from customers, employees, job applicants, contractors, and business-to-business (B2B) contacts (as CPRA largely removed previous exemptions for employee and B2B data). Specifically identify and classify any sensitive personal information (SPI) collected. Map how data flows across your organization, including transfers to third parties, service providers, and contractors. Update Privacy Policies and Notices: Clearly disclose the categories of personal information and sensitive personal information collected. State the purposes for which each category of information is collected and used. Specify retention periods for all categories of personal and sensitive information, ensuring data is not kept longer than "reasonably necessary" for the disclosed purpose. Explain consumer rights under CPRA, including the right to know, delete, correct, opt-out of sale/sharing, and limit the use of sensitive personal information. Implement Opt-Out Mechanisms: Provide "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links on your website homepage(s) and other relevant data collection pages. Ensure these links lead to user-friendly pages where consumers can easily exercise their rights. Maintain records of opt-out requests for at least 12 months. Data Minimization and Security: Collect only the personal information and SPI that is absolutely necessary for your disclosed purposes. Implement robust security measures to protect all personal information, with heightened safeguards (e.g., encryption, access controls) for SPI. Develop a comprehensive incident response plan. Respond to Consumer Requests: Establish clear and efficient processes for responding to consumer requests to access, delete, correct, opt-out of sale/sharing, and limit the use of their personal and sensitive information. Ensure timely responses (typically within 45 days, with a possible 45-day extension). Notify service providers, contractors, and third parties to whom data has been shared when a deletion request is received. Third-Party Contracts: Review and update contracts with service providers and third parties to ensure they are also compliant with CPRA obligations, especially regarding data protection and consumer rights. Training: Provide regular training to all employees who handle personal data on CPRA requirements and best practices for data privacy and security. By diligently addressing these areas, businesses can navigate the complexities of CPRA, protect consumer privacy, and mitigate the risks of non-compliance, including significant penalties from the California Privacy Protection Agency (CPPA). For any business operating in California or collecting data from California residents, a proactive and well-informed approach to data privacy is no longer optional, but a legal imperative. Brinda Bellur is a dual-licensed attorney in California and India, with extensive experience in both litigation and transactional matters. She holds an LLM from UC SF Law (formerly UC Hastings) and certifications in privacy (CIPP/US, IAPP) and commercial contracts (UC Berkeley Law Executive Education).

In today's data-driven economy, businesses operating in California face an evolving landscape of privacy regulations. At the forefront of this shift is the California Consumer Privacy Act (CCPA), a landmark law that grants significant rights to California consumers regarding their personal information. For businesses, understanding and complying with the CCPA is not just a legal obligation – it's a crucial aspect of building trust and maintaining a sustainable operation. At Jahangiri Law Group, we understand the complexities that the CCPA can present for businesses of all sizes. This article serves as an introduction to this pivotal legislation, highlighting key aspects that your organization needs to be aware of. The CCPA: A New Era of Data Privacy in California Effective since 2020, the CCPA empowers California residents with fundamental rights over their personal information held by businesses. These rights include the ability to: Know: Request information about the categories and specific pieces of personal information collected, the sources of the information, and the purposes for its collection. Access: Obtain a copy of the personal information held by the business. Delete: Request the deletion of their personal information (with certain exceptions). Opt-Out of Sale: Direct businesses not to sell their personal information to third parties. Non-Discrimination: Not be penalized for exercising their CCPA rights. Who Does the CCPA Apply To? It's crucial for businesses to determine if they fall under the purview of the CCPA. Generally, the law applies to any for-profit business that does business in California and meets at least one of the following thresholds: Has annual gross revenues of over $25 million. Annually buys, sells, or shares the personal information of 100,000 or more California consumers or households. Derives 50% or more of its annual revenue from selling or sharing the personal information of California consumers. Even if your business doesn't have a physical presence in California, if you meet these criteria and interact with California residents' personal information, the CCPA likely applies to you. Key Obligations for Businesses Under the CCPA: Compliance with the CCPA requires businesses to implement significant changes to their data handling practices. Some key obligations include: Providing Notice to Consumers: Informing consumers about the categories of personal information being collected and the purposes for which the categories of personal information are collected or used. Responding to Consumer Requests: Establishing processes to respond to consumer requests to know, access, and delete their personal information. Implementing Data Security Measures: Maintaining reasonable security procedures and practices to protect consumers' personal information. Providing the Right to Opt-Out of Sale: If your business sells personal information, you must provide a clear and conspicuous "Do Not Sell My Personal Information" link on your website. Updating Privacy Policies: Ensuring your privacy policy accurately reflects consumers' CCPA rights and your business practices. At Jahangiri Law Group, we understand the complexities of the CCPA and are dedicated to helping businesses navigate these requirements effectively. Our experienced team can provide guidance on: Determining CCPA applicability to your business. Developing and implementing compliant data privacy policies and procedures. Establishing processes for responding to consumer rights requests. Advising on data security best practices. Assisting with employee training on CCPA compliance. Defending businesses against potential CCPA violations.  The CCPA represents a significant shift in data privacy regulation, and proactive compliance is essential for businesses operating in California. Businesses must carefully conduct the analysis to determine it does not meet ANY of the three thresholds of “what is a business” under the CPRA before deciding whether CCPA, applies to them or not.

Jahangiri Law Group is proud to announce that we have been recognized as the recipient of the prestigious Diversity Award, 2024, presented by the Contra Costa County Bar Association. This honor celebrates our unwavering commitment to fostering inclusivity, equity, and representation within our legal practice and the broader community. At Jahangiri Law Group, diversity is not just a value—it is a cornerstone of our mission. We believe that embracing a wide range of perspectives strengthens our ability to serve our clients and contribute to a more just and equitable society. This award is a testament to the collective efforts of our team and our dedication to creating meaningful change. We extend our heartfelt gratitude to the Contra Costa County Bar Association for this recognition. As we celebrate this achievement, we reaffirm our pledge to continue championing diversity and inclusion in all that we do.