News & Articles

In an era where data privacy concerns are top-of-mind, California has established a robust legal framework to protect personal information – not just for businesses, but for state entities, as well. The California Information Practices Act of 1977 (IPA) sets the foundation for state agencies handling data, while the California Public Records Act provides public access to certain information. Additionally, Government Code Sections 11015.5 and 11019.9 impose restrictions on data collection and require state agencies to implement clear privacy policies. Understanding these laws can help determine how agencies should manage personal information, which in turn, fosters trust between the public and public-serving institutions. This post details these laws, with key requirements for each. Requirements of the Information Practices Act of 1977 The California Information Practices Act (IPA) of 1977 is a law that protects the privacy of individuals by limiting how California state agencies collect, store, and share personal information. This law requires state agencies to collect and keep only the information that is necessary to accomplish their legal purpose. The IPA applies to all state agencies, with limited exemptions for the state legislature, agencies established under Article VI of the California Constitution, the State Compensation Insurance Fund, and local agencies as defined under Section 7920.510 of the Government Code. Under the IPA, each state agency must generally provide a notice with certain information to the individual when collecting information, but this notice is not required if the agency is using information only for the purpose of identification and communication with the individual by the agency. Under the IPA, the notice shall provide:

• Information about the agency, including the name, division requesting information, and the authority of the agency to collect and maintain information, whether granted by statute, regulation, or executive order.
• Information about what the records will be used for and contact information for the person responsible for the system records. On request, this person will inform the individual of the location of their records and categories of people who use the individual’s records.
• Information about submission, including whether submission of the information is mandatory or voluntary, the consequences of not providing any or all of the information, and whether there are any foreseeable disclosures of information.
• Information about the right of access to the individual’s records containing personal information.

Requirements for the California Public Records Act While it does not pertain specifically to privacy notices, the California Public Records Act (CPRA)—which is not to be confused with the California Privacy Rights Act, an amendment to the California Privacy Protection Act—is similar to the federal Freedom of Information Act (FOIA). These laws work to enhance transparency in the information that is collected by government agencies; a similar goal to laws that promote transparency by requiring privacy notices. As enshrined in the California Constitution, “the people have the right of access to information concerning the conduct of the people’s business.” To this end, the CPRA is designed to help “safeguard the accountability of the government to the public” by promoting prompt public access to government records. Government Code §7920.530 broadly defines a public record as “any writing containing information relating to the conduct of the public’s business prepared, owned, used or retained by any state or local agency regardless of physical form or characteristics.” However, it is essential to note that “electronically collected personal information” is one of the many exemptions from the CPRA. This includes information like the domain name or IP address, and statistical information about the webpages visited, which may not be subject to public inspection and copying if not otherwise protected by federal or state law. When a copy of a record is requested, the agency shall determine within 10 days whether to comply with the request. Upon its determination, it shall promptly inform the requester of the decision and inform them of the reasons for that decision. Requirements of Government Code Section 11015.5 Government Code Section 11015.5 established privacy requirements for state agencies that electronically collect personal information. This provision applies to all California state agencies, defined as every state office, officer, department, division, bureau, board and commission—including the California State University system. When using any means to electronically collect personal information on the internet, agencies must provide users with notice at the initial point of interaction. This notice should include:

• Information about collection, such as the existence of the gathering method, what type of personal information is being collected and how it will be used. This includes information about the length of time that the gathering device will be in the user’s hard drive, if applicable.
• Information about deletion and sharing, including that the user has the option of having their personal information discarded without reuse or redistribution, and that state agencies shall not distribute or sell any electronically collected personal information about users to any third party without consent.
• Information about other laws, including that all information acquired is subject to the limitation of the IPA, as detailed above, and that electronically collected information is exempt from requests made pursuant to the CPRA, discussed above.

These requirements aim to promote transparency in data collection practices and provide individuals with control over their personal information when interacting with state agencies online. Requirements of Government Code Section 11019.9 Government Code Section 11019.9 mandates that every state department along with state agencies maintain and establish a permanent privacy policy in compliance with the IPA, as detailed above. This requirement applies to all state entities, defined the same as in Government Section Code 11015.5 above, but excludes the California State University system. While similar to Government Code Section 11015.5, this requirement applies to a wider number of state-affiliated entities by including both departments and agencies. The required privacy policy must address the following:

• Information about collection, including that the information is obtained only through lawful means, and the purpose for which the data is collected for. The data collected must be relevant to this purpose.
• Information about processing, including that personal information will not be disclosed, made available, or otherwise used for purposes other than those in the policy, except by law or with consent of the data subject.
• Information about security, including the general means by which personal information is protected against loss, unauthorized access, use, modification, or disclosure, unless that would compromise the legitimate purposes of the state department, agency, or law enforcement. Each covered state entity must also designate a position within the organization which is responsible for the privacy policy.

Additionally, state entities covered by Section 11019.9 are required to conspicuously post their privacy policy on their website. The policy must be accessible through a hyperlink labeled “PRIVACY” on the homepage of the website. This link must be in a contrasting color and displayed in capitalized letters equal in size or larger than the surrounding text. Through these laws, California has implemented a comprehensive framework to require that state entities handle personal information responsibly, by providing privacy notices, restricting data usage, and protecting data subjects’ rights. These requirements reflect an ongoing effort to balance transparency, accountability, and protection of personal information, while fostering public trust in governmental data collection and use practices.