Summary of the California Information Practices Act

This is a summary of California’s Information Practices Act, Civ. Code, § 1798 et seq. (IPA or Act:).  Immediately following is an Executive Summary based upon a California Supreme Court description of the Act.  A more detailed summary can be found in our white paper here.  

Words in italics reflect words defined in the Act.  One important point to remember, this Act applies to agencies.  As defined, agencies excludes a county; city, whether general law or chartered; city and county; school district; municipal corporation; district; political subdivision; or any board, commission or agency thereof. . . .  Thus, the IPA  regulates state, not local, agencies.

EXECUTIVE SUMMARY

The following is a summary of the IPA which the Supreme Court crafted in Perkey v. Department of Motor Vehicles (1986) 42 Cal.3d 185, 191-193.

In 1972, the people of California amended the state Constitution to provide explicit language protecting the personal right of privacy.  Five years  later, the Legislature enacted the Information Practices Act of 1977 (the Act).  (Civ. Code, § 1798 et seq.)  The Act delineates an elaborate statutory scheme specifically designed to implement the privacy amendment.

Section 1798.1, one of the Act's introductory provisions, captures the spirit of the legislation:  "The Legislature declares that the right to privacy is a personal and fundamental right protected by Section 1 of Article I of the Constitution of California and by the United States Constitution and that all individuals have a right of privacy in information pertaining to them."

In the Act's declaration of purpose, the Legislature stated that the right to privacy was being threatened by "the indiscriminate collection, maintenance, and dissemination of personal information and the lack of effective laws and legal remedies" and that "[the] increasing use of computers and other sophisticated information technology has greatly magnified the potential risk to individual privacy that can occur from the maintenance of personal information."  (§ 1798.1, subds. (a) and (b).)

To guard against this threat, the Act places strict limits on "the maintenance and dissemination of personal information."  (Id., subd. (c).)  "Personal information" is defined to include "any information that is maintained by an agency that identifies or describes an individual, including, but not limited to, his or her name, social security number, physical description, home address, home telephone number, education, financial matters, and medical or employment history. It includes statements made by, or attributed to, the individual."  (§ 1798.3, subd. (a), italics added.)

Under the Act, state agencies are required to limit the collection and retention of personal information to that necessary to accomplish the agency's specific purpose (§ 1798.14).  If an agency maintains such a record (§ 1798.32), individuals must be informed when they request it.  Further, they may request amendments to correct any inaccurate information (§§ 1798.35-1798.37).  More importantly, all disclosures of personal information are restricted (§ 1798.24), and an accounting of such disclosures must be made, including disclosures pursuant to subpoena or search warrant (§ 1798.25).