CCPA and CPRA

Image

CCPA and CPRA Topic Page

This topic page contains a curation of the IAPP’s coverage, analysis and relevant resources regarding the California Consumer Privacy Act and California Privacy Rights Act.

In June 2018, the CCPA was signed into law, creating new privacy rights for Californians and significant new data protection obligations for businesses. The CCPA went into effect Jan. 1, 2020. California’s Office of the Attorney General has enforcement authority.

The CPRA, a ballot initiative that amends the CCPA and includes additional privacy protections for consumers passed in Nov. 2020.

The CPRA established the California Privacy Protection Agency to implement and enforce the law. The Attorney General also retains civil enforcement authority.

  • expand_more

    CCPA Law and Documents

  • expand_more

    CPRA Law and Documents

Featured Resources

BOOK

California Privacy Law, Fifth Edition

This textbook provides practical guidance and in-depth information to navigate the state’s strict policies.
Read More

ARTICLE SERIES

Top-10 operational impacts of the CPRA

This is a 10-part series intended to help privacy professionals understand the operational impacts of the California Privacy Rights Act.
Read More

CHART

California Privacy Legislation Tracker

This tracker overviews bills pending in the California Legislature that would amend the California Consumer Privacy Act and/or California Privacy Rights Act.
Read More

CHART

California Rulemaking Process Overview

This chart provides a roadmap for the California rulemaking process as the CPPA continues to promulgate regulations delegated to it by California legislators and voters.
Read More

ARTICLE SERIES

California 2022-23 legislative wrap-up

This article outlines privacy legislation introduced in California in 2023.
Read More

ARTICLE SERIES

CPPA’s automated decision-making rules proposal

This article breaks down the CPPA’s proposed rules for automated decision-making technology.
Read More


Additional News and Resources

CPPA's draft automated decision-making rules unpacked

The California Privacy Protection Agency's draft regulations on the use of automated decision-making technologies are the first preview of how artificial intelligence processing could be regulated under the California Consumer Privacy Act, as part of a CPPA workstream that began in the fall of 2021. When formally proposed and adopted, the ADMT rules will join the expanding set of privacy laws that include rules about the use of AI in contexts related to decision-making and profiling. Like in ot... Read More

The California Delete Act: Implications for data brokers and privacy

The California Legislature 14 Sept. adopted the Delete Act, providing Californians a one-stop shop to delete personal information held by data brokers. It now goes to the governor’s desk for signature by 14 Oct. What does it require of data brokers? When will requirements kick in? Who will this effect? How does it relate to broader California Privacy Rights Act requirements? How will it be enforced? What effect might it have beyond California? How should you prepare? IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy joined with Loeb & Loeb Partner and Privacy, Security and Data Innovations Chair Jessica Lee and Gravy Analytics Chief Privacy Officer and Vice President Legal Jason Safarti for a conversation on these and many other questions. Read More

The CPPA's upcoming rulemaking process

On 28 Aug., the California Privacy Protection Agency released its initial draft regulations for cybersecurity audits and risk assessments. The CPPA has not yet commenced its formal rulemaking process for these regulations, which will assuredly undergo several rounds of revision. Once finalized, businesses will be required to perform annual cybersecurity audits and regularly submit risk assessments to the CPPA regarding their processing of personal information. Businesses will undoubtedly be moni... Read More

CPPA debuts new CPRA complaint form

The California Privacy Protection Agency announced a new consumer complaint system is now in effect at its most recent board meeting 14 July. The new form allows residents and nonresidents to lodge both sworn and unsworn complaints detailing possible violations of the California Consumer Privacy Act. There is also an FAQ page to assist individuals filling out their complaint. During the meeting, CPPA Special Advisor Elizabeth Allen, CIPP/US, said the new system received 13 complaints after its... Read More

Court decision pushes CPRA regulations enforcement to March 2024

In another unexpected twist concerning California Privacy Rights Act regulations, covered entities need not stress about enforcement of the rules this month as anticipated. A last-minute decision from the Sacramento County Superior Court 30 June on a complaint filed by the California Chamber of Commerce pushed enforcement of CPRA regulations from 1 July to 29 March 2024. The court-ordered delay pertains only to CPRA rules, not the body of the CPRA statute or regulations previously finalized un... Read More

CCPA enforcers emphasize compliance, downplay federal preemption

While the program at the IAPP Global Privacy Summit 2023 contained plenty of federal privacy law undertones, the U.S. regulatory talk fell squarely back to California's privacy regime. The focus was inevitable, after the first set of California Privacy Rights Act regulations were finalized in the days leading up to the conference. Members of California's privacy enforcement bodies — the California Privacy Protection Agency and the Office of the Attorney General of California — acknowledged the ... Read More

CPRA regulations finalized with OAL approval

New rules and obligations under the California Consumer Privacy Act have reached the finish line. The California Privacy Protection Agency announced its first California Privacy Rights Act rulemaking package was approved by the California Office of Administrative Law following a review. The finalized rules contain no substantive changes to the final draft submitted by the CPPA to the OAL in February. The first rulemaking package addresses regulations concerning data processing agreements, consu... Read More

California legislative wrap-up: CCPA amendments, children’s privacy and more

Feb. 17 marked the deadline for California legislators to introduce bills for the current legislative session. Among more than 2700 bills introduced by state senators and assembly members, 10 proposed amendments to the California Consumer Privacy Act and the Information Practices Act of 1977, which imposes purpose limitations, consent requirements and other privacy protections over personal data held by the government. Other bills address topics like updating the Confidentiality of Medical Infor... Read More

Does the CCPA as modified by the CPRA apply to your business?

The California Consumer Protection Act has been in effect since Jan. 1, 2020 and the California Privacy Rights Act, which modified the CCPA, went into effect Jan. 1, 2023. Now that the CPRA is in effect, one of the questions businesses are concerned about is the modification of the CCPA threshold test of "what is a business," and the implications this modification for small businesses, e.g., those under USD25 million in annual revenue, in light of the new compliance requirements for business-to... Read More

Proposed CPRA regulations finalized; CPPA targets April effective date

Covered entities under the California Consumer Privacy Act are on the cusp of long-awaited legal certainty regarding updated compliance efforts. The California Privacy Protection Agency Board voted 4-0 at its latest meeting to finalize its first set of proposed California Privacy Rights Act regulations. The final rulemaking package, which consists of the proposed regulations and a draft final statement of reasons from the CPPA, will soon be sent to the California Office of Administrative Law fo... Read More

All things 'California Privacy Law' with Lothar Determann

California has led the way on many privacy-related laws, going back to at least 2002 when it passed the first data breach notification law in the U.S. More recently, passage of the California Consumer Privacy Act and the California Privacy Rights Act has prompted other states to follow suit. Lothar Determann has long practiced and taught international data privacy law, and beginning in 2013, published the book, “California Privacy Law.” Now in its fifth edition and published by the IAPP for the... Read More

CPPA anticipates final CPRA regulations will be effective by April

The anticipated finalization of California Privacy Rights Act regulations has been pushed back again. While the CPRA takes effect in just under two weeks — on Jan. 1, 2023 — the California Privacy Protection Agency is still working to promulgate final rules. During a Dec. 16 board meeting, CPPA Executive Director Ashkan Soltani said the final rules will likely be released in late January. Under that timeline, with a 30-day review by the California Office of Administrative Law, the regulations w... Read More

Cross-context behavioral advertising is ‘sale.’ It is time to get over it.

It seems like at the start of every year there are new privacy laws. The 2020 new year brought us the California Consumer Privacy Act. The 2023 new year will bring us the California Privacy Rights Act and the Virginia Consumer Data Protection Act, with new legislation from Colorado, Connecticut and Utah arriving a bit later in the year. So yet again, cross-functional privacy teams from across the digital advertising industry are trying to decipher what companies can and can’t do under new state... Read More

Web Conference: You’re Not Ready for the CPRA if Your Vendors Aren’t, But There’s Still Time

Original broadcast date: 14 Nov. 2022 In this web conference, panelists explain the key elements of the proposed rules and the consequences of failing to perform vendor due diligence and risk assessments. They cover the actions you can take now to ensure you can meet your regulatory requirements to verify your vendors’ compliance, create the new and required counter-party contracts, and your imminent obligation to audit your vendors. They also discuss real-life examples of what can go wrong and how new software can help. Read More

Home stretch: Finalization of CPRA regulations draws closer

The delay on California Privacy Rights Act regulations has proven difficult for everyone involved. Covered entities are in a bind trying to address CPRA compliance ahead of the Jan. 1, 2023, effective date without final rules being promulgated by the California Privacy Protection Agency. On the other hand, the CPPA is trying to work diligently and tactfully in the face of criticism for running well past its initial July 1 deadline to finalize regulations. The pressure on both sides could ease s... Read More

CPPA publishes first modifications of CPRA draft regulations

The California Privacy Protection Agency released updated California Privacy Rights Act draft regulations with a summary of the latest modifications. These are the first updates to the initial draft rules published May 31 covering select topics under the CPRA, including personal data collection and use restrictions, mandatory user opt-out signal acknowledgement and privacy notice requirements. The CPPA filed its updates ahead of expected discussion on the draft regulations during its two-day ope... Read More

CPPA Board chair doubles down on proposed American Data Privacy and Protection Act opposition

In an op-ed for The San Francisco Chronicle, California Privacy Protection Agency Board Chair Jennifer Urban reiterated the agency's position on how the proposed American Data Privacy and Protection Act would "undermine" Californians' privacy rights and businesses' "ability to confidently invest in more privacy-protective practices." Urban said companies "may be understandably confused about how to invest if Congress overturns this existing guidance" under the California Consumer Privacy Act. Sh... Read More

CCPA/CPRA grace period for HR and B2B ends Jan. 1

On Aug. 31, hopes were dashed when the California legislative session ended without enacting Assembly Bill 1102. The bill would have extended grace periods for certain business-to-business and human resources personal information under the California Consumer Privacy Act as amended by the California Privacy Rights Act. CCPA/CPRA will become fully operational on Jan. 1, 2023, for B2B and HR personal information and will be subject to the same rigorous California privacy regulations as "consumer" ... Read More

CCPA enforcement action: A case study at the intersection of privacy and marketing

Beauty retailer Sephora was fined $1.2 million by California Attorney General Rob Bonta and is the first-ever California Consumer Privacy Act enforcement action. At the heart of the matter is Sephora allegedly misrepresenting its actions to California consumers (saying that it did not sell consumer personal information despite the fact it engaged in targeted advertising, thereby “selling” data to third-party companies) and failing to provide for or recognize global opt-outs “including … the Glob... Read More

The Sephora case: Do not sell – But are you selling?

Businesses barely had time to recover from a hectic privacy summer, with U.S. privacy legislation making progress on the Hill and the U.S. Federal Trade Commission’s launch of a sweeping rulemaking initiative, when California Attorney General Rob Bonta dropped a bombshell: The first enforcement settlement under the California Consumer Privacy Act. Pursuant to the settlement, Sephora, a French cosmetics brand, will pay $1.2 million in fines and abide by a set of compliance obligations. The attorn... Read More

California attorney general announces first CCPA enforcement action

There's been plenty of bark with California Consumer Privacy Act enforcement since the law entered into force January 2020 and now the bite has arrived. California Attorney General Rob Bonta announced the first enforcement action under the CCPA, a $1.2 million settlement with multinational retailer Sephora over violations of the law's "Do Not Sell" provisions. According to the attorney general's office, Sephora's violation specifically concerned the failures to inform individuals about the sale... Read More

CPPA restates American Data Privacy and Protection Act opposition to US House leaders

California Privacy Protection Agency Executive Director Ashkan Soltani wrote a letter to U.S. House Speaker Nancy Pelosi, D-Calif., and House Minority Leader Kevin McCarthy, R-Calif., doubling down on its opposition to the proposed American Data Privacy and Protection Act. Soltani told House leadership the ADPPA's "sweeping preemption" works to "remove important protections and significantly weaken the privacy Californians currently enjoy." Soltani called preemption "an anomaly for federal priva... Read More

CPPA launches CPRA rulemaking process

The California Privacy Protection Agency officially launched the formal rulemaking process for the California Consumer Privacy Rights Act. The CPPA announced draft regulations in early June that maintain pre-existing California Consumer Privacy Act regulations, while modifying certain provisions and proposing new regulations. The public is invited to participate in the rulemaking process by submitting written comments by Aug. 23 or attending public hearings scheduled for Aug. 24 and 25, both in-... Read More

Complying with the California Consumer Privacy Act’s consumer request process

The California Consumer Privacy Act gives California residents the right to know what personal information a business collects about them and how it is used. The law likewise imposes obligations on businesses to ensure consumers can exercise this right. Although the CCPA and its regulations provide a framework, operationalizing the consumer request process can be complex. Two compliance issues that present challenges for organizations covered by the CCPA are: The scope of information subject... Read More

CPPA board moves CPRA rulemaking process forward

The California Privacy Protection Agency board reached what member Christopher Thompson called “an incredible milestone” June 8, voting unanimously to authorize Executive Director Ashkan Soltani to begin the California Privacy Rights Act rulemaking process. “I think we all share a desire to ensure that we issue regulations and enforce those regulations in a way that protects consumers’ privacy and allows consumers to understand and make decisions about their own privacy,” Thompson said.  The a... Read More

Privacy pros take stock of surprise CPRA draft regulations

There has been a stream of activity around California Privacy Rights Act rulemaking in recent months, yet privacy professionals have been working under a mostly undefined timeline for a formal rulemaking process. The California Privacy Protection Agency is now signaling that process is on the horizon. The CPPA announced May 27 its plans to discuss CPRA draft regulations during its next board meeting June 8. That announcement subtly included the first cluster of proposed rules for the 22 topics ... Read More

CPPA board charts course for CPRA rulemaking

The California Privacy Protection Agency Board outlined a proposed course of action for the upcoming California Privacy Rights Act rulemaking process, addressing what will and will not be anticipated areas of focus. The board did not discuss the quickly approaching July 1 target date for finalizing regulations. The CPRA takes effect Jan. 1, 2023, and provides for regulations to be finalized by July 1, allowing for a six-month compliance window. CPPA Executive Director Ashkan Soltani indicated d... Read More

Web Conference: State of CCPA: A Look Back to Prepare for What's to Come

Original broadcast date: 31 March 2022 In this web conference you will learn how much the average organization is paying for their privacy programs, how many do-not-sell requests to expect once the California Privacy Rights Act goes into effect next year, what steps people are taking to reduce their online footprint, and what this means for businesses, why CPRA will likely increase costs for many businesses among other things.  Read More

CPRA regulations delayed past July 1 deadline, expected Q3 or Q4

Compliance activities loom large as organizations gear up for the California Privacy Rights Act to take force next year. Remaining measures depend largely on the substance of the California Privacy Protection Agency's much-anticipated CPRA rulemaking. The CPRA provides for regulations to be finalized by July 1 to allow for a six-month compliance window ahead of the law's Jan. 1, 2023 effective date, but a surprise announcement from the CPPA suggests a compliance scramble is on the horizon. Whil... Read More

CPPA releases public comments for CPRA regs

The California Privacy Protection Agency published the public comments from its stakeholder consultation on California Privacy Rights Act regulations. The comment periods were conducted Sep. 22 to Nov. 8 and broken up into four sections. The CPPA intends to have additional informational hearings to gather more feedback toward its rulemaking process. Formal rulemaking activities will begin at the conclusion of the agency's fact gathering, which has no set timetable. Editor's note: IAPP's Cathy Co... Read More

Status of the California Privacy Protection Agency’s work

The California Privacy Protection Agency, established by the California Privacy Rights Act, is taking shape. It hired Ashkan Soltani as its Executive Director Oct. 4 and is expected to hire a general counsel and deputy director of administration soon. The agency is also moving forward with its rulemaking responsibilities, engaging in preliminary rulemaking activities as it considers what new regulations or amendments to the regulations are appropriate. Adopting final CPRA regulations by the July... Read More

Brace for impact: PSR21 workshop focuses on CPRA considerations

With California playing host to the IAPP's Privacy. Security. Risk. 2021, it was only fitting that the California Privacy Rights Act took center stage from the get-go. Attendees were treated Wednesday to a CPRA Comprehensive workshop, a full-day event dedicated to providing information and advice on what to expect when the law takes effect Jan. 1, 2023, and how to best prepare for compliance in the leadup to the day. The workshop's panel sessions covered some of the most obvious and pressing qu... Read More

FTC alum Ashkan Soltani selected to lead CPPA

It was always going to be interesting to see who would be appointed the inaugural leader of the California Privacy Protection Agency. With the hiring process mostly closed-door and unpublicized, the selection was bound to catch people by surprise and did just that on Monday. The CPPA announced Ashkan Soltani, former chief technologist for the U.S. Federal Trade Commission and senior advisor to the White House, will be its first executive director. Soltani was a key player in the drafting of the... Read More

CPRA could obstruct existing employment rights

Employment rights and obligations related to human resources data are about to get messy in California. On Jan. 1, 2023, California will become the first state to have a comprehensive data privacy law covering human resources data when the California Privacy Rights Act becomes operational. This change will leave both employees and employers confused regarding the interplay between the CPRA and employment laws because most of the rights under the CPRA either are already addressed or do not make s... Read More

Top-10 takeaways from the California AG’s CCPA enforcement case examples

In July, the office of the attorney general of California marked the one-year anniversary of its enforcement of the California Consumer Privacy Act by issuing a press release to tout its “successful enforcement efforts.” Also well-publicized, in the same announcement, the office unveiled a new Consumer Privacy Tool to enable consumers to directly notify eligible businesses of perceived “Do Not Sell My Personal Information” link deficiencies. Although the press release teased four examples of not... Read More

How Defendants Are Attacking CCPA Claims

The California Consumer Privacy Act provides a limited private right of action under Section 1798.150 against businesses failing to protect personal information from unauthorized disclosure. This graphic identifies some of the arguments raised by defendants seeking to avoid liability for alleged violations of the CCPA. Read More

California attorney general offers CCPA enforcement update, launches reporting tool

Those wondering how California Consumer Privacy Act enforcement went after the law's first year in effect got that answer and plenty more July 19. California Attorney General Rob Bonta held a press conference to tout the effectiveness of the CCPA, particularly its cure notices, while unveiling a new Consumer Privacy Tool for individuals to report instances of missing or unclear "Do Not Sell My Personal Information" buttons on companies' websites. Bonta said he was pleased to report 75% of the c... Read More

A look at the California Privacy Protection Agency inaugural meeting

The California Privacy Protection Agency is the new agency established by the California Privacy Rights Act to implement and enforce the law. On June 14, the five-member CPPA Board held its first public meeting over Zoom. The 15 agenda items focused primarily on informational and logistical tasks as the board considered what is needed to create the agency. Not surprisingly, the July 1, 2022, deadline for adopting final CPRA regulations overshadowed much of the discussion.   The IAPP previously ... Read More

What the CPPA's appointments say about enforcement priorities, strategy

With any newly assigned leadership group, it is fair to wonder if the appointments provide any clues as to how they might approach their duties. It is a question being asked and explored in the days following the appointments to the California Privacy Protection Agency board. The inaugural board members for the first privacy-focused regulatory body in the U.S. were announced by California government officials March 17. University of California, Berkeley Clinical Professor of Law Jennifer Urban ... Read More

New CCPA regulatory provisions seek to clarify business requirements

On March 15, 2021, California approved new regulations implementing the California Consumer Privacy Act. These regulations primarily focus on a business's obligations to comply with opt-out right protocols and requirements (e.g., Do Not Sell links) and respond to data privacy requests that are submitted by a consumer's authorized agent.  Although California voters recently approved the California Privacy Rights Act, the CCPA's outstanding requirements, including these new regulations, remain in... Read More

Analyzing the CPRA’s new contractual requirements for transfers of personal information

New Year’s Day 2023 will usher in many new changes for California (and, by extension, the U.S.) privacy law when the California Privacy Rights Act becomes fully operative. One significant change will be the CPRA’s expansion of contracting requirements for transfers of personal information to other entities. The California Consumer Privacy Act only requires contracts to establish service provider relationships. The CPRA will expand that requirement to include transfers to third parties and “contr... Read More

Ambiguity in CPRA imperils content intended for underrepresented communities

In November 2020, California voters approved a new data privacy law. Unfortunately, the law contains a provision that may threaten the future of digital content for underrepresented communities. California’s new law, the California Privacy Rights Act, includes provisions that prohibit “revealing” a consumer’s racial or ethnic origin, religious or philosophical beliefs, and sex life or sexual orientation. The beneficial intent behind this provision is unassailable, but regulations need to careful... Read More

New categories, new rights: The CPRA's opt-out provision for sensitive data

In November 2020, a majority of Californians (56.1%) voted to pass Proposition 24 — establishing the California Privacy Rights Act. While the CPRA’s provisions become enforceable in 2023, many aspects of the law come into effect now, including the creation of a new California Privacy Protection Agency and a period of formal rulemaking that could begin as early as July 2021. While preserving the CCPA’s existing consumer rights, the CPRA establishes a range of new protections, including and perha... Read More

Calif. approves Prop 24, paving the way for CPRA

While most of the nation anxiously awaits the final vote tallies for the U.S. presidential election, several privacy-related propositions and referendums were also on the ballots in a few states. Most significantly, California's Proposition 24 has passed, paving the way for the California Privacy Rights Act. This major new state privacy law is something privacy pros will want to pay attention to. IAPP Editorial Director Jedidiah Bracy, CIPP, shares some early reactions from practitioners on what... Read More

Whether yes or no, the stakes are high for Calif.'s Prop 24

With only a week until what might be the most important U.S. election in a generation, tensions across the United States are running high. True, the big focus for the nation is on the presidential election, while a selection of closely contested and equally significant U.S. Senate races also hang in the balance. But for the privacy profession, there's a major election choice in California this Nov. 3.  Proposition 24, the ballot initiative that would cement the California Privacy Rights Act in... Read More

The Privacy Advisor Podcast: Alastair Mactaggart on California's Prop 24

Hard to believe it, but we’re only days away from a fateful vote in California on what’s called Proposition 24. If approved by the residents of California, Prop 24 will put the California Privacy Rights Act on the books. The law will add an additional layer of privacy protections for California residents and a new privacy compliance regime for businesses. Prop 24 has been hotly debated, especially in recent weeks. And the traditional fault lines between consumer advocacy and industry are not wha... Read More

Data brokers: A preview of the new edition of 'California Privacy Law'

In the flurry of bills relating to the California Consumer Privacy Act (CCPA),[1] the California Legislature also enacted a new law effective January 1, 2020, according to which data brokers must register with the California attorney general by January 31, 2020. With the new law, California follows a similar (but not identical) law in Vermont[2] and attention to data brokers by Congress, the Federal Trade Commission (FTC) and advocates in prior years.[3] California lawmakers placed the broker la... Read More

CCPA Litigation Overview

Published: October 2020Click To View (PDF) The IAPP developed a chart illustrating the differences among the CCPA cases being filed. The "CCPA Litigation Overview" includes the alleged conduct the plaintiff(s) claim violated the CCPA, whether a CCPA count is specifically included in the complaint and the other California statutes raised by plaintiffs. ... Read More

CCPA update: Calif. attorney general comments, new amendments signed into law

In September, California Attorney General Xavier Becerra testified at the U.S. Senate Committee on Commerce, Science and Transportation hearing regarding the need for a U.S. privacy law. Although the context of the hearing was federal privacy legislation, his testimony included important insights into how his office may approach enforcement of the California Consumer Privacy Act and what privacy issues he is focused on going forward. In addition, several bills with privacy implications were pas... Read More

Benchmarking CCPA-related data subject requests

On July 1, 2020, the California Consumer Privacy Act hit two milestones. It was the midyear point of its Jan. 1, 2020, implementation and the day full enforcement of the law officially began. The six-month grace period between implementation and enforcement was designed to give businesses an opportunity to get ahead of the CCPA and put programs in place. Of course, when that grace period was built into the law, no one anticipated a pandemic and millions of people moving to remote work, shifting... Read More

What does the CCPA's 'purpose limitation' mean for businesses?

In a provision that has not yet received much attention, the California Consumer Privacy Act imposed the fair information principle of “purpose limitation” on businesses subject to the law. As we explain below, this provision and the way the California Attorney General’s Office has sought to implement it may have important consequences for businesses when evaluating whether the personal information they have collected from consumers can be used for purposes not specifically contemplated at the t... Read More

The CCPA dog that didn’t bark: B2B and employee moratoria extended one year

For much of the year, privacy professionals have expressed concern that the California Consumer Privacy Act business-to-business and employee partial moratoria were scheduled to expire at the end of 2020. If these moratoria lapse, the scope of CCPA rights requirements would expand dramatically. For example, CCPA businesses would need to present CCPA “At Collection” privacy notices to employees and representatives of other business entities — something that U.S. businesses rarely, if ever, do tod... Read More

Web Conference: Privacy and Regulations: What's Next After CCPA?

Original broadcast date: Aug. 4, 2020 Join us for a panel discussion to hear from privacy and legal experts about the scope and impact of the CCPA/CPRA and how other states can enforce similar regulations, how companies can win by implementing automated discovery and privacy measures at scale, considerations for managing privacy and ensuring internal compliance during these new and challenging work from home times among other things. Read More

CPRA promises short-term consumer benefits, long-term uncertainty

The California Consumer Privacy Act is the nation’s first comprehensive commercial privacy law, and Consumer Reports has been working to defend and expand it since it was signed into law in 2018. The fact that California residents now have the legal right to access, delete and control the sale of one’s information is a major step forward, especially as the federal government has failed to take action to protect online privacy. That said, the CCPA was in some places drafted sloppily — its looph... Read More

CCPA draft regulations: Privacy notices and accessibility in the employment context

Editor's note: This is the third article in a three-part series addressing some of the more significant areas of the regulations implementing the California Consumer Privacy Act. On June 2, the proposed regulations were sent to the California Office of Administrative Law for final review, and if approved by the OAL, the California Consumer Privacy Act regulations will then be filed with the California Secretary of State and become enforceable. This third article in a three-part series on the dr... Read More

The new CCPA draft regulations: Identity verification

Editor’s note: This is the second article in a three-part series addressing some of the more significant areas of the regulations implementing the California Consumer Privacy Act. The California Consumer Privacy Act affords California residents several data privacy rights, including the right to know, access and delete specific pieces or categories of personal information that a business has collected about them and the right to “opt-out,” which refers to a consumer’s right to request that a bu... Read More

CCPA litigation: Shaping the contours of the private right of action

The private right of action in the California Consumer Privacy Act has generated substantial commentary. Now that plaintiffs have started to bring lawsuits alleging violations of the CCPA, we can see how these claims are being plead and the novel questions courts will be asked to consider. Litigation on these issues seems likely, as litigants seek to define the scope of this remedy for consumers. CCPA private right of action Section 1798.150(a)(1) of the CCPA provides a private right of actio... Read More

Will CPRA prevail Nov. 3?

The California Privacy Rights Act officially cleared the threshold to make it into the November 2020 ballot last week. It was a bumpy road to certification, but Californians for Consumer Privacy ended up with significantly above the minimum required verified signature count. This, despite most of California being in COVID-19 lock-down since April and an unexpected administrative delay by Riverside County that threatened to derail the initiative just a few weeks ago. It will be now up to Califor... Read More

At Calif. Assembly, critics question CPRA's timing

The California State Assembly held a hearing June 12 on the California Privacy Rights Act, formerly known as "CCPA 2.0." CPRA author Alastair Mactaggart was on hand to explain why he thinks the CPRA should make it to the ballot, but critics asked: Why now? The ink on the CCPA's regulations is barely dry, and companies are scrambling to get compliant. Is now the right time to throw another law at them? IAPP Editor Angelique Carson, CIPP/US, has the details for The Privacy Advisor. Full Story... Read More

CPRA initiative moves to sampling, CCPA regs likely delayed

On May 14, California Secretary of State Alex Padilla announced that the Californians for Consumer Privacy effort to qualify the California Privacy Rights Act initiative for the November ballot has met its first threshold. The raw number of signatures filed exceeded prima facie the 623,212 number required for the CPRA to qualify for the ballot. More on this can be found here.  Padilla ordered county officials to begin the process of verifying signatures selected from random samples. In counties... Read More

CPRA's top-10 impactful provisions

As Californians for Consumer Privacy announced last week, a new privacy law is likely to be on the California ballot in November. The California Privacy Rights Act is a ballot initiative, which, if adopted — and most agree it will be — would replace the California Consumer Privacy Act, which entered into force earlier this year. The CPRA is truly an omnibus data protection law, modeled on the EU General Data Protection Regulation, and would create a much broader set of privacy rights and obligat... Read More

CPRA analysis: The 'good' and 'bad' news for CCPA-regulated 'businesses'

May the 4th be with Alastair Mactaggart? On May 4, the Californians for Consumer Privacy, led by founder Alastair Mactaggart, announced its submission to qualify the California Privacy Rights Act for the November 2020 ballot. Because of COVID-19 social distancing measures in place in California and the huge number of signatures required, the announcement surprised many political observers.  However, the CPRA’s presence on the ballot is still not a "done deal." County election officials and the... Read More

CCPA Enforcement Infographic

Published: May 2020Click To View (PDF)Click To View (PNG) The IAPP released a series of infographics as the California Consumer Privacy Act enforcement began July 1, 2020. The infographics highlight the civil penalties companies can face under the CCPA, and based on a survey conducted in partnership with FairWarning, 50% of IT and privacy professionals have reported one or more data breaches, and 67% has documented at least one privacy incident in the past three years. To view the CCPA Litiga... Read More

Are IP addresses 'personal information' under CCPA?

As companies grapple with complying with the California Consumer Privacy Act, they will need to decide whether the internet protocol addresses they collect from consumers are considered “personal information” and thus within the scope of this new law. It will not be easy. The CCPA defines “personal information” to include online identifies such as an IP address, but only if the identifier “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be ... Read More

The Top-10 Most Impactful Provisions of the CPRA

The IAPP created an infographic outlining the 10 most-impactful provisions of the California Privacy Rights Act ballot initiative. The infographic gives a snapshot of the potential implications stemming from the CPRA being passed and entering into force January 2023. New provisions on sensitive data, the creation of an independent regulator and expanded breach liability are among the top impacts in play. Read More

Are companies using semantics to get around CCPA's 'sale' provision?

The California Consumer Privacy Act certainly has its fair share of complexities, which companies began grappling with well before the law came into force Jan. 1. While some are becoming more clear with time and discussion, others remain the topic of debate, including how to approach the CCPA's broad definition of "sale." Instead of accepting and conforming to the statute of the law, though, there's talk within the privacy profession that some companies are using tricky semantics to avoid termi... Read More

How the CCPA impacts civil litigation

After more than a year of preparation, the California Consumer Privacy Act is now in effect. Yet, in the sprint to get ready for the CCPA, businesses may have overlooked the CCPA’s impact on anticipated or pending civil litigation. This article examines some of those impacts. Deletion of personal information pre-litigation Readers are undoubtedly aware of the general rule that the obligation to preserve evidence arises when [a] party has notice that the evidence is relevant to litigation or wh... Read More

With the CCPA now in effect, will other states follow?

A new year means a slate of new laws went into effect across the country Jan. 1. For privacy pros, particularly those based in the United States, the big one in 2020 is the California Consumer Privacy Act. As people rang in the dawn of a new decade Tuesday night, the country's most comprehensive privacy law went into the books Wednesday, and the email inboxes of countless individuals filled up with new CCPA-related notices.  The CCPA is expected to affect approximately 500,000 businesses operat... Read More

What you must know about 'third parties' under GDPR and CCPA

With the EU General Data Protection Regulation being in force for quite a while and its "controller" and "processor" concepts for yet much longer, there seems to be a well-established practice for identifying third parties and where they fit into that picture. However, there are still situations in which this remains a significant challenge, both to organizations concerned and to the data protection authorities. The California Consumer Privacy Act, on the other hand, is a completely new legal a... Read More

One law firm's take on the new draft CCPA regulations

On Oct. 10, the California Office of the Attorney General issued a draft of their long-awaited regulations pursuant to the California Consumer Privacy Act. The draft rules do more than simply fill in gaps in the CCPA regarding how businesses should implement CCPA rights; they also contain substantial additional requirements not found in the statute.  There are significant “new” aspects of the draft rules, which will be open for public comment until Dec. 6, 2019. The attorney general's office in... Read More

Critics say attorney general's proposed CCPA regulations add confusion, not clarity

Tanya Forsheit, CIPP/US, CIPT, PLS, was about to take the stage Thursday at a speaking engagement when a colleague asked her if she was watching the news conference. Forsheit assumed there must have been a news conference on U.S. President Donald Trump's impeachment hearings. But, like everyone else watching the California Consumer Privacy Act's progress as it nears its 2020 implementation date, Forsheit was surprised to learn that California's attorney general was, in fact, holding a news confe... Read More

White Paper – 5 Steps You Must Take to Prepare for the CCPA

To help businesses operationalize CCPA’s requirements, we present here five concrete action items privacy professionals can tackle, as well as the considerations that underpin each step. We discuss how to determine whether and how CCPA applies to your business, necessary updates to vendor contracts and privacy notices, areas of focus to enable consumer requests, and organizational training needs. In each regard, we outline core requirements and point to additional resources for a deeper dive. Read More

GDPR and CCPA: A compatibility story

The way companies use personal data is somewhat reminiscent of how people approach their wardrobes. You start buying clothes of a particular style or brand, but over time, your sense of fashion changes, and you buy based on new needs and desires. The use of personal data works in the same way, as companies collect data for one purpose and then use it differently as new needs arise. In both instances, the sudden change in direction merits some type of justification, and that's especially the cas... Read More

On keynote stage, Mactaggart addresses his 'new' CCPA

Everyone at the Privacy. Security. Risk. stage Wednesday was expecting to have one specific conversation: How about those recent California Consumer Privacy Act amendments? What no one but one man knew until the night before, including the panelists to take the stage, was that another conversation would supplant those plans. On Tuesday, news broke that Alastair Mactaggart, the co-architect of the CCPA, would introduce a citizen's initiative more stringent than the CCPA.  The new initiative, cal... Read More

A look at the latest CCPA amendment updates

The Legislature in Sacramento finished its session last Friday, Sept. 13 and will no longer be able to make changes to the California Consumer Privacy Act before it goes into effect Jan. 1, 2020.  Assuming that California Gov. Gavin Newsom signs all of these laws — he has until Oct. 13 — these amendments will leave the "right to know" intact but make significant changes including to some of the definitions, the non-discrimination provision, and how a consumer makes a verifiable request. The le... Read More

CCPA amendment update: Changes to technical corrections and loyalty programs bills

The 2019 California Consumer Privacy Act amendment process is finally coming to a close this week, less than four months before the law will take effect. The Legislature is scheduled to adjourn Friday the 13th, and sometime thereafter, the attorney general is expected to issue draft rules that will clarify notice and request verification obligations under the landmark law.  Overall, the CCPA amendment bills that passed the Senate Committee on the Judiciary appear on track to be enacted. However... Read More

Navigating disclosures and sales of personal information under the CCPA

The requirements of the California Consumer Privacy Act enter into force Jan. 1, 2020, and impose an array of requirements on companies that are subject to the law. Among them are obligations related to the sharing of “personal information” [Section 1798.140(o)] that obligate businesses to push down contractual limitations on service providers and other recipients of personal information and to offer California “consumers” [Section 1798.140(g)] the right to opt out of disclosures that qualify as... Read More

A close-up on deidentified data under CCPA

The California Consumer Privacy Act has made plenty of waves since its announcement in April 2018. The EU General Data Protection Regulation near-look-alike is the first of its kind in the U.S. and presents many complications for global businesses with California residents as their consumer. The CCPA will demand revision to many data-handling practices, chiefly in the data subject access right space, but will also feature expansion of the definition of personal information, depending on your org... Read More

What one CCPA co-architect will watch closely with Sacramento back in session

Sacramento is back in session, and there is one more month to get changes through the Legislature before the California Consumer Privacy Act goes into effect Jan. 1, 2020.  These are some of the issues I will be watching closely: Who will win the battle over the definitions of 'personal information' and 'deidentified'? Tech lobbyists suffered a major blow when AB 873, changing the definition of "deidentified," failed to pass out of the U.S. Senate Judiciary Committee. Assemblymember Jacqui Irw... Read More

Implementing the CCPA: A Guide for Global Business, Second Edition

(September 2019) – This book aims to help the person who is leading a business’s CCPA efforts so they can have a handle on what is necessary to comply and make risk-based choices about how best to proceed. The point is to help companies that do not wish to be the target of class-action activity after the CCPA’s January 1, 2020, effective date to avoid becoming “low-hanging fruit." Read More

CCPA update: Senate committee pares back amendments

On Tuesday, July 9, the California Senate Standing Committee on Judiciary took up the slew of California Consumer Privacy Act amendment bills that the Assembly had passed more than a month earlier.  Consensus bills At the hearing, Democratic State Sen. Hannah-Beth Jackson supported two CCPA “clean-up” bills without requesting amendments. These were Democratic Assembly Privacy Committee Chairman Ed Chau’s AB 25 and Democratic Assemblymember Jacqui Irwin’s AB 874. Both sailed through her committ... Read More

Preparing for CCPA: Start benchmarking now

Unless you’ve been living under a rock for the last year, you are well aware of the California Consumer Privacy Act. This regulation first captured the attention of privacy professionals through how it came to be, originating with an unlikely champion in San Francisco real estate developer Alastair Mactaggart, gaining momentum in a post–Cambridge Analytica political climate, and speeding to Democratic Gov. Jerry Brown’s desk to receive his signature after weeks of intense negotiation between pri... Read More

A data processing addendum for the CCPA?

The digital advertising industry is undergoing a rapid regulatory transformation. The EU General Data Protection Regulation went into effect more than a year ago, and the California Consumer Privacy Act is right around the corner with a Jan. 1, 2020, effective date. Other jurisdictions are likely to follow. Industry lawyers created legal frameworks to comply with the GDPR but now need to determine what changes are needed to comply with the CCPA and, potentially, future privacy laws in other stat... Read More

Comparing Maine and Nevada's new privacy laws with the CCPA

As of July 1, 2020, for Maine, and Oct. 1, 2019, for Nevada, some companies will have to comply with additional requirements and restrictions regarding personal information selling under new laws that seem inspired by but not as broad as the California Consumer Privacy Act. Maine’s Act to Protect the Privacy of Online Customer Information requires prior opt-in to data selling (the CCPA requires offering opt-out) and introduces new notice requirements, but only for broadband providers. Nevada’s S... Read More

TheScore’s privacy notice analyzed against the CCPA

Transparency is a fundamental aspect of the California Consumer Privacy Act. The act creates consumer rights to access data and obligations for businesses to disclose data practices. One of the law’s effects will be increased scrutiny of privacy notices, specifically their details about a business’s data collection and sales practices. This article applies the CCPA to the current privacy notice of theScore — a sports news application — one of the 17 apps The New York Times recently identified f... Read More

Encryption, redaction and the CCPA

There appears to be consistent confusion with regard to the California Consumer Privacy Act and its incentives to encrypt and redact personal information wherever possible. Specifically, the CCPA encourages security through two means. First, non-encrypted and non-redacted information that is breached results in fines of up to $750 per consumer. Data that is encrypted and redacted may potentially avoid such fines in the case of a breach. Second, deidentified or aggregate data is not subject to ... Read More

Competing CCPA amendments sculpt law's scope

The California Consumer Privacy Act, passed in June 2018, includes various consumer rights and business obligations regarding consumer personal information. One of the most significant rights contained in the CCPA is the right for a consumer to opt out of the sale of their personal information to third parties — a provision that may have profound implications for the online advertising industry. This provision has revealed the divide between privacy advocates and industry groups, perhaps more th... Read More

California lawmakers smooth over some of the CCPA's rough edges

On Tuesday, the California Assembly Privacy and Consumer Protection Committee began clarifying important ambiguities in the California Consumer Privacy Act. As readers of the Daily Dashboard know well, the CCPA sets out landmark privacy rights for Californians, but often in language that is either confusing or difficult to operationalize. Several bills approved at the hearing offer encouragement that the legislature may resolve several key compliance ambiguities before the attorney general’s rul... Read More

State legislature debates CCPA ad-tech carve out amendment

Editor's note: This story has been amended to reflect the more recent vote in the California legislature, updating the April 23 version. The California Consumer Privacy Act, passed in June 2018, includes various consumer rights and business obligations regarding consumer personal information. One of the most significant rights contained in the CCPA is the right for a consumer to opt out of the sale of their personal information to third parties — a provision that may have profound implications ... Read More

CCPA offers minimal advantages for deidentification, pseudonymization, and aggregation

The California Consumer Privacy Act is notorious for the haste with which it was drafted. Many provisions of the statute require clarification, and the attorney general’s office is holding a series of public forums before issuing clarifying regulations. Among the concepts not well defined by the CCPA are deidentification, pseudonymization, and aggregation. It's helpful to take a look at some of the challenges the CCPA creates with its imprecise language regarding these topics and point out of t... Read More

Analysis: The California Consumer Privacy Act of 2018

Broad data and business regulation, applicable worldwide As of January 1, 2020, companies around the world will have to comply with additional regulations related to processing of personal data of California residents. Pursuant to the California Consumer Privacy Act of 2018, companies have to observe restrictions on data monetization business models, accommodate rights to access, deletion, and porting of personal data, update their privacy policies and brace for additional penalties and liquida... Read More

GDPR matchup: The California Consumer Privacy Act 2018

In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you work toward compliance and help you focus your efforts. In this installment, Lydia De La Torre, CIPP/US, compares the new California Consumer Privacy Act 2018 to the GDPR. We all found out the results of the World Cup July 15, but there is a different matchup i... Read More

New California privacy law to affect more than half a million US companies

The brand-new California Consumer Privacy Act of 2018, which swept through the California legislature last week with startling speed as a compromise measure preempting an even stricter ballot initiative, will apply to more than 500,000 U.S. companies, the vast majority of which are small- to medium-sized enterprises. These figures were derived by an IAPP examination of the language of the law as applied to U.S. census data about American businesses.  The new act, which provides California resid... Read More