""

 

CCPA and CPRA

CCPA and CPRA

This topic page contains a curation of the IAPP’s coverage, analysis and relevant resources regarding the California Consumer Privacy Act and California Privacy Rights Act.

In June 2018, the CCPA was signed into law, creating new privacy rights for Californians and significant new data protection obligations for businesses. The CCPA went into effect Jan. 1, 2020. California’s Office of the Attorney General has enforcement authority.

The CPRA, a ballot initiative that amends the CCPA and includes additional privacy protections for consumers passed in Nov. 2020. The majority of the CPRA’s provisions will enter into force Jan. 1, 2023, with a look-back to Jan. 2022.

The CPRA established the California Privacy Protection Agency to implement and enforce the law. The Attorney General also retains civil enforcement authority.

  • expand_more

    CCPA Law and Documents

  • expand_more

    CPRA Law and Documents

Featured Resources

State of CCPA: Prepare for What’s to Come

In this web conference you will learn how much the average organization is paying for their privacy programs, how many do-not-sell requests to expect once the California Privacy Rights Act goes into effect next year, what steps people are taking to reduce their online footprint, and what this means for businesses and why CPRA will likely increase costs for many businesses.
Read More

Top-10 operational impacts of the CPRA

This is a 10-part series intended to help privacy professionals understand the operational impacts of the California Privacy Rights Act, including how it amends the current rights and obligations established by the California Consumer Privacy Act.
Read More

CCPA-/CPRA-Related Legislation Tracker

To help keep track of all this activity, the IAPP has put together the “CCPA-/CPRA-Related Legislation Tracker.” The grid includes the bill number with a link to the full bill, a brief summary of the amendment, subject, lead author, status and last legislative action.
Read More


""

Latest News and Resources

CPPA board charts course for CPRA rulemaking

The California Privacy Protection Agency Board outlined a proposed course of action for the upcoming California Privacy Rights Act rulemaking process, addressing what will and will not be anticipated areas of focus. The board did not discuss the quickly approaching July 1 target date for finalizing regulations. The CPRA takes effect Jan. 1, 2023, and provides for regulations to be finalized by July 1, allowing for a six-month compliance window. CPPA Executive Director Ashkan Soltani indicated d... Read More

CPRA regulations delayed past July 1 deadline, expected Q3 or Q4

Compliance activities loom large as organizations gear up for the California Privacy Rights Act to take force next year. Remaining measures depend largely on the substance of the California Privacy Protection Agency's much-anticipated CPRA rulemaking. The CPRA provides for regulations to be finalized by July 1 to allow for a six-month compliance window ahead of the law's Jan. 1, 2023 effective date, but a surprise announcement from the CPPA suggests a compliance scramble is on the horizon. Whil... Read More

Status of the California Privacy Protection Agency’s work

The California Privacy Protection Agency, established by the California Privacy Rights Act, is taking shape. It hired Ashkan Soltani as its Executive Director Oct. 4 and is expected to hire a general counsel and deputy director of administration soon. The agency is also moving forward with its rulemaking responsibilities, engaging in preliminary rulemaking activities as it considers what new regulations or amendments to the regulations are appropriate. Adopting final CPRA regulations by the July... Read More

CPRA for Employers: Developing and Posting a Privacy Notice for Human Resources Data
(Littler, April 2022)
CPRA for Employers: Vendor Contracting Requirements
(Littler, April 2022)
CPPA releases public comments for CPRA regs
(IAPP, December 2021)
Brace for impact: PSR21 workshop focuses on CPRA considerations
(IAPP, October 2021)
FTC alum Ashkan Soltani selected to lead CPPA
(IAPP, October 2021)
CPRA could obstruct existing employment rights
(IAPP, September 2021)
Top-10 takeaways from the California AG’s CCPA enforcement case examples
(IAPP, September 2021)
How Defendants Are Attacking CCPA Claims
(IAPP, August 2021)
Web Conference: Your Roadmap to CPRA Compliance in 60 Days
(IAPP, July 2021)
California attorney general offers CCPA enforcement update, launches reporting tool
(IAPP, July 2021)
A look at the California Privacy Protection Agency inaugural meeting
(IAPP, June 2021)
Comparison of Comprehensive Data Privacy Laws in Virginia and California
(IAPP, May 2021)
What the CPPA’s appointments say about enforcement priorities, strategy
(IAPP, March 2021)
A look at possible CPRA compliance challenges
(IAPP, August 2021)
New CCPA regulatory provisions seek to clarify business requirements
(IAPP, March 2021)
Analyzing the CPRA’s new contractual requirements for transfers of personal information
(IAPP, March 2021)
Ambiguity in CPRA imperils content intended for underrepresented communities
(IAPP, November 2021)
New categories, new rights: The CPRA’s opt-out provision for sensitive data
(IAPP, February 2021)
Summary of CPRA Contractual Obligations
(IAPP, February 2021)
Prop 24 passes in Calif., paving way for CPRA
(IAPP, November 2020)
Web Conference: Where We Stand with CPRA, and How This Impacts Your Organization
(IAPP, November 2020)
Consumer Reports: CCPA — Are Consumers’ Digital Rights Protected
(Consumer Reports, October 2020)
Whether yes or no, the stakes are high for Calif.’s Prop 24
(IAPP, October 2020)
Podcast: Alastair Mactaggart on California’s Prop 24
(IAPP, October 2020)
LinkedIn Live: ‘Ask the Expert: Lothar Determann on California Consumer Privacy’
(IAPP, October 2020)
Data brokers: A preview of the new edition of ‘California Privacy Law’
(IAPP, October 2020)
CCPA Litigation Overview
(IAPP, October 2020)
CCPA update: Calif. attorney general comments, new amendments signed into law
(IAPP, October 2020)
Benchmarking CCPA-related data subject requests
(IAPP, October 2020)
What does the CCPA’s ‘purpose limitation’ mean for businesses?
(IAPP, September 2020)
Web Conference: How to Limit Exposure and Minimize Your Risk Under the CCPA
(IAPP, September 2020)
The CCPA dog that didn’t bark: B2B and employee moratoria extended one year
(IAPP, September 2020)
Considerations for digital media publishers and advertisers seeking to engage adtech companies as ‘CCPA Service Providers’
(Network Advertising Initiative, September 2020)
Web Conference: Privacy and Regulations: What’s Next After CCPA?
(IAPP, August 2020)
CPRA promises short-term consumer benefits, long-term uncertainty
(IAPP, July 2020)
Calif. attorney general updates CCPA FAQ
(IAPP, July 2020)
CCPA draft regulations: Privacy notices and accessibility in the employment context
(IAPP, July 2020)
The new CCPA draft regulations: Identity verification
(IAPP, June 2020)
CCPA litigation: Shaping the contours of the private right of action
(IAPP, June 2020)
Web Conference: CCPA Enforcement: What to Expect after July 1
(IAPP, June 2020)
Will CPRA prevail on November 3?
(IAPP, June 2020)
At Calif. hearing, critics question CPRA’s timing
(IAPP, June 2020)
Web Conference: Everything You Need to Know about CPRA/CCPA 2.0
(IAPP, June 2020)
Web Conference: California Privacy Rights Act: What Lies Ahead?
(IAPP, May 2020)
LinkedIn Live: Discussing the California Privacy Rights Ballot Initiative
(IAPP, May 2020)
CPRA initiative moves to sampling, CCPA regs likely delayed
(IAPP, May 2020)
CPRA’s top-10 impactful provisions
(IAPP, May 2020)
CPRA analysis: The ‘good’ and ‘bad’ news for CCPA-regulated ‘businesses’
(IAPP, May 2020)
Infographic: CCPA Enforcement
(IAPP, May 2020)
Web Conference: The CCPA Is Here: Lessons Learned from the First Few Months
(IAPP, May 2020)
Guide to collecting personal information under the California Consumer Privacy Act of 2018
(Termageddon, April 2020)
Are IP addresses ‘personal information’ under CCPA?
(IAPP, April 2020)
Infographic: The Top-10 Most Impactful Provisions of the CPRA
(IAPP, April 2020)
Data Protection Laws 101: The Recruiter’s Role in California’s Privacy Law
(Lever, February 2020)
CCPA FAQ: Cookies, AdTech & Service Providers
(Bryan Cave Leighton Paisner, February 2020)
Bryan Cave – CCPA Practical Guide
(IAPP, January 2020)
The Litigator’s Handbook: Answers to the Top 50 FAQs Concerning Litigation and the CCPA
(Bryan Cave Leighton Paisner, January 2020)
Are companies using semantics to get around CCPA’s ‘sale’ provision?
(IAPP, January 2020)
Survey of the Retail Industry’s Privacy Practices
(Bryan Cave Leighton Paisner, January 2020)
What you must know about ‘third parties’ under GDPR and CCPA
(IAPP, November 2019)
One law firm’s take on the new draft CCPA regulations
(IAPP, October 2019)
Critics say attorney general’s proposed CCPA regulations add confusion, not clarity
(IAPP, October 2019)
White Paper – 5 Steps You Must Take to Prepare for the CCPA
(IAPP, October 2019)
GDPR and CCPA: A compatibility story
(IAPP, October 2019)
The Privacy Advisor Podcast: Some industry perspective on amended CCPA
(IAPP, September 2019)
On keynote stage, Mactaggart addresses his ‘new’ CCPA
(IAPP, September 2019)
The Privacy Advisor Podcast: CCPA in its final form
(IAPP, September 2019)
A look at the latest CCPA amendment updates
(IAPP, September 2019)
CCPA amendment update: Changes to technical corrections and loyalty programs bills
(IAPP, September 2019)
Navigating disclosures and sales of personal information under the CCPA
(IAPP, August 2019)
A close-up on deidentified data under CCPA
(IAPP, August 2019)
What one CCPA co-architect will watch closely with Sacramento back in session
(IAPP, August 2019)
CCPA and GDPR Comparison Chart
(Practical Law, August 2019)
Implementing the CCPA: A Guide for Global Business, Second Edition
(IAPP, August 2019)
CCPA update: Senate committee pares back amendments
(IAPP, July 2019)
Preparing for CCPA: Start benchmarking now
(IAPP, June 2019)
A data processing addendum for the CCPA?
(IAPP, June 2019)
Comparing Maine and Nevada’s new privacy laws with the CCPA
(IAPP, June 2019)
TheScore’s privacy notice analyzed against the CCPA
(IAPP, May 2019)
Encryption, redaction and the CCPA
(IAPP, May 2019)
Competing CCPA amendments sculpt law’s scope
(IAPP, April 2019)
California lawmakers smooth over some of the CCPA’s rough edges
(IAPP, April 2019)
State legislature debates CCPA ad-tech carve out amendment
(IAPP, April 2019)
CCPA offers minimal advantages for deidentification, pseudonymization, and aggregation
(IAPP, January 2019)
Comparing privacy laws: GDPR v. CCPA
(DataGuidance and the Future of Privacy Forum, December 2018)
Analysis: The California Consumer Privacy Act of 2018
(IAPP, July 2018)
GDPR matchup: The California Consumer Privacy Act 2018
(IAPP, July 2018)
Web Conference: Understanding the California Consumer Privacy Act of 2018
(IAPP, July 2018)
New California privacy law to affect more than half a million US companies
(IAPP, July 2018)
California Privacy Law, Fourth Edition
(IAPP, June 2018)
View More Resources

Compliance Resources

Implementing the CCPA: A Guide for Global Business, Second Edition

(September 2019) – This book aims to help the person who is leading a business’s CCPA efforts so they can have a handle on what is necessary to comply and make risk-based choices about how best to proceed. The point is to help companies that do not wish to be the target of class-action activity after the CCPA’s January 1, 2020, effective date to avoid becoming “low-hanging fruit." Read More

Web Conference: Your Roadmap to CPRA Compliance in 60 Days

Original broadcast date: 22 July 2021  The California Privacy Rights Act comes into effect on January 1, 2023. Among its new requirements is a new data retention provision. Personal and sensitive information must be disposed of when its purpose has been fulfilled, and the organization must disclose the retention policy at the time of collection. Additionally, the data retention policies apply to data collected on or after January 1, 2022. Under CPRA, companies can no longer simply hold individuals’ personal data forever; they must have robust data retention and disposal practices. Read More

Web Conference: The LGPD, GDPR, CCPA and More – How to Abide by Multiple Privacy Laws

Original broadcast date: Sept. 8, 2020 Join the IAPP and hear about LGPD Academico’s efforts to increase awareness about these obligations and rights, and how best to manage them at your organization. You’ll hear about requirements under multiple privacy laws affecting companies doing business globally including the General Data Protection Law, EU General Data Protection Regulation and the California Consumer Privacy Act, and how forward-thinking privacy teams are tackling obligations under various jurisdictions and across multiple business arms. The focus of this privacy education web conference will be on operationalizing these laws within your organization, and a basic understanding of the laws themselves and their requirements will be assumed, although a brief primer will be included. Read More

CPRA for Employers: Developing and Posting a Privacy Notice for Human Resources Data
(Littler, April 2022)
CPRA for Employers: Vendor Contracting Requirements
(Littler, April 2022)
CCPA, CPRA’s hidden ‘third party business’ classification
(IAPP, October 2020)
The CCPA and employee data: A compliance checklist
(IAPP, August 2020)
Web Conference: The CCPA Landscape: Why Minimal Compliance Is Not Enough
(IAPP, June 2020)
Guide to collecting personal information under the California Consumer Privacy Act of 2018
(Termageddon, April 2020)
Web Conference: Processing DSARs – Lessons from the Early Days of CCPA
(IAPP, April 2020)
What does a HR director need to know about the CCPA?
(IAPP, March 2020)
Will private litigants be able to enforce the CCPA compliance provisions?
(IAPP, February 2020)
Infographic: Avoiding the pitfalls of CCPA non-compliance
(IAPP, December 2019)
White Paper – Negotiating with Service Providers and Third Parties under CCPA
(IAPP, December 2019)
CCPA Readiness: Third Wave
(IAPP, December 2019)
Web Conference: Preparing for the CCPA Without Boiling the Data Ocean
(IAPP, December 2019)
Google to allow sites to block targeted ads under CCPA
(IAPP, November 2019)
Potential impact of the CCPA in the automotive space: Part II
(IAPP, October 2019)
CCPA’s potential impact in the automotive space
(IAPP, October 2019)
Platform helps organizations take deep dives into GDPR, CCPA
(IAPP, October 2019)
Sample CCPA Privacy Notices
(IAPP, September 2019)
Employers receive last-minute reprieve from the most onerous CCPA compliance obligations
(IAPP, September 2019)
Aiming for CCPA compliance? Define those vendor relationships
(IAPP, September 2019)
CCPA exemption adds compliance considerations for bank CPOs
(IAPP, September 2019)
CCPA Readiness survey
(IAPP, August 2019)
The unique challenges CCPA poses for SMEs
(IAPP, September 2019)
Why the CCPA’s ‘verified consumer request’ is a business risk
(IAPP, August 2019)
Web Conference: What to Do When Consent Doesn’t Work Under CCPA
(IAPP, August 2019)
Web Conference: CCPA Compliance: Automating the Intake and Fulfillment of Consumer Requests
(IAPP, August 2019)
White Paper – California’s Consumer Privacy Act: Three requirements for effective compliance
(Exterro, August 2019)
Service allows companies to set up toll number ahead of CCPA
(IAPP, August 2019)
CCPA Compliance Guide
(Skaden, August 2019)
How to know if your vendor is a ‘service provider’ under CCPA
(IAPP, July 2019)
Infographic: Is Your Business in Need of a CCPA Intervention?
(Troutman Sanders, July 2019)
Does the CCPA regulate internal transfers?
(IAPP, June 2019)
CCPA: What health care, biotech and life sciences companies should know now
(IAPP, June 2019)
White Paper – CCPA Compliance Operation: Delivering Data Access via Accounts
(IAPP, June 2019)
Are there joint controllers under the CCPA?
(IAPP, May 2019)
Global Privacy Summit dispatch: How to leverage GDPR work for CCPA compliance
(IAPP, May 2019)
Can organizations sell children’s data under the CCPA?
(IAPP, May 2019)
White Paper – Ready or not, here it comes: How prepared are organizations for the California Consumer Privacy Act?
(IAPP, April 2019)
What should employers do about the CCPA?
(IAPP, April 2019)
What does the CCPA mean for colleges and universities?
(IAPP, March 2019)
Where to begin to operationalize CCPA compliance
(IAPP, January 2019)
Web con: ‘California’s Privacy Law Changes and Its Impact on Brands’
(IAPP, November 2018)
How the CCPA could be great for startups
(IAPP, November 2018)
CCPA Transparency Chart
(IAPP, July 2018)
View More Resources