CCPA and CPRA

This topic page contains a curation of the IAPP’s coverage, analysis and relevant resources regarding the California Consumer Privacy Act and California Privacy Rights Act.

In June 2018, the CCPA was signed into law, creating new privacy rights for Californians and significant new data protection obligations for businesses. The CCPA went into effect Jan. 1, 2020. California’s Office of the Attorney General has enforcement authority.

The CPRA, a ballot initiative that amends the CCPA and includes additional privacy protections for consumers passed in Nov. 2020. The majority of the CPRA’s provisions will enter into force Jan. 1, 2023, with a look-back to Jan. 2022.

The CPRA established the California Privacy Protection Agency to implement and enforce the law. The Attorney General also retains civil enforcement authority.

CCPA Law and Documents
California Consumer Privacy Act of 2018
- To view the text of the CCPA on the California Legislative Information website, click here.
CCPA Regulations
- To view the CCPA regulations in the California Code of Regulations, click here.
- NOTE: The CCPA regulations were reordered and renumbered to reflect the fact the California Privacy Protection Agency assumed rulemaking authority in April 2022. More information about these changes is available on the CPPA’s Regulations page.
- A summary of the timeline for the enacted CCPA regulations is here.
CCPA-/CPRA-Related Legislation Tracker
- There are bills pending in the California Legislature that would amend the CCPA and/or the California Privacy Rights Act or otherwise impact how organizations understand or approach each law. This tracker provides a brief summary of the proposed legislation, as well as the status and last legislative action.
How We Got Here
The CCPA came about largely due to the efforts of Alastair Mactaggart, a San Francisco real estate developer and investor. Mactaggart championed and funded an initiative to get a similar bill put on the ballot, receiving more than 600,000 signatures — significantly more than necessary (though they were never officially certified).

Just days before the signatures were to be certified, California Democrats made an agreement with Mactaggart that if they could get a compromise bill signed into law prior to the deadline to get the initiative on the ballot he’d pull his version. In Mactaggart’s words, the proposed bill was “substantially similar to our initiative … It gives more privacy protection in some areas, and less in others.”

For their part, tech industry giants — some of which spent lots of money to oppose Mactaggart’s ballot initiative — announced they would not attempt to block the compromise bill, noting that while they disagree with much of it, it prevented the ballot initiative from moving forward.

On June 28, 2018, Gov. Jerry Brown, D-Calif., signed CCPA into law.
CPRA Law and Documents
In September 2019, Alastair Mactaggart, who was instrumental in getting the California Consumer Privacy Act enacted, launched a new ballot initiative to appear on the November 2020 ballot, the California Privacy Rights Act. On Nov. 3, 2020, the CPRA passed. The CPRA amends the CCPA and includes additional privacy protections for consumers. The majority of the CPRA’s provisions will enter into force Jan. 1, 2023, with a look-back to January 2022.

The California Privacy Rights Act of 2020
- To view the text of the CPRA on the California Legislative Information website, click here. The provisions that are not yet operative are listed after the CCPA provision in effect.
- To view the text of the CPRA ballot initiative, click here.
California Privacy Protection Agency
- The CPRA established the California Privacy Protection Agency to implement and enforce the law. The Attorney General also retains civil enforcement authority.
- To view the CPPA page, including information about rulemaking activity, click here.
CPRA Regulations
- On October 21, 2021, the CPPA provided notice to the California attorney general it was prepared to assume rulemaking responsibilities. Rulemaking authority transfers from the attorney general to the CPPA six months after this notice, per Sections 1798.185(d) and 1798.199.40(b).
- On April 21, 2022, rulemaking authority under the CCPA formally transferred to the CPPA.
- The CPPA has begun informal rulemaking activities. You can view its regulations page here.

Featured Resources Latest News and Resources Compliance Resources

Featured Resources

California Privacy Law

“California Privacy Law,” now in its newly updated fifth edition, provides businesses, attorneys, privacy officers and other professionals with the practical guidance and in-depth information to navigate the state’s strict policies.
Read More

Top-10 operational impacts of the CPRA

This is a 10-part series intended to help privacy professionals understand the operational impacts of the California Privacy Rights Act, including how it amends the current rights and obligations established by the California Consumer Privacy Act.
Read More

CCPA-/CPRA-Related Legislation Tracker

There are bills pending in the California Legislature that would amend the CCPA and/or the CPRA or otherwise impact how organizations understand or approach each law. This tracker includes the bill number and a brief summary of the proposed legislation, as well as the status and last legislative action.
Read More

Latest News and Resources

CCPA enforcers emphasize compliance, downplay federal preemption

While the program at the IAPP Global Privacy Summit 2023 contained plenty of federal privacy law undertones, the U.S. regulatory talk fell squarely back to California's privacy regime. The focus was inevitable, after the first set of California Privacy Rights Act regulations were finalized in the days leading up to the conference. Members of California's privacy enforcement bodies — the California Privacy Protection Agency and the Office of the Attorney General of California — acknowledged the ... Read More

Save This

CPRA regulations finalized with OAL approval

New rules and obligations under the California Consumer Privacy Act have reached the finish line. The California Privacy Protection Agency announced its first California Privacy Rights Act rulemaking package was approved by the California Office of Administrative Law following a review. The finalized rules contain no substantive changes to the final draft submitted by the CPPA to the OAL in February. The first rulemaking package addresses regulations concerning data processing agreements, consu... Read More

Save This

California legislative wrap-up: CCPA amendments, children’s privacy and more

Feb. 17 marked the deadline for California legislators to introduce bills for the current legislative session. Among more than 2700 bills introduced by state senators and assembly members, 10 proposed amendments to the California Consumer Privacy Act and the Information Practices Act of 1977, which imposes purpose limitations, consent requirements and other privacy protections over personal data held by the government. Other bills address topics like updating the Confidentiality of Medical Infor... Read More

Save This

Web Conference: California Privacy Rights Act: Are We There Yet?

Original broadcast date: 16 March 2023 This web conference addresses how companies have been proceeding with the CPRA, how to meet tech challenges required by the CPRA. the best practices for navigating uncertainty, and how to leverage CPRA solutions for other states. Read More

Save This

Does the CCPA as modified by the CPRA apply to your business?

The California Consumer Protection Act has been in effect since Jan. 1, 2020 and the California Privacy Rights Act, which modified the CCPA, went into effect Jan. 1, 2023. Now that the CPRA is in effect, one of the questions businesses are concerned about is the modification of the CCPA threshold test of "what is a business," and the implications this modification for small businesses, e.g., those under USD25 million in annual revenue, in light of the new compliance requirements for business-to... Read More

Save This

	Proposed CPRA regulations finalized; CPPA targets April effective date (IAPP, February 2023)
	Web Conference: CPRA is here. Now what? (IAPP, January 2023)
	All things ‘California Privacy Law’ with Lothar Determann (IAPP, January 2023)
	CPPA anticipates final CPRA regulations will be effective by April (IAPP, December 2022)
	White Paper – The Alignment Problem with “Sale of Data” (IAPP, December 2022)
	Cross-context behavioral advertising is ‘sale.’ It is time to get over it. (IAPP, December 2022)
	Web Conference: You’re Not Ready for the CPRA if Your Vendors Aren’t, But There’s Still Time (IAPP, November 2022)
	Web Conference: How to align your teams for Jan. 1, 2023: HR and B2B changes under CPRA (IAPP, November 2022)
	Web Conference: Countdown to the CPRA: 6 weeks to go (IAPP, November 2022)
	Home stretch: Finalization of CPRA regulations draws closer (IAPP, November 2022)
	Web Conference: Lessons from the First CCPA Enforcement Settlement: GPC and Beyond (IAPP, October 2022)
	CPPA publishes first modifications of CPRA draft regulations (IAPP, October 2022)
	CPPA Board chair doubles down on proposed American Data Privacy and Protection Act opposition (IAPP, September 2022)
	CCPA/CPRA grace period for HR and B2B ends Jan. 1 (IAPP, September 2022)
	CCPA enforcement action: A case study at the intersection of privacy and marketing (IAPP, September 2022)
	The Sephora case: Do not sell – But are you selling? (IAPP, August 2022)
	CPPA restates American Data Privacy and Protection Act opposition to US House leaders (IAPP, August 2022)
	CPPA launches CPRA rulemaking process (IAPP, July 2022)
	Web Conference: Unpacking CPRA and 2023 Predictions (IAPP, June 2022)
	Complying with the California Consumer Privacy Act’s consumer request process (IAPP, June 2022)
	Web Conference: Ready For CPRA? Pragmatic Steps to Take Now (IAPP, June 2022)
	Web Conference: The CPRA and Beyond: Compliance with Upcoming State Privacy Laws (IAPP, June 2022)
	CPPA board moves CPRA rulemaking process forward (IAPP, June 2022)
	Web Conference: The Top Reasons Why Your CPRA Compliance Strategy Is Broken and How to Fix It (IAPP, June 2022)
	Privacy pros take stock of surprise CPRA draft regulations (IAPP, June 2022)
	CPPA board charts course for CPRA rulemaking (IAPP, May 2022)
	Guide to collecting personal information under the California Consumer Privacy Act of 2018 (Termageddon, May 2022)
	CPRA for Employers: Developing and Posting a Privacy Notice for Human Resources Data (Littler, April 2022)
	CPRA for Employers: Vendor Contracting Requirements (Littler, April 2022)
	Web Conference: Latest Research Findings on the State of CCPA & GDPR Privacy Rights Compliance (IAPP, April 2022)
	Web Conference: State of CCPA: A Look Back to Prepare for What’s to Come (IAPP, March 2022)
	CPRA regulations delayed past July 1 deadline, expected Q3 or Q4 (IAPP, February 2022)
	CPPA releases public comments for CPRA regs (IAPP, December 2021)
	Status of the California Privacy Protection Agency’s work (IAPP, December 2021)
	Brace for impact: PSR21 workshop focuses on CPRA considerations (IAPP, October 2021)
	Web Conference: From CCPA to CPRA: What’s Changed & What You Need to Do (IAPP, October 2021)
	FTC alum Ashkan Soltani selected to lead CPPA (IAPP, October 2021)
	CPRA could obstruct existing employment rights (IAPP, September 2021)
	Top-10 takeaways from the California AG’s CCPA enforcement case examples (IAPP, September 2021)
	How Defendants Are Attacking CCPA Claims (IAPP, August 2021)
	Web Conference: Your Roadmap to CPRA Compliance in 60 Days (IAPP, July 2021)
	California attorney general offers CCPA enforcement update, launches reporting tool (IAPP, July 2021)
	A look at the California Privacy Protection Agency inaugural meeting (IAPP, June 2021)
	Comparison of Comprehensive Data Privacy Laws in Virginia and California (IAPP, May 2021)
	What the CPPA’s appointments say about enforcement priorities, strategy (IAPP, March 2021)
	A look at possible CPRA compliance challenges (IAPP, August 2021)
	New CCPA regulatory provisions seek to clarify business requirements (IAPP, March 2021)
	Analyzing the CPRA’s new contractual requirements for transfers of personal information (IAPP, March 2021)
	Ambiguity in CPRA imperils content intended for underrepresented communities (IAPP, November 2021)
	New categories, new rights: The CPRA’s opt-out provision for sensitive data (IAPP, February 2021)
	Summary of CPRA Contractual Obligations (IAPP, February 2021)
	Prop 24 passes in Calif., paving way for CPRA (IAPP, November 2020)
	Web Conference: Where We Stand with CPRA, and How This Impacts Your Organization (IAPP, November 2020)
	Whether yes or no, the stakes are high for Calif.’s Prop 24 (IAPP, October 2020)
	Podcast: Alastair Mactaggart on California’s Prop 24 (IAPP, October 2020)
	CCPA Litigation Overview (IAPP, October 2020)
	CCPA update: Calif. attorney general comments, new amendments signed into law (IAPP, October 2020)
	Benchmarking CCPA-related data subject requests (IAPP, October 2020)
	What does the CCPA’s ‘purpose limitation’ mean for businesses? (IAPP, September 2020)
	Web Conference: How to Limit Exposure and Minimize Your Risk Under the CCPA (IAPP, September 2020)
	The CCPA dog that didn’t bark: B2B and employee moratoria extended one year (IAPP, September 2020)
	Web Conference: Privacy and Regulations: What’s Next After CCPA? (IAPP, August 2020)
	CPRA promises short-term consumer benefits, long-term uncertainty (IAPP, July 2020)
	Calif. attorney general updates CCPA FAQ (IAPP, July 2020)
	CCPA draft regulations: Privacy notices and accessibility in the employment context (IAPP, July 2020)
	The new CCPA draft regulations: Identity verification (IAPP, June 2020)
	CCPA litigation: Shaping the contours of the private right of action (IAPP, June 2020)
	Web Conference: CCPA Enforcement: What to Expect after July 1 (IAPP, June 2020)
	Will CPRA prevail on November 3? (IAPP, June 2020)
	At Calif. hearing, critics question CPRA’s timing (IAPP, June 2020)
	Web Conference: Everything You Need to Know about CPRA/CCPA 2.0 (IAPP, June 2020)
	Web Conference: Lessons Learned Tackling CCPA Consumer Rights and GDPR Data Subject Rights (IAPP, June 2020)
	Web Conference: The Impact of CCPA and GDPR on Data Management (IAPP, May 2020)
	Web Conference: California Privacy Rights Act: What Lies Ahead? (IAPP, May 2020)
	CPRA initiative moves to sampling, CCPA regs likely delayed (IAPP, May 2020)
	CPRA’s top-10 impactful provisions (IAPP, May 2020)
	CPRA analysis: The ‘good’ and ‘bad’ news for CCPA-regulated ‘businesses’ (IAPP, May 2020)
	Infographic: CCPA Enforcement (IAPP, May 2020)
	Web Conference: The CCPA Is Here: Lessons Learned from the First Few Months (IAPP, May 2020)
	Are IP addresses ‘personal information’ under CCPA? (IAPP, April 2020)
	Infographic: The Top-10 Most Impactful Provisions of the CPRA (IAPP, April 2020)
	CCPA FAQ: Cookies, AdTech & Service Providers (Bryan Cave Leighton Paisner, February 2020)
	Are companies using semantics to get around CCPA’s ‘sale’ provision? (IAPP, January 2020)
	Survey of the Retail Industry’s Privacy Practices (Bryan Cave Leighton Paisner, January 2020)
	How the CCPA impacts civil litigation (IAPP, January 2020)
	With the CCPA now in effect, will other states follow? (IAPP, January 2020)
	What you must know about ‘third parties’ under GDPR and CCPA (IAPP, November 2019)
	One law firm’s take on the new draft CCPA regulations (IAPP, October 2019)
	Critics say attorney general’s proposed CCPA regulations add confusion, not clarity (IAPP, October 2019)
	White Paper – 5 Steps You Must Take to Prepare for the CCPA (IAPP, October 2019)
	GDPR and CCPA: A compatibility story (IAPP, October 2019)
	On keynote stage, Mactaggart addresses his ‘new’ CCPA (IAPP, September 2019)
	A look at the latest CCPA amendment updates (IAPP, September 2019)
	CCPA amendment update: Changes to technical corrections and loyalty programs bills (IAPP, September 2019)
	Navigating disclosures and sales of personal information under the CCPA (IAPP, August 2019)
	A close-up on deidentified data under CCPA (IAPP, August 2019)
	What one CCPA co-architect will watch closely with Sacramento back in session (IAPP, August 2019)
	Implementing the CCPA: A Guide for Global Business, Second Edition (IAPP, August 2019)
	CCPA update: Senate committee pares back amendments (IAPP, July 2019)
	Preparing for CCPA: Start benchmarking now (IAPP, June 2019)
	A data processing addendum for the CCPA? (IAPP, June 2019)
	Comparing Maine and Nevada’s new privacy laws with the CCPA (IAPP, June 2019)
	TheScore’s privacy notice analyzed against the CCPA (IAPP, May 2019)
	Encryption, redaction and the CCPA (IAPP, May 2019)
	Competing CCPA amendments sculpt law’s scope (IAPP, April 2019)
	California lawmakers smooth over some of the CCPA’s rough edges (IAPP, April 2019)
	State legislature debates CCPA ad-tech carve out amendment (IAPP, April 2019)
	CCPA offers minimal advantages for deidentification, pseudonymization, and aggregation (IAPP, January 2019)
	Analysis: The California Consumer Privacy Act of 2018 (IAPP, July 2018)
	GDPR matchup: The California Consumer Privacy Act 2018 (IAPP, July 2018)
	New California privacy law to affect more than half a million US companies (IAPP, July 2018)

View More Resources

Compliance Resources

CCPA enforcers emphasize compliance, downplay federal preemption

Save This

Does the CCPA as modified by the CPRA apply to your business?

Save This

Web Conference: How to align your teams for Jan. 1, 2023: HR and B2B changes under CPRA

Original broadcast date: 11 Nov. 2022 This web conference will address how to develop processes and procedures to verify and respond to employee requests to data, discover what you need to know about new obligations for your B2B relationships and more. Read More

Save This

Web Conference: You’re Not Ready for the CPRA if Your Vendors Aren’t, But There’s Still Time

Original broadcast date: 14 Nov. 2022 In this web conference, panelists explain the key elements of the proposed rules and the consequences of failing to perform vendor due diligence and risk assessments. They cover the actions you can take now to ensure you can meet your regulatory requirements to verify your vendors’ compliance, create the new and required counter-party contracts, and your imminent obligation to audit your vendors. They also discuss real-life examples of what can go wrong and how new software can help. Read More

Save This

CCPA/CPRA grace period for HR and B2B ends Jan. 1

On Aug. 31, hopes were dashed when the California legislative session ended without enacting Assembly Bill 1102. The bill would have extended grace periods for certain business-to-business and human resources personal information under the California Consumer Privacy Act as amended by the California Privacy Rights Act. CCPA/CPRA will become fully operational on Jan. 1, 2023, for B2B and HR personal information and will be subject to the same rigorous California privacy regulations as "consumer" ... Read More

Save This

	Implementing the CCPA: A Guide for Global Business, Second Edition (IAPP)
	Complying with the California Consumer Privacy Act’s consumer request process (IAPP, June 2022)
	Web Conference: The CPRA and Beyond: Compliance with Upcoming State Privacy Laws (IAPP, June 2022)
	Web Conference: The Top Reasons Why Your CPRA Compliance Strategy Is Broken and How to Fix It (IAPP, June 2022)
	Guide to collecting personal information under the California Consumer Privacy Act of 2018 (Termageddon, May 2022)
	Web Conference: Latest Research Findings on the State of CCPA & GDPR Privacy Rights Compliance (IAPP, April 2022)
	CPRA for Employers: Developing and Posting a Privacy Notice for Human Resources Data (Littler, April 2022)
	CPRA for Employers: Vendor Contracting Requirements (Littler, April 2022)
	Web Conference: Your Roadmap to CPRA Compliance in 60 Days (IAPP, July 2021)
	Web Conference: CPRA: Challenges for Updating Your Privacy Program … Again (IAPP, January 2021)
	CCPA, CPRA’s hidden ‘third party business’ classification (IAPP, October 2020)
	Web Conference: The LGPD, GDPR, CCPA and More – How to Abide by Multiple Privacy Laws (IAPP, September 2020)
	The CCPA and employee data: A compliance checklist (IAPP, August 2020)
	Web Conference: The CCPA Landscape: Why Minimal Compliance Is Not Enough (IAPP, June 2020)
	Web Conference: Processing DSARs – Lessons from the Early Days of CCPA (IAPP, April 2020)
	Will private litigants be able to enforce the CCPA compliance provisions? (IAPP, February 2020)
	Infographic: Avoiding the pitfalls of CCPA non-compliance (IAPP, December 2019)
	White Paper – Negotiating with Service Providers and Third Parties under CCPA (IAPP, December 2019)
	CCPA Readiness: Third Wave (IAPP, December 2019)
	Web Conference: Preparing for the CCPA Without Boiling the Data Ocean (IAPP, December 2019)
	Google to allow sites to block targeted ads under CCPA (IAPP, November 2019)
	Potential impact of the CCPA in the automotive space: Part II (IAPP, October 2019)
	CCPA’s potential impact in the automotive space (IAPP, October 2019)
	Platform helps organizations take deep dives into GDPR, CCPA (IAPP, October 2019)
	Sample CCPA Privacy Notices (IAPP, September 2019)
	Employers receive last-minute reprieve from the most onerous CCPA compliance obligations (IAPP, September 2019)
	Aiming for CCPA compliance? Define those vendor relationships (IAPP, September 2019)
	CCPA exemption adds compliance considerations for bank CPOs (IAPP, September 2019)
	The unique challenges CCPA poses for SMEs (IAPP, September 2019)
	Why the CCPA’s ‘verified consumer request’ is a business risk (IAPP, August 2019)
	Web Conference: What to Do When Consent Doesn’t Work Under CCPA (IAPP, August 2019)
	Web Conference: CCPA Compliance: Automating the Intake and Fulfillment of Consumer Requests (IAPP, August 2019)
	Service allows companies to set up toll number ahead of CCPA (IAPP, August 2019)
	CCPA Compliance Guide (Skaden, August 2019)
	How to know if your vendor is a ‘service provider’ under CCPA (IAPP, July 2019)
	Infographic: Is Your Business in Need of a CCPA Intervention? (Troutman Sanders, July 2019)
	Does the CCPA regulate internal transfers? (IAPP, June 2019)
	CCPA: What health care, biotech and life sciences companies should know now (IAPP, June 2019)
	White Paper – CCPA Compliance Operation: Delivering Data Access via Accounts (IAPP, June 2019)
	Are there joint controllers under the CCPA? (IAPP, May 2019)
	Global Privacy Summit dispatch: How to leverage GDPR work for CCPA compliance (IAPP, May 2019)
	Can organizations sell children’s data under the CCPA? (IAPP, May 2019)
	What should employers do about the CCPA? (IAPP, April 2019)
	What does the CCPA mean for colleges and universities? (IAPP, March 2019)
	Where to begin to operationalize CCPA compliance (IAPP, January 2019)
	Web con: ‘California’s Privacy Law Changes and Its Impact on Brands’ (IAPP, November 2018)
	How the CCPA could be great for startups (IAPP, November 2018)
	CCPA Transparency Chart (IAPP, July 2018)

View More Resources

ResourceCenter

All the privacy tools and information you need in one easy-to-find place

CCPA and CPRA

Featured Resources

California Privacy Law

Top-10 operational impacts of the CPRA

CCPA-/CPRA-Related Legislation Tracker

Latest News and Resources

CCPA enforcers emphasize compliance, downplay federal preemption

CPRA regulations finalized with OAL approval

California legislative wrap-up: CCPA amendments, children’s privacy and more

Web Conference: California Privacy Rights Act: Are We There Yet?

Does the CCPA as modified by the CPRA apply to your business?

Compliance Resources

CCPA enforcers emphasize compliance, downplay federal preemption

Does the CCPA as modified by the CPRA apply to your business?

Web Conference: How to align your teams for Jan. 1, 2023: HR and B2B changes under CPRA

Web Conference: You’re Not Ready for the CPRA if Your Vendors Aren’t, But There’s Still Time

CCPA/CPRA grace period for HR and B2B ends Jan. 1