CCPA and CPRA

This topic page contains a curation of the IAPP’s coverage, analysis and relevant resources regarding the California Consumer Privacy Act and California Privacy Rights Act.

In June 2018, the CCPA was signed into law, creating new privacy rights for Californians and significant new data protection obligations for businesses. The CCPA went into effect Jan. 1, 2020. California’s Office of the Attorney General has enforcement authority.

The CPRA, a ballot initiative that amends the CCPA and includes additional privacy protections for consumers passed in Nov. 2020. The majority of the CPRA’s provisions will enter into force Jan. 1, 2023, with a look-back to Jan. 2022.

The CPRA established the California Privacy Protection Agency to implement and enforce the law. The Attorney General also retains civil enforcement authority.

CCPA Law and Documents
California Consumer Privacy Act of 2018
- To view the text of the CCPA on the California Legislative Information website, click here.
CCPA Regulations
- To view the CCPA regulations in the California Code of Regulations, click here.
- NOTE: The CCPA regulations were reordered and renumbered to reflect the fact the California Privacy Protection Agency assumed rulemaking authority in April 2022. More information about these changes is available on the CPPA’s Regulations page.
- A summary of the timeline for the enacted CCPA regulations is here.
CCPA-/CPRA-Related Legislation Tracker
- There are bills pending in the California Legislature that would amend the CCPA and/or the California Privacy Rights Act or otherwise impact how organizations understand or approach each law. This tracker provides a brief summary of the proposed legislation, as well as the status and last legislative action.
How We Got Here
The CCPA came about largely due to the efforts of Alastair Mactaggart, a San Francisco real estate developer and investor. Mactaggart championed and funded an initiative to get a similar bill put on the ballot, receiving more than 600,000 signatures — significantly more than necessary (though they were never officially certified).

Just days before the signatures were to be certified, California Democrats made an agreement with Mactaggart that if they could get a compromise bill signed into law prior to the deadline to get the initiative on the ballot he’d pull his version. In Mactaggart’s words, the proposed bill was “substantially similar to our initiative … It gives more privacy protection in some areas, and less in others.”

For their part, tech industry giants — some of which spent lots of money to oppose Mactaggart’s ballot initiative — announced they would not attempt to block the compromise bill, noting that while they disagree with much of it, it prevented the ballot initiative from moving forward.

On June 28, 2018, Gov. Jerry Brown, D-Calif., signed CCPA into law.
CPRA Law and Documents
In September 2019, Alastair Mactaggart, who was instrumental in getting the California Consumer Privacy Act enacted, launched a new ballot initiative to appear on the November 2020 ballot, the California Privacy Rights Act. On Nov. 3, 2020, the CPRA passed. The CPRA amends the CCPA and includes additional privacy protections for consumers. The majority of the CPRA’s provisions will enter into force Jan. 1, 2023, with a look-back to January 2022.

The California Privacy Rights Act of 2020
- To view the text of the CPRA on the California Legislative Information website, click here. The provisions that are not yet operative are listed after the CCPA provision in effect.
- To view the text of the CPRA ballot initiative, click here.
California Privacy Protection Agency
- The CPRA established the California Privacy Protection Agency to implement and enforce the law. The Attorney General also retains civil enforcement authority.
- To view the CPPA page, including information about rulemaking activity, click here.
CPRA Regulations
- On October 21, 2021, the CPPA provided notice to the California attorney general it was prepared to assume rulemaking responsibilities. Rulemaking authority transfers from the attorney general to the CPPA six months after this notice, per Sections 1798.185(d) and 1798.199.40(b).
- On April 21, 2022, rulemaking authority under the CCPA formally transferred to the CPPA.
- The CPPA has begun informal rulemaking activities. You can view its regulations page here.

Featured Resources Latest News and Resources Compliance Resources

Featured Resources

CCPA enforcement action: A case study

The $1.2 million California Consumer Privacy Act fine against retailer Sephora put businesses on notice that the California attorney general’s office stands ready to crack down on data mishandling. The first-ever enforcement action under the CCPA also shows the attorney general’s interpretation of the law, particularly as it relates to data sales and consumer opt-outs. This article explains what the attorney general’s reading means for businesses moving forward.
Read More

Top-10 operational impacts of the CPRA

This is a 10-part series intended to help privacy professionals understand the operational impacts of the California Privacy Rights Act, including how it amends the current rights and obligations established by the California Consumer Privacy Act.
Read More

CCPA-/CPRA-Related Legislation Tracker

There are bills pending in the California Legislature that would amend the CCPA and/or the CPRA or otherwise impact how organizations understand or approach each law. This tracker includes the bill number and a brief summary of the proposed legislation, as well as the status and last legislative action.
Read More

Latest News and Resources

CPPA publishes first modifications of CPRA draft regulations

The California Privacy Protection Agency released updated California Privacy Rights Act draft regulations with a summary of the latest modifications. These are the first updates to the initial draft rules published May 31 covering select topics under the CPRA, including personal data collection and use restrictions, mandatory user opt-out signal acknowledgement and privacy notice requirements. The CPPA filed its updates ahead of expected discussion on the draft regulations during its two-day ope... Read More

Save This

CPPA Board chair doubles down on proposed American Data Privacy and Protection Act opposition

In an op-ed for The San Francisco Chronicle, California Privacy Protection Agency Board Chair Jennifer Urban reiterated the agency's position on how the proposed American Data Privacy and Protection Act would "undermine" Californians' privacy rights and businesses' "ability to confidently invest in more privacy-protective practices." Urban said companies "may be understandably confused about how to invest if Congress overturns this existing guidance" under the California Consumer Privacy Act. Sh... Read More

Save This

CCPA/CPRA grace period for HR and B2B ends Jan. 1

On Aug. 31, hopes were dashed when the California legislative session ended without enacting Assembly Bill 1102. The bill would have extended grace periods for certain business-to-business and human resources personal information under the California Consumer Privacy Act as amended by the California Privacy Rights Act. CCPA/CPRA will become fully operational on Jan. 1, 2023, for B2B and HR personal information and will be subject to the same rigorous California privacy regulations as "consumer" ... Read More

Save This

The Sephora case: Do not sell – But are you selling?

Businesses barely had time to recover from a hectic privacy summer, with U.S. privacy legislation making progress on the Hill and the U.S. Federal Trade Commission’s launch of a sweeping rulemaking initiative, when California Attorney General Rob Bonta dropped a bombshell: The first enforcement settlement under the California Consumer Privacy Act. Pursuant to the settlement, Sephora, a French cosmetics brand, will pay $1.2 million in fines and abide by a set of compliance obligations. The attorn... Read More

Save This

California attorney general announces first CCPA enforcement action

There's been plenty of bark with California Consumer Privacy Act enforcement since the law entered into force January 2020 and now the bite has arrived. California Attorney General Rob Bonta announced the first enforcement action under the CCPA, a $1.2 million settlement with multinational retailer Sephora over violations of the law's "Do Not Sell" provisions. According to the attorney general's office, Sephora's violation specifically concerned the failures to inform individuals about the sale... Read More

Save This

	CPPA restates American Data Privacy and Protection Act opposition to US House leaders (IAPP, August 2022)
	CPPA launches CPRA rulemaking process (IAPP, July 2022)
	Web Conference: Unpacking CPRA and 2023 Predictions (IAPP, June 2022)
	Complying with the California Consumer Privacy Act’s consumer request process (IAPP, June 2022)
	Web Conference: Ready For CPRA? Pragmatic Steps to Take Now (IAPP, June 2022)
	Web Conference: The CPRA and Beyond: Compliance with Upcoming State Privacy Laws (IAPP, June 2022)
	CPPA board moves CPRA rulemaking process forward (IAPP, June 2022)
	Web Conference: The Top Reasons Why Your CPRA Compliance Strategy Is Broken and How to Fix It (IAPP, June 2022)
	Privacy pros take stock of surprise CPRA draft regulations (IAPP, June 2022)
	CPPA board charts course for CPRA rulemaking (IAPP, May 2022)
	Guide to collecting personal information under the California Consumer Privacy Act of 2018 (Termageddon, May 2022)
	CPRA for Employers: Developing and Posting a Privacy Notice for Human Resources Data (Littler, April 2022)
	CPRA for Employers: Vendor Contracting Requirements (Littler, April 2022)
	Web Conference: Latest Research Findings on the State of CCPA & GDPR Privacy Rights Compliance (IAPP, April 2022)
	Web Conference: State of CCPA: A Look Back to Prepare for What’s to Come (IAPP, March 2022)
	CPRA regulations delayed past July 1 deadline, expected Q3 or Q4 (IAPP, February 2022)
	CPPA releases public comments for CPRA regs (IAPP, December 2021)
	Status of the California Privacy Protection Agency’s work (IAPP, December 2021)
	Brace for impact: PSR21 workshop focuses on CPRA considerations (IAPP, October 2021)
	Web Conference: From CCPA to CPRA: What’s Changed & What You Need to Do (IAPP, October 2021)
	FTC alum Ashkan Soltani selected to lead CPPA (IAPP, October 2021)
	CPRA could obstruct existing employment rights (IAPP, September 2021)
	Top-10 takeaways from the California AG’s CCPA enforcement case examples (IAPP, September 2021)
	How Defendants Are Attacking CCPA Claims (IAPP, August 2021)
	Web Conference: Your Roadmap to CPRA Compliance in 60 Days (IAPP, July 2021)
	California attorney general offers CCPA enforcement update, launches reporting tool (IAPP, July 2021)
	A look at the California Privacy Protection Agency inaugural meeting (IAPP, June 2021)
	Comparison of Comprehensive Data Privacy Laws in Virginia and California (IAPP, May 2021)
	What the CPPA’s appointments say about enforcement priorities, strategy (IAPP, March 2021)
	A look at possible CPRA compliance challenges (IAPP, August 2021)
	New CCPA regulatory provisions seek to clarify business requirements (IAPP, March 2021)
	Analyzing the CPRA’s new contractual requirements for transfers of personal information (IAPP, March 2021)
	Ambiguity in CPRA imperils content intended for underrepresented communities (IAPP, November 2021)
	New categories, new rights: The CPRA’s opt-out provision for sensitive data (IAPP, February 2021)
	Summary of CPRA Contractual Obligations (IAPP, February 2021)
	Prop 24 passes in Calif., paving way for CPRA (IAPP, November 2020)
	Web Conference: Where We Stand with CPRA, and How This Impacts Your Organization (IAPP, November 2020)
	Whether yes or no, the stakes are high for Calif.’s Prop 24 (IAPP, October 2020)
	Podcast: Alastair Mactaggart on California’s Prop 24 (IAPP, October 2020)
	LinkedIn Live: ‘Ask the Expert: Lothar Determann on California Consumer Privacy’ (IAPP, October 2020)
	Data brokers: A preview of the new edition of ‘California Privacy Law’ (IAPP, October 2020)
	CCPA Litigation Overview (IAPP, October 2020)
	CCPA update: Calif. attorney general comments, new amendments signed into law (IAPP, October 2020)
	Benchmarking CCPA-related data subject requests (IAPP, October 2020)
	What does the CCPA’s ‘purpose limitation’ mean for businesses? (IAPP, September 2020)
	Web Conference: How to Limit Exposure and Minimize Your Risk Under the CCPA (IAPP, September 2020)
	The CCPA dog that didn’t bark: B2B and employee moratoria extended one year (IAPP, September 2020)
	Considerations for digital media publishers and advertisers seeking to engage adtech companies as ‘CCPA Service Providers’ (Network Advertising Initiative, September 2020)
	Web Conference: Privacy and Regulations: What’s Next After CCPA? (IAPP, August 2020)
	CPRA promises short-term consumer benefits, long-term uncertainty (IAPP, July 2020)
	Calif. attorney general updates CCPA FAQ (IAPP, July 2020)
	CCPA draft regulations: Privacy notices and accessibility in the employment context (IAPP, July 2020)
	The new CCPA draft regulations: Identity verification (IAPP, June 2020)
	CCPA litigation: Shaping the contours of the private right of action (IAPP, June 2020)
	Web Conference: CCPA Enforcement: What to Expect after July 1 (IAPP, June 2020)
	Will CPRA prevail on November 3? (IAPP, June 2020)
	At Calif. hearing, critics question CPRA’s timing (IAPP, June 2020)
	Web Conference: Everything You Need to Know about CPRA/CCPA 2.0 (IAPP, June 2020)
	Web Conference: Lessons Learned Tackling CCPA Consumer Rights and GDPR Data Subject Rights (IAPP, June 2020)
	Web Conference: The Impact of CCPA and GDPR on Data Management (IAPP, May 2020)
	Web Conference: California Privacy Rights Act: What Lies Ahead? (IAPP, May 2020)
	LinkedIn Live: Discussing the California Privacy Rights Ballot Initiative (IAPP, May 2020)
	CPRA initiative moves to sampling, CCPA regs likely delayed (IAPP, May 2020)
	CPRA’s top-10 impactful provisions (IAPP, May 2020)
	CPRA analysis: The ‘good’ and ‘bad’ news for CCPA-regulated ‘businesses’ (IAPP, May 2020)
	Infographic: CCPA Enforcement (IAPP, May 2020)
	Web Conference: The CCPA Is Here: Lessons Learned from the First Few Months (IAPP, May 2020)
	Are IP addresses ‘personal information’ under CCPA? (IAPP, April 2020)
	Infographic: The Top-10 Most Impactful Provisions of the CPRA (IAPP, April 2020)
	Data Protection Laws 101: The Recruiter’s Role in California’s Privacy Law (Lever, February 2020)
	CCPA FAQ: Cookies, AdTech & Service Providers (Bryan Cave Leighton Paisner, February 2020)
	Bryan Cave – CCPA Practical Guide (IAPP, January 2020)
	The Litigator’s Handbook: Answers to the Top 50 FAQs Concerning Litigation and the CCPA (Bryan Cave Leighton Paisner, January 2020)
	Are companies using semantics to get around CCPA’s ‘sale’ provision? (IAPP, January 2020)
	Survey of the Retail Industry’s Privacy Practices (Bryan Cave Leighton Paisner, January 2020)
	How the CCPA impacts civil litigation (IAPP, January 2020)
	With the CCPA now in effect, will other states follow? (IAPP, January 2020)
	What you must know about ‘third parties’ under GDPR and CCPA (IAPP, November 2019)
	One law firm’s take on the new draft CCPA regulations (IAPP, October 2019)
	Critics say attorney general’s proposed CCPA regulations add confusion, not clarity (IAPP, October 2019)
	White Paper – 5 Steps You Must Take to Prepare for the CCPA (IAPP, October 2019)
	GDPR and CCPA: A compatibility story (IAPP, October 2019)
	The Privacy Advisor Podcast: Some industry perspective on amended CCPA (IAPP, September 2019)
	On keynote stage, Mactaggart addresses his ‘new’ CCPA (IAPP, September 2019)
	The Privacy Advisor Podcast: CCPA in its final form (IAPP, September 2019)
	A look at the latest CCPA amendment updates (IAPP, September 2019)
	CCPA amendment update: Changes to technical corrections and loyalty programs bills (IAPP, September 2019)
	Navigating disclosures and sales of personal information under the CCPA (IAPP, August 2019)
	A close-up on deidentified data under CCPA (IAPP, August 2019)
	What one CCPA co-architect will watch closely with Sacramento back in session (IAPP, August 2019)
	CCPA and GDPR Comparison Chart (Practical Law, August 2019)
	Implementing the CCPA: A Guide for Global Business, Second Edition (IAPP, August 2019)
	CCPA update: Senate committee pares back amendments (IAPP, July 2019)
	Preparing for CCPA: Start benchmarking now (IAPP, June 2019)
	A data processing addendum for the CCPA? (IAPP, June 2019)
	Comparing Maine and Nevada’s new privacy laws with the CCPA (IAPP, June 2019)
	TheScore’s privacy notice analyzed against the CCPA (IAPP, May 2019)
	Encryption, redaction and the CCPA (IAPP, May 2019)
	Competing CCPA amendments sculpt law’s scope (IAPP, April 2019)
	California lawmakers smooth over some of the CCPA’s rough edges (IAPP, April 2019)
	State legislature debates CCPA ad-tech carve out amendment (IAPP, April 2019)
	CCPA offers minimal advantages for deidentification, pseudonymization, and aggregation (IAPP, January 2019)
	Analysis: The California Consumer Privacy Act of 2018 (IAPP, July 2018)
	GDPR matchup: The California Consumer Privacy Act 2018 (IAPP, July 2018)
	Web Conference: Understanding the California Consumer Privacy Act of 2018 (IAPP, July 2018)
	New California privacy law to affect more than half a million US companies (IAPP, July 2018)
	California Privacy Law, Fourth Edition (IAPP, June 2018)

View More Resources

Compliance Resources

CCPA/CPRA grace period for HR and B2B ends Jan. 1

Save This

Complying with the California Consumer Privacy Act’s consumer request process

The California Consumer Privacy Act gives California residents the right to know what personal information a business collects about them and how it is used. The law likewise imposes obligations on businesses to ensure consumers can exercise this right. Although the CCPA and its regulations provide a framework, operationalizing the consumer request process can be complex. Two compliance issues that present challenges for organizations covered by the CCPA are: The scope of information subject... Read More

Save This

Web Conference: The CPRA and Beyond: Compliance with Upcoming State Privacy Laws

Original broadcast date: 9 June 2022 In this web conference, you will learn the similarities and key differences between the comprehensive consumer privacy laws in California, Colorado, Connecticut, Utah and Virginia, how to draft privacy documents effectively without reduplicating effort and further changes via regulation or amendment to keep an eye on, and how to keep your documents up to date. Read More

Save This

Web Conference: The Top Reasons Why Your CPRA Compliance Strategy Is Broken and How to Fix It

Original broadcast date: 8 June 2022 In this web conference, panelists discuss how to fix your compliance strategy for smooth sailing across the CPRA waters. Key takeaways include, an overview of the CPRA’s requirements and new obligations imposed on businesses, why you need a strategic and defensible data retention framework to comply with the CPRA and key elements to successfully operationalize your CPRA compliance program. Read More

Save This

Implementing the CCPA: A Guide for Global Business, Second Edition

(September 2019) – This book aims to help the person who is leading a business’s CCPA efforts so they can have a handle on what is necessary to comply and make risk-based choices about how best to proceed. The point is to help companies that do not wish to be the target of class-action activity after the CCPA’s January 1, 2020, effective date to avoid becoming “low-hanging fruit." Read More

Save This

	Guide to collecting personal information under the California Consumer Privacy Act of 2018 (Termageddon, May 2022)
	Web Conference: Latest Research Findings on the State of CCPA & GDPR Privacy Rights Compliance (IAPP, April 2022)
	CPRA for Employers: Developing and Posting a Privacy Notice for Human Resources Data (Littler, April 2022)
	CPRA for Employers: Vendor Contracting Requirements (Littler, April 2022)
	Web Conference: Your Roadmap to CPRA Compliance in 60 Days (IAPP, July 2021)
	Web Conference: CPRA: Challenges for Updating Your Privacy Program … Again (IAPP, January 2021)
	CCPA, CPRA’s hidden ‘third party business’ classification (IAPP, October 2020)
	Web Conference: The LGPD, GDPR, CCPA and More – How to Abide by Multiple Privacy Laws (IAPP, September 2020)
	The CCPA and employee data: A compliance checklist (IAPP, August 2020)
	Web Conference: The CCPA Landscape: Why Minimal Compliance Is Not Enough (IAPP, June 2020)
	Web Conference: Processing DSARs – Lessons from the Early Days of CCPA (IAPP, April 2020)
	Will private litigants be able to enforce the CCPA compliance provisions? (IAPP, February 2020)
	Infographic: Avoiding the pitfalls of CCPA non-compliance (IAPP, December 2019)
	White Paper – Negotiating with Service Providers and Third Parties under CCPA (IAPP, December 2019)
	CCPA Readiness: Third Wave (IAPP, December 2019)
	Web Conference: Preparing for the CCPA Without Boiling the Data Ocean (IAPP, December 2019)
	Google to allow sites to block targeted ads under CCPA (IAPP, November 2019)
	Potential impact of the CCPA in the automotive space: Part II (IAPP, October 2019)
	CCPA’s potential impact in the automotive space (IAPP, October 2019)
	Platform helps organizations take deep dives into GDPR, CCPA (IAPP, October 2019)
	Sample CCPA Privacy Notices (IAPP, September 2019)
	Employers receive last-minute reprieve from the most onerous CCPA compliance obligations (IAPP, September 2019)
	Aiming for CCPA compliance? Define those vendor relationships (IAPP, September 2019)
	CCPA exemption adds compliance considerations for bank CPOs (IAPP, September 2019)
	The unique challenges CCPA poses for SMEs (IAPP, September 2019)
	Why the CCPA’s ‘verified consumer request’ is a business risk (IAPP, August 2019)
	Web Conference: What to Do When Consent Doesn’t Work Under CCPA (IAPP, August 2019)
	Web Conference: CCPA Compliance: Automating the Intake and Fulfillment of Consumer Requests (IAPP, August 2019)
	White Paper – California’s Consumer Privacy Act: Three requirements for effective compliance (Exterro, August 2019)
	Service allows companies to set up toll number ahead of CCPA (IAPP, August 2019)
	CCPA Compliance Guide (Skaden, August 2019)
	How to know if your vendor is a ‘service provider’ under CCPA (IAPP, July 2019)
	Infographic: Is Your Business in Need of a CCPA Intervention? (Troutman Sanders, July 2019)
	Does the CCPA regulate internal transfers? (IAPP, June 2019)
	CCPA: What health care, biotech and life sciences companies should know now (IAPP, June 2019)
	White Paper – CCPA Compliance Operation: Delivering Data Access via Accounts (IAPP, June 2019)
	Are there joint controllers under the CCPA? (IAPP, May 2019)
	Global Privacy Summit dispatch: How to leverage GDPR work for CCPA compliance (IAPP, May 2019)
	Can organizations sell children’s data under the CCPA? (IAPP, May 2019)
	What should employers do about the CCPA? (IAPP, April 2019)
	What does the CCPA mean for colleges and universities? (IAPP, March 2019)
	Where to begin to operationalize CCPA compliance (IAPP, January 2019)
	Web con: ‘California’s Privacy Law Changes and Its Impact on Brands’ (IAPP, November 2018)
	How the CCPA could be great for startups (IAPP, November 2018)
	CCPA Transparency Chart (IAPP, July 2018)

View More Resources

ResourceCenter

All the privacy tools and information you need in one easy-to-find place

CCPA and CPRA

Featured Resources

CCPA enforcement action: A case study

Top-10 operational impacts of the CPRA

CCPA-/CPRA-Related Legislation Tracker

Latest News and Resources

CPPA publishes first modifications of CPRA draft regulations

CPPA Board chair doubles down on proposed American Data Privacy and Protection Act opposition

CCPA/CPRA grace period for HR and B2B ends Jan. 1

The Sephora case: Do not sell – But are you selling?

California attorney general announces first CCPA enforcement action

Compliance Resources

CCPA/CPRA grace period for HR and B2B ends Jan. 1

Complying with the California Consumer Privacy Act’s consumer request process

Web Conference: The CPRA and Beyond: Compliance with Upcoming State Privacy Laws

Web Conference: The Top Reasons Why Your CPRA Compliance Strategy Is Broken and How to Fix It

Implementing the CCPA: A Guide for Global Business, Second Edition