CCPA and CPRA

This topic page contains a curation of the IAPP’s coverage, analysis and relevant resources regarding the California Consumer Privacy Act and California Privacy Rights Act.

In June 2018, the CCPA was signed into law, creating new privacy rights for Californians and significant new data protection obligations for businesses. The CCPA went into effect Jan. 1, 2020. California’s Office of the Attorney General has enforcement authority.

The CPRA, a ballot initiative that amends the CCPA and includes additional privacy protections for consumers passed in Nov. 2020. The majority of the CPRA’s provisions will enter into force Jan. 1, 2023, with a look-back to Jan. 2022.

The CPRA established the California Privacy Protection Agency to implement and enforce the law. The Attorney General also retains civil enforcement authority.

CCPA Law and Documents
California Consumer Privacy Act of 2018
- To view the text of the CCPA on the California Legislative Information website, click here.
CCPA Regulations
- To view the CCPA regulations in the California Code of Regulations, click here.
- The attorney general is seeking to reorder and renumber the CCPA regulations to reflect the fact the California Privacy Protection Agency will be assuming rulemaking authority. More information about these proposed changes is available on the attorney general’s CCPA Regulations page.
- A summary of the timeline for the enacted CCPA regulations is here.
CCPA-/CPRA-Related Legislation Tracker
- There are bills pending in the California Legislature that would amend the CCPA and/or the California Privacy Rights Act or otherwise impact how organizations understand or approach each law. This tracker provides a brief summary of the proposed legislation, as well as the status and last legislative action.
How We Got Here
The CCPA came about largely due to the efforts of Alastair Mactaggart, a San Francisco real estate developer and investor. Mactaggart championed and funded an initiative to get a similar bill put on the ballot, receiving more than 600,000 signatures — significantly more than necessary (though they were never officially certified).

Just days before the signatures were to be certified, California Democrats made an agreement with Mactaggart that if they could get a compromise bill signed into law prior to the deadline to get the initiative on the ballot he’d pull his version. In Mactaggart’s words, the proposed bill was “substantially similar to our initiative … It gives more privacy protection in some areas, and less in others.”

For their part, tech industry giants — some of which spent lots of money to oppose Mactaggart’s ballot initiative — announced they would not attempt to block the compromise bill, noting that while they disagree with much of it, it prevented the ballot initiative from moving forward.

On June 28, 2018, Gov. Jerry Brown, D-Calif., signed CCPA into law.
CPRA Law and Documents
In September 2019, Alastair Mactaggart, who was instrumental in getting the California Consumer Privacy Act enacted, launched a new ballot initiative to appear on the November 2020 ballot, the California Privacy Rights Act. On Nov. 3, 2020, the CPRA passed. The CPRA amends the CCPA and includes additional privacy protections for consumers. The majority of the CPRA’s provisions will enter into force Jan. 1, 2023, with a look-back to January 2022.

The California Privacy Rights Act of 2020
- To view the text of the CPRA on the California Legislative Information website, click here. The provisions that are not yet operative are listed after the CCPA provision in effect.
- To view the text of the CPRA ballot initiative, click here.
California Privacy Protection Agency
- The CPRA established the California Privacy Protection Agency to implement and enforce the law. The Attorney General also retains civil enforcement authority.
- To view the CPPA page, including information about rulemaking activity, click here.
CPRA Regulations
- On October 21, 2021, the CPPA provided notice to the California attorney general it was prepared to assume rulemaking responsibilities. Rulemaking authority transfers from the attorney general to the CPPA six months after this notice, per Sections 1798.185(d) and 1798.199.40(b).
- The CPPA has begun informal rulemaking activities. You can view its regulations page here.

Featured Resources Latest News and Resources Compliance Resources

Featured Resources

State of CCPA: Prepare for What’s to Come

In this web conference you will learn how much the average organization is paying for their privacy programs, how many do-not-sell requests to expect once the California Privacy Rights Act goes into effect next year, what steps people are taking to reduce their online footprint, and what this means for businesses and why CPRA will likely increase costs for many businesses.
Read More

Top-10 operational impacts of the CPRA

This is a 10-part series intended to help privacy professionals understand the operational impacts of the California Privacy Rights Act, including how it amends the current rights and obligations established by the California Consumer Privacy Act.
Read More

CCPA-/CPRA-Related Legislation Tracker

To help keep track of all this activity, the IAPP has put together the “CCPA-/CPRA-Related Legislation Tracker.” The grid includes the bill number with a link to the full bill, a brief summary of the amendment, subject, lead author, status and last legislative action.
Read More

Latest News and Resources

Web Conference: Latest Research Findings on the State of CCPA & GDPR Privacy Rights Compliance

Original broadcast date: 7 April 2022 In this web conference, learn the results of the largest and most comprehensive CCPA & GDPR compliance research, including how some industries are complying better than others. Hear discussion on how automation can help companies become compliant with the latest privacy regulations swiftly and cost-effectively. Read More

Save This

CPRA regulations delayed past July 1 deadline, expected Q3 or Q4

Compliance activities loom large as organizations gear up for the California Privacy Rights Act to take force next year. Remaining measures depend largely on the substance of the California Privacy Protection Agency's much-anticipated CPRA rulemaking. The CPRA provides for regulations to be finalized by July 1 to allow for a six-month compliance window ahead of the law's Jan. 1, 2023 effective date, but a surprise announcement from the CPPA suggests a compliance scramble is on the horizon. Whil... Read More

Save This

Status of the California Privacy Protection Agency’s work

The California Privacy Protection Agency, established by the California Privacy Rights Act, is taking shape. It hired Ashkan Soltani as its Executive Director Oct. 4 and is expected to hire a general counsel and deputy director of administration soon. The agency is also moving forward with its rulemaking responsibilities, engaging in preliminary rulemaking activities as it considers what new regulations or amendments to the regulations are appropriate. Adopting final CPRA regulations by the July... Read More

Save This

Brace for impact: PSR21 workshop focuses on CPRA considerations

With California playing host to the IAPP's Privacy. Security. Risk. 2021, it was only fitting that the California Privacy Rights Act took center stage from the get-go. Attendees were treated Wednesday to a CPRA Comprehensive workshop, a full-day event dedicated to providing information and advice on what to expect when the law takes effect Jan. 1, 2023, and how to best prepare for compliance in the leadup to the day. The workshop's panel sessions covered some of the most obvious and pressing qu... Read More

Save This

Web Conference: From CCPA to CPRA: What’s Changed & What You Need to Do

Original broadcast date: 5 October 2021 In this webinar our legal experts walk through the key differences between the CPRA and the CCPA, what areas of the CCPA will be amended with the passage of the CPRA, and what organizations should do to prepare for these changes. Read More

Save This

	CPPA releases public comments for CPRA regs (IAPP, December 2021)
	FTC alum Ashkan Soltani selected to lead CPPA (IAPP, October 2021)
	CPRA could obstruct existing employment rights (IAPP, September 2021)
	Top-10 takeaways from the California AG’s CCPA enforcement case examples (IAPP, September 2021)
	How Defendants Are Attacking CCPA Claims (IAPP, August 2021)
	Web Conference: Your Roadmap to CPRA Compliance in 60 Days (IAPP, July 2021)
	California attorney general offers CCPA enforcement update, launches reporting tool (IAPP, July 2021)
	A look at the California Privacy Protection Agency inaugural meeting (IAPP, June 2021)
	Comparison of Comprehensive Data Privacy Laws in Virginia and California (IAPP, May 2021)
	What the CPPA’s appointments say about enforcement priorities, strategy (IAPP, March 2021)
	A look at possible CPRA compliance challenges (IAPP, August 2021)
	New CCPA regulatory provisions seek to clarify business requirements (IAPP, March 2021)
	Analyzing the CPRA’s new contractual requirements for transfers of personal information (IAPP, March 2021)
	Ambiguity in CPRA imperils content intended for underrepresented communities (IAPP, November 2021)
	New categories, new rights: The CPRA’s opt-out provision for sensitive data (IAPP, February 2021)
	Summary of CPRA Contractual Obligations (IAPP, February 2021)
	Prop 24 passes in Calif., paving way for CPRA (IAPP, November 2020)
	Web Conference: Where We Stand with CPRA, and How This Impacts Your Organization (IAPP, November 2020)
	Consumer Reports: CCPA — Are Consumers’ Digital Rights Protected (Consumer Reports, October 2020)
	Whether yes or no, the stakes are high for Calif.’s Prop 24 (IAPP, October 2020)
	Podcast: Alastair Mactaggart on California’s Prop 24 (IAPP, October 2020)
	LinkedIn Live: ‘Ask the Expert: Lothar Determann on California Consumer Privacy’ (IAPP, October 2020)
	Data brokers: A preview of the new edition of ‘California Privacy Law’ (IAPP, October 2020)
	CCPA Litigation Overview (IAPP, October 2020)
	CCPA update: Calif. attorney general comments, new amendments signed into law (IAPP, October 2020)
	Benchmarking CCPA-related data subject requests (IAPP, October 2020)
	What does the CCPA’s ‘purpose limitation’ mean for businesses? (IAPP, September 2020)
	Web Conference: How to Limit Exposure and Minimize Your Risk Under the CCPA (IAPP, September 2020)
	The CCPA dog that didn’t bark: B2B and employee moratoria extended one year (IAPP, September 2020)
	Considerations for digital media publishers and advertisers seeking to engage adtech companies as ‘CCPA Service Providers’ (Network Advertising Initiative, September 2020)
	Web Conference: Privacy and Regulations: What’s Next After CCPA? (IAPP, August 2020)
	CPRA promises short-term consumer benefits, long-term uncertainty (IAPP, July 2020)
	Calif. attorney general updates CCPA FAQ (IAPP, July 2020)
	CCPA draft regulations: Privacy notices and accessibility in the employment context (IAPP, July 2020)
	The new CCPA draft regulations: Identity verification (IAPP, June 2020)
	CCPA litigation: Shaping the contours of the private right of action (IAPP, June 2020)
	Web Conference: CCPA Enforcement: What to Expect after July 1 (IAPP, June 2020)
	Will CPRA prevail on November 3? (IAPP, June 2020)
	At Calif. hearing, critics question CPRA’s timing (IAPP, June 2020)
	Web Conference: Everything You Need to Know about CPRA/CCPA 2.0 (IAPP, June 2020)
	Web Conference: California Privacy Rights Act: What Lies Ahead? (IAPP, May 2020)
	LinkedIn Live: Discussing the California Privacy Rights Ballot Initiative (IAPP, May 2020)
	CPRA initiative moves to sampling, CCPA regs likely delayed (IAPP, May 2020)
	CPRA’s top-10 impactful provisions (IAPP, May 2020)
	CPRA analysis: The ‘good’ and ‘bad’ news for CCPA-regulated ‘businesses’ (IAPP, May 2020)
	Infographic: CCPA Enforcement (IAPP, May 2020)
	Web Conference: The CCPA Is Here: Lessons Learned from the First Few Months (IAPP, May 2020)
	Guide to collecting personal information under the California Consumer Privacy Act of 2018 (Termageddon, April 2020)
	Are IP addresses ‘personal information’ under CCPA? (IAPP, April 2020)
	Infographic: The Top-10 Most Impactful Provisions of the CPRA (IAPP, April 2020)
	Data Protection Laws 101: The Recruiter’s Role in California’s Privacy Law (Lever, February 2020)
	CCPA FAQ: Cookies, AdTech & Service Providers (Bryan Cave Leighton Paisner, February 2020)
	Bryan Cave – CCPA Practical Guide (IAPP, January 2020)
	The Litigator’s Handbook: Answers to the Top 50 FAQs Concerning Litigation and the CCPA (Bryan Cave Leighton Paisner, January 2020)
	Are companies using semantics to get around CCPA’s ‘sale’ provision? (IAPP, January 2020)
	Survey of the Retail Industry’s Privacy Practices (Bryan Cave Leighton Paisner, January 2020)
	What you must know about ‘third parties’ under GDPR and CCPA (IAPP, November 2019)
	One law firm’s take on the new draft CCPA regulations (IAPP, October 2019)
	Critics say attorney general’s proposed CCPA regulations add confusion, not clarity (IAPP, October 2019)
	White Paper – 5 Steps You Must Take to Prepare for the CCPA (IAPP, October 2019)
	GDPR and CCPA: A compatibility story (IAPP, October 2019)
	The Privacy Advisor Podcast: Some industry perspective on amended CCPA (IAPP, September 2019)
	On keynote stage, Mactaggart addresses his ‘new’ CCPA (IAPP, September 2019)
	The Privacy Advisor Podcast: CCPA in its final form (IAPP, September 2019)
	A look at the latest CCPA amendment updates (IAPP, September 2019)
	CCPA amendment update: Changes to technical corrections and loyalty programs bills (IAPP, September 2019)
	Navigating disclosures and sales of personal information under the CCPA (IAPP, August 2019)
	A close-up on deidentified data under CCPA (IAPP, August 2019)
	What one CCPA co-architect will watch closely with Sacramento back in session (IAPP, August 2019)
	CCPA and GDPR Comparison Chart (Practical Law, August 2019)
	Implementing the CCPA: A Guide for Global Business, Second Edition (IAPP, August 2019)
	CCPA update: Senate committee pares back amendments (IAPP, July 2019)
	Preparing for CCPA: Start benchmarking now (IAPP, June 2019)
	A data processing addendum for the CCPA? (IAPP, June 2019)
	Comparing Maine and Nevada’s new privacy laws with the CCPA (IAPP, June 2019)
	TheScore’s privacy notice analyzed against the CCPA (IAPP, May 2019)
	Encryption, redaction and the CCPA (IAPP, May 2019)
	Competing CCPA amendments sculpt law’s scope (IAPP, April 2019)
	California lawmakers smooth over some of the CCPA’s rough edges (IAPP, April 2019)
	State legislature debates CCPA ad-tech carve out amendment (IAPP, April 2019)
	CCPA offers minimal advantages for deidentification, pseudonymization, and aggregation (IAPP, January 2019)
	Comparing privacy laws: GDPR v. CCPA (DataGuidance and the Future of Privacy Forum, December 2018)
	Analysis: The California Consumer Privacy Act of 2018 (IAPP, July 2018)
	GDPR matchup: The California Consumer Privacy Act 2018 (IAPP, July 2018)
	Web Conference: Understanding the California Consumer Privacy Act of 2018 (IAPP, July 2018)
	New California privacy law to affect more than half a million US companies (IAPP, July 2018)
	California Privacy Law, Fourth Edition (IAPP, June 2018)

View More Resources

Compliance Resources

Web Conference: Latest Research Findings on the State of CCPA & GDPR Privacy Rights Compliance

Save This

Implementing the CCPA: A Guide for Global Business, Second Edition

(September 2019) – This book aims to help the person who is leading a business’s CCPA efforts so they can have a handle on what is necessary to comply and make risk-based choices about how best to proceed. The point is to help companies that do not wish to be the target of class-action activity after the CCPA’s January 1, 2020, effective date to avoid becoming “low-hanging fruit." Read More

Save This

Web Conference: Your Roadmap to CPRA Compliance in 60 Days

Original broadcast date: 22 July 2021 The California Privacy Rights Act comes into effect on January 1, 2023. Among its new requirements is a new data retention provision. Personal and sensitive information must be disposed of when its purpose has been fulfilled, and the organization must disclose the retention policy at the time of collection. Additionally, the data retention policies apply to data collected on or after January 1, 2022. Under CPRA, companies can no longer simply hold individuals’ personal data forever; they must have robust data retention and disposal practices. Read More

Save This

Web Conference: CPRA: Challenges for Updating Your Privacy Program … Again

Original broadcast date: 19 January 2021 This panel will feature experts with deep experience in California's privacy legislative and regulatory landscape, with a focus on helping you consider some of the most challenging complexities under the CPRA. Read More

Save This

Web Conference: The LGPD, GDPR, CCPA and More – How to Abide by Multiple Privacy Laws

Original broadcast date: Sept. 8, 2020 Join the IAPP and hear about LGPD Academico’s efforts to increase awareness about these obligations and rights, and how best to manage them at your organization. You’ll hear about requirements under multiple privacy laws affecting companies doing business globally including the General Data Protection Law, EU General Data Protection Regulation and the California Consumer Privacy Act, and how forward-thinking privacy teams are tackling obligations under various jurisdictions and across multiple business arms. The focus of this privacy education web conference will be on operationalizing these laws within your organization, and a basic understanding of the laws themselves and their requirements will be assumed, although a brief primer will be included. Read More

Save This

	CCPA, CPRA’s hidden ‘third party business’ classification (IAPP, October 2020)
	The CCPA and employee data: A compliance checklist (IAPP, August 2020)
	Web Conference: The CCPA Landscape: Why Minimal Compliance Is Not Enough (IAPP, June 2020)
	Guide to collecting personal information under the California Consumer Privacy Act of 2018 (Termageddon, April 2020)
	Web Conference: Processing DSARs – Lessons from the Early Days of CCPA (IAPP, April 2020)
	What does a HR director need to know about the CCPA? (IAPP, March 2020)
	Will private litigants be able to enforce the CCPA compliance provisions? (IAPP, February 2020)
	Infographic: Avoiding the pitfalls of CCPA non-compliance (IAPP, December 2019)
	White Paper – Negotiating with Service Providers and Third Parties under CCPA (IAPP, December 2019)
	CCPA Readiness: Third Wave (IAPP, December 2019)
	Web Conference: Preparing for the CCPA Without Boiling the Data Ocean (IAPP, December 2019)
	Google to allow sites to block targeted ads under CCPA (IAPP, November 2019)
	Potential impact of the CCPA in the automotive space: Part II (IAPP, October 2019)
	CCPA’s potential impact in the automotive space (IAPP, October 2019)
	Platform helps organizations take deep dives into GDPR, CCPA (IAPP, October 2019)
	Sample CCPA Privacy Notices (IAPP, September 2019)
	Employers receive last-minute reprieve from the most onerous CCPA compliance obligations (IAPP, September 2019)
	Aiming for CCPA compliance? Define those vendor relationships (IAPP, September 2019)
	CCPA exemption adds compliance considerations for bank CPOs (IAPP, September 2019)
	CCPA Readiness survey (IAPP, August 2019)
	The unique challenges CCPA poses for SMEs (IAPP, September 2019)
	Why the CCPA’s ‘verified consumer request’ is a business risk (IAPP, August 2019)
	Web Conference: What to Do When Consent Doesn’t Work Under CCPA (IAPP, August 2019)
	Web Conference: CCPA Compliance: Automating the Intake and Fulfillment of Consumer Requests (IAPP, August 2019)
	White Paper – California’s Consumer Privacy Act: Three requirements for effective compliance (Exterro, August 2019)
	Service allows companies to set up toll number ahead of CCPA (IAPP, August 2019)
	CCPA Compliance Guide (Skaden, August 2019)
	How to know if your vendor is a ‘service provider’ under CCPA (IAPP, July 2019)
	Infographic: Is Your Business in Need of a CCPA Intervention? (Troutman Sanders, July 2019)
	Does the CCPA regulate internal transfers? (IAPP, June 2019)
	CCPA: What health care, biotech and life sciences companies should know now (IAPP, June 2019)
	White Paper – CCPA Compliance Operation: Delivering Data Access via Accounts (IAPP, June 2019)
	Are there joint controllers under the CCPA? (IAPP, May 2019)
	Global Privacy Summit dispatch: How to leverage GDPR work for CCPA compliance (IAPP, May 2019)
	Can organizations sell children’s data under the CCPA? (IAPP, May 2019)
	White Paper – Ready or not, here it comes: How prepared are organizations for the California Consumer Privacy Act? (IAPP, April 2019)
	What should employers do about the CCPA? (IAPP, April 2019)
	What does the CCPA mean for colleges and universities? (IAPP, March 2019)
	Where to begin to operationalize CCPA compliance (IAPP, January 2019)
	Web con: ‘California’s Privacy Law Changes and Its Impact on Brands’ (IAPP, November 2018)
	How the CCPA could be great for startups (IAPP, November 2018)
	CCPA Transparency Chart (IAPP, July 2018)

View More Resources

ResourceCenter

All the privacy tools and information you need in one easy-to-find place

CCPA and CPRA

Featured Resources

State of CCPA: Prepare for What’s to Come

Top-10 operational impacts of the CPRA

CCPA-/CPRA-Related Legislation Tracker

Latest News and Resources

Web Conference: Latest Research Findings on the State of CCPA & GDPR Privacy Rights Compliance

CPRA regulations delayed past July 1 deadline, expected Q3 or Q4

Status of the California Privacy Protection Agency’s work

Brace for impact: PSR21 workshop focuses on CPRA considerations

Web Conference: From CCPA to CPRA: What’s Changed & What You Need to Do

Compliance Resources

Web Conference: Latest Research Findings on the State of CCPA & GDPR Privacy Rights Compliance

Implementing the CCPA: A Guide for Global Business, Second Edition

Web Conference: Your Roadmap to CPRA Compliance in 60 Days

Web Conference: CPRA: Challenges for Updating Your Privacy Program … Again

Web Conference: The LGPD, GDPR, CCPA and More – How to Abide by Multiple Privacy Laws