CCPA and CPRA

This topic page contains a curation of the IAPP’s coverage, analysis and relevant resources regarding the California Consumer Privacy Act and California Privacy Rights Act.

In June 2018, the CCPA was signed into law, creating new privacy rights for Californians and significant new data protection obligations for businesses. The CCPA went into effect Jan. 1, 2020. California’s Office of the Attorney General has enforcement authority.

The CPRA, a ballot initiative that amends the CCPA and includes additional privacy protections for consumers passed in Nov. 2020. The majority of the CPRA’s provisions will enter into force Jan. 1, 2023, with a look-back to Jan. 2022.

The CPRA established the California Privacy Protection Agency to implement and enforce the law. The Attorney General also retains civil enforcement authority.

CCPA Law and Documents
California Consumer Privacy Act of 2018
- To view the text of the CCPA on the California Legislative Information website, click here.
CCPA Regulations
- To view the CCPA regulations in the California Code of Regulations, click here.
- NOTE: The CCPA regulations were reordered and renumbered to reflect the fact the California Privacy Protection Agency assumed rulemaking authority in April 2022. More information about these changes is available on the CPPA’s Regulations page.
- A summary of the timeline for the enacted CCPA regulations is here.
CCPA-/CPRA-Related Legislation Tracker
- There are bills pending in the California Legislature that would amend the CCPA and/or the California Privacy Rights Act or otherwise impact how organizations understand or approach each law. This tracker provides a brief summary of the proposed legislation, as well as the status and last legislative action.
How We Got Here
The CCPA came about largely due to the efforts of Alastair Mactaggart, a San Francisco real estate developer and investor. Mactaggart championed and funded an initiative to get a similar bill put on the ballot, receiving more than 600,000 signatures — significantly more than necessary (though they were never officially certified).

Just days before the signatures were to be certified, California Democrats made an agreement with Mactaggart that if they could get a compromise bill signed into law prior to the deadline to get the initiative on the ballot he’d pull his version. In Mactaggart’s words, the proposed bill was “substantially similar to our initiative … It gives more privacy protection in some areas, and less in others.”

For their part, tech industry giants — some of which spent lots of money to oppose Mactaggart’s ballot initiative — announced they would not attempt to block the compromise bill, noting that while they disagree with much of it, it prevented the ballot initiative from moving forward.

On June 28, 2018, Gov. Jerry Brown, D-Calif., signed CCPA into law.
CPRA Law and Documents
In September 2019, Alastair Mactaggart, who was instrumental in getting the California Consumer Privacy Act enacted, launched a new ballot initiative to appear on the November 2020 ballot, the California Privacy Rights Act. On Nov. 3, 2020, the CPRA passed. The CPRA amends the CCPA and includes additional privacy protections for consumers. The majority of the CPRA’s provisions will enter into force Jan. 1, 2023, with a look-back to January 2022.

The California Privacy Rights Act of 2020
- To view the text of the CPRA on the California Legislative Information website, click here. The provisions that are not yet operative are listed after the CCPA provision in effect.
- To view the text of the CPRA ballot initiative, click here.
California Privacy Protection Agency
- The CPRA established the California Privacy Protection Agency to implement and enforce the law. The Attorney General also retains civil enforcement authority.
- To view the CPPA page, including information about rulemaking activity, click here.
CPRA Regulations
- On October 21, 2021, the CPPA provided notice to the California attorney general it was prepared to assume rulemaking responsibilities. Rulemaking authority transfers from the attorney general to the CPPA six months after this notice, per Sections 1798.185(d) and 1798.199.40(b).
- On April 21, 2022, rulemaking authority under the CCPA formally transferred to the CPPA.
- The CPPA has begun informal rulemaking activities. You can view its regulations page here.

Featured Resources Latest News and Resources Compliance Resources

Featured Resources

California Privacy Law

“California Privacy Law,” now in its newly updated fifth edition, provides businesses, attorneys, privacy officers and other professionals with the practical guidance and in-depth information to navigate the state’s strict policies.
Read More

Top-10 operational impacts of the CPRA

This is a 10-part series intended to help privacy professionals understand the operational impacts of the California Privacy Rights Act, including how it amends the current rights and obligations established by the California Consumer Privacy Act.
Read More

CPRA is here. Now what?

This web conference discusses CPRA privacy benchmarks and ways to prepare ahead of CPRA rulemaking to come.
Read More

Latest News and Resources

CCPA-/CPRA-Related Legislation Tracker

There are bills pending in the California Legislature that would amend the CCPA and/or the CPRA or otherwise impact how organizations understand or approach each law. This tracker includes the bill number and a brief summary of the proposed legislation, as well as the status and last legislative action. Read More

Save This

All things 'California Privacy Law' with Lothar Determann

California has led the way on many privacy-related laws, going back to at least 2002 when it passed the first data breach notification law in the U.S. More recently, passage of the California Consumer Privacy Act and the California Privacy Rights Act has prompted other states to follow suit. Lothar Determann has long practiced and taught international data privacy law, and beginning in 2013, published the book, “California Privacy Law.” Now in its fifth edition and published by the IAPP for the... Read More

Save This

CPPA anticipates final CPRA regulations will be effective by April

The anticipated finalization of California Privacy Rights Act regulations has been pushed back again. While the CPRA takes effect in just under two weeks — on Jan. 1, 2023 — the California Privacy Protection Agency is still working to promulgate final rules. During a Dec. 16 board meeting, CPPA Executive Director Ashkan Soltani said the final rules will likely be released in late January. Under that timeline, with a 30-day review by the California Office of Administrative Law, the regulations w... Read More

Save This

White Paper – The Alignment Problem with "Sale of Data"

This white paper provides insights on how privacy professionals responded to the Sephora enforcement action, and how they are updating their practices to account for the expansion of "sale." Read More

Save This

Cross-context behavioral advertising is ‘sale.’ It is time to get over it.

It seems like at the start of every year there are new privacy laws. The 2020 new year brought us the California Consumer Privacy Act. The 2023 new year will bring us the California Privacy Rights Act and the Virginia Consumer Data Protection Act, with new legislation from Colorado, Connecticut and Utah arriving a bit later in the year. So yet again, cross-functional privacy teams from across the digital advertising industry are trying to decipher what companies can and can’t do under new state... Read More

Save This

	Web Conference: You’re Not Ready for the CPRA if Your Vendors Aren’t, But There’s Still Time (IAPP, November 2022)
	Web Conference: How to align your teams for Jan. 1, 2023: HR and B2B changes under CPRA (IAPP, November 2022)
	Web Conference: Countdown to the CPRA: 6 weeks to go (IAPP, November 2022)
	Home stretch: Finalization of CPRA regulations draws closer (IAPP, November 2022)
	Web Conference: Lessons from the First CCPA Enforcement Settlement: GPC and Beyond (IAPP, October 2022)
	CPPA publishes first modifications of CPRA draft regulations (IAPP, October 2022)
	CPPA Board chair doubles down on proposed American Data Privacy and Protection Act opposition (IAPP, September 2022)
	CCPA/CPRA grace period for HR and B2B ends Jan. 1 (IAPP, September 2022)
	CCPA enforcement action: A case study at the intersection of privacy and marketing (IAPP, September 2022)
	The Sephora case: Do not sell – But are you selling? (IAPP, August 2022)
	CPPA restates American Data Privacy and Protection Act opposition to US House leaders (IAPP, August 2022)
	CPPA launches CPRA rulemaking process (IAPP, July 2022)
	Web Conference: Unpacking CPRA and 2023 Predictions (IAPP, June 2022)
	Complying with the California Consumer Privacy Act’s consumer request process (IAPP, June 2022)
	Web Conference: Ready For CPRA? Pragmatic Steps to Take Now (IAPP, June 2022)
	Web Conference: The CPRA and Beyond: Compliance with Upcoming State Privacy Laws (IAPP, June 2022)
	CPPA board moves CPRA rulemaking process forward (IAPP, June 2022)
	Web Conference: The Top Reasons Why Your CPRA Compliance Strategy Is Broken and How to Fix It (IAPP, June 2022)
	Privacy pros take stock of surprise CPRA draft regulations (IAPP, June 2022)
	CPPA board charts course for CPRA rulemaking (IAPP, May 2022)
	Guide to collecting personal information under the California Consumer Privacy Act of 2018 (Termageddon, May 2022)
	CPRA for Employers: Developing and Posting a Privacy Notice for Human Resources Data (Littler, April 2022)
	CPRA for Employers: Vendor Contracting Requirements (Littler, April 2022)
	Web Conference: Latest Research Findings on the State of CCPA & GDPR Privacy Rights Compliance (IAPP, April 2022)
	Web Conference: State of CCPA: A Look Back to Prepare for What’s to Come (IAPP, March 2022)
	CPRA regulations delayed past July 1 deadline, expected Q3 or Q4 (IAPP, February 2022)
	CPPA releases public comments for CPRA regs (IAPP, December 2021)
	Status of the California Privacy Protection Agency’s work (IAPP, December 2021)
	Brace for impact: PSR21 workshop focuses on CPRA considerations (IAPP, October 2021)
	Web Conference: From CCPA to CPRA: What’s Changed & What You Need to Do (IAPP, October 2021)
	FTC alum Ashkan Soltani selected to lead CPPA (IAPP, October 2021)
	CPRA could obstruct existing employment rights (IAPP, September 2021)
	Top-10 takeaways from the California AG’s CCPA enforcement case examples (IAPP, September 2021)
	How Defendants Are Attacking CCPA Claims (IAPP, August 2021)
	Web Conference: Your Roadmap to CPRA Compliance in 60 Days (IAPP, July 2021)
	California attorney general offers CCPA enforcement update, launches reporting tool (IAPP, July 2021)
	A look at the California Privacy Protection Agency inaugural meeting (IAPP, June 2021)
	Comparison of Comprehensive Data Privacy Laws in Virginia and California (IAPP, May 2021)
	What the CPPA’s appointments say about enforcement priorities, strategy (IAPP, March 2021)
	A look at possible CPRA compliance challenges (IAPP, August 2021)
	New CCPA regulatory provisions seek to clarify business requirements (IAPP, March 2021)
	Analyzing the CPRA’s new contractual requirements for transfers of personal information (IAPP, March 2021)
	Ambiguity in CPRA imperils content intended for underrepresented communities (IAPP, November 2021)
	New categories, new rights: The CPRA’s opt-out provision for sensitive data (IAPP, February 2021)
	Summary of CPRA Contractual Obligations (IAPP, February 2021)
	Prop 24 passes in Calif., paving way for CPRA (IAPP, November 2020)
	Web Conference: Where We Stand with CPRA, and How This Impacts Your Organization (IAPP, November 2020)
	Whether yes or no, the stakes are high for Calif.’s Prop 24 (IAPP, October 2020)
	Podcast: Alastair Mactaggart on California’s Prop 24 (IAPP, October 2020)
	LinkedIn Live: ‘Ask the Expert: Lothar Determann on California Consumer Privacy’ (IAPP, October 2020)
	Data brokers: A preview of the new edition of ‘California Privacy Law’ (IAPP, October 2020)
	CCPA Litigation Overview (IAPP, October 2020)
	CCPA update: Calif. attorney general comments, new amendments signed into law (IAPP, October 2020)
	Benchmarking CCPA-related data subject requests (IAPP, October 2020)
	What does the CCPA’s ‘purpose limitation’ mean for businesses? (IAPP, September 2020)
	Web Conference: How to Limit Exposure and Minimize Your Risk Under the CCPA (IAPP, September 2020)
	The CCPA dog that didn’t bark: B2B and employee moratoria extended one year (IAPP, September 2020)
	Considerations for digital media publishers and advertisers seeking to engage adtech companies as ‘CCPA Service Providers’ (Network Advertising Initiative, September 2020)
	Web Conference: Privacy and Regulations: What’s Next After CCPA? (IAPP, August 2020)
	CPRA promises short-term consumer benefits, long-term uncertainty (IAPP, July 2020)
	Calif. attorney general updates CCPA FAQ (IAPP, July 2020)
	CCPA draft regulations: Privacy notices and accessibility in the employment context (IAPP, July 2020)
	The new CCPA draft regulations: Identity verification (IAPP, June 2020)
	CCPA litigation: Shaping the contours of the private right of action (IAPP, June 2020)
	Web Conference: CCPA Enforcement: What to Expect after July 1 (IAPP, June 2020)
	Will CPRA prevail on November 3? (IAPP, June 2020)
	At Calif. hearing, critics question CPRA’s timing (IAPP, June 2020)
	Web Conference: Everything You Need to Know about CPRA/CCPA 2.0 (IAPP, June 2020)
	Web Conference: Lessons Learned Tackling CCPA Consumer Rights and GDPR Data Subject Rights (IAPP, June 2020)
	Web Conference: The Impact of CCPA and GDPR on Data Management (IAPP, May 2020)
	Web Conference: California Privacy Rights Act: What Lies Ahead? (IAPP, May 2020)
	LinkedIn Live: Discussing the California Privacy Rights Ballot Initiative (IAPP, May 2020)
	CPRA initiative moves to sampling, CCPA regs likely delayed (IAPP, May 2020)
	CPRA’s top-10 impactful provisions (IAPP, May 2020)
	CPRA analysis: The ‘good’ and ‘bad’ news for CCPA-regulated ‘businesses’ (IAPP, May 2020)
	Infographic: CCPA Enforcement (IAPP, May 2020)
	Web Conference: The CCPA Is Here: Lessons Learned from the First Few Months (IAPP, May 2020)
	Are IP addresses ‘personal information’ under CCPA? (IAPP, April 2020)
	Infographic: The Top-10 Most Impactful Provisions of the CPRA (IAPP, April 2020)
	Data Protection Laws 101: The Recruiter’s Role in California’s Privacy Law (Lever, February 2020)
	CCPA FAQ: Cookies, AdTech & Service Providers (Bryan Cave Leighton Paisner, February 2020)
	Bryan Cave – CCPA Practical Guide (IAPP, January 2020)
	The Litigator’s Handbook: Answers to the Top 50 FAQs Concerning Litigation and the CCPA (Bryan Cave Leighton Paisner, January 2020)
	Are companies using semantics to get around CCPA’s ‘sale’ provision? (IAPP, January 2020)
	Survey of the Retail Industry’s Privacy Practices (Bryan Cave Leighton Paisner, January 2020)
	How the CCPA impacts civil litigation (IAPP, January 2020)
	With the CCPA now in effect, will other states follow? (IAPP, January 2020)
	What you must know about ‘third parties’ under GDPR and CCPA (IAPP, November 2019)
	One law firm’s take on the new draft CCPA regulations (IAPP, October 2019)
	Critics say attorney general’s proposed CCPA regulations add confusion, not clarity (IAPP, October 2019)
	White Paper – 5 Steps You Must Take to Prepare for the CCPA (IAPP, October 2019)
	GDPR and CCPA: A compatibility story (IAPP, October 2019)
	The Privacy Advisor Podcast: Some industry perspective on amended CCPA (IAPP, September 2019)
	On keynote stage, Mactaggart addresses his ‘new’ CCPA (IAPP, September 2019)
	The Privacy Advisor Podcast: CCPA in its final form (IAPP, September 2019)
	A look at the latest CCPA amendment updates (IAPP, September 2019)
	CCPA amendment update: Changes to technical corrections and loyalty programs bills (IAPP, September 2019)
	Navigating disclosures and sales of personal information under the CCPA (IAPP, August 2019)
	A close-up on deidentified data under CCPA (IAPP, August 2019)
	What one CCPA co-architect will watch closely with Sacramento back in session (IAPP, August 2019)
	Implementing the CCPA: A Guide for Global Business, Second Edition (IAPP, August 2019)
	CCPA update: Senate committee pares back amendments (IAPP, July 2019)
	Preparing for CCPA: Start benchmarking now (IAPP, June 2019)
	A data processing addendum for the CCPA? (IAPP, June 2019)
	Comparing Maine and Nevada’s new privacy laws with the CCPA (IAPP, June 2019)
	TheScore’s privacy notice analyzed against the CCPA (IAPP, May 2019)
	Encryption, redaction and the CCPA (IAPP, May 2019)
	Competing CCPA amendments sculpt law’s scope (IAPP, April 2019)
	California lawmakers smooth over some of the CCPA’s rough edges (IAPP, April 2019)
	State legislature debates CCPA ad-tech carve out amendment (IAPP, April 2019)
	CCPA offers minimal advantages for deidentification, pseudonymization, and aggregation (IAPP, January 2019)
	Analysis: The California Consumer Privacy Act of 2018 (IAPP, July 2018)
	GDPR matchup: The California Consumer Privacy Act 2018 (IAPP, July 2018)
	Web Conference: Understanding the California Consumer Privacy Act of 2018 (IAPP, July 2018)
	New California privacy law to affect more than half a million US companies (IAPP, July 2018)

View More Resources

Compliance Resources

Web Conference: How to align your teams for Jan. 1, 2023: HR and B2B changes under CPRA

Original broadcast date: 11 Nov. 2022 This web conference will address how to develop processes and procedures to verify and respond to employee requests to data, discover what you need to know about new obligations for your B2B relationships and more. Read More

Save This

Web Conference: You’re Not Ready for the CPRA if Your Vendors Aren’t, But There’s Still Time

Original broadcast date: 14 Nov. 2022 In this web conference, panelists explain the key elements of the proposed rules and the consequences of failing to perform vendor due diligence and risk assessments. They cover the actions you can take now to ensure you can meet your regulatory requirements to verify your vendors’ compliance, create the new and required counter-party contracts, and your imminent obligation to audit your vendors. They also discuss real-life examples of what can go wrong and how new software can help. Read More

Save This

CCPA/CPRA grace period for HR and B2B ends Jan. 1

On Aug. 31, hopes were dashed when the California legislative session ended without enacting Assembly Bill 1102. The bill would have extended grace periods for certain business-to-business and human resources personal information under the California Consumer Privacy Act as amended by the California Privacy Rights Act. CCPA/CPRA will become fully operational on Jan. 1, 2023, for B2B and HR personal information and will be subject to the same rigorous California privacy regulations as "consumer" ... Read More

Save This

Complying with the California Consumer Privacy Act’s consumer request process

The California Consumer Privacy Act gives California residents the right to know what personal information a business collects about them and how it is used. The law likewise imposes obligations on businesses to ensure consumers can exercise this right. Although the CCPA and its regulations provide a framework, operationalizing the consumer request process can be complex. Two compliance issues that present challenges for organizations covered by the CCPA are: The scope of information subject... Read More

Save This

Implementing the CCPA: A Guide for Global Business, Second Edition

(September 2019) – This book aims to help the person who is leading a business’s CCPA efforts so they can have a handle on what is necessary to comply and make risk-based choices about how best to proceed. The point is to help companies that do not wish to be the target of class-action activity after the CCPA’s January 1, 2020, effective date to avoid becoming “low-hanging fruit." Read More

Save This

	Web Conference: The CPRA and Beyond: Compliance with Upcoming State Privacy Laws (IAPP, June 2022)
	Web Conference: The Top Reasons Why Your CPRA Compliance Strategy Is Broken and How to Fix It (IAPP, June 2022)
	Guide to collecting personal information under the California Consumer Privacy Act of 2018 (Termageddon, May 2022)
	Web Conference: Latest Research Findings on the State of CCPA & GDPR Privacy Rights Compliance (IAPP, April 2022)
	CPRA for Employers: Developing and Posting a Privacy Notice for Human Resources Data (Littler, April 2022)
	CPRA for Employers: Vendor Contracting Requirements (Littler, April 2022)
	Web Conference: Your Roadmap to CPRA Compliance in 60 Days (IAPP, July 2021)
	Web Conference: CPRA: Challenges for Updating Your Privacy Program … Again (IAPP, January 2021)
	CCPA, CPRA’s hidden ‘third party business’ classification (IAPP, October 2020)
	Web Conference: The LGPD, GDPR, CCPA and More – How to Abide by Multiple Privacy Laws (IAPP, September 2020)
	The CCPA and employee data: A compliance checklist (IAPP, August 2020)
	Web Conference: The CCPA Landscape: Why Minimal Compliance Is Not Enough (IAPP, June 2020)
	Web Conference: Processing DSARs – Lessons from the Early Days of CCPA (IAPP, April 2020)
	Will private litigants be able to enforce the CCPA compliance provisions? (IAPP, February 2020)
	Infographic: Avoiding the pitfalls of CCPA non-compliance (IAPP, December 2019)
	White Paper – Negotiating with Service Providers and Third Parties under CCPA (IAPP, December 2019)
	CCPA Readiness: Third Wave (IAPP, December 2019)
	Web Conference: Preparing for the CCPA Without Boiling the Data Ocean (IAPP, December 2019)
	Google to allow sites to block targeted ads under CCPA (IAPP, November 2019)
	Potential impact of the CCPA in the automotive space: Part II (IAPP, October 2019)
	CCPA’s potential impact in the automotive space (IAPP, October 2019)
	Platform helps organizations take deep dives into GDPR, CCPA (IAPP, October 2019)
	Sample CCPA Privacy Notices (IAPP, September 2019)
	Employers receive last-minute reprieve from the most onerous CCPA compliance obligations (IAPP, September 2019)
	Aiming for CCPA compliance? Define those vendor relationships (IAPP, September 2019)
	CCPA exemption adds compliance considerations for bank CPOs (IAPP, September 2019)
	The unique challenges CCPA poses for SMEs (IAPP, September 2019)
	Why the CCPA’s ‘verified consumer request’ is a business risk (IAPP, August 2019)
	Web Conference: What to Do When Consent Doesn’t Work Under CCPA (IAPP, August 2019)
	Web Conference: CCPA Compliance: Automating the Intake and Fulfillment of Consumer Requests (IAPP, August 2019)
	Service allows companies to set up toll number ahead of CCPA (IAPP, August 2019)
	CCPA Compliance Guide (Skaden, August 2019)
	How to know if your vendor is a ‘service provider’ under CCPA (IAPP, July 2019)
	Infographic: Is Your Business in Need of a CCPA Intervention? (Troutman Sanders, July 2019)
	Does the CCPA regulate internal transfers? (IAPP, June 2019)
	CCPA: What health care, biotech and life sciences companies should know now (IAPP, June 2019)
	White Paper – CCPA Compliance Operation: Delivering Data Access via Accounts (IAPP, June 2019)
	Are there joint controllers under the CCPA? (IAPP, May 2019)
	Global Privacy Summit dispatch: How to leverage GDPR work for CCPA compliance (IAPP, May 2019)
	Can organizations sell children’s data under the CCPA? (IAPP, May 2019)
	What should employers do about the CCPA? (IAPP, April 2019)
	What does the CCPA mean for colleges and universities? (IAPP, March 2019)
	Where to begin to operationalize CCPA compliance (IAPP, January 2019)
	Web con: ‘California’s Privacy Law Changes and Its Impact on Brands’ (IAPP, November 2018)
	How the CCPA could be great for startups (IAPP, November 2018)
	CCPA Transparency Chart (IAPP, July 2018)

View More Resources

ResourceCenter

All the privacy tools and information you need in one easy-to-find place

CCPA and CPRA

Featured Resources

California Privacy Law

Top-10 operational impacts of the CPRA

CPRA is here. Now what?

Latest News and Resources

CCPA-/CPRA-Related Legislation Tracker

All things 'California Privacy Law' with Lothar Determann

CPPA anticipates final CPRA regulations will be effective by April

White Paper – The Alignment Problem with "Sale of Data"

Cross-context behavioral advertising is ‘sale.’ It is time to get over it.

Compliance Resources

Web Conference: How to align your teams for Jan. 1, 2023: HR and B2B changes under CPRA

Web Conference: You’re Not Ready for the CPRA if Your Vendors Aren’t, But There’s Still Time

CCPA/CPRA grace period for HR and B2B ends Jan. 1

Complying with the California Consumer Privacy Act’s consumer request process

Implementing the CCPA: A Guide for Global Business, Second Edition