Introduction to Resource Center
This page provides an overview of the IAPP's Resource Center offerings.

Contact Resource Center
For any Resource Center related inquiries, please reach out to resourcecenter@iapp.org.

CCPA and CPRA
 

Resource Center / Topic Pages / CCPA and CPRA

Image

CCPA and CPRA

TOPIC PAGE

This topic page contains a curation of the IAPP’s coverage, analysis and relevant resources regarding the California Consumer Privacy Act and California Privacy Rights Act.

In June 2018, the CCPA was signed into law, creating new privacy rights for Californians and significant new data protection obligations for businesses. The CCPA went into effect Jan. 1, 2020. California’s Office of the Attorney General has enforcement authority.

The CPRA, a ballot initiative that amends the CCPA and includes additional privacy protections for consumers passed in Nov. 2020.

The CPRA established the California Privacy Protection Agency to implement and enforce the law. The Attorney General also retains civil enforcement authority.

  • expand_more

    CCPA Law and Documents

    California Consumer Privacy Act of 2018

    • To view the text of the CCPA on the California Legislative Information website, click here.

    CCPA Regulations

    • To view the CCPA regulations in the California Code of Regulations, click here.
    • The CCPA regulations were reordered and renumbered to reflect the fact the California Privacy Protection Agency assumed rulemaking authority in April 2022. More information about these changes is available on the CPPA’s Regulations page.

    How we got here

    The CCPA came about largely due to the efforts of Alastair Mactaggart, a San Francisco real estate developer and investor. Mactaggart championed and funded an initiative to get a similar bill put on the ballot, receiving more than 600,000 signatures — significantly more than necessary (though they were never officially certified).

    Just days before the signatures were to be certified, California Democrats made an agreement with Mactaggart that if they could get a compromise bill signed into law prior to the deadline to get the initiative on the ballot he’d pull his version. In Mactaggart’s words, the proposed bill was “substantially similar to our initiative … It gives more privacy protection in some areas, and less in others.”

    For their part, tech industry giants — some of which spent lots of money to oppose Mactaggart’s ballot initiative — announced they would not attempt to block the compromise bill, noting that while they disagree with much of it, it prevented the ballot initiative from moving forward.

    On June 28, 2018, Gov. Jerry Brown, D-Calif., signed CCPA into law.

  • expand_more

    CPRA Law and Documents

    In September 2019, Alastair Mactaggart, who was instrumental in getting the California Consumer Privacy Act enacted, launched a new ballot initiative to appear on the November 2020 ballot, the California Privacy Rights Act. On Nov. 3, 2020, the CPRA passed. The CPRA amends the CCPA and includes additional privacy protections for consumers. The majority of the CPRA’s provisions will enter into force Jan. 1, 2023, with a look-back to January 2022.

    The California Privacy Rights Act of 2020

    • To view the text of the CPRA on the California Legislative Information website, click here. The provisions that are not yet operative are listed after the CCPA provision in effect.
    • To view the text of the CPRA ballot initiative, click here.

    California Privacy Protection Agency

    • The CPRA established the California Privacy Protection Agency to implement and enforce the law. The Attorney General also retains civil enforcement authority.
    • To view the CPPA page, including information about rulemaking activity, click here. The CPPA additionally published a separate guidance page to help Californians better understand and protect their privacy rights, available here.

    CPRA Regulations

    On October 21, 2021, the CPPA provided notice to the California attorney general it was prepared to assume rulemaking responsibilities. Rulemaking authority transfers from the attorney general to the CPPA six months after this notice, per Sections 1798.185(d) and 1798.199.40(b).

    • On April 21, 2022, rulemaking authority under the CCPA formally transferred to the CPPA.
    • The CPPA has begun informal rulemaking activities. You can view its regulations page here.

Featured Resources

Back to top

BOOK

California Privacy Law

“California Privacy Law” provides practical guidance and in-depth information to navigate the state’s strict policies.
Read More

CHART

California Privacy and AI Legislation Tracker

This tracker highlights any California data law with potential privacy or AI governance implications across sectors.
Read More

ARTICLE

New California laws look to future of privacy and AI

This article covers California’s 2023-24 legislative session, which saw a flurry of privacy and AI bills signed into law.
Read More

ARTICLE

Piecing together the CCPA’s opt-in, -out requirements

Complying with the CCPA can feel like assembling a tedious jigsaw puzzle. This article discusses processing requirements under the CCPA.
Read More

ARTICLE SERIES

Top-10 operational impacts of the CPRA

This is a 10-part series intended to help privacy professionals understand the operational impacts of the California Privacy Rights Act.
Read More

CHART

California Rulemaking Process Overview

This chart provides a roadmap for the California rulemaking process as the CPPA continues to promulgate regulations delegated to it by California legislators and voters.
Read More

Back to Top

Back to top

Additional News and Resources

CPPA trims requirements from proposed ADMT rules

ARTICLE

California legislators challenge independence of CPPA rulemaking authority

ARTICLE

4 critical compliance areas companies should review after CPPA’s Honda settlement

ARTICLE

CPPA Board approves data broker regulations

ARTICLE

CPPA to initiate formal ADMT rulemaking process as executive director set to depart

ARTICLE

CPPA to conduct data broker registry sweep

ARTICLE

The CPPA’s evolving cooperation with DPAs, bodies around the world

ARTICLE

Questions of scope, impact delay CPPA formal ADMT rulemaking

ARTICLE

IAPP GPS 2024: CPPA’s Soltani details agency’s packed agenda

ARTICLE

CPPA issues first enforcement advisory

ARTICLE

Checking in on proposed California privacy and AI legislation

ARTICLE

State appeals court rules first CPRA regulations enforceable

ARTICLE

California proposes CCPA children’s privacy gap fix

ARTICLE

After contentious meeting, CPPA moves ADMT rules forward

ARTICLE

Immediate action required: Navigating CPRA compliance and enforcement in 2024

WEB CONFERENCE

California privacy: 2022-23 legislative wrap-up

ARTICLE

CPPA releases initial automated decision-making rules proposal

ARTICLE

CPPA’s draft automated decision-making rules unpacked

ARTICLE

The CPPA’s upcoming rulemaking process

ARTICLE

The California Delete Act: Implications for data brokers and privacy

VIDEO

Comparison: CCPA’s Notice of Financial Incentive and Colorado Privacy Act’s Bona Fide Loyalty Program Rules

REPORT

CPPA debuts new CPRA complaint form

ARTICLE

CPRA is here – How to get ahead

WEB CONFERENCE

Court decision pushes CPRA regulations enforcement to March 2024

ARTICLE

CCPA enforcers emphasize compliance, downplay federal preemption

ARTICLE

CPRA regulations finalized with OAL approval

ARTICLE

California legislative wrap-up: CCPA amendments, children’s privacy and more

ARTICLE

California Privacy Rights Act: Are We There Yet?

WEB CONFERENCE

Does the CCPA as modified by the CPRA apply to your business?

ARTICLE

Proposed CPRA regulations finalized; CPPA targets April effective date

ARTICLE

All things ‘California Privacy Law’ with Lothar Determann

PODCAST EPISODE

CPPA anticipates final CPRA regulations will be effective by April

ARTICLE

The Alignment Problem with “Sale of Data”

WHITE PAPER

Cross-context behavioral advertising is ‘sale.’ It is time to get over it.

ARTICLE

Home stretch: Finalization of CPRA regulations draws closer

ARTICLE

Lessons from the First CCPA Enforcement Settlement: GPC and Beyond

WEB CONFERENCE

CPPA publishes first modifications of CPRA draft regulations

ARTICLE

CPPA Board chair doubles down on proposed American Data Privacy and Protection Act opposition

ARTICLE

CCPA/CPRA grace period for HR and B2B ends Jan. 1

ARTICLE

CCPA enforcement action: A case study at the intersection of privacy and marketing

ARTICLE

The Sephora case: Do not sell – But are you selling?

ARTICLE

California attorney general announces first CCPA enforcement action

ARTICLE

CPPA restates American Data Privacy and Protection Act opposition to US House leaders

ARTICLE

CPPA launches CPRA rulemaking process

ARTICLE

Complying with the California Consumer Privacy Act’s consumer request process

ARTICLE

CPPA board moves CPRA rulemaking process forward

ARTICLE

Privacy pros take stock of surprise CPRA draft regulations

ARTICLE

CPPA board charts course for CPRA rulemaking

ARTICLE

Guide to collecting personal information under the California Consumer Privacy Act of 2018

GUIDANCE

CPRA for Employers: Developing and Posting a Privacy Notice for Human Resources Data

GUIDANCE

CPRA for Employers: Vendor Contracting Requirements

GUIDANCE

State of CCPA: A Look Back to Prepare for What’s to Come

WEB CONFERENCE

CPRA regulations delayed past July 1 deadline, expected Q3 or Q4

ARTICLE

CPPA releases public comments for CPRA regs

ARTICLE

Status of the California Privacy Protection Agency’s work

ARTICLE

Brace for impact: PSR21 workshop focuses on CPRA considerations

ARTICLE

FTC alum Ashkan Soltani selected to lead CPPA

ARTICLE

CPRA could obstruct existing employment rights

ARTICLE

Top-10 takeaways from the California AG’s CCPA enforcement case examples

ARTICLE

How Defendants Are Attacking CCPA Claims

TOOL

California attorney general offers CCPA enforcement update, launches reporting tool

ARTICLE

A look at the California Privacy Protection Agency inaugural meeting

ARTICLE

What the CPPA’s appointments say about enforcement priorities, strategy

ARTICLE

New CCPA regulatory provisions seek to clarify business requirements

ARTICLE

Analyzing the CPRA’s new contractual requirements for transfers of personal information

ARTICLE

Ambiguity in CPRA imperils content intended for underrepresented communities

ARTICLE

New categories, new rights: The CPRA’s opt-out provision for sensitive data

ARTICLE

Summary of CPRA Contractual Obligations

CHART

Prop 24 passes in Calif., paving way for CPRA

ARTICLE

Whether yes or no, the stakes are high for Calif.’s Prop 24

ARTICLE

Podcast: Alastair Mactaggart on California’s Prop 24

PODCAST EPISODE

Data brokers: A preview of the new edition of ‘California Privacy Law’

ARTICLE

CCPA Litigation Overview

CHART

CCPA update: Calif. attorney general comments, new amendments signed into law

ARTICLE

Benchmarking CCPA-related data subject requests

ARTICLE

What does the CCPA’s ‘purpose limitation’ mean for businesses?

ARTICLE

The CCPA dog that didn’t bark: B2B and employee moratoria extended one year

ARTICLE

Privacy and Regulations: What’s Next After CCPA?

WEB CONFERENCE

CPRA promises short-term consumer benefits, long-term uncertainty

ARTICLE

CCPA draft regulations: Privacy notices and accessibility in the employment context

ARTICLE

The new CCPA draft regulations: Identity verification

ARTICLE

CCPA litigation: Shaping the contours of the private right of action

ARTICLE

Will CPRA prevail on November 3?

ARTICLE

At Calif. hearing, critics question CPRA’s timing

ARTICLE

CPRA initiative moves to sampling, CCPA regs likely delayed

ARTICLE

CPRA’s top-10 impactful provisions

ARTICLE

CPRA analysis: The ‘good’ and ‘bad’ news for CCPA-regulated ‘businesses’

ARTICLE

CCPA Enforcement Infographic

INFOGRAPHIC

Are IP addresses ‘personal information’ under CCPA?

ARTICLE

The Top 10 Most Impactful Provisions of the CPRA

INFOGRAPHIC

CCPA FAQ: Cookies, AdTech & Service Providers

GUIDANCE

Are companies using semantics to get around CCPA’s ‘sale’ provision?

ARTICLE

Survey of the Retail Industry’s Privacy Practices

REPORT

How the CCPA impacts civil litigation

ARTICLE

With the CCPA now in effect, will other states follow?

ARTICLE

What you must know about ‘third parties’ under GDPR and CCPA

ARTICLE

One law firm’s take on the new draft CCPA regulations

ARTICLE

Critics say attorney general’s proposed CCPA regulations add confusion, not clarity

ARTICLE

5 Steps You Must Take to Prepare for the CCPA

WHITE PAPER

GDPR and CCPA: A compatibility story

ARTICLE

On keynote stage, Mactaggart addresses his ‘new’ CCPA

ARTICLE

Sample CCPA Privacy Notices

GUIDANCE

A look at the latest CCPA amendment updates

ARTICLE

CCPA amendment update: Changes to technical corrections and loyalty programs bills

ARTICLE

Navigating disclosures and sales of personal information under the CCPA

ARTICLE

A close-up on deidentified data under CCPA

ARTICLE

What one CCPA co-architect will watch closely with Sacramento back in session

ARTICLE

Implementing the CCPA: A Guide for Global Business, Second Edition

BOOK

CCPA update: Senate committee pares back amendments

ARTICLE

Does the CCPA regulate internal transfers?

ARTICLE

Preparing for CCPA: Start benchmarking now

ARTICLE

A data processing addendum for the CCPA?

ARTICLE

Comparing Maine and Nevada’s new privacy laws with the CCPA

ARTICLE

TheScore’s privacy notice analyzed against the CCPA

ARTICLE

Encryption, redaction and the CCPA

ARTICLE

Competing CCPA amendments sculpt law’s scope

ARTICLE

California lawmakers smooth over some of the CCPA’s rough edges

ARTICLE

State legislature debates CCPA ad-tech carve out amendment

ARTICLE

CCPA offers minimal advantages for deidentification, pseudonymization, and aggregation

ARTICLE

Analysis: The California Consumer Privacy Act of 2018

ARTICLE

GDPR matchup: The California Consumer Privacy Act 2018

ARTICLE

New California privacy law to affect more than half a million US companies

ARTICLE

Back to top

Back to Top

Back to top