Overview
This resource page from the IAPP provides a comprehensive overview and curated set of materials regarding the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including legal background, enforcement updates, compliance tools, and news analysis for privacy professionals.
Legal Background and Evolution
- The CCPA was signed into law in June 2018, granting new privacy rights for Californians and data protection obligations for businesses.
- The CCPA went into effect on Jan. 1, 2020, with enforcement by the California Office of the Attorney General.
- The CPRA, passed in Nov. 2020 via ballot initiative, amends the CCPA and adds further privacy protections.
- The CPRA created the California Privacy Protection Agency (CPPA), transferring rulemaking and enforcement authority from the Attorney General to the agency as of April 2022.
- Most CPRA provisions are effective Jan. 1, 2023, with some retroactive application to data collected since Jan. 1, 2022.
Key Regulatory and Enforcement Developments
- The CPPA oversees implementation, rulemaking, and enforcement for both the CCPA and CPRA.
- New rules cover risk assessment, cybersecurity audits, automated decision-making technology (ADMT), and data broker regulations.
- Courts have recently ruled on the enforceability and scope of CPRA regulations.
- The Attorney General retains civil enforcement powers in addition to the CPPA’s authority.
Resources and Tools for Compliance
- The page offers curated news articles, research reports, infographics, and white papers covering legal changes and compliance best practices.
- Tools include legislation trackers, sample privacy notices, and summaries of contractual obligations.
- Infographics and charts help organizations understand requirements for transparency, data sales, enforcement, and operational impacts.
- Podcasts and videos provide expert insights and updates from CPPA officials and privacy professionals.
Major Topics in News and Analysis
- Coverage addresses enforcement actions, regulatory clarification, legislative amendments, and operational impacts on businesses.
- Subjects include opt-in/opt-out requirements for sensitive personal information, children’s privacy, data subject requests, and third-party data transfers.
- Analysis compares CCPA/CPRA with other privacy laws (e.g., GDPR, state-level privacy legislation).
Recommendations / Advice
- Organizations subject to CCPA/CPRA should regularly monitor CPPA rulemaking and enforcement updates.
- Use the provided tools and trackers to benchmark compliance and adapt policies to evolving requirements.
- Pay attention to contractual, notice, and data management obligations highlighted in research articles.
- Review recent enforcement actions and case studies to identify risk areas and emerging regulatory priorities.