close
View other resources
header image

Official Guide to CCPA

Unpacking California’s Consumer Privacy Act

The California Consumer Privacy Act (CCPA) is the first comprehensive consumer privacy law in the United States. The law, effective on January 1, 2020, outlines requirements for businesses collecting personal data about California residents, including how and when they can do so, and what they can do with that information.

The California Privacy Rights Act (CPRA) amended the CCPA with enhanced privacy protections for Californians upon passage in 2020.

At the beginning of 2023, the CPRA amendment became effective, and in the March 2023, California’s Office of Administrative Law (OAL) approved the updated regulations put forth by a new governing body, the California Privacy Protection Agency (CPPA).

In this guide, DataGrail unpacks and explains the CCPA’s critical points and provides insights into the new governing body, the CPPA. We’ll dive into best practices for supercharging your privacy program to help your company build consumer trust, reduce business risk, and avoid penalties.

Note: On Friday, June 30, 2023, the Superior Court of California, County of Sacramento, complicated matters by issuing an order delaying enforcement of OAL-approved regulations from March 2023 by one year, moving enforcement to March 2024. This ruling may give the impression that businesses need not comply with CCPA for another year — this is not the case.

CPRA and the original CCPA are fully enforceable. Consumer transparency, privacy requests, do not share/sell, etc., are still enforceable.

The OAL-approved regulations put forth by the CPPA from March 2023 are less about creating new rules and more about clarifying existing obligations.

Highlights: The Impact of CCPA

The CCPA timeline

  • Jan 2020
    timeline marker
    CCPA goes into effect
  • Jan 2021
    timeline marker
    CPRA made law and CPPA is established
  • Jan 2022
    timeline marker
    12-month lookback period for collected data commences
  • Jul 2022
    timeline marker
    CPPA commences process to update existing and adopt new regulations
  • Jan 2023
    timeline marker
    CPRA amendment becomes effective
  • Mar 2023
    timeline marker
    OAL approves CPPA’s proposed regulations
  • Jun 2023
    timeline marker
    CA Superior Court issues one-year delay for OAL-approved CPRA regulations from March 2023
  • Jul 2023
    timeline marker
    CPRA statute becomes enforceable by the CPPA

The Basics: CCPA, CPRA, and CPPA

Privacy is complex, and so are the acronyms.

CPRA amended the CCPA with enhanced privacy protections for Californians upon passage in 2020. At the beginning of 2023, the CPRA amendment became effective, and in March 2023, California’s Office of Administrative Law (OAL) approved the updated regulations put forth by the CPPA.

The CPPA (“the Agency,” for clarity’s sake) is a regulatory body with full administrative power to interpret the provisions of the CCPA and enforce prescribed sanctions and penalties for violations. The Agency is initially operating with an annual budget of $10 million to hire staff, enforce the law, and drive awareness.

The Agency has four primary functions:

  • Education: Promote public awareness around data privacy
  • Rulemaking: Issue new rules or update existing ones
  • Enforcement: Investigate violations, impose necessary fines, and go to court in a civil action to recover unpaid fines
  • Certification: Accredit organizations falling outside the scope of the CCPA that still wish to certify their privacy programs
continue reading