The Short Version
California has two major consumer privacy laws that work together: the California Consumer Privacy Act (CCPA), which took effect January 1, 2020, and the California Privacy Rights Act (CPRA), which took effect January 1, 2023 and significantly amended the CCPA.
Think of it this way: the CCPA was Version 1.0 of California's privacy framework, and the CPRA was Version 2.0, an upgrade that added new rights, created a new enforcement agency, and closed several loopholes that businesses had been exploiting.
Today, when people refer to "California privacy law," they typically mean the CCPA as amended by the CPRA. The full set of regulations is often just called "CCPA/CPRA."
The CCPA: Where It All Began (2018–2020)
The California Consumer Privacy Act was signed into law on June 28, 2018, the same day that its sponsors had threatened to put a ballot initiative before California voters. The tech industry, fearful of an even stricter law passing by popular vote, worked with legislators to pass the CCPA instead.
The CCPA gave California consumers four core rights: the right to know what personal information businesses collect about them, the right to request deletion of that information, the right to opt out of the sale of their personal information, and the right not to be discriminated against for exercising these rights.
It applied to for-profit businesses in California with annual revenue over $25 million, businesses that process data of 50,000+ consumers (now 100,000+), or businesses that earn 50%+ of annual revenue from selling personal data.
The CCPA took effect January 1, 2020, with enforcement beginning July 1, 2020.
Key CCPA Shortcomings
Almost immediately, privacy advocates identified significant gaps in the CCPA:
The "sharing" loophole: The CCPA only allowed opt-out of "sale" (defined as exchanging data for money or valuable consideration). Many argued that sharing data with advertising networks like Google's didn't technically constitute a "sale" because no direct payment changed hands, even though data flowed freely. This loophole allowed massive behavioral tracking to continue.
No right to correct: The original CCPA let you delete your data but not correct it if it was wrong. This was a significant omission: inaccurate data in credit reports, background checks, and insurance databases can cause real harm.
No dedicated enforcement agency: The California Attorney General was the sole enforcer, which limited the pace and scope of enforcement given the AG's other responsibilities.
No sensitive data category: The CCPA treated a Social Security number the same as a cookie preference: all personal data had the same level of protection regardless of how sensitive it was.
The CPRA: Closing the Gaps (2020–2023)
In November 2020, California voters approved Proposition 24, the California Privacy Rights Act, with 56.2% of the vote. The CPRA was drafted by Alastair Mactaggart, the same real estate developer who funded the original CCPA ballot initiative threat.
The CPRA made sweeping changes to the CCPA, effective January 1, 2023:
New opt-out right for "sharing": The CPRA added a right to opt out of "sharing" personal data for cross-context behavioral advertising, closing the loophole that let targeted advertising continue despite CCPA opt-outs.
New right to correct: Consumers can now request correction of inaccurate personal information.
Sensitive Personal Information (SPI): A new category of data (SSNs, precise geolocation, health data, racial origin, religious beliefs, sexual orientation, biometrics) with enhanced protections and a separate right to limit use.
California Privacy Protection Agency (CPPA): A new dedicated state agency with rulemaking authority and enforcement power, the first of its kind in the U.S.
Data minimization: Businesses can now only collect and use data that is reasonably necessary and proportionate for the disclosed purpose.
Increased thresholds: The data processing threshold increased from 50,000 to 100,000 consumers or households.
Your Complete Rights Under CCPA/CPRA Today
As a California resident, you currently have all of the following rights:
- Right to Know: Request what personal information a business has collected about you, from where, why, and who it's shared with, for the past 12 months (or longer under certain circumstances).
- Right to Delete: Request deletion of your personal information, with exceptions for legal obligations, security purposes, and necessary service operations.
- Right to Correct: Request correction of inaccurate personal information a business holds about you.
- Right to Portability: Receive a copy of your personal information in a portable, machine-readable format.
- Right to Opt Out of Sale: Prevent the sale of your personal information to third parties.
- Right to Opt Out of Sharing: Prevent sharing of your personal information for cross-context behavioral advertising.
- Right to Limit Sensitive Data Use: Restrict how businesses use your sensitive personal information to necessary purposes.
- Right re: Automated Decisions: Opt out of automated decision-making technology in certain contexts.
- Right to Non-Discrimination: Businesses cannot discriminate against you for exercising any of these rights.
Enforcement: From AG to CPPA
One of the most significant changes the CPRA made was creating the California Privacy Protection Agency (CPPA), a fully independent state agency with its own board, staff, and rulemaking authority, modeled roughly on the FTC but focused exclusively on privacy.
Before the CPPA, enforcement rested solely with the California Attorney General, who had limited resources and a wide mandate beyond just privacy. The CPPA changes this equation significantly: it can issue regulations, investigate violations, and levy fines without waiting for the AG to prioritize privacy cases.
Penalties remain at $2,500 per unintentional violation and $7,500 per intentional violation, with a separate civil penalty for data breaches involving children's information ($7,500 per child per incident). The private right of action for data breaches remains: $100–$750 per consumer per incident.
Since 2023, the CPPA has been actively engaged in rulemaking on automated decision-making, cybersecurity audits, and data protection assessments for high-risk processing activities.