The California Attorney General’s Office rightly claims a ‘landmark’ privacy law was delivered when the California Consumer Privacy Act of 2018 (CCPA) was signed into law on June 28, 2018.

It began as a ballot initiative in October 2017 by a group of privacy advocates who organized under the name Californians for Consumer Privacy. The text of the initiative, titled The Consumer Right to Privacy Act of 2018 noted “the Californian Legislature has adopted specific mechanisms to safeguard Californians’ privacy”, including the Shine the Light law “intended to give Californians the who, what, where and when of how businesses handle consumer’s personal information. But technology has advanced exponentially and business practices have changed dramatically.”

Key privacy concerns raised in the initiative included:

    • Businesses track consumers’ behavior and locations, such as online activities, health information, financial information, and social networks – “You should have the right to know what personal information businesses collect about you and your children, and what they do with it, including to whom they sell it”CCPA compliance
    • Businesses profit from collecting and selling personal information
    • Consumers lack control over their personal information, “which limits Californians’ ability to properly protect and safeguard their privacy”
    • Data breaches expose personal information – businesses must take reasonable steps to safeguard Californian consumers’ personal information and must be held “accountable if such information is compromised as a result of a security breach”.

An amended version of the text was then tabled in February 2018 by Edwin Chau, a member of the California State Assembly. In late June 2018, Californians for Consumer Privacy agreed to withdraw the original ballot initiative if the California Consumer Privacy Act (CCPA) is passed. While an agreement was quickly reached and the act became law on June 28, 2018, lobbying for amendments by privacy advocates and businesses alike continues.

How CCPA Regulations Changed the Privacy Landscape

As the first consumer data privacy and data breach law in the US the CCPA heralded major transformations across the privacy landscape well beyond California’s state boundaries. 

The day it was signed, Senator Bill Dodd, who backed Senate Bill 1211, said in a media release: “Once again, California is taking the lead in protecting consumers and holding bad actors accountable. My hope is other states will follow…”

Assembly Member Chau, in the same media release, described the act as a historic step to “protect children and consumers by giving them control of their own personal data. Consumers should have a right to choose how their personal information is collected and used by businesses. It is your data, your privacy, your choice.”

Founder of Californians for Consumer Privacy, Alastair Mactaggart, was reported by Reuters as saying the Act was “a landmark accomplishment, which is the strictest privacy bill in the history of the country”.

Since its enactment the CCPA has served as both a blueprint and a testbed for enforcing the protection of consumer privacy rights in several US states, including Virginia, Colorado, and Washington.

The CCPA was updated with the California Privacy Rights Act (CPRA), which became enforceable by the California Privacy Protection Agency on July 1, 2023. The Office of the California Attorney General explains: “CPRA amends the CCPA; it does not create a separate, new law. As a result, our office typically refers to the law as CCPA or CCPA, as amended.”

[For more information on how CCPA was amended by CPRA, read Summary of the California Privacy Rights Act (CPRA) Main Rules.]

Summary of Californian Consumers’ Privacy Rights Under CCPA

Californian consumers’ privacy rights were strengthened by CCPA regulations with several new rules addressing concerns about businesses using increasingly complex data collection and tracking technologies and profiting from the sale of personal information.

The California Consumer Privacy Act delivered four important privacy rights related to personal information:

    1. Right to know what personal information is collected by a business, and how it is used, shared, and sold
    2. Right to delete records of personal information
    3. Right to opt-out of sharing and/or sale of personal information
    4. Right to non-discrimination for exercising privacy rights under CCPA.

In 2020, the CCPA as amended by CPRA, adding two important new rights which became effective on January 1, 2023:

  1. Right to correct inaccurate records of personal information about a consumer held by a business; and
  2. Right to limit use and sharing of sensitive personal information to only activities that are reasonably necessary for a business to provide the service/s or product/s requested by the consumer.

CCPA compliance

Definition Of ‘Consumer’ With Rights Under CCPA

The Office of the Attorney General’s guide to CCPA explains, “only California residents have rights under the CCPA”. The text defines a ‘consumer’ as:

“A California resident is a natural person (as opposed to a corporation or other business entity) who resides in California, even if the person is temporarily outside of the state.”

California Consumer Privacy Act: Key Dates

california big techCalifornian privacy advocates have spent decades railing against the growing influence of some of the world’s biggest technology companies headquartered in their state, such as Amazon, Apple, Meta (Facebook), Google, and Microsoft. 

Likewise, these companies continue to lobby hard against restraints to their massive data collection activities because they earn billions from targeted advertising. An article in The Atlantic on June 1, 2023, reported advertising earnings contributed especially huge percentages to the revenues of Google (80%) and Meta (more than 90%); and several media outlets including Wired and The Register have also called out ‘big tech’ for talking up privacy while trying to kill privacy legislation.

Arguably, the very public lobbying by big technology companies against California’s landmark privacy regulations simply accelerated the passing of the CCPA (and its CPRA amendment).

As privacy battle lines are still being fought publicly in California (and other states), the timeline below highlights key dates relating to the proposal, enactment, and enforcement of the legislation:

    • October 12, 2017 – Rick Arney, Alastair Mactaggart and Mary Stone Ross of the privacy advocacy group which became known as Californians for Consumer Privacy file The Consumer Right to Privacy Act of 2018 ballot initiative
    • December 18, 2017 – The ballot initiative is approved by the California Department of Justice and California Secretary of State Alex Padilla announces the advocacy group may begin collecting Californian voters’ signatures so it can be voted on in a November 2018 ballot. The group is given 180 days to collect 365,880 signatures
    • February 13, 2018 – Assemblymember Chau and Senator Robert Hertzberg introduce Senate Bill 1121 with the Senate Committee on Rules. It includes swathes of text from the ballot initiative, with slightly fewer restrictions on businesses 
    • May 25, 2018 On the same day the GDPR becomes effective, California’s Senate Committee on Appropriations votes 5–2 to pass Senate Bill 1121, sending it to the Senate
    • May 30, 2018 – The California Senate votes 22–13 to pass Senate Bill 1121
    • June 21, 2018 – Californians for Consumer Privacy agree that if Senate Bill 1121 is passed the privacy advocacy group will withdraw its ballot initiative – this puts pressure on the Senate as the initiative must be withdrawn by June 28, 2018, otherwise it will go on the ballot in November 2018
    • June 25, 2018California Secretary of State Alex Padilla announces the consumer privacy rights ballot initiative is eligible for the November 2018 ballot
    • June 28, 2018 – Governor Jerry Brown signs the California Consumer Privacy Act (CCPA) into law, triggering the withdrawal of the more detailed Californians for Consumer Privacy ballot initiative 
    • January 1, 2020 – California Consumer Privacy Act becomes effective
    • July 1, 2020 – Enforcement of CCPA begins.

Access More Information from TrustArc About CCPA Regulations and Compliance

This background brief is part of a series of briefs by TrustArc experts on the California Consumer Privacy Act, which includes a summary of the main rules, a compliance checklist, a technical brief, and expert commentary on CCPA implications

We recommend you access TrustArc’s CCPA & CPRA Compliance Solutions & Tools and read How the California Privacy Rights Act Updates the California Consumer Privacy Act.