CCPA/CPRA Portal: The California Consumer Privacy Act and the California Privacy Rights Act (CPRA)
Join IA

CCPA/CPRA Portal

Practical guidance, model language, and updates for insights, research, and analytics teams on the California Consumer Privacy Act (CCPA) / California Consumer Privacy Rights Act (CPRA).

CCPA/CPRA Portal

The California Consumer Privacy Act (CCPA) /California Privacy Rights Act (CPRA)

A complicated, confusing and comprehensive state privacy regime that impacts most insights, market research and data analytics companies and departments, and covers almost all personal information, online or otherwise. CCPA/CPRA require extensive disclosure about data collection, use and sharing, and consumer rights to data access, deletion and opt out (from data sharing/sale). CCPA/CPRA also further expanded penalties for data security breaches, punishable by private lawsuits.

The California Privacy Protection Agency (CPPA) has wide latitude to enforce the law and issue new regulations.

California

Privacy Law Updates & Insights

Stay current with the rapidly evolving landscape of California privacy law. This section provides year-by-year summaries, regulatory analyses, and legislative updates affecting the insights and analytics industry. From early CCPA amendments to the latest CPRA regulations and emerging requirements around neural data, browser-based opt outs, automated decision making, and data security, these resources help insights professionals understand their responsibilities and stay compliant.

2019: Early Amendments

2019 CCPA Amendments

The first round of CCPA amendments included several key Insights Association legislative wins.

Read more
2020: Early Amendments


Analyzing the California Privacy Rights Act

Proposition 24 (CPRA), passed in 2020, added new consumer rights, expanded business obligations, tightened rules around sensitive data, and eliminated the 30-day cure period.

Read more
2021: Legislative Activity


CCPA-CPRA Year-End Legislative Roundup

A summary of California’s 2021 legislative wins and losses related to CCPA/CPRA amendments.

Read more
2022: Youth Protections & Broader Privacy Changes

California Age Appropriate Design Code Act (A.B. 2273)

A.B. 2273, signed into law on September 15, 2022, restricts the creation of goods, services or product features likely to be accessed by anyone under 18 and restrict collection or use of their data. It goes well beyond the federal Children’s Online Privacy Protection Act (COPPA) in definitions, scope and application.

Read more

2022 California Privacy Legislation Round-Up

An overview of IA wins and losses in 2022 across CCPA/CPRA and related privacy and data security bills.

Read more
2023: Enforcement & Emerging Issues


Final CPRA Regulations Take Effect (Summer 2023)

The final rules implementing the California Privacy Rights Act (CPRA) came into effect just in time for the law’s enforcement on July 1, 2023. Insights professionals need to get acquainted with the new regulations.

Read more

California 2023 Legislative Updates

The insights industry had wins and losses in 2023 in California, as legislators tackled consumer privacy and data security (and HR and AI).

Read more
2024: Rapid Regulatory Shifts


New CPRA Rules Take Immediate Effect (Court Decision)

A February 9, 2024 ruling made new CCPA/CPRA regulations instantly enforceable.

Read more

S.B. 1223 — Neural Data Added as Sensitive Data

Enacted in 2024, this law designates consumer neural data as sensitive information under CCPA/CPRA.

Read more

A.B. 1008 — New Definition Challenges for Personal Information

This 2024 law complicates the definition of personal information by including AI systems “capable of outputting personal information.”

Read more

A.B. 1824 — New M&A Opt-Out Requirements

Requires businesses acquiring personal information through mergers, acquisitions, or bankruptcy to honor the transferor’s consumer opt-out.

Read more

2025: New Rules, new Rights, New Risks


New California Privacy & Cybersecurity Regulations (July 2025)

Newly adopted rules include requirements for cybersecurity audits, privacy impact assessments, and automated decisionmaking technology, including systems used for research incentives.

Read more

A.B. 566 — Browser-Automated Opt-Out Signals

A 2025 law requiring browsers to send opt-out preference signals automatically, significantly reducing the data accessible to insights companies.

Read more

S.B. 446 — Data Breach Notification Timelines

Requires disclosures within 30 days of discovering a breach, with a 15-day notification deadline for the Attorney General after consumer notice.

Read more

A.B. 45 — Privacy Restrictions Near Health Care Providers

Restricts collection, use, sharing, or retention of personal information for individuals located at or near health care service providers or family planning centers.

Read more

2026: Expanded CPPA Rulemaking


New CCPA–CPRA Rules Effective January 1, 2026

These regulations introduce updated privacy provisions and new requirements for cybersecurity audits, privacy impact assessments, and automated decisionmaking technology, including automation used with research incentive programs.

Read more

Model Contracts/Clauses for CCPA/CPRA

Unilateral CCPA Contract Provision for Vendors/Suppliers

Provides a one-way CCPA compliance clause businesses can apply to vendors without requiring mutual execution. (A benefit exclusively for IA company members, available on the Model Contracts & Clauses page)

Data Privacy Contract Addendum for CCPA for clients

Applies CCPA-compliant data privacy standards to clients sharing or processing personal information in research engagements. (A benefit exclusively for IA company members, available on the Model Contracts & Clauses page)

Data Privacy Contract Addendum for CCPA for vendors

Extends CCPA data protection and compliance requirements to vendors handling consumer data. (A benefit exclusively for IA company members, available on the Model Contracts & Clauses page)

CCPA Disclosure/Disclaimer Language for a Telephone Research Call

Provides compliant wording for informing participants about data collection and CCPA privacy rights during phone research. (A benefit exclusively for IA company members, available on the Model Contracts & Clauses page)

Data Broker

Registry & Requirements

California continues to expand its Data Broker Registry requirements, adding broader definitions, stronger disclosure rules, and new tools like mass deletion and the upcoming centralized DROP opt-out system that all registered data brokers must follow.

California Data Broker Registry in Now Online - Is Your Insights Company Registered?

Other insights companies are listed in the California Attorney General’s new data broker registry. It is past time to determine if your company needs to register, too.

Read More
California Data Broker Registry to Add Mass Deletion Button

The governor signed California S.B. 362 into law on October 10, 2023, updating the state data broker registry law and providing consumers a one-stop deletion request mechanism to which all data brokers will need to comply.

Read More
CPPA Expands California Data Broker Definition for Registry

On November 8, 2024, the California Privacy Protection Agency (CPPA) adopted new rules for the state data broker registry, expanding who counts as a data broker.

Read More
California Proposed DROP Rules on Centralized Consumer Requests for Data Brokers

California is preparing regulations to launch the Delete Request and Opt-out Platform (DROP), a centralized data deletion request mechanism for all registered data brokers.

Read More
California Law S.B. 361 Expands Data Broker Disclosure Requirements

2025 California law S.B. 361 expands disclosure requirements for registered data brokers and adds a time limit to one aspect of the upcoming centralized Data Removal and Opt-Out Platform (DROP).

Read More
CCPA/CPRA 

Frequently Asked Questions

Explains how CCPA defines a "sale" and clarifies the distinction between "businesses," "service providers," and "third parties."

Clarifies whether not-for-profit organizations are covered under CCPA.

Guidance on how to respond when a company receives a CCPA “Right to Know” request from a consumer.

Details how to determine whether an organization is a business or service provider (or both), and when written contracts are required for service provider status.

Addresses how CCPA applies to blinded research, including necessary disclosures and whether the research sponsor must be revealed.

Use the CCPA Compliance Checklist, a concise, step-by-step resource from IA outside counsel Stuart Pardau to help IA members get ready for CCPA obligations.

See Big Privacy Laws Starting in 2023 in Five States for practical tips on navigating CCPA/CPRA alongside other comprehensive state privacy laws that took effect starting in 2023.

Read Privacy and Data Security Compliance Is Manageable When You Focus on These 5 Things for five practical strategies from IA outside counsel Stuart Pardau that apply to CCPA and other privacy/data security laws.

Review Healthline $1.55M CCPA Settlement: A Wake-Up Call for analysis of the July 1, 2025 settlement and what it signals for insights professionals handling sensitive data, especially health information and ad tech.

A quick overview of what CCPA covers, who must comply, key definitions (like “personal information” and “sale”), core requirements, enforcement risks, and how it applies to children.https://www.insightsassociation.org/News-Updates/Articles/ArticleID/424/CCPA-Frequently-Asked-Questions-FAQs

This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.

  • Back to top