California was the first U.S. state to pass a comprehensive privacy law: the CCPA (enacted 2018, effective Jan 1, 2020), later amended and extended by the CPRA (passed late 2020, effective Jan 1, 2023), which also created the CPPA.
California's privacy framework timeline

| Law | Action | Enacted/Passed | Effective |
| --- | --- | --- | --- |
| CCPA | First state comprehensive law | 2018 | January 1, 2020 |
| CPRA | Amended and extended the CCPA; created the CPPA | Late 2020 | January 1, 2023 |
The CPRA made California's framework even more GDPR-like and created the CPPA, a dedicated privacy regulator widely viewed as California's answer to the EU practice of using a DPA to investigate complaints and enforce rights.
💡 As California goes...
California was first on data breach notification (2003) and data security (2004) too. The saying "as California goes, so goes the nation" captures why its comprehensive law is expected to spread - all 50 states now have breach notification laws.
⚠️ Don't confuse CCPA effective date with CPRA passage
The CCPA was enacted in 2018 but did not take effect until Jan 1, 2020. The CPRA passed in late 2020 and became effective Jan 1, 2023. The exam may juxtapose these dates to trip you up.
Key terms - quick answers
What is “CCPA”?
The California Consumer Privacy Act, enacted 2018 with an effective date of January 1, 2020; the first U.S. state comprehensive privacy law.
What is “CPRA”?
The California Privacy Rights Act, a ballot initiative that passed in late 2020, amended and extended the CCPA, and became effective January 1, 2023.
What is “CPPA”?
The California Privacy Protection Agency, a dedicated privacy regulator created by the CPRA, seen as analogous to an EU data protection authority.
What is “DPA”?
A data protection authority - an independent public authority dedicated to data protection enforcement, the EU model the CPPA mirrors.