
What You Need to Know About California Consumer Privacy Act Updates

Daniela Sanchez, Privacy Knowledge Lead, Law Library, TrustArc

Article updated 5/1/2025

The California Consumer Privacy Act (CCPA) was enacted in 2018 and became effective on January 1, 2020. It is one of the most stringent privacy laws in the United States and was the first comprehensive consumer privacy act in the country, which led to a cascade of similar laws across the nation.

This law establishes new protections and limitations for the processing of consumers’ personal information, granting them rights such as access, deletion, correction, data portability, and opt-out options. Although it is a California law, any business outside California must also comply if it conducts business with California residents (natural persons).

This Act has been amended several times to address operational issues in the original law, expand certain rights and protections, and reflect new developments in the industry, including technological advancements and regulatory trends.

Here is a summary of the amendments to the CCPA that have reshaped this Act over the past few years:

SB 1121/2018

SB-1121 was not intended to alter the spirit or purpose of the CCPA, but rather to clarify, narrow, and refine its initial provisions, particularly regarding enforcement and scope. It was the first of several amendments leading up to the introduction of the California Privacy Rights Act (CPRA) in 2020, which further expanded and refined the CCPA. The main changes included:

  • Limiting the Private Right of Action: SB-1121 restricted the private right of action to instances involving data breaches of unencrypted or unredacted personal information resulting from a business’s failure to implement reasonable security measures.
  • Clarifying Enforcement Authority: The bill affirmed that only the California Attorney General can enforce the CCPA, eliminating the possibility of enforcement by other state or local agencies.
  • Exempting Certain Data: The amendments clarified that personal information already regulated under federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), is exempt from the CCPA provisions.

AB 713/2018

Harmonized the CCPA with existing medical rules to ensure it does not apply to medical information governed by the Confidentiality of Medical Information Act (CMIA), personal health information governed by the HIPAA Privacy and Security Rules, information deidentified per federal law, information derived from patient information (originally subject to HIPAA, CMIA, the Common Rule), or information collected, used, or disclosed for research purposes (under HIPAA, the Common Rule, or international guidelines, or FDA requirements).

AB 1281/2018

Extended exemptions for information collected about communications and transactions with job applicants, employees, owners, directors, officers, medical staff members, and contractors until January 1, 2022.

AB 25/2019

Focused on providing exemptions for employee and job applicant data and limited consumer rights for employees.

AB 874/2019

Refined the definition of “personal information” by removing the “reasonably capable of being associated with” expression to reduce overreach and help organizations in determining what is considered personal information. Exempted de-identified and publicly available data, defined as information lawfully made available from federal, state, or local government records.

AB 1146/2019

Created an exemption for vehicle information for warranty/recall purposes.

AB 1564/2019

Modified how businesses must offer methods for consumers to submit data requests (e.g., toll-free number or online form).

SB 41/2019

Addressed HIPAA-covered entities and clarified that CCPA doesn’t apply to protected health information.

AB 1355/2019

Referred to as a clean-up bill, this bill corrects cross-references and drafting errors in the CCPA. It incorporates changes from other bills, including SB 41, AB 874, and AB 25, with broader adjustments throughout the law. The primary focus of this bill was to:

  • introduce a temporary exemption for B2B (business-to-business) and employee data;
  • clarify that the CCPA does not apply to de-identified or aggregate consumer information; and
  • refine the definition of publicly available information, ensuring it refers specifically to information lawfully made available from government records.

The California Privacy Rights and Enforcement Act of 2020 (Ballot Initiative)

The California Privacy Rights Act (CPRA) is an amendment to the CCPA; together they form a single data privacy regime in California. The CPRA became effective on January 1, 2023, and is enforceable by the California Privacy Protection Agency starting on July 1, 2023.

Some of the more notable changes include:

  • Raised CCPA application thresholds;
  • Added protections for employee personal data rights and B2B (business-to-business) personal data rights for California citizens;
  • Employers were required to establish data collection and privacy protocols by January 1, 2023, to comply with CPRA rules;
  • Added three new rights for individuals, whether they are covered as consumers, employees, or participants in B2B relationships, including:
    • Right to limit use of sensitive personal information, including limits on how long a company can keep personal information in its records;
    • Right to correct personal information by requesting changes to any of their personal information held in a company’s data records; and
    • Right to opt out of automated decision-making technology.
  • Updated several existing consumer rights already covered by the CCPA, including:
    • Right to know what categories and pieces of personal information are collected, disclosed, or sold by companies and the purpose(s);
    • Right to delete personal information, by requesting permanent removal of personal information from a company’s data records;
    • Right to opt out of the sale or sharing of personal information by a company to any other company; and
    • Right of non-retaliation by a company if an individual exercises their data privacy rights.

AB 1194/2023

Clarified that information about consumers accessing, procuring, or searching for contraception, pregnancy, or perinatal care is not exempt from CCPA obligations because this information does not pertain to a person being at risk of death or physical injury.

AB 947/2023

Modified the definition of sensitive personal information to include citizenship and immigration status.

SB-1223/2024

Modified the definition of sensitive personal information to now explicitly include neural data. This refers to information directly generated from measurements of a consumer’s nervous system activity (central or peripheral) and is not derived from non-neural sources.

AB-1008/2024

Specified that personal information can exist in various formats: physical (like paper documents, printed images, vinyl records, video tapes), digital (text, image, audio, video files), and abstract digital (compressed files, metadata, AI systems).

AB-1824/2024

This amendment requires organizations that have acquired personal information as part of a merger, acquisition, bankruptcy, or other transaction to respect the individual’s opt-out preferences regarding the sale of their personal data, as provided to the original organization.
