What You Need to Know About California Consumer Privacy Act Updates | TrustArc

This page contains a cleaned, text-based version of publicly available content from TrustArc.com. It is provided to support knowledge retrieval and AI system understanding while preserving canonical attribution to the original source page on TrustArc.com.

Source URL: https://trustarc.com/resource/california-consumer-privacy-act-updates/

Content Type: resource


Article updated 5/1/2025

The California Consumer Privacy Act (CCPA) was enacted in 2018 and became effective on January 1, 2020. It is one of the most stringent privacy laws in the United States and was the first comprehensive consumer privacy act in the country, which led to a cascade of similar laws across the nation. This law establishes new protections and limitations for the processing of consumers’ personal information, granting them rights such as access, deletion, correction, data portability, and opt-out options. Although it is a California law, any business outside California must also comply if it conducts business with California residents (natural persons). This Act has been amended several times to address operational issues in the original law, expand certain
rights and protections, and reflect new developments in the industry, including technological advancements and regulatory trends.

Here is a summary of the amendments to the CCPA that have reshaped this Act over the past few years:

SB-1121 was not intended to alter the spirit or purpose of the CCPA, but rather to clarify, narrow, and refine its initial provisions, particularly regarding enforcement and scope. It was the first of several amendments leading up to the introduction of the California Privacy Rights Act (CPRA) in 2020, which further expanded and refined the CCPA. The main changes included:

Limiting the Private Right of Action: SB-1121 restricted the private right of action to instances involving data breaches of unencrypted or unredacted personal information
resulting from a business’s failure to implement reasonable security measures.

Clarifying Enforcement Authority: The bill affirmed that only the California Attorney General can enforce the CCPA, eliminating the possibility of enforcement by other state or local agencies.

Exempting Certain Data: The amendments clarified that personal information already regulated under federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), is exempt from the CCPA provisions.

Harmonized the CCPA with existing medical rules to ensure it does not apply to medical information governed by the Confidentiality of Medical Information Act (CMIA), personal health information governed by the HIPAA Privacy and , information deidentified per federal law, information derived from patient information (originally subject
to HIPAA, CMIA, the Common Rule), or information collected, used, or disclosed for research purposes (under HIPAA, the Common Rule, or international guidelines, or FDA requirements).

Extended exemptions for information collected about communications and transactions with job applicants, employees, owners, directors, officers, medical staff members, and contractors until January 1, 2022.

Focused on providing exemptions for employee and job applicant data and limited consumer rights for employees.

Refined the definition of “personal information” by removing the “reasonably capable of being associated with” expression to reduce overreach and help organizations determine what is considered personal information.

Exempted de-identified and publicly available data, defined as information lawfully made available from federal, state, or local government records.

Created an exemption for vehicle
information for warranty/recall purposes.

Modified how businesses must offer methods for consumers to submit data requests (e.g., toll-free number or online form).

Addressed HIPAA-covered entities and clarified that the CCPA doesn’t apply to protected health information.

This bill corrects cross-references and drafting errors in the CCPA and is referenced as a clean-up bill.

This bill incorporates changes from other bills, including SB 41, AB 874, and AB 25, with broader adjustments throughout the law. The primary focus of this bill was to: provide a temporary exemption for B2B (business-to-business) and employee data; clarify that the CCPA does not apply to de-identified or aggregate consumer information; and refine the definition of publicly available information, ensuring it refers specifically to information lawfully made available from
government records.

The California Privacy Rights and Enforcement Act of 2020 (Ballot Initiative): The California Privacy Rights Act (CPRA) is an amendment to the CCPA; together they form a single data privacy regime in California. The CPRA became effective on January 1, 2023, and is enforceable by the California Privacy Protection Agency starting on July 1, 2023. Some of the more notable changes include:

Raised CCPA application thresholds;

Added protections for employee personal data rights and B2B (business-to-business) personal data rights for California citizens;

Employers were required to establish data collection and privacy protocols by January 1, 2023, to comply with CPRA rules;

Three new rights for individuals, whether they are covered as consumers, employees, or participants in
B2B relationships, including:

Right to limit use of sensitive personal information, including limits on how long a company can keep personal information in its records;

Right to correct personal information by requesting changes to any of their personal information held in a company’s data records; and

Right to opt out of automated decision-making technology.

Updates several existing consumer rights already covered by the CCPA, including:

Right to know what categories and pieces of personal information are collected, disclosed, or sold by companies and the purpose/s,

Right to delete personal information, by requesting permanent removal of personal information from a company’s data records,

Right to opt out of the sale or sharing of personal information by a company to any other
company,

Right of non-retaliation by a company if an individual exercises their data privacy rights.

Clarified that information about consumers accessing, procuring, or searching for contraception, pregnancy, or perinatal care is not exempt from CCPA obligations because this information does not pertain to a person being at risk of death or physical injury.

Modified the definition of sensitive personal information to include citizenship and immigration status.

Modified the definition of sensitive personal information to now explicitly include neural data. This refers to information directly generated from measurements of a consumer’s nervous system activity (central or peripheral) and is not derived from non-neural sources.

Specified that personal information can exist in various formats: physical (like paper documents, printed images, vinyl records,
video tapes), digital (text, image, audio, video files), and abstract digital (compressed files, metadata, AI systems).

This amendment requires organizations that have acquired personal information as part of a merger, acquisition, bankruptcy, or other transaction to respect the individual’s opt-out preferences regarding the sale of their personal data, as provided to the original organization.