California Privacy News – Five Board Members Appointed to New California Privacy Protection Agency
What is your dream job? Astronaut, celebrity chef, professional golfer, or Chief Justice of the United States Supreme Court? Most attorneys would probably pick the last - unless they are privacy attorneys. On March 17, 2021, Governor Gavin Newsom, Attorney General Xavier Becerra, Senate President pro Tempore Toni G. Atkins, and Assembly Speaker Anthony Rendon announced the inaugural appointees to the board of the California Privacy Protection Agency (CPPA). The five board members include Jennifer M. Urban (appointed as Chair of the board), John Christopher Thompson, Angela Sierra, Lydia de la Torre, and Vinhcent Le.
Four of those five appointees are attorneys. Since I do not live in California, I had no chance of being appointed to the board. It would have, however, been my dream job. Why? The CPPA is the first-of-its-kind state agency devoted to consumer privacy. The new board members will play an instrumental role in guiding this ground-breaking agency as it shapes the future of consumer privacy issues in the state. Their jobs may not, to borrow from Neil Armstrong, take us to the moon with “one giant leap for mankind,” but they will be taking more than “one small step for [privacy].”
Background on New State Privacy Agency
The California Privacy Rights Act (CPRA), the ballot initiative approved by California voters in November 2020, amends the California Consumer Privacy Act (CCPA) to provide a number of new privacy protections to California residents and impose a number of new obligations on businesses subject to the CPRA. The CPRA also “established in state government the California Privacy Protection Agency, which is vested with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act.” This new state agency will perform, among other things, the following additional key functions:
- Regulatory Rulemaking - On and after the earlier of July 1, 2021, or within six months of providing the Attorney General with notice that it is prepared to assume rulemaking responsibilities under the CPRA, adopt, amend, and rescind regulations to implement the requirements of the CPRA.
- Consumer Protection - Through the implementation of the CPRA, protect the fundamental privacy rights of natural persons regarding the use of their personal information.
- Consumer Education - Provide guidance to consumers on their rights under the CPRA and promote public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale, and disclosure of their personal information, including the rights of minors regarding their own information.
- Risk Assessments - Provide public reports summarizing the risk assessments required to be filed with the agency by certain businesses.
- Business Guidance - Provide guidance to businesses regarding their duties and responsibilities under the CPRA.
- Business Audits - Appoint a Chief Privacy Auditor to conduct audits of businesses to ensure their compliance with the requirements of the CPRA.
- Legislative Advice and Assistance - Provide technical assistance and advice to the state legislature, upon request, regarding privacy-related legislation.
- Monitor Advances in Technology - Monitor relevant developments relating to the protection of personal information, and in particular, the development of information and communication technologies and commercial practices.
- Multi-jurisdictional Scope - Cooperate with other agencies with jurisdiction over privacy laws and with data processing authorities in California, other states, territories, and countries to ensure consistent application of privacy protections.
- CPRA Volunteers - Establish a mechanism for persons doing business in California that do not meet the definition of business, as set forth under the CPRA, but that want to voluntarily certify that they are in compliance with the CPRA and make a list of such entities available to the public.
- Catch-all Powers - Perform all other acts that may be necessary or appropriate in the exercise of the agency’s power, authority, and jurisdiction.
For most businesses, the CPPA’s enforcement powers take center stage. The CPPA may, upon the sworn affidavit of any person or on its own initiative, investigate possible violations of the CPRA by any business, service provider, contractor, or person. Although the Attorney General’s office has been sending notices of noncompliance to a number of businesses since July 1, 2020, it has not yet taken any formal enforcement actions against any businesses. The new board of the CPPA will be instrumental in determining the future enforcement focus and activity level of the new agency. A good bet is that they will be more active in the enforcement space.
Key Takeaways
As Governor Newsom noted in the announcement, “[t]hese appointees represent a new day in online consumer protection and business accountability.” Even if your dream job is something other than being a board member of the new CPPA, your business should monitor the news from this new state agency. They will soon be releasing a number of proposed and final regulations to implement all of the new requirements under the CPRA. It may not be the same as piloting a rocket ship to Mars, signing a multi-million-dollar deal for your new cooking show, or winning the Masters, but staying on top of the changes in California will help you and your business proactively prepare for another new day, the January 1, 2023 effective date of the CPRA.