One of the main changes brought about by the California Privacy Rights Act is the establishment of the California Privacy Protection Agency as an “independent watchdog” whose mission is both to “vigorously enforce” the CPRA and “ensure that businesses and consumers are well‐informed about their rights and obligations.”
The CPPA will be governed by a five‐member board and, although the CPRA provides for a 90-day window for appointments, it is expected the board members will be announced by the end of January 2021. The board will select a chairman and hire an executive director shortly thereafter.
In terms of its mandate, the CPPA will go significantly beyond the functions currently performed by the California Attorney General’s Office. In addition to enforcement and rulemaking, the CPPA will have an important educational function.
In terms of rulemaking, the CPRA requires rulemaking regarding three times as many issues as the CCPA. During 2021 and 2022, it is expected the new agency will undertake not only the update of the existing CCPA rules, but also the issuance of new ones addressing areas such as:
- The specifics of opt-out mechanisms from “selling” and “sharing” for cross-context behavioral advertising purposes with the goal of promoting clarity and ensuring such mechanisms are consumer-friendly.
- How often and under what circumstances consumers may request the correction of their personal information, including defining the exceptions to the right to correct and how accuracy concerns may be resolved. As the existing personnel data carve-out will expire when the CPRA goes into effect, the rules will likely address the mechanics of correction requests in the context of employment-related personal information.
- The standard governing whether, in response to an access request, businesses will be required to provide information beyond the 12-month look-back window.
- The standards for annual cybersecurity audits and risk assessments that may have to be conducted by businesses whose processing activities present “significant risks.”
- Access and opt-out rights with respect to businesses’ use of automated decision-making technology, including profiling.
In addition, the CPPA “is vested with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act.” However, unlike the U.S. Federal Trade Commission’s authority under Section 5 of the Federal Trade Commission Act, the CPPA will be able to impose fines for violations that do not rise to the level of “knowing” violations. The fines that the CPPA may impose are identical to the ones that apply under the CCPA, except that violations relating to the data of minors are tripled (to $7,500 per violation). CPPA enforcement will not start until July 1, 2023, six months after the CPRA goes into effect. It is important to note that the California attorney general retains the power to enforce the CPRA through civil penalties and will be required to coordinate its actions with the CPPA.
The CPPA will appoint a chief privacy auditor to conduct audits of businesses to ensure compliance with the CPRA. In addition, because the CPPA will have the power to cooperate with other privacy enforcement agencies in the state, as well as in “other states, territories, and countries,” it is expected that it will coordinate its investigatory actions with regulators in other jurisdictions, including European data protection authorities.
The CPPA will have an educational function and is charged with promoting “public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale and disclosure of personal information.” This includes providing guidelines not only for consumers, but also for businesses with regard to their duties under the CPRA. The CPPA also has the power to award grants from its budget for educational purposes.
Finally, upon request, the CPPA will provide technical assistance and advice to the California Legislature with respect to privacy‐related legislation, “monitor” the developments in the field of personal information protection, and establish a mechanism for organizations that are not subject to the CPRA to voluntarily self-certify compliance.
In sum, the CPPA is set to become a key privacy regulator not only in California, but across the U.S. and the globe.