The California Privacy Protection Agency

The California Privacy Rights Act (CPRA), approved by ballot initiative in 2020, made a lot of significant changes to the state’s existing data privacy law, the California Consumer Privacy Act (CCPA). These changes include adding new consumer rights, altering the threshold requirements for businesses, and much more. One of the most consequential provisions of the CPRA may end up being the creation of the California Privacy Protection Agency (CPPA).

The CPPA is a first-of-its-kind state agency that will be taking over most of the CCPA enforcement and rulemaking responsibilities from the California Attorney General. The agency’s board members have already been appointed, staff has been hired, and it is working on new regulations. On July 1, 2023, enforcement activities will begin.

Here are some of the agency’s most important features and how it will likely affect enforcement of the privacy law in the future.

Primary Duties of the CPPA

Under the original CCPA, all regulatory and enforcement authority is vested in the Office of the Attorney General. The CPRA transfers most of those powers to the newly created CPPA, along with other responsibilities like educating the public and advising the legislature.

The CPPA’s primary duties are:

1. Protect the fundamental privacy rights of California residents with respect to the use of their personal information
2. Administer, implement, and enforce the CCPA

   This includes conducting its own administrative hearings to determine whether a business has violated the state law and what penalties are appropriate.

3. Adopt, amend, and rescind regulations

   The CPPA will be releasing new regulations to reflect the changes and additions in the CPRA, and will have exclusive regulation-making authority going forward.

4. Promote public awareness and understanding of data privacy issues

   This includes publishing risk assessments from businesses whose processing of consumers’ personal information presents a significant risk to their privacy or security.

5. Provide guidance to consumers regarding their CCPA rights

   Beyond publishing educational materials, this suggests the CPPA will be set up to respond to individual consumers’ questions and concerns.

6. Provide guidance to businesses regarding their CCPA responsibilities

   The agency will likely be providing advisory opinions as well as responding to queries from individual businesses.

7. Appoint a Chief Privacy Auditor

   As the name suggests, this person will conduct audits of businesses to ensure CCPA compliance.

8. Monitor relevant developments in the field of data privacy

   This primarily means keeping up with changes in information and communication technologies and commercial practices.

9. Provide technical assistance to the state legislature

   The CPPA will have an advisory role in any future personal data privacy legislation in California.

10. Establish voluntary CCPA compliance certification

    Businesses that voluntarily choose to become CCPA compliant can register with the state and will probably be allowed to display a logo certifying their compliance.

These duties represent a significant expansion of scope beyond the responsibilities of the Attorney General in the original CCPA. This expansion, along with the degree of specialization needed to carry out these duties, underscores why the state thought it necessary to create a dedicated privacy protection agency.

The Future of CCPA Enforcement Under the CPPA

How will enforcement of the CCPA change under the new agency? For the many businesses that have been holding off on CCPA compliance, this is the big question. Though nobody will know for sure until it happens, the conventional wisdom is that there will be a major increase in enforcement actions.

The CPPA is already fully funded, with an annual budget of $10 million (adjusted yearly for inflation). This will likely lead to more enforcement for two reasons. First, the agency will have the resources and staff it needs to carry out its duties. Second, having allocated this money to the CPPA, the state will want to see results. Whereas all enforcement previously fell under the very wide umbrella of the Office of the Attorney General, the CPPA is dedicated exclusively to data privacy. It will have to show something to justify its budget, and that means putting numbers on the board: how many cure notices it has sent out, how much money it has collected in fines, etc.

The CPRA also made a big change to the legal mechanism for enforcement. Under the original CCPA, the Attorney General had to file a civil action against alleged violators in state court. The CPPA, however, will conduct its own administrative hearings that determine whether a business violated the law and what penalties are appropriate. The hearings will be before an administrative law judge and have to conform to due process standards, but they will likely be more streamlined than a normal civil court case.

How to Prepare Your Business

All of these developments indicate a desire at the state level to see stronger and more frequent enforcement of the CCPA in order to protect Californians’ privacy rights. Once the CPPA is fully established and the new law is in force, businesses that are non-compliant will face a higher likelihood of receiving a 30-day cure notice and, potentially, administrative fines. The best course of action is to become CCPA compliant before coming to the new agency’s attention.

CCPA compliance is a significant undertaking, but TrueVault Polaris automates the process, reducing time-consuming tasks and helping your business avoid costly mistakes. Our attorney-designed software guides you all the way from data mapping to handling consumer privacy requests.

To reach CCPA compliance faster and more cost-effectively, contact our team today.