July 24, 2024
The California Privacy Protection Agency
The California Privacy Protection Agency is bringing big changes to the way the CCPA is enforced. Learn how the CPPA may affect your business.

The California Privacy Rights Act (CPRA), approved by ballot initiative in 2020, made many significant changes to the state’s existing data privacy law, the California Consumer Privacy Act (CCPA). These changes include adding new consumer rights, altering the threshold requirements for businesses, and much more. One of the most consequential provisions of the CPRA may end up being the creation of the California Privacy Protection Agency (CPPA).

The CPPA is a first-of-its-kind state agency that will be taking over most of the CCPA enforcement and rulemaking responsibilities from the California Attorney General. The agency’s board members have already been appointed, staff has been hired, and it is working on new regulations. On July 1, 2023, enforcement activities will begin.

Here are some of the agency’s most important features and how it will likely affect enforcement of the privacy law in the future.

Primary Duties of the CPPA

Under the original CCPA, all regulatory and enforcement authority is vested in the Office of the Attorney General. The CPRA transfers most of those powers to the newly created CPPA, along with other responsibilities like educating the public and advising the legislature.

The CPPA’s primary duties are:

  1. Protect the fundamental privacy rights of California residents with respect to the use of their personal information
  2. Administer, implement, and enforce the CCPA. This includes conducting its own administrative hearings to determine whether a business has violated the state law and what penalties are appropriate.
  3. Adopt, amend, and rescind regulations. The CPPA will be releasing new regulations to reflect the changes and additions in the CPRA, and will have exclusive regulation-making authority going forward.
  4. Promote public awareness and understanding of data privacy issues. This includes publishing risk assessments from businesses whose processing of consumers’ personal information presents a significant risk to their privacy or security.
  5. Provide guidance to consumers regarding their CCPA rights. Beyond publishing educational materials, this suggests the CPPA will be set up to respond to individual consumers’ questions and concerns.
  6. Provide guidance to businesses regarding their CCPA responsibilities. The agency will likely be providing advisory opinions as well as responding to queries from individual businesses.
  7. Appoint a Chief Privacy Auditor. As the name suggests, this person will conduct audits of businesses to ensure CCPA compliance.
  8. Monitor relevant developments in the field of data privacy. This primarily means keeping up with changes in information and communication technologies and commercial practices.
  9. Provide technical assistance to the state legislature. The CPPA will have an advisory role in any future personal data privacy legislation in California.
  10. Establish voluntary CCPA compliance certification. Businesses that voluntarily choose to become CCPA compliant can register with the state and will probably be allowed to display a logo certifying their compliance.

These duties represent a significant expansion of scope beyond the responsibilities of the Attorney General in the original CCPA. This expansion, along with the degree of specialization needed to carry out these duties, underscores why the state thought it necessary to create a dedicated privacy protection agency.

The Future of CCPA Enforcement Under the CPPA

How will enforcement of the CCPA change under the new agency? For the many businesses that have been holding off on CCPA compliance, this is the big question. Though nobody will know for sure until it happens, the conventional wisdom is that there will be a major increase in enforcement actions.

The CPPA is already fully funded, with an annual budget of $10 million (adjusted yearly for inflation). This will likely lead to more enforcement for two reasons. First, the agency will have the resources and staff it needs to carry out its duties. Second, having allocated this money to the CPPA, the state will want to see results. Whereas all enforcement previously fell under the very wide umbrella of the Office of the Attorney General, the CPPA is dedicated exclusively to data privacy. It will have to show something to justify its budget, and that means putting numbers on the board: how many cure notices it has sent out, how much money it has collected in fines, etc.

The CPRA also made a big change to the legal mechanism for enforcement. Under the original CCPA, the Attorney General had to file a civil action against alleged violators in state court. The CPPA, however, will conduct its own administrative hearings that determine whether a business violated the law and what penalties are appropriate. The hearings will be before an administrative law judge and have to conform to due process standards, but they will likely be more streamlined than a normal civil court case.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
