One of the most ubiquitous technologies on the web may become a liability risk for businesses. Learn about Google Analytics, wiretap lawsuits, and how to protect your company.
The California Privacy Rights Act (CPRA), approved by ballot initiative in 2020, made a lot of significant changes to the state’s existing data privacy law, the California Consumer Privacy Act (CCPA). These changes include adding new consumer rights, altering the threshold requirements for businesses, and much more. One of the most consequential provisions of the CPRA may end up being the creation of the California Privacy Protection Agency (CPPA).
The CPPA is a first-of-its-kind state agency that will be taking over most of the CCPA enforcement and rulemaking responsibilities from the California Attorney General. The agency’s board members have already been appointed, staff has been hired, and it is working on new regulations. On July 1, 2023, enforcement activities will begin.
Here are some of the agency’s most important features and how it will likely affect enforcement of the privacy law in the future.
Under the original CCPA, all regulatory and enforcement authority is vested in the Office of the Attorney General. The CPRA transfers most of those powers to the newly created CPPA, along with other responsibilities like educating the public and advising the legislature.
The CPPA’s primary duties are:
These duties represent a significant expansion of scope beyond the responsibilities of the Attorney General in the original CCPA. This expansion, along with the degree of specialization needed to carry out these duties, underscores why the state thought it necessary to create a dedicated privacy protection agency.
How will enforcement of the CCPA change under the new agency? For the many businesses that have been holding off on CCPA compliance, this is the big question. Though nobody will know for sure until it happens, the conventional wisdom is that there will be a major increase in enforcement actions.
The CPPA is already fully funded, with an annual budget of $10 million (adjusted yearly for inflation). This will likely lead to more enforcement for two reasons. First, the agency will have the resources and staff it needs to carry out its duties. Second, having allocated this money to the CPPA, the state will want to see results. Whereas all enforcement previously fell under the very wide umbrella of the Office of the Attorney General, the CPPA is dedicated exclusively to data privacy. It will have to show something to justify its budget, and that means putting numbers on the board: how many cure notices it has sent out, how much money it has collected in fines, etc.
The CPRA also made a big change to the legal mechanism for enforcement. Under the original CCPA, the Attorney General had to file a civil action against alleged violators in state court. The CPPA, however, will conduct its own administrative hearings that determine whether a business violated the law and what penalties are appropriate. The hearings will be before an administrative law judge and have to conform to due process standards, but they will likely be more streamlined than a normal civil court case.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.