The recent passage of the California Privacy Rights Act (“CPRA”) has ushered in the first agency in the United States created for the sole purpose of protecting the privacy rights of Californians: the California Privacy Protection Agency (“CPPA”). The CPPA will have the full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act (“CCPA”) and the CPRA. Because of the potential for exposure due to violations, businesses should familiarize themselves with the new law and the accompanying requirements before enforcement commences. The CPPA is governed by a five-member board, consisting of Jennifer M. Urban, John Christopher Thompson, Angela Sierra, Lydia de la Torre, and Vinhcent Le, whose appointments were recently announced. The CPPA will have three main functions: education, rulemaking, and enforcement. Below is a synopsis of the CPPA’s predominant functions.
The CPPA’s educational efforts will be aimed at promoting public awareness and an understanding of the “risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale and disclosure of personal information.” The CPPA will provide guidelines for businesses and consumers alike and may also award grants for educational purposes from its allotted budget.
The CPPA is expected to update existing CCPA rules, provide guidance as to remaining issues in the CPRA, and issue new rules relating to various issues, including access and opt-out rights of consumers. Guidance is also expected on whether businesses will be required to provide information beyond the 12-month look-back window in response to a consumer’s access request. After passage of the CCPA, the California Attorney General’s office issued four sets of regulations over a nearly two-year period. A similar path is expected for the CPRA.
In addition to implementing and enforcing the CCPA and CPRA, the CPPA will be able to impose fines for violations, even if they do not rise to the level of “knowing” violations. Fines for violations relating to the data of minors may be up to $7,500 per violation, while fines for other violations may be up to $2,500 per violation. The CPPA’s enforcement efforts will begin on July 1, 2023, six months after the CPRA goes into effect.
What You Should Do Now
Due to the CPPA’s creation and imminent enforcement start date, businesses should ensure that they are already in compliance with CCPA-related guidelines and following the proper protocols with respect to consumers’ personal information. Businesses also need to become well-acquainted with the CPRA’s additional regulations before the CPRA goes into effect on January 1, 2023. Given the 12-month look-back requirement under the CPRA, steps need to be taken immediately, and certainly before January 1, 2022 – which is only nine months away.