California Privacy Protection Agency is faceless, for now

In November, California voters passed the Consumer Privacy Rights Act, which will replace the California Consumer Privacy Act. The CPRA provides for a new enforcement agency, and not everyone think's it's the right move.

In November, California voters approved Proposition 24, the Consumer Privacy Rights Act (CPRA). The  law will replace the California Consumer Privacy Act (CCPA) when it comes into force in January 2023. Its passage was seen by some as a major compliance headache. Organizations that had just steeled themselves to comply with the CCPA, no easy task on its own, now have to work toward a new goalpost. 

The CPRA aims to add clarity to some of the CCPA’s provisions, but it also moves the California law closer to resembling the EU’s General Data Protection Regulation. It introduces the “right to rectification,” the right to “restriction” and a new tier of data classification: “sensitive personally identifiable information.” 

Importantly, it also establishes a new enforcement agency. In the EU, data protection authorities handle complaints from data subjects, investigate potential GDPR violations and help advise companies in areas of uncertainty. Similarly, the California Privacy Protection Agency will act as an advisory body to companies aiming to do the right thing according to the law, but will also enforce the law, taking enforcement out of the California attorney general’s hands. 

The agency was created so that a dedicated body could handle privacy regulation, given the California Attorney General has many other mandates and restraints. According to predictions by the attorney general’s office soon after the CCPA passed, it would have only been able to fund enforcement of about three CCPA cases per year.

It’s hard to say how “enforcement” will compare after this change of regulatory hands. That’s because the California attorney general has still been in the process of finalizing its regulations. While the CCPA passed in 2018 and came into effect in January 2020, just two weeks ago the attorney general released its fourth set of proposed modifications to the law’s regulations. The collaborative process was slow and painful; thousands of groups and individuals submitted comments for the attorney general's consideration  as each iteration was drafted. 

As such, there have not yet been any enforcement actions under the CCPA. To be clear, there have been countless CCPA-based lawsuits filed in the state. But the courts haven't yet issued rulings, and plaintiffs are struggling to even get to courtroom because companies have thus far been successful in getting class-actions dismissed early. 

Under the CPRA, the new agency can begin its rulemaking in July 2021. The law allows for the agency to issue fines three times as high as the attorney general could under the CCPA if the violation involves users under the age of 16. Enforcement of the CPRA itself can begin no sooner than July 1, 2023. Until then, the CCPA applies. 

But it’s unclear how the CPRA will approach enforcement. That’s, in part, because it’s not yet clear who will staff the agency. What we do know is the agency will be governed by a five-member board. The chair and one member of the board will be appointed by California’s governor. Under the law, any appointment members should be California residents “with expertise in the areas of privacy, technology and consumer rights.”  

Tanya Forsheit, chair of Frankfurt Kurnit Klein + Selz’s privacy and data security group, has long been an opponent of the CPRA in general. She advises companies aiming to comply with the CCPA, and she didn’t think the CPRA was “needed at all.” She also doesn’t think establishing the new agency was the right move.

“I thought, and l still think, that the attorney general is best positioned to be the state’s privacy cop,” Forsheit said. “I don’t buy that the attorney general doesn’t have the resources (to enforce), since, even under the CCPA, the attorney general gets to keep the money from enforcement actions, which could be a lot.” 

She explained that fines for data breaches are set at $2500 to $7500 per person affected. So if millions of records are breached, that’s a lot of money coming at the attorney general's office. 

Joe Jerome, director for multistate policy at Common Sense Media, is more optimistic. He thinks creating a dedicated privacy enforcer could be a “game changer,” and that the resources being dedicated to the new agency, $10 million per year, are “no joke.” 

He said he’d like to see some longstanding privacy advocates in leadership roles there.

“There’s no shortage of privacy experts that were involved in the creation of the CCPA and its subsequent regulations that could be good picks,” he said. 

Forsheit, though she’s a lawyer herself, said the agency shouldn’t be staffed by lawyers wholesale. She’d like to see individuals who understand privacy law and its history in the state of California. 

“I would love to see someone like Joanne McNabb, who ran the California Office of Privacy Protection back in the day and is not a lawyer,” she said. “But I don’t get a say in this.” 

No matter what happens, Jerome said, the agency creates another important voice in privacy debates. 

“We follow the FTC’s work, we follow attorney general enforcement,” he said. “No matter what the CPPA does, it’s going to be setting precedent that’s relevant to companies conducting business in California. There’s a huge opportunity for this agency to shake up the world.”