A Closer Look AT THE CPRA – PART II: Establishment of a New Agency
On Election Day, California voters approved the California Privacy Rights Act of 2020 (the “CPRA”) through a ballot measure. The CPRA amends the California Consumer Privacy Act (“CCPA”), which the California legislature passed in 2018, significantly broadening the control that California residents have over their personal information and imposing new obligations on businesses subject to the law.
Last month we looked into the individual rights afforded to California residents under the CPRA, and this month we focus on the new enforcement arm of the CPRA, the California Privacy Protection Agency. With the creation of the California Privacy Protection Agency, California will become the first state with its own privacy regulator.
While most of the CPRA’s provisions will not be operative until January 1, 2023, the provisions regarding the establishment and funding of the agency are operative immediately upon the CPRA’s effective date, which will occur shortly after certification of the election results. The creation of this agency will receive considerable attention as businesses and consumer privacy advocates try to understand how the new agency will implement and enforce the law.
The new agency will be governed by a five member board. Appointments to the board will be made by (1) the governor (who will appoint both the chair and a member), (2) the California attorney general, (3) the U.S. Senate Committee on Rules and Administration, and (4) speaker of the California Assembly. Members are required to be “Californians with expertise in the areas of privacy, technology, and consumer rights.” The CPRA does not designate a specific term length for members, but rather states that members shall “serve at the pleasure of their appointing authority.” The CRPA is clear that members may not serve longer than eight consecutive years. Upon leaving the board, members are subject to certain restrictions regarding their employment The CPRA contains provisions that sets forth restrictions designed to avoid any suggestion former board members could use their previous position to improperly influence the agency or advance a business’ interest.
Staff support for the agency is to be provided by the California Office of Attorney General until the California Privacy Protection Agency is able to hire its own staff, including an executive director and a chief privacy officer.
The funding mechanism for the agency is included in the CPRA, which directs an appropriation from California’s General Fund of $5 million during fiscal year 2020–21, and $10 million each fiscal year thereafter. This funding provision is operative on the effective date of the CPRA.
The “regulations” provision of the CPRA also will be effective immediately. The attorney general will initially have rulemaking authority under the CPRA (as he does now under CCPA), but the agency will assume these rulemaking responsibilities by July 1, 2021, or within six months of the agency providing notice to the attorney general that it is ready to do so. Final CPRA regulations are required to be adopted by July 1, 2022, a year ahead of its enforcement.
Enforcement will not begin until July 1, 2023. Until then, the CCPA will remain the governing privacy regime.
The CPRA requires the agency to “administer, implement, and enforce” the law “through administrative actions,” while the attorney general retains its civil enforcement powers.
In addition to rulemaking and enforcement, the agency has a number of other required functions, including:
- Education and public awareness of “the risks, rules, responsibilities, safeguards, and rights” related to personal information;
- Guidance to consumers and businesses;
- Technical assistance and advice to the legislature on privacy related legislation; and
- Cooperation with other agencies with jurisdiction over privacy laws, including other states, territories, and countries.
Grayson J. Derrick
Chair, Technology and Intellectual Property Section