The New Sheriff in Town: the California Privacy Rights Act Establishes the First Dedicated Privacy Agency in the United States

The California Privacy Rights Act 2020, which was approved by the state voters on November 3, 2020 and became the law on December 9, establishes a new state agency – California Privacy Protection Agency (CPPA), with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act, as amended by the CPRA.

The CPPA will be the first dedicated privacy agency in the United States.  The agency will be governed by a 5-member board comprised of privacy, technology, and consumer rights experts serving 8-year terms.  The Chair and one of the board members will be appointed by the California Governor, with the remaining board members appointed by the Attorney General, Senate Rules Committee, and the Speaker of the Assembly.

The CPPA’s responsibilities will include administering, implementing, and enforcing the CCPA; adopting, amending, and rescinding the CCPA Regulations (currently the province of the Attorney General); protecting fundamental privacy rights of natural persons; promoting public awareness and understanding of the rights, risks, and responsibilities regarding collection, use, sale, and disclosure of personal information; providing guidance to consumers regarding their privacy rights; providing guidance to businesses regarding their duties and responsibilities under the privacy law; appointing a Chief Privacy Auditor to conduct audits of businesses; providing technical assistance and advice to the lawmakers regarding privacy-related legislation; and monitoring of technological developments related to protection of personal information.

The CPPA will be empowered to investigate possible violations of the CCPA, make probable cause determinations of its violations, institute administrative proceedings upon finding of probable cause, subpoena documents and witnesses, conduct evidentiary administrative hearings, issue cease and desist orders, order payment of administrative fines, and bring civil actions to enforce payment of administrative penalties.  Any CPPA decision related to a complaint against a business or a penalty will be subject to review by the state courts.

The California Privacy Protection Agency will assume the rulemaking authority from the Attorney General by July 1, 2021, and will have to issue final regulations required by the CPRA by July 1, 2022. The CPRA’s provisions will become operative on January 1, 2023 and the Agency will be able to bring CPRA enforcement actions beginning on July 1, 2023 but only for violations occurring on or after that day.

Improve customer trust with Clarip’s privacy governance platform.  Schedule a demo of the Clarip data mapping software for GDPR by calling 1-888-252-5653.