CPRA update: Board appointments announced for California Privacy Protection Agency

Keypoint: The appointment of the five California Privacy Protection Agency board members is the first significant step to the California Privacy Rights Act becoming fully operative in 2023.

<a href="https://www.freepik.com/photos/background">Background photo created by rawpixel.com - www.freepik.com</a>

On March 17, California officials announced the establishment of the five-member inaugural board for the California Privacy Protection Agency (CPPA). The CPPA was established by the California Privacy Rights Act (CPRA), which California voters approved in the November election. The CPPA will take over rulemaking duties from the California Attorney General’s office and will administratively enforce the CPRA. Given that California has the world’s fifth largest economy, the CPPA has the potential to be one of the most important data privacy authorities in the world.

Appointed Board Members

Governor Newsome appointed Jennifer Urban as the Chair of the CPPA. She is a Clinical Professor of Law and Director of Policy Initiatives for the Samuelson Law, Technology and Public Policy Clinic at the University of California, Berkeley – School of Law.

Governor Newsome also appointed John Christopher Thompson as a board member. He is Senior Vice President of Government Relations at LA 2028.

Attorney General Becerra appointed Angela Sierra. She previously served as Chief Assistant Attorney General of the Public Rights Division.

The President Pro Tem of the California Senate appointed Lydia de la Torre, formerly of-counsel at Squire Patton Boggs.

Assembly Speaker Anthony Rendon appointed Vinhcent Le, who currently serves as a Technology Equity attorney at the Greenlining Institute.

Further information as to the background of the appointees can be found here.

Brief Overview of the CPPA

Pursuant to § 1798.199.40(b), the CPPA will assume rulemaking responsibilities from the California Attorney General’s office “on or after the earlier of July 1, 2021, or within six months of the agency providing the Attorney General with notice that it is prepared to assume rulemaking responsibilities.” However, there is contrary language in § 1798.185(d), which states that the CPPA will assume rulemaking “the later of July 1, 2020 or six months after the agency provides notice to the Attorney General that it is prepared to begin rulemaking.”

Whatever the official start date, the CPPA must now adopt final regulations by July 1, 2022, i.e., in the next sixteen months. Further, the CPRA significantly expands the topics upon which regulations must be issued – from seven to twenty-two – and also modifies many of the existing seven topics. For reference, the legislature passed the CCPA on June 28, 2018 (through Assembly Bill 375) and the California Attorney General’s office submitted final regulations on seven topics to the Office of Administrative Law on June 1, 2020–an approximately twenty-three-month time period.

In addition to rulemaking, the CPPA will – eventually – be charged with bringing administrative enforcement actions for violations of the CPRA; however, that authority will not begin until July 1, 2023 and shall only apply to violations occurring after that date.

The CPPA will have a $5 million appropriation for the fiscal year 2020-2021 and a $10 million appropriation every year thereafter.

David Stauss is a partner at Husch Blackwell LLP and co-leader of the firm’s privacy and data security practice group. David regularly assists clients in preparing for and responding to data security incidents, including managing multi-state breach notifications. He also regularly counsels clients on complying with existing and emerging privacy and information security laws, including the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA) and state information security statutes. To stay up to date on these issues, subscribe to Husch Blackwell’s privacy blog. Stauss can be reached at david.stauss@huschblackwell.com.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.

ON DEMAND: Apple Mac computer use is growing in the corporate space. Having the solutions and the knowledge base to respond to events that include Mac computers is just as important as their Windows counterparts.