There’s a new Privacy Sheriff in Town – the CPPA

Published on April 18, 2024

California is well-known as a trailblazer in privacy law within the United States. Its California Consumer Privacy Act (the “CCPA”), enacted in 2018, granted U.S. consumers unprecedented control over their personal information. Then, just two years later in 2020, California voters approved Proposition 24, the California Privacy Rights Act (“CPRA”), which further extended consumer privacy protections and created a privacy law enforcement body, the California Privacy Protection Agency (“CPPA” or “the Agency”).

While privacy regulators are a foundation of European privacy law, the CPPA is the first such agency in the United States to have “…full administrative power, authority, and jurisdiction to enforce the California Consumer Privacy Act of 2018.” Cal. Civ. Code § 1798.199.10. The Agency’s stated mission is to “…protect consumer privacy, ensure consumers and businesses are well-informed about their rights and obligations, and vigorously enforce the California Consumer Privacy Act.”

The Agency is governed by a five-member board whose members are appointed by different branches of the California government: two by the Governor, one by the Attorney General, one by the President Pro Tem, and one by the Speaker. The board’s composition reflects a balance of expertise in privacy, technology, and law, and it is responsible for overseeing the Agency’s operations and making key decisions about its strategic direction. Cal. Civ. Code § 1798.15.

As mentioned above, a critical role of the Agency is to advise on and clarify the requirements of the CCPA and CPRA. One of its primary methods of doing so is via the Agency website at https://privacy.ca.gov/ where it posts numerous public resources including a response to frequently asked questions at https://cppa.ca.gov/faq.html.

To meet its statutory requirement to enforce the CCPA, the Agency has wide investigative powers over any business, service provider, contractor, or person that collects, processes, or sells Californian consumers’ personal information. Cal. Civ. Code § 1798.199.45. These investigatory powers may be triggered by an individual consumer or by the CPPA’s initiative. Cal. Code Regs. tit. 11 §§ 7300 and 7301. Either way, “[t]he Agency may conduct an audit to investigate possible violations of the CCPA. Alternatively, the Agency may conduct an audit if the subject’s collection or processing of personal information presents significant risk to consumer privacy or security, or if the subject has a history of noncompliance with the CCPA or any other privacy protection law.” Cal. Code Regs. tit. 11 § 7304.

Where the Agency finds a violation of either the CCPA or CPRA, it has the power to impose fines and penalties on the offending business. Cal. Civ. Code § 1798.199.55.

In addition to its investigatory and enforcement powers, the Agency has rulemaking ability. Consistent with its mission to inform the public and businesses on California privacy rights and related obligations, the Agency conducts a series of pre-rulemaking activities such as holding public hearings and posting the proposed text of new regulations under consideration on the Agency’s website and the California Regulatory Notice Register. The Agency then allows a period of public comment followed by its consideration thereof. When the Agency Board votes to adopt a new regulation, it files it with the California Office of Administrative Law (OAL) for a review period. Once approved by the OAL, the regulations become effective immediately.

The CPPA is a pioneering regulatory body that is set to shape the landscape of data privacy in California and potentially across the United States. Its actions will have far-reaching implications for businesses, consumers, and the broader discourse on privacy rights and protections. And, as the agency evolves, its influence on privacy law, business practices, and consumer empowerment will be closely watched by stakeholders across the US and abroad.