March 25, 2021

March 2021—In accordance with increased privacy protections that were passed into law by the California Privacy Rights Act (“CPRA”) in the November 2020 election, state officials announced the names of appointees to the new California Privacy Protection Agency (CPPA) on 17 March. The CPRA mandated the creation of the CPPA. This agency, charged with protecting Californian’s privacy rights, is the first of its kind in the United States. The CPPA will assume powers previously held exclusively by the California Attorney General and is expected to begin rule-making as early as July of this year. The five new board members have backgrounds in privacy, technology, and consumer rights.

New Chair of the CPPA

Jennifer M. Urban, the newly appointed chair of the CPPA, is a law professor from UC Berkeley. She has directed technology law clinics at Berkeley, USC, and Stanford. Other board members include: (1) John Thompson, a senior vice president of government relations at LA2028 who previously held positions at Southern California Edison and in the US Senate and House of Representatives; (2) Angela Sierra, a recent Chief Assistant Attorney General of the California Public Rights Division, including overseeing the Consumer Protection Section’s Privacy Unit; (3) Lydia de la Torre, an of-counsel privacy attorney for Squire Patton Boggs and a privacy law professor at Santa Clara University Law School, where she co-directed the Privacy Certificate Program; (4) and Vincent Le, a technology equity attorney at the Greenlining Institute who focuses on consumer privacy, closing the digital divide, and biases in algorithms.

Emphasizing the importance of the CPPA, California AG Becerra stated, “The California Privacy Protection Agency marks a historic new chapter in data privacy by establishing the first agency in the country dedicated to protecting forty million Californians’ fundamental privacy rights. [ ]The CPPA Board will help California residents understand and control their data privacy while holding online businesses accountable.”

The New CCPA Agency

For companies that are already complying with the California Consumer Privacy Act (also referred to as the CCPA, making the list of acronyms extra confusing), California’s landmark privacy legislation that went into effect in January 2020, the creation of the CPPA indicates a move towards increased regulatory enforcement of existing privacy law as well as an expectation of increased rulemaking around consumer privacy issues as the new agency starts work. While there was little in the way of enforcement under the Attorney General in 2020, the new agency has been given a substantial budget dedicated entirely to privacy, strongly suggesting that enforcement will be ratcheted up under the auspices of the CPPA.

The new agency has the authority to both implement and enforce the California Consumer Privacy Act (already in effect) and the new California Privacy Rights Act (which goes into effect in 2023). The new board will oversee the appointment of an executive director, officers, and employees for the fledgling agency. Any enforcement actions the new agency brings will go before an administrative law judge, but the California Attorney General will also retain the ability to enforce both the CCPA and the CPRA. Some of the new agency’s first actions will undoubtedly include the creation of additional rules around the implementation of the CPRA, including setting up audit and risk assessment rules.

To learn more about SixFifty and how we can help you on your way towards compliance with the CCPA, click here.

DISCLAIMER: This publication has been prepared by SixFifty, LLC to provide information of interest to our readers regarding legal requirements. It is not intended to provide legal advice or to create an attorney-client relationship. SixFifty, LLC does not provide legal advice.