'Most Innovative Startup 2020' by RSA - Watch the videoLearn More
The California Privacy Rights Act (CPRA) was passed in the November 2020 ballot, as 56% of California voters favored the law. It amends and strengthens consumer data privacy rights. In addition, the CPRA imposes additional consumer privacy protection obligations on organizations. The new law will take effect from January 1, 2023, and enforcement will start six months later (July 1, 2023). To read more about the CPRA, read this article.
The California Privacy Rights Act (CPRA) is sometimes referred to as “California privacy law 2020.”
The passing of the CPRA established the California Privacy Protection Agency (CPPA) as a regulatory body with full administrative power and jurisdiction to interpret the provisions of the CPRA and enforce the prescribed sanctions and penalties in case of any violations. The sole purpose of the agency is to protect the privacy rights of Californians.
As per the CPRA, the CPPA shall be governed by a five-member board, including a chairperson. The CPPA shall be able to hire staff, including an executive director. It shall have four primary functions:
The CPPA is responsible for undertaking educational initiatives to promote public awareness and understand the “risks, rules, responsibilities, safeguards, and rights of the collection, use, sale and disclosure of personal information.” The CPPA will provide clear guidelines for organizations and consumers. It may also award grants for educational purposes from its allotted budget.
The CPPA has also been entrusted with providing technical advice, guidance, and expertise to the California Legislature on privacy-related legislation. The CPPA also needs to provide guidance to businesses on complying with the CPRA and is also mandated to appoint “Chief Privacy Auditors” to covered businesses for conducting audits to ensure they are complying.
The second and perhaps most important duty of the CPPA is to adopt and update existing CCPA rules made by the California Attorney General by July 1st, 2021, or within six months of the agency providing notice that it is prepared to do so. Currently, the CPPA has elected not to send the notice to the California Attorney General.
The agency is also expected to provide guidance on the remaining unaddressed issues introduced by the amendments in the CPRA by making new regulations. The CPRA increased the number of rule-making topics from 7 to 22, and considering it took the California Attorney General 23 months from the passing of the CCPA to finalize the rules. It will probably take the CPPA a long time to finalize the final regulations.
The CPPA can issue new rules related to issues such as:
Finally, the CPPA has the mandate to investigate possible violations of the CPRA, conduct administrative hearings, impose fines for violations and go to court in a civil action to recover unpaid fines.
Violations of CPRA may range from $2,500 per unintentional violation to $7500 per intentional violation, including violations involving minor’s data. Enforcement efforts will begin on July 1, 2023, six months after the CPRA goes into effect on January 1st, 2023.
It is important to note that the California Attorney General retains the power to enforce the CPRA through civil penalties and will be required to coordinate its actions with the CPPA.
Initially, the CPPA will have an annual budget of $10 million. This funding will be used primarily for two reasons:
97% of the proceeds collected from fines shall be invested for profit for the benefit of the CPPA. In comparison, 3% shall be earmarked for grants the CPPA can make for educational and non-profit projects for increasing consumer awareness about data privacy issues.
The CPPA holds power to certify businesses and entities who do not fall within the scope of the law but who wish to voluntarily certify their data privacy program to be compliant with the CPRA.
CPPA’s voluntary certification might become a global standard for data privacy protection because of its comprehensive privacy protection requirements and California’s leadership position in protecting user privacy.
The effect of this provision could be similar to how the EU’s GDPR adequacy decisions influenced other countries around the world to pass data privacy laws and regulations modeled around the GDPR to improve data privacy as a whole. We could see international industries and companies voluntarily certifying with the CPPA to be CPRA compliant.