The Primary Duties of the CPPA Explained
Education
The CPPA is responsible for undertaking educational initiatives to promote public awareness and understanding of the “risks, rules, responsibilities, safeguards, and rights of the collection, use, sale and disclosure of personal information.” The CPPA will provide clear guidelines for organizations and consumers. It may also award grants for educational purposes from its allotted budget.
The CPPA has also been entrusted with providing technical advice, guidance, and expertise to the California Legislature on privacy-related legislation. It must provide guidance to businesses on complying with the CPRA, and it is mandated to appoint “Chief Privacy Auditors” to covered businesses to conduct audits that ensure they are complying.
Rulemaking
The second and perhaps most important duty of the CPPA is to adopt and update existing CCPA rules made by the California Attorney General by July 1st, 2021, or within six months of the agency providing notice that it is prepared to do so. Currently, the CPPA has elected not to send the notice to the California Attorney General.
The agency is also expected to provide guidance on the remaining unaddressed issues introduced by the amendments in the CPRA by making new regulations. The CPRA increased the number of rule-making topics from 7 to 22. Considering it took the California Attorney General 23 months from the passing of the CCPA to finalize the rules, it will probably take the CPPA a long time to finalize its regulations.
The CPPA can issue new rules related to issues such as:
- Access and opt-out rights of consumers concerning automated decision-making technology.
- Whether businesses will be required to provide information beyond the 12-month look-back window in response to a consumer’s access request.
- The criteria to choose which businesses will be audited by the Chief Privacy Auditor.
- Which processing operations shall require businesses to conduct regular risk assessments/cybersecurity audits.
- The definition of ‘precise geolocation’ and how and where it can be used.
- The review and evaluation of existing California insurance laws and regulations relating to consumer privacy.
- The frequency and circumstances under which consumers can request the correction of their personal information, including defining the exceptions to the right to correct, and how the organization may resolve accuracy concerns.
- The CPRA shall apply to employees and their data when the CCPA expires.
- The specifics of opt-out mechanisms from “selling” and “sharing” personal data for cross-context behavioral advertising purposes, and ensuring such mechanisms are consumer-friendly.
- The mechanism for businesses to honor universal opt-out consent mechanisms shall be detailed within the rules.
Violations
Finally, the CPPA has the mandate to investigate possible violations of the CPRA, conduct administrative hearings, impose fines for violations, and go to court in a civil action to recover unpaid fines.
Fines for violations of the CPRA may range from $2,500 per unintentional violation to $7,500 per intentional violation, including violations involving minors’ data. Enforcement efforts will begin on July 1, 2023, six months after the CPRA goes into effect on January 1st, 2023.
It is important to note that the California Attorney General retains the power to enforce the CPRA through civil penalties and will be required to coordinate its actions with the CPPA.