Products
By Use Cases By Roles
Data Command Center
View
Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

US California CPRA

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Knowledge Center » Data Privacy Automation

What is the California Privacy Protection Agency?

By Securiti Research Team

Published July 8, 2021 / Updated August 23, 2023

Background of the California Privacy Rights Act (CPRA) of 2020

The California Privacy Rights Act (CPRA) was passed in the November 2020 ballot, as 56% of California voters favored the law. It amends and strengthens consumer data privacy rights. In addition, the CPRA imposes additional consumer privacy protection obligations on organizations. The new law will take effect from January 1, 2023, and enforcement will start six months later (July 1, 2023). To read more about the CPRA, read this article.

The California Privacy Rights Act (CPRA) is sometimes referred to as “California privacy law 2020.”

What is the California Privacy Protection Agency (CPPA)?

The passing of the CPRA established the California Privacy Protection Agency (CPPA) as a regulatory body with full administrative power and jurisdiction to interpret the provisions of the CPRA and enforce the prescribed sanctions and penalties in case of any violations. The sole purpose of the agency is to protect the privacy rights of Californians.

As per the CPRA, the CPPA shall be governed by a five-member board, including a chairperson. The CPPA shall be able to hire staff, including an executive director. It shall have four primary functions:

Education
Rulemaking
Enforcement
Certification

The Primary Duties of the CPPA Explained

Education

The CPPA is responsible for undertaking educational initiatives to promote public awareness and understand the “risks, rules, responsibilities, safeguards, and rights of the collection, use, sale and disclosure of personal information.” The CPPA will provide clear guidelines for organizations and consumers. It may also award grants for educational purposes from its allotted budget.

The CPPA has also been entrusted with providing technical advice, guidance, and expertise to the California Legislature on privacy-related legislation. The CPPA also needs to provide guidance to businesses on complying with the CPRA and is also mandated to appoint “Chief Privacy Auditors” to covered businesses for conducting audits to ensure they are complying.

Rulemaking

The second and perhaps most important duty of the CPPA is to adopt and update existing CCPA rules made by the California Attorney General by July 1st, 2021, or within six months of the agency providing notice that it is prepared to do so. Currently, the CPPA has elected not to send the notice to the California Attorney General.

The agency is also expected to provide guidance on the remaining unaddressed issues introduced by the amendments in the CPRA by making new regulations. The CPRA increased the number of rule-making topics from 7 to 22, and considering it took the California Attorney General 23 months from the passing of the CCPA to finalize the rules. It will probably take the CPPA a long time to finalize the final regulations.

The CPPA can issue new rules related to issues such as:

Access and opt-out rights of consumers concerning automated decision-making technology.
Whether businesses will be required to provide information beyond the 12-month look-back window in response to a consumer’s access request.
The criteria to choose which businesses will be audited by the Chief Privacy Auditor.
Which processing operations shall require businesses to conduct regular risk assessments/cybersecurity audits.
Define ‘precise geolocation’ and how and where it can be used.
Review and evaluate existing California insurance laws and regulations relating to consumer privacy.
The frequency and circumstances under which consumers can request the correction of their personal information, including defining the exceptions to the right to correct, and how the organization may resolve accuracy concerns.
The CPRA shall apply to employees and their data when CCPA expires.
The specifics of opt-out mechanisms from “selling” and “sharing” personal data for cross-context behavioral advertising purposes and ensure such mechanisms are consumer-friendly.
The mechanism for businesses to honor universal opt-out consent mechanisms shall be detailed within the rules.

Violations

Finally, the CPPA has the mandate to investigate possible violations of the CPRA, conduct administrative hearings, impose fines for violations and go to court in a civil action to recover unpaid fines.

Violations of CPRA may range from $2,500 per unintentional violation to $7500 per intentional violation, including violations involving minor’s data. Enforcement efforts will begin on July 1, 2023, six months after the CPRA goes into effect on January 1st, 2023.

It is important to note that the California Attorney General retains the power to enforce the CPRA through civil penalties and will be required to coordinate its actions with the CPPA.

How much funding will the CPPA have?

Initially, the CPPA will have an annual budget of $10 million. This funding will be used primarily for two reasons:

Have the resources and staff to carry out its duties and pay its board members for their service.
Offset the costs of operations to catch data privacy violations, issue fines and send out remediation notices.

97% of the proceeds collected from fines shall be invested for profit for the benefit of the CPPA. In comparison, 3% shall be earmarked for grants the CPPA can make for educational and non-profit projects for increasing consumer awareness about data privacy issues.

Voluntary Certification

The CPPA holds power to certify businesses and entities who do not fall within the scope of the law but who wish to voluntarily certify their data privacy program to be compliant with the CPRA.

CPPA’s voluntary certification might become a global standard for data privacy protection because of its comprehensive privacy protection requirements and California’s leadership position in protecting user privacy.

Conclusion

The effect of this provision could be similar to how the EU’s GDPR adequacy decisions influenced other countries around the world to pass data privacy laws and regulations modeled around the GDPR to improve data privacy as a whole. We could see international industries and companies voluntarily certifying with the CPPA to be CPRA compliant.

The California Privacy Protection Agency (CPPA) is responsible for enforcing and implementing the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It oversees data privacy regulations, investigates complaints, issues guidelines, and educates the public about their privacy rights.

The new privacy agency in California is the California Privacy Protection Agency (CPPA). It was established to enhance and enforce data privacy regulations, following the passage of the California Privacy Rights Act (CPRA).

The California Privacy Protection Regulation (CPPR) refers to the regulatory framework established by the California Privacy Rights Act (CPRA). It enhances data privacy rights and protections for California residents and imposes stricter rules on businesses handling personal information.

The equivalent of GDPR (General Data Protection Regulation) in California is the California Privacy Rights Act (CPRA), which builds upon the California Consumer Privacy Act (CCPA) to enhance data privacy rights for residents of California.

Yes, the CCPA (California Consumer Privacy Act) is a data privacy law that is specific to the state of California. It grants California residents certain rights over their personal information held by businesses operating in California.

What is the California Privacy Protection Agency?

Get California Privacy Rights Act (CPRA) Readiness Assessment

Background of the California Privacy Rights Act (CPRA) of 2020

What is the California Privacy Protection Agency (CPPA)?

The Primary Duties of the CPPA Explained

Education

Rulemaking

Violations

How much funding will the CPPA have?

Voluntary Certification

Conclusion

Frequently Asked Questions (FAQs)

More Stories that May Interest You

Newsletter

Company

Resources

Terms

Get in touch

What is the California Privacy Protection Agency?

Get California Privacy Rights Act (CPRA) Readiness Assessment

Background of the California Privacy Rights Act (CPRA) of 2020

What is the California Privacy Protection Agency (CPPA)?

The Primary Duties of the CPPA Explained

Education

Rulemaking

Violations

How much funding will the CPPA have?

Voluntary Certification

Conclusion

Frequently Asked Questions (FAQs)

Join Our Newsletter

Share

More Stories that May Interest You

Right of Access to Personal Data: What To Know

Kuwait’s DPPR

The UK GDPR & Data Protection Act (DPA) 2018: Explained

Newsletter

Company

Resources

Terms

Get in touch