California Privacy Protection Agency Provides Update on Board Activities

On Nov. 3, 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which created the California Privacy Protection Agency (CPPA), a state-level agency for consumer privacy regulation in the state of California. The CPRA amended and expanded upon California's existing consumer privacy law, the California Consumer Privacy Act (CCPA). The CPPA is vested with full administrative power, authority and jurisdiction to implement and enforce the CCPA and the CPRA once the CPRA goes fully into effect on Jan. 1, 2023.

The CPPA is governed by a five-member board: two members were appointed by Gov. Gavin Newsom, and the attorney general, senate rules committee and speaker of the assembly each appointed a member. The board members have well-respected careers in the data privacy sector. They have the "qualifications, experience, and skills" in the relevant areas required to perform their duties as required under CPRA. (See Cal. Civ. Code §1798.199.15.) Sometime in the coming months, the CPPA will replace the state attorney general as the primary enforcer of the CCPA.

The CPPA held a virtual meeting on Sept. 7-8, 2021, which included public and closed sessions. The meeting expanded discussions related to the inaugural meeting agenda in what continues to be a full schedule for the CPPA going into next year.

The Meeting Agenda

The CPPA Board shared an agenda and related materials ahead of the meeting. The public meeting, which lasted more than five hours, provided attendees with details regarding the activities the board has performed since the last meeting and future tasks.

Hiring. Chairperson Jennifer M. Urban provided a detailed update regarding the hiring process for its executive director of the CPPA. At the time of the meeting, the application process had closed, and the Board was reviewing potential candidates.

Location. The Board is looking at options for an office location, pricing and related matters; no location has been chosen as of the date of the meeting.

Board Priorities. Priorities for the Board include hiring of staff, establishing internal processes and procedures and making progress on the regulations, including review, revisions, drafting and guidance regarding the same.

Regulations. CPRA requires the CPPA to adopt final regulations by July 1, 2022, and the Board seemed to recognize that California's protracted rulemaking process could make this timeline even more challenging. The Board announced that it expects the CPPA to initiate preliminary rulemaking activities this fall, including information gathering, soliciting comments from the public and holding informational hearings. In addition, the Board created three subcommittees for rulemaking-related tasks: one to focus on updates to the existing CCPA regulations necessary to account for changes in CPRA; a second subcommittee to draft new rules regarding items not addressed in the current regulations; and a third charged with coordinating the rulemaking process.

This winter, the CPPA will start the formal rulemaking process with publication of a notice of proposed rulemaking, issuance of draft regulation and a statement of reasons that is required to explain the purpose and necessity of each regulation. There will then be a 45-day public comment period, and the CPPA will hold public hearings, likely to take place later this year and early next year. The CPPA is required to respond to every comment, and substantial modifications to the draft regulations will trigger another public comment window.

Public Awareness. The Board discussed the activities and possible staffing needs of the CPPA to provide the public and regulated entities with guidance on best practice.

Closed Session. At the end of the public meeting, the Board went into a closed session to review and discuss hiring of an executive director.

Upcoming Meetings

The Board is holding another closed session on Sept. 24, 2021, to discuss and possibly appoint an executive director and a chief privacy auditor under authority of Government Code 11126(a)(1).

Additional closed sessions regarding hiring will be held on Oct. 18, 2021, and Nov. 15, 2021.

We Can Help

For more information about the CCPA, CPRA, CPPA, guidance interpreting privacy laws or questions on establishing a compliant privacy program at your company, contact the authors or Mark Melodia, chair of Holland & Knight's Data Strategy, Security & Privacy Team. To stay informed on the latest data privacy news, sign up for the Holland & Knight Cybersecurity and Privacy Blog.