California officials today announced their nominees to be the five inaugural members of the California Privacy Protection Agency (“CPPA”) Board. Created by the California Privacy Rights Act (“CPRA”), the CPPA will become a powerful, state-level privacy regulator long before its enforcement authority becomes effective in 2023, and today’s appointments move the CPPA one large step closer to beginning its work. This post provides an overview of the CPPA’s authority, examines the issues that might be on its agenda, and outlines a few ways companies can start to get ready for potential regulations.
The five inaugural nominees of the CPPA Board are:
- Jennifer Urban, who was appointed as Chair of the CPPA by Governor Gavin Newsom. Urban is a clinical professor at UC Berkeley School of Law.
- John Christopher Thompson, who was appointed by Governor Newsom and is Senior Vice President of Government Relations at LA 2028.
- Angela Serra, who was designated by California Attorney General Xavier Becerra. Serra served in a wide range of roles in the California Department of Justice, including overseeing the Consumer Protection Section’s Privacy Unit.
- Lydia de la Torre, who was nominated by Senate President Pro Tem Toni Atkins. De la Torre is a professor of law at Santa Clara University.
- Vinhcent Le, who was designated by Assembly Speaker Anthony Rendon.
The announcement indicates that Urban’s and Thompson’s appointments do not require Senate confirmation.
The CPPA’s Next Milestones
Although the CPPA’s administrative enforcement authority does not become effective until July 1, 2023, the agency is poised in the meantime to become a powerful regulatory and supervisory authority, akin to a European data protection authority. Key dates in the near term are:
- July 1, 2021: CPPA takes over rulemaking authority from the California Attorney General.
- July 1, 2022: Deadline for the CPPA to adopt final regulations required by CPRA.
Which Regulations Does CPRA Require the CPPA to Issue?
Section 21 of CPRA (codified in Civil Code section 1798.185) adds fifteen areas of CCPA implementation to be spelled out in regulations, on top of the seven areas that were defined under the initial CCPA. (CPRA also amends existing areas of rulemaking authority. For example, it grants more specific authority to prescribe standards for opt-out mechanisms.)
Although CPRA requires the CPPA to adopt final regulations in these areas by July 1, 2022, it would not be surprising to see the agency set priorities, as the Attorney General’s Office did initially under the CCPA. These priorities could include fundamental elements of the CCPA:
- Opt-Outs for Sale, Sharing, and Profiling, and Limiting Use of Personal Information: CPRA grants the CPPA the authority to adopt regulations that further define consumers’ opt-out rights. Specifically, the agency is directed to adopt regulations that define “intentional interactions,” which in turn define the scope of exceptions to “sale” and “sharing.” The CPPA is also charged with issuing rules about “profiling” opt-out rights, and this area is worth watching closely because it is not aligned with Virginia’s new privacy law or the current text of the Washington Privacy Act. CPRA defines “profiling” as the “automated processing of personal information, . . . to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” A profiling opt-out under CPRA could apply to any first-party data use that meets this definition. The profiling opt-out right under the Virginia Consumer Data Protection Act is narrower: it is limited to the “furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” (The profiling opt-out proposed in the Washington Privacy Act is substantively identical to Virginia’s opt-out.) Other aspects of opt-out rights that could be initial rulemaking targets include (a) the definition of “technical specifications” for a global platform- or browser-based opt-out mechanism, including the potential addition of a feature to indicate that the user is under the age of 13 or between 13 and 15 years old; (b) standards for consent to sell or share personal information, or to use or disclose sensitive personal information, for businesses that respond to opt-out signals; and (c) “harmonizing” CCPA rules governing privacy notices, opt-out mechanisms, and “other operational mechanisms” to “promote clarity and functionality . . . for consumers.”
- Access Requests: CPRA directs the CPPA to define the scope of responses to consumer requests for specific pieces of personal information. CPRA suggests that these regulations may exclude system log and other information that “would not be useful to the consumer,” as well as define authentication standards for access to sensitive personal information.
- Business Purposes: Finally, it is possible that the CPPA will focus initially on “further defining” business purposes for which contractors and service providers may combine personal information from multiple businesses.
Defining CPPA’s Supervisory Authority
The CPPA will also have considerable supervisory authority. Section 1798.185(a)(15) authorizes the CPPA to issue regulations requiring cybersecurity audits and risk assessments of businesses “whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security.”
Separately, the CPPA must appoint a Chief Privacy Auditor to audit businesses’ compliance with the CCPA. The Auditor’s role will be defined almost entirely through regulations, and the statutory guidance on these regulations is scant: The CPPA will define the “scope and process of the agency’s audit authority,” establish criteria for selecting audit targets, and establish protections against disclosure for the information the auditor collects.
As with other areas of CPPA rulemaking, it is unclear when the agency will turn to establishing the Chief Privacy Auditor’s authority. It is worth noting now, however, that the Auditor’s authority is potentially sweeping, and worth considering how a CCPA compliance program will look when it is under the Auditor’s microscope.
Today’s appointments are an important milestone in the development of a new breed of U.S. privacy regulator. We will keep a close watch on further developments with the Board and the CPPA’s activities.
Kelley Drye attorneys and industry experts provide timely insights on legal and regulatory issues that impact your business.