California government officials announced late Wednesday its appointments to the newly established California Privacy Protection Agency. Last November, state residents voted to approve Proposition 24, a ballot initiative that put in place the California Privacy Rights Act, which mandated the formation of the CPPA.
The agency is the first privacy-dedicated regulator in the U.S., and it will have jurisdiction to implement and enforce both the California Consumer Privacy Act and CPRA, though the attorney general will retain authority to enforce the CPRA through civil penalties in coordination with the CPPA. Enforcement of the CPRA will go into effect in 2023.
Gov. Gavin Newsom, D-Calif., Attorney General Xavier Becerra, Senate President pro Tempore Toni Atkins and Assembly Speaker Anthony Rendon made the announcement in a news release.
"Californians deserve to have their data protected and the individuals appointed today will bring their expertise in technology, privacy and consumer rights to advance that goal. These appointees represent a new day in online consumer protection and business accountability," Newsom said.
University of California, Berkeley Clinical Professor of Law Jennifer Urban was appointed chair of the CPPA by Newsom. She will be joined by John Thompson, who has served as senior vice president of government relations for LA 2028; Angela Sierra, who recently served as chief assistant attorney general of the Public Rights Division; Lydia de la Torre, who is currently an IAPP member and served as of-counsel at Squire Patton Boggs; and Vinhcent Le, an attorney at The Greenlining Institute.
De la Torre, along with Squire Patton Boggs' Glenn Brown, wrote about the CPPA in a recent article for The Privacy Advisor, "What is the California Privacy Protection Agency?" They wrote, "In terms of the mandate, the CPPA will significantly go beyond the functions currently performed by California's Office of the Attorney General. In addition to enforcement and rulemaking, the CPPA will have an important educational function."
In the article, they also note "it is expected the new agency will undertake not only the update of the existing CCPA rules, but also the issues of new ones addressing" several areas involving cross-context behavioral advertising, specifics around consumer rights, standards for audits and risk assessments, among others.
In a podcast interview just ahead of last year's Proposition 24 vote, Alastair MacTaggert, a co-architect of the CCPA and driving force behind the CPRA, discussed the new agency. In a press release, Mactaggart said, "I want to congratulate the new board of the California Privacy Protection Agency and look forward to working with them to uphold and strengthen privacy laws for all Californians."
Among its many duties, the CPPA will also appoint the agency's executive director, officers, counsel and employees. It will also name a chief privacy auditor "to conduct audits of businesses to ensure compliance with the CPRA," de la Torre and Brown wrote, adding, "because the CPPA will have the power to cooperate with other privacy enforcement agencies in the state, as well as in 'other states, territories, and countries,' it is expected that it will coordinate its investigatory actions with regulators in other jurisdictions, including European data protection authorities."
In addition to enforcement, the CPPA will help educate citizens and consumers and provide technical assistance to the state's Legislature regarding privacy-related legislation.
Photo by Kyle Smith on Unsplash
