With any newly assigned leadership group, it is fair to wonder if the appointments provide any clues as to how they might approach their duties. It is a question being asked and explored in the days following the appointments to the California Privacy Protection Agency board.
The inaugural board members for the first privacy-focused regulatory body in the U.S. were announced by California government officials March 17. University of California, Berkeley Clinical Professor of Law Jennifer Urban has been tapped to chair the CPPA, which was created with the approval of the California Privacy Rights Act in November 2020. Joining Urban are LA 2028 Senior Vice President of Government Relations John Thompson, California Chief Assistant Attorney General of the Public Rights Angela Sierra, Squire Patton Boggs Of Counsel and IAPP member Lydia de la Torre, and Greenlining Institute Attorney Vinhcent Le.
"In passing (the) CPRA and creating the CPPA, California demonstrates national and international leadership," Urban said in a statement. "California — with explicit privacy protections in our State Constitution, many existing innovative privacy laws, and leadership from an expert Attorney General’s office — has long been a leader in privacy. But as the world grows ever more data-driven, a dedicated body to protect consumer privacy rights, provide guidance to businesses, and enforce the law, is necessary."
What stood out immediately to Perkins Coie Partner Dominique Shelton Leipzig, CIPP/US, was the range of backgrounds the board members represent. Those areas include academia, business, law, social justice, consumer protection and more.
"This reflects the necessary diversity needed to tackle the complex issues that we face as a society with our increasing reliance on technology for everything from education, work and health" Leipzig said. "Trust and integrity will be key."
Berkeley Adjunct Professor of Information and Law Chris Jay Hoofnagle believes initial appointments, in general, are crucial, noting how questionable appointments to the U.S. Federal Trade Commission over the years in some instances created "a corrosive effect on agency trust." The appointment of Urban, Hoofnagle's colleague, is a strong one from his point of view.
"Appointing Jennifer Urban is a visionary step," Hoofnagle said. "I would compare her to Janet Steiger, President (George) H.W. Bush's chair of the FTC. Steiger was so incorruptible, fair, and consensus-focused that she repaired the Reagan-era damage to the FTC and was kept on by President (Bill) Clinton. Jennifer is circumspect, fair and takes seriously the arguments and interests of stakeholders. She has a serious amount of practice experience; she is not just an academic. She understands (Silicon) Valley business models."
Specific stances and motivations for Urban's agenda are yet to be determined, but she will be focused on a "level playing field" that supports consumers and compliant businesses. She said that Californians "deserve control over their personal information, protection from privacy-invasive practices, and the ability to trust that their data is secure." While acknowledging the need for "clear rules" for businesses, Urban also made clear she envisions a regulatory landscape that "allows them to build privacy-protective products and services."
High Tech Law Institute Co-Director and Privacy Law Certificate Faculty Supervisor Eric Goldman gave high remarks on Urban but also viewed the appointment of de la Torre as an essential step. De la Torre's wealth of knowledge regarding the CPPA's future responsibilities and privacy law on a global level helped her stand out in the selection process.
"They need the privacy practitioner perspective, and I think Lydia is the best example of that on the board," Goldman said. "The other reason she is so helpful is that she's a bona fide (EU General Data Protection Regulation) expert. Having someone who really understands the GDPR will help the board. A U.S.-trained lawyer, no matter how much they've thought about the GDPR, probably won't be as expert as Lydia will be."
The biggest surprise to Goldman was not any particular inclusion to the board but a striking omission. He expected Californians for Consumer Privacy Founder Alastair Mactaggart, the architect of the CPRA and the California Consumer Privacy Act, to be one of the first five board members.
"I can also see why it makes sense for him not to be on the board," Goldman said. "It might be overly limiting to the work he wants to do. But Alastair's absence frees up the board to be a little more aggressive. If he was there to defend, I felt like it would really distort the dynamic."
An obvious first order of business for the CPPA will be staffing. Covington & Burling Partner Lindsey Tonsager points out the board will need to appoint several employees, including an executive director and chief privacy auditor, sooner rather than later. Tonsager said staff loans from the attorney general's office are a common practice with past agency appointments, but doing so for the CPPA is not a given due to the exit of Attorney General Xavier Becerra — who was confirmed as secretary of the U.S. Department of Health and Human Services last week — and subsequent shakeup his former office will see.
Also firmly in the CPPA's sights is July 1, 2022, the deadline to complete CPRA rulemaking to give companies ample time to comply prior to the law's Jan. 1, 2023, effective date.
"The CPPA's regulations will cover broader ground than the existing CCPA regulations from the attorney general," Tonsager said. "For example, the new regulations will address opt-outs for cross-context behavioral advertising, opt-outs and access rights for automated decision-making technologies, restrictions on the use of so-called 'dark patterns,' and processes for exercising and responding to new consumer rights."
As it embarks on drawing up regulations and other duties, Leipzig would prefer the CPPA conduct its work with an all-inclusive and thoughtful approach.
"In order to tackle these important issues, all stakeholders will need to be part of the solutions," Leipzig said. "That's consumers, business, regulators and legislators. We can't reach solutions without everyone's involvement. I am hopeful that the board will provide a sounding board for consumers, as well as businesses, regarding how to implement the CPRA."
On the other hand, Goldman is less optimistic the new regulator can properly fulfill its mandated work.
"I don't think they'll be able to fix the structural problems with the CPRA, but I'm less nervous than I was before," Goldman said. "The CPRA has baked into its DNA that it has to prioritize consumer interests over all other privacy considerations. Because of that, I feel like the board will inevitably become dysfunctional as it reaches decisions that I don't think are going to truly be in the best interest of Californians in general."
Photo by Tim Foster on Unsplash
California Privacy Law, Fourth Edition
“California Privacy Law,” now in its newly updated fourth edition, provides businesses, attorneys, privacy officers and other professionals with practical guidance and in-depth information to navigate the state’s strict policies.
Implementing the CCPA: A Guide for Global Business
This book aims to help the person who is leading a business’s California Consumer Privacy Act efforts so they can have a handle on what is necessary to comply and make risk-based choices about how best to proceed.