Passage of the California Privacy Rights Act ballot initiative is a significant development for the U.S. privacy landscape. Its scope is broader than the existing California Consumer Privacy Act, creating additional rights and obligations, as well as the first state agency dedicated to privacy, the California Privacy Protection Agency.
While most of the CPRA’s provisions are not operative until Jan. 1, 2023, the provisions regarding the establishment and funding of the agency are operative immediately upon the CPRA’s effective date (Section 31), which is expected to be as early as December 2020. The creation of the agency over the next several months likely will receive considerable attention from businesses and consumer advocates as they try to understand how this new agency will function and, as directed by the language of the statute, “implement and enforce” the law.
Structure of the agency
The new agency will be governed by a five-member board. Appointments will be made by the governor (who will appoint both the chair and a member), attorney general, U.S. Senate Committee on Rules and Administration, and speaker of the Assembly. Members are required to be “Californians with expertise in the areas of privacy, technology, and consumer rights.” The CPRA does not designate specific terms for board members — they “serve at the pleasure of their appointing authority” — but members may not serve longer than eight consecutive years. After their service, board members are subject to certain restrictions regarding their employment — provisions that appear designed to avoid any suggestion former board members could use their previous position to improperly influence the agency or advance a business’ interest.
The choice of board members will be important. “How the (CPRA) will be interpreted and enforced will depend significantly on who makes up the [Board]” according to Covington & Burling’s Lindsey Tonsager. While the CPRA requires board appointments to be made within 90 days of its effective date, it is expected members will be chosen by the end of January 2021.
The agency also will have an executive director, appointed by the board, and a chief privacy auditor. Staff support for the agency is to be provided by the attorney general until it is able to hire its own staff.
Funding for the agency is included in the CPRA, which directs an appropriation from California’s General Fund of $5 million during fiscal year 2020–21 and $10 million each fiscal year thereafter. This funding provision is operative on the effective date of the CPRA.
Agency’s rulemaking authority
Like the establishment of the agency, the “Regulations” provision of the CPRA (1798.185) also will be effective immediately (Section 31), and rulemaking will be an important agency function. The attorney general initially will have rulemaking authority under the CPRA (as he does now under CCPA), but the agency will assume these rulemaking responsibilities by July 1, 2021, or within six months of the agency providing notice to the attorney general that it is ready to do so. Final CPRA regulations are to be adopted by July 1, 2022, a year ahead of its enforcement.
The anticipated rulemaking is significant. The CPRA requires regulations to be adopted in 22 areas, including 15 not originally identified in the CCPA. Lydia de la Torre and Glenn Brown of Squire Patton Boggs have published a helpful overview of some of the new regulatory topics, and the IAPP plans to cover the CPRA’s anticipated rulemaking in detail in the ninth part of this series. It will be interesting to see how this regulatory process unfolds and if the attorney general begins CPRA rulemaking efforts over the next several months.
Generally, rulemaking in California is governed by provisions in its Administrative Procedure Act and is reviewed by the Office of Administrative Law. While preliminary rulemaking activities for the CCPA began in January 2019 with public forums, regulations were not approved by the OAL until August 2020. It was an extensive process that included public comment periods, multiple revisions to the proposed regulations, and the Office of the Attorney General summarizing and responding to comments raised in the almost 400 public comment letters it received. Given the scope of the rulemaking contemplated by the CPRA, it is likely the process will be even more involved. Of note, the attorney general has included “Tips for Making Effective Comments” on its current rulemaking page for the CCPA.
Another key function of the agency will be administrative enforcement. Specifically, the CPRA requires the agency to “administer, implement, and enforce” the law “through administrative actions” (1798.199.40(a)) while the attorney general retains its civil enforcement powers (1798.199.90).
Even though CPRA enforcement does not begin until July 1, 2023, businesses will need to familiarize themselves with this new administrative enforcement process and consider the implications of having dual enforcement entities.
The agency will have the power to investigate possible violations either “on its own initiative” or upon receiving a “sworn complaint.” This investigatory power is discretionary. The agency can choose not to investigate a complaint or to give an entity time to cure the alleged violation. The two factors the agency “may consider” in deciding not to investigate or to give time to cure are whether there was a lack of intent to violate the law and whether there were any voluntary efforts to cure the alleged violation prior to notice of the complaint.
The agency is required to “notify in writing” the person who made the complaint regarding what action, if any, it intends to take, “together with the reasons for such action or non-action.”
The agency also has the power to subpoena witnesses and the production of documents, compel witness attendance and testimony, and take evidence (1798.199.65). Its auditing authority will be the subject of future regulation (1798.185(a)(18)).
Probable cause proceeding
The agency will use a “probable cause” standard in evaluating whether to proceed to an administrative hearing regarding an alleged violation of the law, a phrase more typically thought of in the criminal law context. Before it can make a probable cause finding, the agency must give alleged violators of the law formal notice of the alleged violation by service of process or registered mail at least thirty days prior to its consideration of the issue. The agency also must provide a summary of its evidence and inform the alleged violator of the right to be present and represented by counsel at the probable cause proceeding.
Probable cause proceedings are private unless the alleged violator requests otherwise. Pursuant to 1798.199.70(a), “service of the probable cause hearing notice ... shall constitute the commencement of the administrative action.” CPRA administrative actions generally cannot be brought more than five years after the date the violation occurred, except in circumstances involving fraudulent concealment of information or delay in producing requested documents.
Administrative hearing and potential sanctions
If the agency determines there is probable cause to believe a violation of the law has occurred, it will hold an administrative hearing, conducted in accordance with provisions of California’s APA. If there is a determination a violation occurred, the agency is empowered to order violators to (1) cease and desist; and/or (2) pay an administrative fine of up to $2,500 per violation or up to $7,500 for each intentional violation and each violation involving the personal information of minor consumers. If there is more than one party responsible for a violation, liability is joint and several. The agency is required to “consider the good faith cooperation” of the entity in determining the amount of any administrative fine (1798.199.100).
Judicial review of agency decisions
Agency decisions will be subject to judicial review. Specifically, any decision “with respect to a complaint or administrative fine shall be subject to judicial review in an action brought by an interested party to the complaint or administrative fine and shall be subject to an abuse of discretion standard.”
Deference to the attorney general
The CPRA requires the agency to defer to the attorney general regarding investigations and administrative actions, staying its proceedings if requested so the attorney general can pursue the matter. However, if the agency already has issued an order or decision, the attorney general cannot pursue a civil action for the same violation. Section 1798.199.100 makes clear “[a] business shall not be required by the agency, a court, or otherwise to pay both an administrative fine and a civil penalty for the same violation.”
Once the agency is in place, further details regarding what this administrative enforcement process will involve may be available.
Other agency functions
In addition to rulemaking and enforcement, the agency has a number of other required functions, including:
- Education and public awareness regarding “the risks, rules, responsibilities, safeguards, and rights” relating to personal information.
- Guidance to consumers and businesses.
- Technical assistance and advice to the legislature on privacy-related legislation.
- Cooperation with other agencies with jurisdiction over privacy laws, including other states, territories and countries.
The guidance component could be significant, particularly with respect to compliance issues. What form the agency’s guidance takes and whether businesses will be able to have a dialogue with the agency to discuss and resolve issues are open questions.
The agency’s anticipated role in CPRA’s rulemaking and enforcement is significant. We can expect to learn more over the following months as board appointments are made and the agency takes shape. We will continue to monitor and report on agency developments and look forward to providing more insight regarding the CPRA in the other parts of this series.
This article, focused specifically on the agency, is the first in a 10-part series intended to help privacy professionals understand the operational impacts of the CPRA, including how it amends the current rights and obligations established by the CCPA. The rest of the series will explore:
- Part 2 — Whether an entity is a “business” within the law’s scope and the CPRA’s exemptions.
- Part 3 — The CPRA’s new provisions regarding the right to correct and the treatment of sensitive personal information.
- Part 4 — Other new rights and obligations included in the CPRA, like data minimization and data retention.
- Part 5 — Notice obligations and the right to opt-out.
- Part 6 — Service providers, contractors and third parties.
- Part 7 — Response to consumers’ access requests.
- Part 8 — Rights to deletion and non-discrimination, as well as the requirements for minors.
- Part 9 — The scope and potential impact of the regulations to be adopted.
- Part 10 — Penalties and enforcement mechanisms.
The IAPP created an infographic outlining the 10 most-impactful provisions of the California Privacy Rights Act ballot initiative. The infographic gives a snapshot of the potential implications stemming from the CPRA being passed and entering into force January 2023.
The Westin Research Center released a new interactive tool to help IAPP members navigate the California Consumer Privacy Act. The “CCPA Genius” maps requirements in the law to specific CCPA provisions, the proposed regulations, expert analysis and guidance regarding compliance, the California Privacy Rights Act ballot initiative, and other resources.