On Friday, March 3, 2023, the California Privacy Protection Agency (CPPA) held a public board meeting. Though the meeting focused primarily on the Agency’s budget and various administrative issues (e.g., subcommittee structure and rulemaking processes), the Board also discussed several topics with more direct relevance to companies subject to California privacy law. Most notably, the Board emphasized its prioritization of enforcement activities as the Agency continues to grow. This emphasis on enforcement aligns with other developments highlighting the need for companies to bring their privacy programs into compliance with California privacy laws, such as the pending finalization of the California Privacy Rights Act (CPRA) regulations and the California Attorney General’s recent investigative sweep pertaining to mobile applications’ compliance with the California Consumer Privacy Act (CCPA).
The CPPA’s flurry of recent activity (both with regard to rulemaking and public board meetings) indicate that the agency may be looking to make a splash early with regard to flexing its enforcement authority. Companies that had been previously delaying their CPRA compliance programs should note this development. As a reminder, the CPRA went into effect on January 1, 2023 and can be enforced beginning on July 1, 2023 (and only for violations that occur after this date).
We have highlighted select takeaways from this meeting below. We are happy to answer any questions your company may have about California privacy law compliance.
1. Prioritizing Enforcement Moving Forward: On multiple occasions, Board members highlighted enforcement as a priority for the Agency moving forward. CPPA Executive Director Ashkan Soltani, for example, noted that the Board is in the process of hiring additional enforcement personnel and has incorporated enforcement positions into its budget plans. The growth of the Board’s enforcement capacity comes against the backdrop of recent enforcement activity by the California Attorney General, which in late January announced an “investigative sweep” focused on mobile applications’ compliance with the CCPA. Friday’s board meeting suggests that the CPPA appears poised to begin exercising its concurrent enforcement authority in the near future, heightening compliance risks for companies subject to the CCPA and CPRA.
2. Agency Opposition to Federal Privacy Legislation: The Board noted that it had submitted a joint letter (along with the California Governor and Attorney General) to Congress on February 28 opposing passage of the American Data Privacy Protection Act (ADPPA). The ADPPA is a proposed federal privacy law, considered by Congress last year and the subject of interest again this legislative session, that would establish a national data privacy standard and, among other things, preempt state-level comprehensive privacy laws like those in place in California. Congress considered the ADPPA last year and has expressed a renewed interest in pursuing the legislation again this year, with the House Energy and Commerce Committee holding a hearing on the topic on March 1. The Board explained its opposition to the ADPPA as being rooted primarily in preemption concerns. Board Chairperson Jennifer Urban noted that, while the Board supported strong privacy protections for all Americans, it did not want those protections to come at the expense of Californians’ privacy rights. Board member Vinhcent Le echoed those concerns, noting that the Board’s letter was aimed at ensuring that federal legislation did not preempt California law.
3. CPRA Regulations Remain Under Administrative Review: Executive Director Soltani provided an update on the status of the CPRA regulations approved at the Board’s previous meeting. He said that the regulations were submitted to the California Office of Administrative Law (OAL) on February 14, and that OAL had 30 business days from that point to complete its administrative review of the regulations. This means that an OAL response can be expected by late March.
4. Public Comments Regarding Cyber Audits, Risk Assessments, and Automated Decisionmaking Due in March: Executive Director Soltani also provided an update on the status of the Agency’s Invitation for Preliminary Comments on Proposed Rulemaking for Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking. The deadline for these public comments is March 27.
