Out with the old, in with the new: Five members join California Privacy Protection Agency Board; California AG Xavier Becerra moves to HHS

The California Privacy Rights Act 2020 Initiative (CPRA) both amends the California Consumer Privacy Act (CCPA) and establishes the first administrative privacy agency in the US, the California Privacy Protection Agency (CPPA). The Agency is charged with protecting the fundamental privacy rights of Californians with respect to their personal information. It is responsible for issuing extensive rules regarding the requirements of the CCPA and CPRA and for bringing enforcement actions related to the CCPA or CPRA before an administrative law judge. California’s Attorney General will retain CCPA and CPRA civil enforcement authority. This week brought significant changes in the lineup of officials responsible for these important functions.

First, on March 17, 2021, California officials announced the appointment of five members to the CPPA board. The board will in turn be appointing the Agency’s executive director, officers, counsel and employees.

The board appointees are: Chair Jennifer M. Urban, Clinical Professor of Law and Director of Policy Initiatives for the Samuelson Law, Technology and Public Policy Clinic at the University of California, Berkeley – School of Law; John Christopher Thompson, Senior Vice President of Government Relations at LA 2028; Angela Sierra, former Chief Assistant Attorney General of the Public Rights Division; Lydia de la Torre, professor at Santa Clara University Law School; and Vinhcent Le, Technology Equity attorney at the Greenlining Institute.

The Board will oversee several very important CPRA rulemakings that are supposed to finish by July 1, 2022, six months before the CPRA takes effect and a year before enforcement begins. These rulemakings enable the CPPA to revisit many of the CCPA regulation topics, as well as to issue rules and even technical standards on other key new issues. Among the most significant topics to be addressed by these rules are:

  • requirements for consumer opt-out requests
  • rules and technical specifications for opt-out signals and signals set by a parent or guardian indicating that a user is a child under age 13 or a teen age 13-15
  • defining the scope of the opt-out of secondary uses or disclosures of sensitive personal data
  • rules and guidelines regarding financial incentives to consumers who waive CCPA rights
  • rules regarding the CPRA right to correct personal data
  • revisiting CCPA regulation rules regarding the data subject rights and service provider secondary use exceptions
  • defining the scope of mandatory annual cybersecurity audits
  • defining obligations for businesses to submit regular reports to the Agency on their privacy risk assessments
  • defining data subject access and opt-out rights for AI systems and
  • defining data protection impact assessment obligation reporting for holders of particularly sensitive information.

What is more, the CPPA will have authority to investigate multi-jurisdictional privacy violations in cooperation with other authorities, including the FTC and DPAs in other countries, and is to engage in public education on privacy rights.

Agency Chair Jennifer Urban has a background in technology policy and has not published extensively on privacy. She has notably published articles on mobile phone privacy and privacy issues in smart grid deployment. Interestingly, she has drafted a preprint research paper entitled “Privacy and Modern Advertising: Most US Internet Users Want ‘Do Not Track’ to Stop Collection of Data about their Online Activities” which argues for “finding an approach for advertising that is not so dependent upon third-party tracking and aggregation of information, both online and off.” Board member Vinhcent Le has been a strong voice for equity in outcomes of AI decisionmaking.

Second, the day after the CPPA leadership was announced, California Attorney General Xavier Becerra was confirmed as US Secretary of Health and Human Services. As California Attorney General, Secretary Becerra had issued rules that arguably may require honoring “do not sell” signals nearly two years before the CPPA rules defining the technical standard for this requirement issue. In January, he tweeted in support of the proposed Global Privacy Control browser signal to do that.

It will be for Secretary Becerra’s successor to consider whether to pursue this issue before the CPPA rules issue, to enforce the CCPA until the CPPA enforcement ramps up, and then to consider whether to serve as a backup enforcer to CPPA administrative enforcement authority.

Learn more about the implications of these developments by contacting either of the authors or your DLA Piper relationship attorney.

By Jim Halpert & Carol Umhoefer