The California Privacy Rights Act Goes into Effect | Byte Back

The California Privacy Rights Act Goes into Effect
By David Stauss & Shelby Dolen on December 16, 2020
POSTED IN CALIFORNIA PRIVACY RIGHTS ACT
Keypoint: Although the CPRA will not become fully operative until January 1, 2023, the provisions creating the California Privacy Protection Agency and extending the business-to-business and employee exemptions are now operative.

On December 11, 2020, California Secretary of State Alex Padilla certified the results of the November General Election. As a result, the California Privacy Rights Act (CPRA) became effective today, pursuant to Section 31 of Proposition 24 and Article II, Section 10(a) of the California Constitution. Notwithstanding the CPRA’s effective date, the majority of its provisions will not become operative until January 1, 2023. Nonetheless, certain notable provisions are now fully operative:


Establishment of the California Privacy Protection Agency

December 16, 2020 marks the birth of the California Privacy Protection Agency (CPPA)­­—an agency that has the potential to become one of the most powerful data privacy agencies in the world considering that California is the world’s fifth largest economy. The CPPA will have a $5 million appropriation for the fiscal year 2020-2021 and a $10 million appropriation every year thereafter.

A five-member board will govern the CPPA and the California governor will appoint the board’s chairperson and one member. In addition, the Attorney General, Senate Rules Committee, and Speaker of the Assembly will each appoint one member. The initial appointments must be made within ninety days of the CPRA’s effective date, March 16, 2021. The appointments shall be made from California residents with expertise in the areas of privacy, technology, and consumer rights. Board members will serve at the pleasure of their appointing authority but not for longer than eight consecutive years. The Attorney General will provide staff support to the CPPA until the agency can hire its own staff members and appoint an executive director.

Authority

Pursuant to section 1798.199.40(b), the CPPA will assume rulemaking responsibilities from the California Attorney General’s office “on or after the earlier of July 1, 2021, or within six months of the agency providing the Attorney General with notice that it is prepared to assume rulemaking responsibilities.” However, there is contrary language in section 1798.185(d), which states that the CPPA will assume rulemaking “the later of July 1, 2020 or six months after the agency provides notice to the Attorney General that it is prepared to begin rulemaking.” Whatever the official start date, the CPPA must adopt final regulations by July 1, 2022.

In addition, the CPPA will – eventually – be charged with bringing administrative enforcement actions for violations of the CPPA; however, that authority will not begin until July 1, 2023 and shall only apply to violations occurring after that date.

Regulations

The CPRA’s changes to section 1798.185 will immediately become operative. The changes expand the topics upon which the CPPA will issue regulations, from seven to twenty-two, and will modify many of the existing seven topics.

Piecing this all together, the CPPA will have approximately sixteen months (from March 2021 when its board is formed, until July 1, 2022) to draft and revise regulations on twenty-two topics. It remains to be seen what impact the pandemic will have on those efforts.

In comparison, the legislature passed the CCPA on June 28, 2018 (through Assembly Bill 375) and the California Attorney General’s office submitted final regulations on seven topics to the Office of Administrative Law on June 1, 2020–an approximately twenty-three-month time period. In that time period, the Attorney General’s office held seven public forums from February to March 2019, issued initial regulations in October 2019, held four public hearings in December 2019, and issued two sets of modified regulations. If the CPPA regulations follow a similar model, it will be a very active sixteen months.

Extension of the Business to Business and Employee Exemptions

The other notable provisions of the CPRA that will immediately become operative are sections 1798.145(m) and (n), which will extend the business-to-business and employee exemptions until January 1, 2023, the date the CPRA becomes fully operative. The two-year period is intended to allow lawmakers additional time to pass legislation to extend these exemptions.

Changes to the Consumer Privacy Fund

Finally, section 1798.160 of the CPRA will immediately become operative, changing the manner by which the Consumer Privacy Fund allocates funds.