With the passage of the ballot initiative known as the Consumer Privacy Rights Act (CPRA or Act) in California, we are presenting several blog articles on different topics related to this new law. Last week, we wrote about the newly-added definition of sensitive information. This week we will focus on some key effective dates in the CPRA along with what it will mean to have a separate privacy rights enforcement agency.
CPRA Effective January 1, 2023
The good news is that the CPRA’s effective date is January 1, 2023, so businesses have some time to assess and get ready for the new law while the California Consumer Privacy Act (CCPA) is still in effect and enforceable. The CPRA functions like an overlay to CCPA. Once the CPRA takes effect in 2023, it will become the privacy law of the land in California.
There is one exception to the 2023 effective date and that is with respect to the right of access. The CPRA’s right to know or right of access applies to personal information collected by a business on or after January 1, 2022. The exemptions for employee information and business-to-business information remain in place until January 1, 2023. The CPRA also provides additional rulemaking authority, which may also take place prior to the effective date.
Creation of the California Privacy Protection Agency
Section 24 of the CPRA creates the California Privacy Protection Agency (CPPA or Agency), established in the state government of California. The Agency is vested with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act. Section 1798.199.10(a) states that: “[t]he Agency shall be governed by a five-member board, including the Chair. The Chair and one member of the board shall be appointed by the Governor. The Attorney General, Senate Rules Committee, and Speaker of the Assembly shall each appoint one member. These appointments should be made from among Californians with expertise in the areas of privacy, technology, and consumer rights.” Subsection (b) states that the initial appointments to the Agency shall be made within 90 days of the effective date of the Act.
The board will have the authority to appoint an executive director and the Agency will have broad powers to protect “the fundamental privacy rights of natural persons with respect to the use of their personal information.” Section 1798.199.40 (c). The CPRA allows individuals, businesses, customers, advocacy groups and vendors to file complaints with the Agency regarding the privacy practices of a business. The Agency will have the power to investigate complaints, to hold hearings to determine if a violation has occurred, and to issue orders to: cease and desist, and to pay an administrative fine up to $2,500 for each violation or up to $7,500 for each intentional violation as well as each violation involving the personal information of minor consumers. The Agency also has the power to bring a civil action in the superior court for the purpose of collecting unpaid administrative agency fines.
The Agency also is charged with providing guidance to both consumers and businesses regarding their rights and responsibilities under the CPRA. One final note is that Section 1798.199.100 states that the Agency “shall consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of any administrative fine or civil penalty for a violation of this title.”