The California Privacy Protection Agency Is Finally Taking Shape: What You Need to Know to Prepare

In another breakthrough for data privacy, on March 17, 2021, Attorney General Xavier Becerra announced the members of the California Privacy Protection Agency (CPPA) Board. The enforcement agency was created as part of the California Privacy Rights Act (CPRA), also known as Proposition 24. The CPPA is the state-level privacy regulator and will start enforcing the law as soon as July 1, 2021.  

Why is the CPPA important? 

The CPPA is a fully functioning, state-funded privacy agency—approved by California voters—and will have more resources to investigate consumer privacy complaints against businesses starting July 1, 2021, as this marks the day the CPPA takes over rulemaking authority from the California Attorney General. The CPPA has plenty of time to meet the July 1, 2022 deadline to adopt the final regulations required by the CPRA. 

Becerra said, “The California Privacy Protection Agency marks a historic new chapter in data privacy by establishing the first agency in the country dedicated to protecting forty million Californians’ fundamental privacy rights. The CPPA Board will help California residents understand and control their data privacy while holding online businesses accountable.”

This historic milestone proves that privacy regulation is moving fast in 2021, and businesses must understand the new enforcement agency will have full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act (CPPA) and California Privacy Rights Act (CPRA). 

What you should do to prepare for CPPA enforcement

Since the July 1, 2020 CPPA enforcement date, there hasn’t been much buzz around California businesses being cited for non-compliance, but Attorney General Becerra has been vocal and provided guidance on what businesses should do to meet the minimum requirements to comply with the CPPA. Come July that is all about to change, and if companies have been sitting on the sidelines waiting to see what’s next, the CPPAs primary objective is to focus on enforcing the CPPA and CPRA. 

Failing to protect personal identifiable information (PII) will be widespread and drive high fines and significant regulatory consequences under the CPPA and beyond. Pondurance has spent considerable time analyzing common attack patterns to better reduce PII compromise, shorten dwell time and prevent damaging consequences like fines from privacy acts. 

California Privacy Protection Agency Board Members:

Jennifer M. Urban of Kensington has been appointed Chair of the California Privacy Protection Agency Board by Governor Newsom.

John Christopher Thompson of Pasadena has been appointed to the California Privacy Protection Agency Board by Governor Newsom. 

Angela Sierra is the designee of Attorney General Xavier Becerra. 

Lydia de la Torre is the President Pro Tem’s nominee to the CPPA Board. 

Vinhcent Le is the designee of Speaker Anthony Rendon. 

Any business that collects or provides the personal information of California residents and has more than $25 million in annual sales, buys sells or shares information on 50,000 or more individuals, households, or devices and derives more than half of its annual revenue from the sales of personal information fall in the scope of CPPA and CPRA. These businesses should  already have mechanisms in place to protect consumer data and provide an easy method for consumers to submit requests to access their information. 

As part of a holistic approach to data privacy, we recommend organizations monitor their networks 24/7. This is not always viable for every organization to accomplish, many struggle to keep security talent or find it too costly to maintain internally. That’s where Managed Detection and Response can be beneficial providing full 360° visibility and 24/7 support in protecting any digital assets such as  consumer data. Learn more about how to choose an MDR provider in our webinar. Register here!