The California Privacy Protection Agency (CPPA) is making strides to uphold consumer privacy rights since its establishment following the California Consumer Privacy Act (CCPA). Recently, Board Chair Jennifer M. Urban highlighted the agency's progress, addressing various initiatives aimed at enhancing privacy regulations and security across California.
Founded with the aim of protecting Californian privacy, the CPPA has taken significant actions, including drafting and implementing regulations around privacy, enforcing violations, and initiating statewide public education campaigns about privacy rights. According to Urban, the agency’s mission is clear: “Protect Californians’ privacy, ensuring consumers are aware of their rights, businesses are informed of their obligations, and vigorously enforcing the law against businesses violating consumers' privacy rights.”
Initially, the CPPA launched with only $5 million, but the agency’s budget ballooned to $12.8 million for the 2024-25 fiscal year, which has allowed them to grow their workforce to over 40 employees across seven divisions within just four years.
The agency’s IT Division has played a pivotal role by establishing the organization’s operational infrastructure, setting the standard for proactive privacy protection. “Using privacy-by-design principles, the IT Division integrates privacy protection at every stage, fostering trust and accountability,” the report notes.
Among its aims, the CPPA has set forth its enforcement priorities, which include reviewing privacy notices and policies, implementing consumer requests, and addressing significant issues such as the right to delete personally identifiable information and violations concerning vulnerable communities. Disturbingly, the agency found most digital privacy-related complaints from consumers came from various categories: 84% from consumers themselves, over half involving the right to delete personal information, and nearly half concerning the collection or sharing of personal information.
The draft regulations recently formulated by the CPPA emerged from public stakeholder sessions, including opportunities for public comment during eight meetings. This participatory approach seems to reflect the agency's commitment to transparency and responsiveness to California residents’ concerns.
Last year marked the launch of the Honors Privacy Fellowship, aimed at recent law graduates passionate about privacy law. Not just limited to California, the agency has provided testimony beyond state lines, sharing its insights and experiences with other states like Vermont, Oregon, and Colorado concerning their own implementations of privacy laws.
At the federal level, the CPPA also made waves by submitting comments to key agencies, including the Consumer Financial Protection Bureau and the Federal Trade Commission (FTC), on data protection proposals, underlining California's influential role as a trendsetter for national privacy standards.
Starting September 2024, the CPPA launched its blog at privacy.ca.gov, intended to educate consumers about privacy rights and provide updates on various topics. This aligns with new regulations established after voter approval of the CCPA and subsequent CPRA, which took effect on January 1, 2025. This major legislation endowed Californians with rights like knowing how their information is collected, maintaining the ability to delete their information, and opting out of having their information sold.
California’s CCPA stood as the very first comprehensive consumer privacy law across the United States, coming to fruition when it took effect on January 1, 2020. Adding to its importance, California became the first state to create an agency dedicated exclusively to protecting privacy, following the California Privacy Rights Act approval by voters.
The CPPA, with its extensive regulations, grants Californians several key rights—a right to understand how their data is managed, to have personal information deleted, and to opt out of its sale whilst ensuring protections against discrimination when exercising these rights. To comply with these laws, businesses must adhere to strict conditions, ensuring transparency and security.
Businesses must take specific actions to fulfill their obligations under the CCPA, including maintaining reasonable security practices, providing public notices, and ensuring consumer rights are honored. Entities need to implement procedures to handle consumer requests properly and comply with comprehensive employee training and record-keeping requirements.
The compliance is enforced by both the CPPA and California Attorney General, which can pursue civil penalties up to $2,500 or $7,500 for intentional violations. This enforcement regime extends consumer rights, allowing for private actions against businesses unable to uphold data security, marking a significant step toward consumer empowerment.
Looking forward, the CPPA is focusing on ambitious goals delineated in its 2024-2027 Strategic Plan, continuing its pivotal role not only within California but as a model for other states and jurisdictions grappling with similar privacy concerns. With the implementation of three new measures on January 1, 2025, the agency anticipates broadening the definitions of personal information, particularly concerning sensitive data like geolocation and AI system outputs.
California continues to be at the forefront of privacy rights and consumer protection, setting standards not just for its residents but also influencing nationwide practices and legislation. The CPPA’s advancements signal growing recognition of the importance of personal data rights and protection, and the roadmap laid out for the coming years is positioned to respond effectively to the dynamic digital environment.