On Monday, June 14, 2021, the Board of the California Privacy Protection Agency (“Agency”) hosted its first inaugural public meeting. As discussed in a prior posting, the California Privacy Rights Act (“CPRA”) established the Agency, which is governed by a five member Board and is tasked with adopting additional implementing regulations and enforcing the CCPA.

While the meeting focused on administrative procedures for setting up the Agency, there are a couple of key takeaways for companies to consider:

  • A primary goal of the Agency in the upcoming months is to hire an Executive Director, who will then be responsible for hiring other key roles. With the focus on staffing up, it is unlikely that we will see substantive action coming from the Agency in the near future.
  • The Agency made clear that rulemaking is the Agency’s top priority, even though it decided to not notify the Attorney General at the time of this meeting that it was ready to undertake rulemaking responsibilities. It will have full rulemaking authority six months after making such notification to the Attorney General.
  • While the Agency will not have full rulemaking authority for some time at this point, it is still able to publish proposed regulations for public comment. The public will have 45 days to comment on any proposed regulations, which will be published on the State Registrar’s website and the Agency’s website.
  • Enforcement is not yet a priority. The Board did not discuss enforcement at the meeting likely because the Agency will not take over enforcement authority from the Attorney General’s office until the CPRA fully goes into effect in 2023. Until then, the Attorney General’s office retains enforcement authority.

Going forward, the Board will hold monthly public meetings. We will continue to provide key takeaways from these meetings on a regular basis.  To subscribe to the Data Blog, please click here.

 

The authors would like to thank Debevoise Summer Associate Meron Wendwesen for her contribution to this blog post.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Avi Gesser is a Debevoise cybersecurity and litigation partner. He is a member of the Debevoise Data Strategy & Security Group, as well as the White Collar & Regulatory Defense Group. Avi has extensive experience advising on a wide range of cybersecurity matters, incident response issues, data strategy concerns and artificial intelligence risks. He can be reached at agesser@debevoise.com.

Author

Jim Pastore is a Debevoise litigation partner and a member of the firm’s Data Strategy & Security practice and Intellectual Property Litigation Group. He can be reached at jjpastore@debevoise.com.

Author

Johanna Skrzypczyk (pronounced “Scrip-zik”) is a counsel in the Data Strategy and Security practice of Debevoise & Plimpton LLP. Her practice focuses on advising AI matters and privacy-oriented work, particularly related to the California Consumer Privacy Act. She can be reached at jnskrzypczyk@debevoise.com.

Author

H Jacqueline Brehmer is a Debevoise litigation associate and a member of the Data Strategy & Security Practice Group. She can be reached at hjbrehmer@debevoise.com.