On Monday, June 14, 2021, the Board of the California Privacy Protection Agency (“Agency”) hosted its first inaugural public meeting. As discussed in a prior posting, the California Privacy Rights Act (“CPRA”) established the Agency, which is governed by a five member Board and is tasked with adopting additional implementing regulations and enforcing the CCPA.
While the meeting focused on administrative procedures for setting up the Agency, there are a couple of key takeaways for companies to consider:
- A primary goal of the Agency in the upcoming months is to hire an Executive Director, who will then be responsible for hiring other key roles. With the focus on staffing up, it is unlikely that we will see substantive action coming from the Agency in the near future.
- The Agency made clear that rulemaking is the Agency’s top priority, even though it decided to not notify the Attorney General at the time of this meeting that it was ready to undertake rulemaking responsibilities. It will have full rulemaking authority six months after making such notification to the Attorney General.
- While the Agency will not have full rulemaking authority for some time at this point, it is still able to publish proposed regulations for public comment. The public will have 45 days to comment on any proposed regulations, which will be published on the State Registrar’s website and the Agency’s website.
- Enforcement is not yet a priority. The Board did not discuss enforcement at the meeting likely because the Agency will not take over enforcement authority from the Attorney General’s office until the CPRA fully goes into effect in 2023. Until then, the Attorney General’s office retains enforcement authority.
Going forward, the Board will hold monthly public meetings. We will continue to provide key takeaways from these meetings on a regular basis. To subscribe to the Data Blog, please click here.
The authors would like to thank Debevoise Summer Associate Meron Wendwesen for her contribution to this blog post.