On Friday, July 14, the California Privacy Protection Agency (“CPPA”) Board held a public meeting to address a broad, fourteen-point agenda that ranged from updates on the Agency’s budget to the status of ongoing rulemaking to enforcement.
On the issue of enforcement, the Agency’s new Deputy Director of Enforcement, Mr. Michael Macko, first addressed the recent decision in California Chamber Of Commerce vs. California Privacy Protection Agency enjoining enforcement of the California Privacy Rights Act’s (“CPRA”) final regulations until March 2024 (see here). Mr. Macko stressed the decision does not give businesses a free pass from all enforcement, as the CPPA intends to immediately start enforcing the statute that the voters approved in 2020. Mr. Macko added that covered entities should expect vigorous enforcement and that the CPPA expects robust compliance with CPRA’s requirements.
Mr. Macko also noted the importance of building public trust and confidence, and stressed the CPPA’s recognition that matters involving children, the elderly, and marginalized groups may warrant more attention from the Agency, as these groups may be more susceptible to privacy violations.
Mr. Macko then outlined three priorities for enforcement: (1) privacy notices and policies; (2) the right to delete; and (3) companies’ implementation of consumer requests. He explained that these rights and obligations are now firmly established, and covered businesses should be well aware of what the law requires.
He concluded by stating that the CPPA intends to hire three enforcement attorneys, as well as an Assistant Chief Counsel of Enforcement, to build out the CPPA’s enforcement capabilities, including specific to handling what is expected to be an increased volume of consumer complaints.
The key takeaway is that covered entities should not expect a honeymoon period based on the decision in California Chamber Of Commerce vs. California Privacy Protection Agency, and should expect the CPPA to immediately begin enforcement of the statute’s most firmly-established requirements, including providing compliant privacy notices and honoring consumer requests.
Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about data privacy litigation and regulatory risks. Aya Elalami is an associate in Thompson Coburn’s Business Litigation group.