Recently, the California Office of Administrative Law approved the California Privacy Protection Agency’s (CPPA) long-awaited final regulations (“Regulations”). While there are many rules businesses need to ensure they comply with, this article focuses on the CPPA’s enforcement action and the role the Agency will play in interacting with companies moving forward.
What is the CPPA’s Role?
The CPPA is tasked with enforcing the California Consumer Privacy Act (CCPA), as amended, through administrative enforcement actions – i.e., through the Regulations. The CPPA has the ability to investigate possible CCPA violations, provide businesses with an opportunity to cure, and take enforcement actions.
By way of contrast, it is important to note that the right to cure for purposes of Attorney General enforcement has been removed from the CCPA effective January 1 (as reinforced in their comments at the Global Privacy Summit in D.C.).
When do the CPPA Regulations Take Effect?
The final Regulations were published on March 29, 2023, and they are effective immediately.
To Whom do these CPPA Regulations Apply?
Businesses, service providers, contractors, and third parties covered under the CCPA.
What is the CPPA Complaint Process?
Under the Regulations, any individual can make a complaint against a business, service provider, contractor, or other person with the CPPA starting July 1, 2023. Under the Regulations, a complaint will:
- Identify the business, service provider, contractor, or person who allegedly violated the CCPA;
- State the facts that support each alleged violation and include any documents or other evidence supporting this conclusion;
- Authorize the alleged violator and the Agency to communicate regarding the complaint, including disclosing the complaint and any information relating to the complaint;
- Include the name and current contact information of the complainant; and
- Be signed and submitted under penalty of perjury.
While it is unclear how these complaints will be submitted (e.g., electronically on the CPPA’s website, or by mail), more details about the complaint procedures are expected to be released by the Agency as the July 1 date approaches.
What Happens Once a Complaint Is Made?
Once a complaint is made, the CPPA has several ways in which it can proceed. The Agency may take any of the following enforcement actions:
- Investigation. The Agency may open investigations upon the sworn complaint of any person or on its own initiative. For example, the Agency may initiate investigations based upon referrals from government agencies or private organizations, and nonsworn or anonymous complaints.
- Probable Cause Proceedings. The CPPA’s Enforcement Division will first provide businesses that violate the CCPA with notice of the probable cause proceeding. Once notice is provided, a proceeding, closed to the public (unless otherwise requested), will occur. Following the proceedings, the Agency shall issue a written decision with its probable cause determination and serve it on the alleged violator electronically or by mail. Notably, the Agency’s probable cause determination is final and not subject to appeal.
- Audit. The Agency may audit a business, service provider, contractor, or person to ensure compliance with any provision of the CCPA. This audit power can be exercised regardless of whether a complaint is filed. However, businesses should note there is a greater risk for CPPA audits if the company’s “collection or processing of personal information presents significant risk to consumer privacy or security, or if the subject has a history of noncompliance with the CCPA or any other privacy protection law.”
How to Prepare for CPPA Regulation Compliance?
Waiting to get up to speed on the Regulations is not an option. The CPPA Regulations are currently in effect. Companies doing business in California should assess whether they:
- process personal information and, if so, in what processing role (e.g., as a business, service provider, contractor, or third party as defined under the CCPA);
- honor all rights of California residents under the CCPA, as amended;
- provide a way for California residents to exercise their rights under the CCPA;
- meet the notice/privacy policy requirements under the regulations; and
- have processing agreements in place to satisfy the contractual requirements outlined in the Regulations.
Taft’s privacy and data security attorneys will continue to monitor updates related to the CPPA Regulations and any other guidance the Agency publishes. In the meantime, we can assist with questions related to the Regulations or any other data transfer mechanism. Stay tuned to Taft Privacy and Data Security Insights or download our app for more news and information.