Some items on our site have recently moved. Visit our News Hub for selected articles, special reports, podcasts and other resources.
California set to join FTC as key protector of US privacy
05 November 2020 03:02 by Amy Miller, Mike Swift
The risk of committing a privacy violation in California just went up substantially for companies. Starting in 2023, California — home to some of the biggest, most data-hungry tech companies in the world — will join the Federal Trade Commission as a key US privacy enforcer.
Voters have approved the California Privacy Rights Act, expanding the state’s already sweeping privacy law, the California Consumer Privacy Act, and creating the first stand-alone privacy agency in the US.
The measure, also known as Proposition 24, passed with more than 56 percent support after more than 11 million votes were counted, the California Secretary of State announced today. The unofficial results are set to be certified Dec. 11.
The California Privacy Protection Agency created by Proposition 24 will have enforcement powers superior to the FTC’s in many respects, on a par with data protection authorities in the European Union. But much regulatory uncertainty lies ahead for companies before the agency officially begins enforcing the CPRA on July 1, 2023. Rulemaking and some enforcement authority will shift from the state’s attorney general to the new agency, and what those changes will mean in practice for companies is unclear.
San Francisco real estate developer Alaistair Mactaggart, the primary backer of the CPRA, predicted that the state’s new enforcement agency will help start a cultural shift over privacy.
“We are at the beginning of a journey that will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data,” Mactaggart said in a written statement.
The agency will be made up of five board members appointed by California’s governor along with the California attorney general and the leaders of the two chambers of the California legislature. Board members must be appointed within 90 days after the law takes effect.
Once assembled, the new board is expected to move quickly. The agency will have the power to cooperate with other privacy enforcers in the state, as well as in “other states, territories, and countries.” That means the agency could even coordinate with European data protection authorities on privacy investigations.
The California attorney general's office, which crafted the rules for the CCPA, can hand over rulemaking authority to the new agency as soon as July 1, 2021, and the agency must finalize its enforcement guidelines one year later. Enforcement will begin on Jan. 1, 2023. But in a confusing twist, the CCPA’s enforcement provisions and the AG’s enforcement authority will remain in effect until July 1, 2023.
What that transition will mean for companies in practical terms is unclear. Some privacy experts predict that the California attorney general could become something of a privacy lame duck, lacking a strong incentive to pursue violations of the CCPA while changes are underway. Others predict that the AG and the new oversight agency will find ways to complement their enforcement authority.
A spokesperson for California Attorney General Xavier Becerra said the office is assessing the election results.
What is clear is that the new agency will have the power to pursue, on its own initiative, whatever privacy violations its members discover. The board can conduct hearings and impose fines of up to $2,500 per violation. For violations involving children, that fining authority triples to $7,500 per violation. The agency can also force companies to undergo privacy audits. The FTC, in contrast under the enforcement powers it uses today, generally lacks the power to fine first-time offenders.
The agency will have an educational function as well, and is charged under the new law with promoting “public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale and disclosure of personal information.” The agency has the power to award grants from its budget for educational purposes.
The attorney general and the agency will share enforcement authority, but the AG can require the agency to stay any administrative investigation or action. The AG will not be allowed to bring a civil suit alleging a violation that is the subject of any agency decision or order.
One thing doesn’t change under the new law. Private citizens will not be allowed to sue for privacy violations under the CPRA. Like the CCPA, private lawsuits claiming violations of the CPRA can only be brought for data security violations, not violations of privacy rights.