On June 14, 2021, the Board of the newly-formed California Privacy Protection Agency (“CPPA”) held its first public meeting. The Board had an extensive agenda, covering topics such as the laws affecting the Board and CPPA, initial hiring strategy for the CPPA, policies and practices on delegations of authority and conflicts of interest, establishment of subcommittees of the Board, notice to the Attorney General regarding the assumption of rulemaking under the California Privacy Rights Act (the “CPRA”), and setting future agenda items and a meeting schedule for the Board. (As a refresher, when the CPRA passed as a ballot measure last Fall, it established the CPPA as a first-of-its-kind agency solely devoted to the regulation and enforcement of consumer privacy. The CPPA is tasked with enforcing the CPRA and developing a set of regulations providing guidance for businesses on how to comply with that new law. For more on the CPRA, please see our post here.)
While the CPPA Board’s June 14 full-day meeting covered a lot of ground, it is clear there is much work to be done for the CPPA to emerge as an independent, fully-functional agency, let alone promulgating regulations in time to meet the CPRA’s July 1, 2022 deadline for final regulations. Overall, the Board members appeared to be committed to working through these challenges, but acknowledged that they are under a lot of time pressure.
Here are some of the highlights from the meeting:
- The Board declined to immediately assume rulemaking authority – The Board decided it needed more information before it was prepared to give notice to the California Attorney General that the CPPA is “prepared to assume rulemaking responsibilities” under the CPRA. The CPRA vests initial rulemaking authority with the California Attorney General, but provides that the CPPA will take over rulemaking “on and after the earlier of July 1, 2021, or within six months of the agency providing the Attorney General with notice” that it is prepared to do so. Without any staff, and with no leadership positions filled (or even posted), the Board tabled the question of the CPPA’s readiness to assume rulemaking until its next meeting.
- The Board seeks to immediately hire at least two career leadership positions for the CPPA – The CPPA seeks to hire an Executive Director and Chief Deputy Director of Administration as soon as possible. The Executive Director will be generally responsible for the substantive aspects of the CPPA’s work, while the Chief Deputy Director of Administration will oversee the administrative tasks associated with setting up the Agency. There was much discussion among the Board members about when and how to hire a General Counsel for the CPPA, which is likely to be the next role filled. The Board also will be looking to collaborate with the Attorney General’s office regarding the possibility for temporary staff to assist the CPPA (which is provided for under the CPRA).
- Physical location of CPPA to be determined – A key issue impacting the hiring of leadership and staff for the CPPA is that it is not yet clear where the Agency will have its offices. The Board discussed whether it should have one or more than one office, where those offices should be located, and whether leadership should be required to be in the office on a daily basis. Consensus seemed to emerge around an office in Sacramento at a minimum, with perhaps satellites in Los Angeles or San Francisco. But, again, this decision was postponed until the next meeting.
- Subcommittees will be established to assist with operations and further the objectives of the CPPA – The Board plans to form several subcommittees, including one dedicated to developing regulations under the CPRA. The Board members were clearly aware that until the regulations are published, there will be significant ambiguity in the CPRA, posing a challenge for compliance by businesses. The regulation subcommittee will begin by analyzing the breadth of the regulations and preparing a plan for drafting them. This plan is likely to be interdependent with several of the other decisions to be made in setting up the Agency.
- Board to adopt a conflicts-of-interest policy and a member handbook – The Board discussed the adoption of at least two policies and practices for the CPPA, including a conflicts-of-interest policy and member handbook. There was acknowledgment that the policies may be amended over time as the CPPA grows to reflect the responsibilities of the Agency.
- Board to meet on a monthly basis until further notice – Finally, given the significant work needed to be done, the Board agreed to meet on a monthly basis for the foreseeable future unless a new approach is established.
As the summary above shows, there is still a long way to go before the public will see a set of proposed regulations from the CPPA and before the new Agency is ready to begin enforcing those rules. But everything has to start somewhere, and the CPPA Board’s first meeting felt like the start of yet another new chapter in California’s regulation of consumer privacy.