A Closer Look at the CPRA’s Privacy Protection Agency

In this blog post I am going to look at proposed California Privacy Protection Agency — which is one of the many significant ways that privacy rights are greatly enhanced by the California Privacy Rights Act of 2020 (CPRA).  As you may recall the CPRA is on the ballot in California as Proposition 24 and is the “Version 2” upgrade to the current consumer privacy law in California — the California Consumer Privacy Act (CCPA). 

Much like the GDPR requires that each European Union Member State have a dedicated and independent “Supervisory Authority” (aka Data Protection Authority or DPA), the Privacy Protection Agency (PPA) would not only be the enforcement arm but would also be responsible for evangelizing and providing guidance to businesses and consumers regarding data protection and privacy in California. 

If the CPRA passes, the end result is that California would likely have as many staff members working on privacy as the Federal Trade Commission (aka the FTC — the government organization responsible for federal consumer privacy protection) has for the entire United States.  So, this is a big deal, and would also reestablish an independent agency focused on consumer privacy protection that California had from 2001 to 2012, but with 20x the funding.

In this blog I am going to first look at current enforcement for privacy in California and then discuss what the CPRA calls for with respect to the PPA.  The last section is a fact check of the criticism that opponents of Proposition 24 have put forth regarding the PPA, so if you want just that, just skip to the bottom section.

Pre-CCPA Enforcement for Privacy in California

Out a growing concern about “individual privacy and identity theft,” in 2000 California passed a law that created the “California Office of Privacy Protection” (COPP), thus making California the first and only state at the time to have a dedicated office focused on privacy.  This small agency was in the State and Consumer Services Agency.

The goal of COPP was to help “identity theft victims and others with privacy issues and making recommendations of practices that protect individual privacy.”  COPP was funded through the legislature, and, according to the consumer group Consumer Federation of California (CFC), had a budget in 2001 of $1,100,000 and a staff of nine FTE employees, but dropped to $500,000 and seven positions by 2011.

COPP lasted until 2012, where it was cut out of the budget as part of Jerry Brown’s resolve to balance the budget.  Consumer groups such as the CFC had lobbied vigorously for it to be saved, claiming even with its $500k budget that the value COPP “provides to California’s economy militates against the elimination this agency as a cost cutting move” and “California’s modest investment in privacy protection produces a much bigger positive contribution to our state’s bottom line.”

In 2012 then California Attorney General Kamala Harris announced “the creation of the Privacy Enforcement and Protection Unit in the Department of Justice which will focus on protecting consumer and individual privacy through civil prosecution of state and federal privacy laws.”  This Privacy Unit was not an independent agency like the COPP but resided in the DOJ’s “eCrime Unit” and was staffed by DOJ employees “including six prosecutors who will concentrate on privacy enforcement.”  In looking at past budgets dating back to 2013, I extrapolate that the budget for the Privacy Unit in the DOJ was in the $1-$1.5 million range, so that would likely be the range of what California has been spending per year on privacy enforcement from 2012-2019. 

Enforcement under the CCPA

With the passing in 2018 of the CCPA, the California Attorney General was tasked with both enforcement of the law as well as tasked with the adoption of the CCPA regulations based on public participation (and the corresponding enforcement of those regulations).  So the Cal AG was interestingly tasked by the CCPA to be a regulatory body (which it was not previously) while also an acting as an enforcement arm (with the capabilities to issue civil fines). 

With enforcement not starting until mid-2020, the California Attorney General began ramping up hiring in 2019 and embarked on a “four-fold expansion of the department’s privacy enforcement team.”  Specifically, the Cal AG asked and received from the state legislature funds totaling “$4.5 million for ongoing enforcement and defense of the CCPA, funding that will support 23 additional positions, including eight deputy attorneys general, eight legal analysts, six clerical staffers and $250,000 a year for expert consultants.”

In drilling into the proposed budget for CCPA enforcement, a few things stand out to me:

• the budget showed a flat $4.5 million-ish each year for the 5+ years of budgeting proposed;

• headcount was budgeted for 23 personnel — with staffing of 6 legal secretaries, 8 Program Analysts, 1 Supervisory Deputy Attorney General and 8 Deputy Attorney Generals;

• only 2 Program Analysts would be focused on responding to consumer complaints about businesses violating the CCPA;

• $1.8 million of the budget was to come from the General Fund and the remaining $2.7 to come from the Unfair Competition Law Fund (i.e. coming from multiple pots of money)

• The Cal AG expects at least one lawsuit per year challenging the constitutionality of the law, with at least 1 Deputy Attorney General needing to defend the CCPA at what I guestimate to be a cost of $250-$500k per year.  So, what this means is that closer to $4 million per year is actually being spent on enforcement and regulation.

Another notable item was that the budget described its litigation strategy.  It stated the following:

“Since the law is the first of its kind in the United States, enforcement will leverage significant resources for complex investigations and prosecutions against opponents typically represented by some of the largest and most sophisticated law firms. Resources will be needed to identify issues and alleged violations of the law; conduct factual and legal research to assess each violation and viability of potential claims; and make recommendations to the Attorney General regarding the strategy and success for each action. In cases where the Attorney General will be forced to sue, DOJ will require additional resources dedicated to active litigation. We estimate that we will have at least 3 cases litigated a year.”

Budget often drives strategy, so it is clear the strategy was to in part go after larger tech firms (who else would require complex investigations and be represented my large and costly law firms?) in likely expensive court cases, at a rate of 3 per year.

Considering the Covid pandemic and California projecting a $50+ billion budget deficit for the upcoming fiscal year, it is possible that the $4m that is spent on enforcement and regulation of consumer privacy protection could be cut, with potential corresponding drop in high profile enforcement/litigation cases.

Enter the Privacy Protection Agency under the CPRA

Overview

If passed, the CPRA would establish the California Privacy Protection Agency (PPA) that has the “full administrative power, authority, and jurisdiction to implement and enforce” the CPRA law. 

Responsibilities

The PPA is responsible for enforcement of the CPRA and starting on July 1, 2021 will assume rulemaking responsibilities including the adopting, amending and rescinding of regulations.  With this authority, the PPA is responsible for protecting the privacy rights of California residents and promoting public awareness around the protection and privacy of personal data.  It is also tasked with providing guidance to consumers regarding their privacy rights under the CPRA and to businesses regarding their obligations. 

In addition, the PPA would appoint a Chief Privacy Auditor to conduct audits of specific businesses to ensure compliance.  The PPA would also act as a liaison on privacy matters with the legislature and cooperate with other regulatory agencies in California, the US and abroad.  The PPA would also provide a mechanism for businesses to voluntary certify that they are in compliance with this title.

One should not lose sight that the PPA would issue regulations “requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to:  (A) perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent” … and (B) “submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal Information.”  So, the PPA is really engaged with businesses through the Chief Privacy Officer and the Data Impact Analysis Assessments to get businesses to be more careful and accountable with our personal data.

Funding

The PPS is an independent agency, funded with $10 million from the General Fund, meaning that it won’t be able to be “starved” by the legislature (e.g. via eliminating the budget ala what happened to the California Office of Privacy Protection). 

Specifically, assuming the ballot measures passes in November and goes into effect say by January of 2021, the CPRA in Section 1798.199.95 calls for the PPA to get $5 million in funding for the remainder of the Fiscal Year that ends on June 30, 2021, then for each full fiscal year, $10 million is allocated for each subsequent Fiscal Year (i.e. the $5 million in funding is for half a Fiscal Year when the PPA becomes operational so it still equates to $10 million annualized).  But the Legislature can appropriate additional money for the PPA, so the $10 million represents the floor, not the ceiling.  Note the $10 million can also adjust for cost-of-living changes, so will likely go up each year.

To put things into context the $10 million is 2.5 times the amount of money the Cal AG office is currently spending on CCPA enforcement and enforcement, and is 20 times the amount of money that California Office of Privacy Protection was spending when it closed down (and which consumer groups such as CFC thought the $500k had significant value).  Furthermore, this funding is equivalent to what the Federal Government through the FTC has in terms of privacy enforcement personnel for the entire country.

Note that Section 1798.199.95 (c) states that the Cal AG “shall provide staff support to the Agency until such time as the Agency has hired its own staff” and “shall be reimbursed by the Agency for these services.”  Which means the PPA can hit the ground running utilizing the same resources as the Privacy Unit and no doubt will absorb some of those resources, but if they don’t, the work will continue by the Cal AG’s office until the PPA’s staff is fully operational.

Governance

The PPA would be governed by a five‐member board, with the Chair and one member of the board to be appointed by the Governor, and one each appointed the Cal AG, the Senate Rules Committee, and the Speaker of the Assembly. Board members must be appointed within 90 days of the CPRA becoming effective, and must have requisite qualifications and be “free from external influence.”  The board in turn appoints an Executive Director to run the PPA.

Penalties (Civil Fines)

The CPRA enables the PPA to "investigate possible violations of this title relating to any business, service provider, contractor, or person." Violators of the CPRA will be given 30 day notice by the PPA, and when the PPA "determines there is probable cause for believing this title has been violated, it shall hold a hearing to determine if a violation has or violations have occurred." If the PPA determines a violation has occurred, it can issue a cease and desist order, as well order an entity to "pay an administrative fine of up to two thousand five hundred dollars ($2,500) for each violation, or up to seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers to the Consumer Privacy Fund within the General Fund of the state."  So, note that the CPRA really puts more teeth into fines for violations involving minors’ personal data as compared to the CCPA.

The PPA has subpoena power which is a powerful tool in its arsenal.  Also, one may recall that the CCPA has a “two-strikes you’re out” framework while the CPRA changes this to penalties on the first violation. 

As it relates to litigation and enforcement, given the fact that the CPRA gives the PPA over 2x the budget as the CCPA, and the CCPA was estimating 3 high profile litigations per year, this would mean the PPA could potentially go after 6-8 per year (i.e. more).

Fact Checking the Criticism of the PPA

As readers of my blog know, I have been writing about privacy laws — including the GDPR, CCPA and CPRA — since late last year, and have done extensive comparison of the two, from summary to nitty-gritty detail analysis.  Based on months of privacy law analysis combined with taking 8 or so online privacy courses (had to do something during the shelter in place!) and my years of experience in cybersecurity and privacy, that when the CPRA just recently became an actual thing I could vote on in November here in California, I did come to the conclusion that I will Vote Yes on Proposition 24. 

In that “Yes on 24” blog post I tried to be clear that yes I am a supporter, and I came to that conclusion independently and I am not affiliated, as I write this, with any consumer or industry group, company, lobby firm, etc., and, as my wife can attest, I am certainly not getting paid by anyone right now. 

Anyway, now that the CPRA is now on the ballot, and the proponents and opponents are starting to show their hands this week, I thought it would be interesting to see what opponents are saying in case I missed something and tie it back in with this blog post on the Privacy Protection Agency.

Here’s what I could find.  A group called Media Alliance (MA) posted an article stating they are not supporting Prop 24, and it was based on three items in the CPRA which they call “horrible,” one of which is the Privacy Protection Agency.  Here is what they wrote

I also noticed a coalition of groups including the previously mentioned Consumer Federation of California (CFC) wrote this about Privacy Protection Agency in a press release:

That’s about all I could find specific to the PPA, so let’s get through each of these line by line. 

Let’s start with the MA one:

“CPRA removes enforcement of data privacy laws from the CA DOJ and moves it to a new state privacy commission that will be newly created.”

Yes, that is correct, although the CPRA calls it the Privacy Protection “Agency” vs. “Commission” but that’s fine. 

“Then CPRA gives this brand new agency that will have to get started from zero, …”

This bit about “start[ed] from zero” is not correct. As mentioned above, Section 1798.199.95 of the CPRA clearly states “The Attorney General shall provide staff support to the Agency until such time as the Agency has hired its own staff” and “the Attorney General shall be reimbursed by the Agency for these services.”So clearly work “shall” be done while the Agency staffs up, it will just be done by DOJ people, but no one externally will see the difference.  So, it is not starting from zero, the law clearly says that the DOJ must ensure that is not the case.  But also, given that per the DOJ CCPA budget that I discussed above, the Cal AG just got done hiring all these net new people to do CCPA regulation and enforcement, and why would most of them not simply transfer over to do the same job with the Agency?

“… a paltry budget of $5 million dollars a year …”

Let’s parse this into two.  Regarding the $5 million number:  this is not correct.  As I discussed above, it is an annual budget of $10 million.  If you read Section 1798.199.95, the $5 million reference in the CPRA is for the first Fiscal Year of its existence, and because the Agency is formed halfway through the State Fiscal Year (which ends June 30) it only gets half its annual amount in that shortened time frame.  i.e. if I get paid $100k a year, and I start my new job on July 1, that does not mean my annual salary is $50k.  In fact, given the Agency will be formed in January 2021, even from a calendar 2021 perspective (vs Fiscal Year), the first full year of existence the Agency will have $10 million to spend.  Note in the CPRA the $10 million number was mentioned in the same sentence as the $5 million, so not sure why the author stopped reading after seeing the $5 million number, but whatever ...

Now let’s talk “paltry.”  If one were to think $5 million is paltry, and you were now told the actual number is $10 million, you still may not be jumping up and down because you wanted more, but you would probably not use the word “paltry” as you now have 2X what one considered paltry. 

But let’s compare the actual $10 million number to what California has done in the past.  Currently the spend by the Cal AG for privacy enforcement is $4.5 million, so CPRA is over 2x that.  But MA wants to maintain the current CCPA law which spends less (i.e. even less than what they consider paltry).  And with the California Office of Privacy Protection (COPP), which had a budget of $500k in 2011 before it was closed by Jerry Brown to cut the budget, the group Consumer Federation of California (CFC) — that MA is aligned with on this matter — praised the impact of that $500k, saying “California’s modest investment in privacy protection produces a much bigger positive contribution to our state’s bottom line” and “the services of the Office of Privacy Protection more than pay for themselves in the form of greater state tax revenues and reduced state and local government agency costs.”  So, if a consumer group like CFC thought the COPP got great bang for the buck, then why not think that for a comparable agency that spends 20x more?  And the press release (more on that later) references the PPA funding as “$100 million of taxpayers money” over a decade, clearly putting the thumb on the scale (vs. just saying $10 million per year) and clearly implying that $10 million is one high number.  But here’s the thing, if $5 million (actually $10 million) is paltry, but $10 million is clearly implied to be way too high and afront to taxpayers, at this point the opposition appears to me to randomly throwing mud.

“ … with no additional funding guaranteed beyond what the agency can raise by penalizing companies for breaking the law.”

This too is technically not correct, in that the CPRA has guaranteed cost of living increases.  While not guaranteed, the legislature can vote to give more money to the PPA.  As discussed above, the $10 million is a floor.

“This incentivizes tackling easy cases and smaller companies that can’t afford top-flight legal defenses and pretty much assures the enforcement agency will be outgunned by big tech and multinational corporations.”

Well, actually this does not match what the California AG states as its priorities in its budget (see above), which is to go after firms that have top-flight legal defenses which implies large tech companies, and assumes it will have 2-3 big whale court cases per year.  And given the CPRA with the PPA has over 2x the funding of current AG Privacy Unit, unless the PPA board (which has not been chosen) decides to do a U-turn on the current strategy, the PPA could pursue 5-8 high profile cases.  So, I am going to call this statement pure speculation, as no one knows what the litigation strategy will be in terms of targeting small vs. larger firms.

Now on to the press release:

“Prop 24 creates a new state privacy agency that will cost taxpayers $100+ million over the next decade and duplicate enforcement authority currently held by the state Attorney General.”

Again, per above, the opponents in my opinion are trying to have it both ways on the budget for the PPA.  $500k is great and impactful, $5m is paltry, $10m is implied too high etc. — they are contradicting themselves.

On the “duplicate enforcement authority” bit, that is not correct.  The correct word should be “transfer” vs. “duplicate.”  The CPRA in Section 1798.199.40clearly states that the PPA has enforcement.  The existing law of the Cal AG doing the enforcement is clearly crossed out in Section 1798.155.   The Cal AG appoints a representative to the PPA board, so the Cal AG will know if there is anything duplicative going on.  The Cal AG is mandated per Section 1798.199.95 to provide staff to help transition stuff over to the AG.  I could go on, but the CPRA oozes collaboration between the Cal AG and the PPA, not duplication. 

In summary, in doing a simple fact check of what the opposition to Proposition 24 has said specific to a major element of the CPRA — the proposal for an independent Privacy Protection Agency — it is quite evident that their claims about the PPA do not jibe with a cursory reading of the proposed law, and their specific complaints about the size of PPA budget are contradictory.  It would be sad to see if these arguments are continued to be promulgated to voters as reasons to not vote on the measure.