Updated: January 22, 2024
Published: July 27, 2022
Laws are only as good as the agencies in place to enforce them. That’s why the creation of the California Privacy Protection Agency (CPPA) is such a big deal. Before the agency’s creation, California’s Attorney General handled all privacy violations in their state. Now, an entire task force is devoted to enforcing the regulations laid out in the California Privacy Rights Act (CPRA). The state isn’t just delivering lip service. It’s putting its money where its mouth is.
So what is the CPPA? When they voted to pass the CPRA, Californians agreed, “An independent watchdog whose mission is to protect consumer privacy should ensure that businesses and consumers are well-informed about their rights and obligations.” The agency will “vigorously enforce the law against businesses that violate consumers’ privacy rights.”
Enforcement isn’t the CPPA’s only role. It will also prepare new rules and regulations. Although the rulemaking authority was only formally transferred on April 21, 2022, the agency wasted no time getting started. They’re already creating new draft regulations.
As a result, businesses need to know what the CPPA is, its primary function, and how they play a role in CPRA enforcement. In this blog post, we’ll tell you everything you need to know to stay on the good side of the CPPA.
In Europe, individual data protection authorities from the 27 EU member states enforce the GDPR. In California, until the creation of the CPPA, all enforcement fell within the California Attorney General’s purview. And that’s on top of their other responsibilities as the top legal officer in the state.
When Californians voted “yes” on the CPRA in 2020, they created the CPPA and “vested it with the full administrative power, authority and jurisdiction to implement and enforce the California Consumer Privacy Act of 2018.”
With 34 data privacy experts on staff and an annual budget of $10,000,000, the CPPA is well-funded and well-equipped to carry out its task. Compare that to the national FTC division on privacy protection, which budgeted $1,000,000,000 for the entire country for ten years. The budget and resources allocated to the CPPA are a substantial investment in Californians’ privacy.
The CPRA goes into effect on January 1, 2023, and enforcement begins on July 1, 2023. At that time, businesses that do not comply with the CPRA may face fines, and “I didn’t know” won’t keep you from facing consequences. Each violation carries a fine of $2,500. On the other hand, businesses that intentionally violate the CPRA or have violations involving minors will be fined $7,500 for each violation.
For the most part, the California Privacy Protection Agency will focus on how businesses collect and protect personal information. However, the CPRA expands upon the CCPA’s limited private right of action in the case of a data security breach by adding email and password or security questions and answers into a group of items that, if unlawfully accessed, permit a consumer to bring a claim directly against the company. In this case, a person may be entitled to a settlement between $100 and $750 per incident, or the actual damages.
The agency has been performing information-gathering activities and working with the public and stakeholders to advance the rulemaking process. In late May, they released CPRA draft regulations, which detailed:
On July 8, 2022, the 5-member board filed a Notice of Proposed Rulemaking Action for these draft regulations. The day it was filed marked the first official day of rulemaking and opened the floor for 45 days of public comments. The board will also schedule a public hearing for feedback and guidance on the proposed draft of regulations.
After the public hearing and comment period, the board will reconvene for a final hearing. At the meeting, the board will vote on rule approval and file the final package with the California Office of Administrative Law.
Although the initial deadline for adopting statutory regulations was July 1, the executive director says the agency will complete it in Q3 or Q4. With the release of the draft, we can see that the CPPA is intent on focusing on consumer privacy.
What seems like a win for consumers is receiving significant pushback from trade groups that argue against the mandated global opt-outs and technical requirements. Advocacy groups are on the other side, urging the CPPA not to back down.
Ultimately, the goal of the CPPA is to protect consumer data. Once the regulations are finalized, consumers will be able to easily understand what information is collected and how companies use it. Then, consumers can make informed choices about whether or not to allow a business to use their data.
You can expect more rules and regulations now that the California Privacy Protection Agency is funded and active. If your business is based in or has visitors from California, not knowing the latest news could result in a hefty fine.
Osano publishes a weekly newsletter to help you stay up-to-date on the latest privacy trends, news, and legislation so you’re never left in the dark. Sign up now — being familiar with the latest developments in privacy is an easy step toward ensuring compliance and avoiding a penalty from the CPPA.
Osano Staff is a pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.