Updated: March 21, 2023
Published: December 21, 2020
In November, California voters passed the Consumer Privacy Rights Act, which will replace the California Consumer Privacy Act. The CPRA provides for a new enforcement agency, and not everyone thinks it's the right move.
In November, California voters approved Proposition 24, the Consumer Privacy Rights Act (CPRA). The law will replace the California Consumer Privacy Act (CCPA) when it comes into force in January 2023. Its passage was seen by some as a major compliance headache. Organizations that had just steeled themselves to comply with the CCPA, no easy task on its own, now have to work toward a new goalpost.
The CPRA aims to add clarity to some of the CCPA’s provisions, but it also moves the California law closer to resembling the EU’s General Data Protection Regulation. It introduces the “right to rectification,” the right to “restriction” and a new tier of data classification: “sensitive personally identifiable information.”
Importantly, it also establishes a new enforcement agency. In the EU, data protection authorities handle complaints from data subjects, investigate potential GDPR violations and help advise companies in areas of uncertainty. Similarly, the California Privacy Protection Agency will act as an advisory body to companies aiming to do the right thing according to the law, but will also enforce the law, taking enforcement out of the California attorney general’s hands.
The agency was created so that a dedicated body could handle privacy regulation, given that the California attorney general has many other mandates and restraints. According to predictions by the attorney general’s office soon after the CCPA passed, it would have only been able to fund enforcement of about three CCPA cases per year.
It’s hard to say how “enforcement” will compare after this change of regulatory hands. That’s because the California attorney general has still been in the process of finalizing its regulations. While the CCPA passed in 2018 and came into effect in January 2020, just two weeks ago the attorney general released its fourth set of proposed modifications to the law’s regulations. The collaborative process was slow and painful; thousands of groups and individuals submitted comments for the attorney general's consideration as each iteration was drafted.
As such, there have not yet been any enforcement actions under the CCPA. To be clear, there have been countless CCPA-based lawsuits filed in the state. But the courts haven't yet issued rulings, and plaintiffs are struggling to even get to a courtroom because companies have thus far been successful in getting class actions dismissed early.
Under the CPRA, the new agency can begin its rulemaking in July 2021. The law allows for the agency to issue fines three times as high as the attorney general could under the CCPA if the violation involves users under the age of 16. Enforcement of the CPRA itself can begin no sooner than July 1, 2023. Until then, the CCPA applies.
But it’s unclear how the CPRA will approach enforcement. That’s, in part, because it’s not yet clear who will staff the agency. What we do know is the agency will be governed by a five-member board. The chair and one member of the board will be appointed by California’s governor. Under the law, any appointed members should be California residents “with expertise in the areas of privacy, technology and consumer rights.”
Tanya Forsheit, chair of Frankfurt Kurnit Klein + Selz’s privacy and data security group, has long been an opponent of the CPRA in general. She advises companies aiming to comply with the CCPA, and she didn’t think the CPRA was “needed at all.” She also doesn’t think establishing the new agency was the right move.
“I thought, and I still think, that the attorney general is best positioned to be the state’s privacy cop,” Forsheit said. “I don’t buy that the attorney general doesn’t have the resources (to enforce), since, even under the CCPA, the attorney general gets to keep the money from enforcement actions, which could be a lot.”
She explained that fines for data breaches are set at $2500 to $7500 per person affected. So if millions of records are breached, that’s a lot of money coming at the attorney general's office.
Joe Jerome, director for multistate policy at Common Sense Media, is more optimistic. He thinks creating a dedicated privacy enforcer could be a “game changer,” and that the resources being dedicated to the new agency, $10 million per year, are “no joke.”
He said he’d like to see some longstanding privacy advocates in leadership roles there.
“There’s no shortage of privacy experts that were involved in the creation of the CCPA and its subsequent regulations that could be good picks,” he said.
Forsheit, though she’s a lawyer herself, said the agency shouldn’t be staffed by lawyers wholesale. She’d like to see individuals who understand privacy law and its history in the state of California.
“I would love to see someone like Joanne McNabb, who ran the California Office of Privacy Protection back in the day and is not a lawyer,” she said. “But I don’t get a say in this.”
No matter what happens, Jerome said, the agency creates another important voice in privacy debates.
“We follow the FTC’s work, we follow attorney general enforcement,” he said. “No matter what the CPPA does, it’s going to be setting precedent that’s relevant to companies conducting business in California. There’s a huge opportunity for this agency to shake up the world.”
Osano Staff is a pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.