California OAG Announces CCPA Regulations and CPPA Board Member

On March 17, the OAG announced the board appoints for the California Privacy Protection Agency (CPPA).  The CPPA is a “new administrative agency charged with protecting the fundamental privacy rights of consumers over their personal information.  This agency will have full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). The agency may bring enforcement actions related to the CCPA or CPRA before an administrative law judge. The Attorney General will retain civil enforcement authority over the CCPA and the CPRA.

The CPPA’s board is comprised of experts in privacy, technology, and consumer rights.  The appointees are as follows:

• Jennifer M. Urban (Chair):  Ms. Urban has been appointed by Governor Newsom. Ms. Urban has been a Clinical Professor of Law and Director of Policy Initiatives for the Samuelson Law, Technology and Public Policy Clinic at the University of California, Berkeley – School of Law since 2009. This position does not require Senate confirmation and the compensation is $100 per diem. Urban is registered without party preference.

• John Christopher Thompson:  Mr. Thompson has been Appointed by Governor Newsom.  Mr. Thompson has been Senior Vice President of Government Relations at LA 2028 since 2020. This position does not require Senate confirmation and the compensation is $100 per diem. Thompson is a Democrat.

• Angela Sierra: Designated by Attorney General Xavier Becerra.  Ms. Sierra recently served as Chief Assistant Attorney General of the Public Rights Division.

• Lydia de la Torre:  Ms. de la Torre is the President Pro Tem’s nominee.  Since 2017, de la Torre has been a professor at Santa Clara University Law School, teaching privacy law and co-directing the Santa Clara Law Privacy Certificate Program.  Additionally, she also has been serving as of-counsel to Squire Patton Boggs, specializing in privacy, data protection, and cybersecurity.
  
  
• Vinhcent Le:  Mr. Le is the designee of Speaker Anthony Rendon. Mr. Le currently serves as a Technology Equity attorney at the Greenlining Institute, focusing on consumer privacy, closing the digital divide, and preventing algorithmic bias.

Moving forward, expect the board to hire an executive director and to appoint a chief privacy auditor to conduct audits of businesses to ensure compliance with the CPRA.  Within the next two years, the agency is expected to undertake the update of the existing CCPA rules and issue new ones/

CPPA enforcement will not start until July 1, 2023, which is six months after the CPRA goes into effect. The AG will continue to have power to enforce the CPRA through civil penalties while also be required to coordinate its efforts with the CPPA.

CCPA’s New Regulations

On March 15, the California Attorney General’s office (AG) announced that the Office of Administrative Law (OAL) has approved the Attorney General’s proposed changes to the CCPA regulations. The new regulations make three general changes relating to the right to opt out of sales and one change to authorized agent requests.  Below,

• Offline Opt-Out Methods. § 999.306(b)(3).  There is a requirement for businesses that sell personal information that is collected offline to inform consumers not only of their right to opt out but also of the instructions for exercising that right through an offline method. In providing an illustration of an offline opt-out method, the regulations propose that a brick-and-mortar store, for example, may inform consumers of their right to opt-out on the paper forms that collect the personal information or by posting signage in the area where the personal information is collected.  There is another example offered.

• Opt-Out Icon. § 999.306(f)(1).  The new regulations include an opt-out icon (not button). It “may be used in addition to, but not in lieu of, posting a notice of the right to opt-out of sales and a ‘Do Not Sell My Personal Information’ link.” The requirement for the icon is that it “shall be approximately the same size as any other icons used by the business on its webpage.”  Businesses may download the icon here.

• Ban on Dark Patterns. (§999.315 (h). Dark patterns are, essentially, interfaces or system designs that intentionally exploit cognitive and behavioral biases for the purpose of getting people to behave a certain way even if that behavior does not align with their preferences. The new regulations provide five examples of dark patterns that business must avoid, including (1) the use of confusing language, (2) the require that consumers click through or listen to reasons why they should not opt-out, and (3) the requirement that consumers scroll through privacy policies or similar documents after clicking the “Do Not Sell My Personal Information” link.

• Authorized Agent Verification.  (§999.326). A business may now require an authorized agent to provide proof that the consumer gave the agent signed permission to submit the request.

Of note, the Attorney General’s press release made two comments with respect to enforcement.  First, the press release stated the following: “Since CCPA enforcement began on July 1, 2020, the Department has seen widespread compliance by companies doing business in California, especially in response to notices to cure.”

Second, the AG’s press release stated “[s]ome of the Attorney General’s responsibilities under the CCPA will transition over to the California Privacy Protection Agency created under the CPRA” the Attorney General will still “retain the authority to go to court to enforce CPRA.”