California marked a major milestone by creating a data protection authority, the California Privacy Protection Agency (“CPPA”), with the passage of the California Privacy Rights Act (CPRA). California has the 5th largest economy in the world – for reference, behind only Germany among European economies. The CPPA will be the first, but likely not the last, state data protection agency in the United States. How this agency conducts rulemaking, builds capabilities and ultimately begins enforcement of the CPRA in January 2023 will have a significant impact on how the digital future evolves.
The CPPA, like other California public entities, is bound by strict administrative and transparency regulations, which are intended to reduce the leverage large organizations and lobbyists have over how the CPPA will conduct its business. The CPPA has a tiny staff, especially when compared to the UK ICO with over 900 employees (with both privacy and transparency responsibilities) or the Irish DPC with over 200 employees. Yet the CPPA has to write and finalize the regulations by mid-fall to put into effect many of the details of the CPRA. However, the conduct of the CPPA isn’t just about finalizing the rules and communicating them to stakeholders. It is about how the CPPA will balance oversight of organizations with enforcement on behalf of consumers, and the encouragement of good behavior with the punishment of prohibited behavior. The CPPA takes on the mantle of weighing the human cost of over-processing data against the human cost of data processing that is over-restrained. The current controversy at the Federal Trade Commission demonstrates how important it is to get this right.
Last week, the CPPA held three days of public Pre-Rulemaking Stakeholder Sessions, where it took testimony from stakeholders as input to its rulemaking process. The IAF has invested time in working with many privacy agencies. Some of that work has been formal, such as the guidance documents created for agencies in Hong Kong and Bermuda. Some of it has been less formal, such as digital universities in Colombia, Albania, Brussels, and the United Kingdom. And still other work has been through submissions, such as the legitimate interest assessment developed for Europe. The IAF’s Barb Lawler testified last Friday about the importance of risk assessments for data processing as a governance tool for organizations. The testimony focused on assessments and assessment processes as critical and necessary tools for organizations, tools which also support the CPPA’s oversight and enforcement mandates. That testimony may be found here.