The newly appointed California Privacy Protection Agency board is likely to tackle issues such as tech equity and children’s privacy as it staffs the regulatory body and gears up for rulemaking, attorneys say.
The board members, whose positions were announced Wednesday, come from industries spanning academia, nonprofits, and private practice. The chair, Jennifer M. Urban, is a law professor at the University of California, Berkeley and will lead the board alongside four other members.
“Californians deserve control over their personal information, protection from privacy-invasive practices, and the ability to trust that their data is secure,” Urban said in an email. “Businesses need clear rules and a level playing field that allows them to build privacy-protective products and services.”
Other members include Lydia de la Torre, a law professor at Santa Clara University who’s leaving private practice at Squire Patton Boggs to join the board; Vinhcent Le, a tech policy lawyer; Angela Sierra, a longtime Department of Justice employee; and John Christopher Thompson, who has extensive experience in the federal government.
The agency, established after the California Privacy Rights Act was approved by voters in November, will enforce the new law. The CPRA, which updates the California Consumer Privacy Act, gives consumers the ability to opt out of the sale of their personal information and request it be deleted.
The appointees’ strong resumes in privacy and the law will help them staff the new agency and oversee regulation drafting in areas including privacy audits, consumer opt-out rights, and compliance, attorneys say.
“With the backgrounds that these members bring, they’ll be well-qualified to dig into some of the gray areas of the CPRA where further elaboration is needed,” said Reece Hirsch, co-head of the privacy and cybersecurity practice at Morgan, Lewis & Bockius LLP in San Francisco.
Overall, the agency board seems to have a consumer bent, said Cynthia Cole, a data privacy and technology partner at Baker Botts LLP in Palo Alto, Calif.
“The board will set the tone on high-level policy, which will affect enforcement,” Cole said. “Their backgrounds suggest they could focus on non-discrimination and preventing bias, whether it’s algorithmic or related to the misuse of data.”
Le, legal counsel and policy manager at the nonprofit Greenlining Institute and one of the newly appointed board members, told Bloomberg Law he intends to use his background working at the intersection of privacy and algorithmic bias to help build out the regulatory agency.
“I’m happy to see there are consumer-oriented folks on the board,” Le said. “I’m excited to bring a race equity lens to this position, and I hope to make sure this agency’s leadership reflects that focus.”
Sierra, whose career at the Department of Justice spans 33 years, also has experience with civil rights. She led the California attorney general office’s civil rights enforcement section, developing complex regulations involving vast amounts of data, she said in an email.
As a senior assistant attorney general in that section, Sierra oversaw the creation of the bureau of children’s justice and said protecting children’s privacy will be a priority.
“For me, the importance of data privacy cannot be overstated, including how online data is used to manipulate people, especially children, and ensuring that all Californians have equal access to protections that are put in place,” Sierra said.
De la Torre declined to comment, and Johnson didn’t respond to requests for comment.
Rulemaking and Enforcement
The board, while not directly writing CPRA regulations, will have a hand in overseeing their development, said Greg Szewczyk, a partner at Ballard Spahr LLP in Denver.
CCPA regulations developed by the California attorney general’s office drove a lot of the “nuts and bolts” compliance strategies for businesses, Szewczyk said. Regulations related to the CPRA that are written by the new agency are likely to have a similar effect, he said.
Businesses are closely watching regulations related to procedures for the opting out of sharing information, as well as treatment of sensitive personal information, Szewczyk said.
The agency is tasked with appointing a chief privacy auditor, and regulations will likely determine the scope of that role and which businesses it would impact and how, said Brandon Reilly, a privacy and data security partner at Manatt, Phelps & Phillips LLP in Costa Mesa, Calif.
The board members will also play a role in prioritizing areas for further regulations, Reilly said, and will appoint staff, counsel, employees, and the executive director.
Plus, the board will help guide the breakdown of enforcement between the agency and the California attorney general, Szewczyk said.
“Once the agency starts enforcing, I would expect it to take the lead over the attorney general since its dedicated purpose is privacy enforcement whereas the attorney general has other areas of enforcement focus as well,” he said.
Xavier Becerra (D), as California attorney general from 2017 to 2021, ushered in rulemaking for the CCPA and made health privacy enforcement a priority. He was confirmed as secretary of the U.S. Department of Health and Human Services on Thursday, and Gov. Gavin Newsom (D) hasn’t yet named his replacement.
Overall, the board is a well-rounded mix of people who are likely to issue smart regulations, Reilly said. It’s not just large tech companies that will be affected by these laws and regulations; medium-sized businesses and e-commerce firms, for example, will also need to comply if they fall under the regulatory scope.
“From the industry perspective, they’re looking for regulators who already understand the digital economy and where California businesses and consumers fit into that puzzle,” Reilly said. “I think California leadership has taken that first step with these appointments.”