An early sign of how aggressive California’s new privacy regulator will be is who gets tapped to help lead the first-of-its-kind agency in the U.S. as part of its board.
The board will have to make several initial decisions that will set the tone for the state’s sweeping privacy law, including picking an executive director and setting enforcement priorities. State officials are expected to start naming board members next month, ahead of a March deadline.
The California Consumer Privacy Act, which took effect Jan. 1, gives residents the right to know what personal information businesses are collecting and request it be deleted. The California Privacy Rights Act, passed by ballot measure last month, enhances penalties for violations involving children’s data and expands the law’s opt-out rights.
Although the idea of a regulator focused solely on privacy may “cause some fear” among companies, an agency with a board well-steeped in the technicalities of privacy and data security could actually benefit businesses, said Brandon Reilly, a partner at Manatt, Phelps & Phillips LLP in Costa Mesa, Calif.
“A well-resourced and well-equipped team can be a win-win for all stakeholders,” Reilly said. “There’s reason for optimism that we’ll have smart regulations.”
The board will have to choose what types of privacy and cybersecurity issues the California Privacy Protection Agency will prioritize, especially at the outset, said Lydia de la Torre, a privacy attorney at Squire Patton Boggs (US) LLP in Palo Alto, Calif. Those could range from children’s privacy to digital discrimination to algorithmic bias, de la Torre said.
The board itself likely won’t be writing regulations for the state’s privacy laws, but it will oversee the rulemaking process for topics including privacy audits, consumer opt-out rights, and compliance.
“It’s going to be a busy and labor-intensive process,” Reilly said.
The board may include academics and former corporate privacy officers, but attorneys in private practice could be dissuaded from joining because of restrictions on representing clients once a member leaves the organization.
Chris Hoofnagle, a law professor who teaches privacy and consumer protection at the University of California, Berkeley, is seen as a likely pick for the board, attorneys say. Hoofnagle declined to comment.
De la Torre, also seen as a potential pick, declined to comment on the subject.
Orders of Business
The new regulator will enforce the California Consumer Privacy Act and fine companies that don’t comply.
Under the California Privacy Rights Act, board members must be “Californians with expertise in the areas of privacy, technology, and consumer rights.”
Democratic California Gov.
Employees of government agencies such as the Federal Trade Commission are likely picks because of their public sector experience and the fact that they likely won’t seek to represent companies targeted by the agency once they leave the board, said Cynthia Cole, an attorney at Baker Botts LLP in Palo Alto.
Finding a Balance
The attorney general’s pick will likely be someone with a legal background or from the privacy division who’s already worked on the CCPA, said Greg Szewczyk, an attorney at Ballard Spahr LLP in Denver.
California Attorney General
The law prevents board members from joining companies that were subject to a civil or enforcement action for a year after leaving. It also prohibits them for two years after leaving from representing someone in a matter before the agency “if the purpose is to influence an action of the agency.”
“Serving on the board could preclude your options down the road,” Szewczyk said, adding that attorneys may be hesitant to join if it means they can’t represent clients before the agency for a couple of years.
The law doesn’t delineate penalties for board members who break the rule once they leave, but they could find themselves subject to a declaratory action, said Jeff Dennis, head of privacy and data security at Newmeyer & Dillion LLP in Newport Beach, Calif.
The board should have a consumer bent but shouldn’t be too extreme, said Alastair Mactaggart, the Bay Area real estate developer behind the CCPA and CPRA.
“It needs to be a fair-minded commission and write rules that are effective, that businesses can follow,” Mactaggart said.
The November ballot measure drew criticism from some privacy groups, such as the American Civil Liberties Union, for potentially weakening some protections. The group had argued the measure would enshrine the concept of “paying for privacy.”
“It’s important to appoint some of the strongest privacy advocates even though they weren’t sold on Proposition 24,” said Consumer Reports policy analyst Maureen Mahoney, whose group supported the measure despite misgivings.
Hertzberg said he is looking for sophisticated appointees who understand the complexities of technology and privacy and have a consumer focus.
Companies and privacy professionals should update their compliance programs and gird for potential action once the agency begins enforcing the law in July 2023, said Heather Federman, vice president of privacy and policy at BigID, a data software company.
“There’s some teeth to this California privacy law,” Federman said. “Whatever happens off the bat, it should serve as a wake-up call for any business that’s within scope of this regulation.”
To contact the reporter on this story:
To contact the editors responsible for this story: