Home > Insights > Blogs > Cybersecurity Bits and Bytes > CPPA’s Deputy Director of Enforcement Promises Vigorous Action by Expanded Enforcement Staff
A statue of Justice in front of the California flag

CPPA’s Deputy Director of Enforcement Promises Vigorous Action by Expanded Enforcement Staff

Luke Sosnicki Aya Elalami July 18, 2023

Links

Contributors

Contributors

David Duffy

David Duffy

Milada Goturi

Milada Goturi

Matt Hafter

Matt Hafter

Mark Mattingly

Mark Mattingly

Jennifer Post

Jennifer Post

James Shreve

James Shreve

Luke Sosnicki

Luke Sosnicki

RELATED EVENTS

RELATED EVENTS

May 17
2023

The Value of Cyber and Privacy Diligence
March 28
2023

Safeguarding the Data and Your Compliance Program – USED and GLBA
December 14
2022

Countdown to CPRA
November 15
2022

DOJ Cyber Fraud Initiative - Cyber Faces the FCA Hammer

On Friday, July 14, the California Privacy Protection Agency (“CPPA”) Board held a public meeting to address a broad, fourteen-point agenda that ranged from updates on the Agency’s budget to the status of ongoing rulemaking to enforcement.  

On the issue of enforcement, the Agency’s new Deputy Director of Enforcement, Mr. Michael Macko, first addressed the recent decision in California Chamber Of Commerce vs. California Privacy Protection Agency enjoining enforcement of the California Privacy Rights Act’s (“CPRA”) final regulations until March 2024 (see here).  Mr. Macko stressed the decision does not give businesses a free pass from all enforcement, as the CPPA intends to immediately start enforcing the statute that the voters approved in 2020.  Mr. Macko added that covered entities should expect vigorous enforcement and that the CPPA expects robust compliance with CPRA’s requirements.

Mr. Macko also noted the importance of building public trust and confidence, and stressed the CPPA’s recognition that matters involving children, the elderly, and marginalized groups may warrant more attention from the Agency, as these groups may be more susceptible to privacy violations.

Mr. Macko then outlined three priorities for enforcement: (1) privacy notices and policies; (2) the right to delete; and (3) companies’ implementation of consumer requests.  He explained that these rights and obligations are now firmly established, and covered businesses should be well aware of what the law requires.

He concluded by stating that the CPPA intends to hire three enforcement attorneys, as well as an Assistant Chief Counsel of Enforcement, to build out the CPPA’s enforcement capabilities, including specific to handling what is expected to be an increased volume of consumer complaints.

The key takeaway is that covered entities should not expect a honeymoon period based on the decision in California Chamber Of Commerce vs. California Privacy Protection Agency, and should expect the CPPA to immediately begin enforcement of the statute’s most firmly-established requirements, including providing compliant privacy notices and honoring consumer requests.

Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about data privacy litigation and regulatory risks. Aya Elalami is an associate in Thompson Coburn’s Business Litigation group.