An opening message from the agency’s board chair, Jennifer M. Urban, notes the “diverse array of initiatives” that the agency has undertaken in that time: drafting and implementing regulations around privacy, initiating and securing enforcement of violations, and kicking off a statewide public education campaign on privacy rights and regulations.
The report notes CPPA’s mission: “Protect Californians’ privacy, ensure that consumers are aware of their rights, businesses are well informed of their obligations, and vigorously enforce the law against businesses that violate consumers’ privacy rights.”
CPPA, the nation’s only state-level agency dedicated to privacy, has more than 40 employees across seven divisions, and the report notes that “streamlined hiring processes and strategic recruitment initiatives have been successful in hiring and retaining top talent.” Since it was created in 2020 with an initial budget of $5 million, CPPA’s financial resources have grown to $12.8 million for the 2024-25 fiscal year.
“The IT Division has been integral to establishing the agency’s operational infrastructure, ensuring secure and efficient systems,” the report says. “Using privacy-by-design principles, the IT Division integrates privacy protection into everything it does. By embedding privacy safeguards at every stage of development, the IT Division sets a standard for proactive privacy protection that extends beyond compliance, fostering trust and accountability.”
The report also lists its enforcement priorities:
- Review of privacy notices and privacy policies
- Implementation of consumer requests
- The right to delete one’s personally identifiable information from databases
- Selling or sharing personal information without proper notice or an opt-out mechanism
- “Dark patterns/deceptive design”
- Violations that affect vulnerable communities and groups
Among the inputs that CPPA responds to are digital privacy-related complaints from consumers, which break down like so:
- 84 percent involve complaints from consumers
- 57 percent involve the right to delete
- 48 percent involve the collection, use, storing or sharing of personal information
- 42 percent involve the right to opt out of sale or sharing of personal information
These draft regulations were created after public stakeholder sessions and invitations for public comment. The CPPA board also publicly discussed these topics at eight meetings, each of which included an opportunity for public comment.
Also last year, CPPA’s Legal Division launched the agency’s Honors Privacy Fellowship, a program intended for “recent law school graduates or newly admitted lawyers with a demonstrated passion for privacy law.”
The agency’s reach extends beyond California, though: CPPA representatives offered testimony in Vermont, Oregon and Colorado, among other states, to share insights from California’s implementation of the CPPA.
And on the federal level, the agency has formally submitted comments to key U.S. agencies, including the Consumer Financial Protection Bureau and the Federal Trade Commission, on those agencies’ data protection proposals. These submissions reflect “California’s role in shaping national privacy standards,” the report notes.
In September, the agency started a blog on privacy.ca.gov that educates consumers and stakeholders and offers regular updates on a variety of topics. Posts cover CPPA news, updates on regulatory developments, privacy tips for consumers, and insights into the evolving landscape of privacy protection.
The agency has also published a strategic plan for 2024-27.
