Law Aims to Protect Californians’ Digital Privacy

Published On: August 26, 2021

In Nov. 2020, California voters passed Proposition 24, the California Privacy Rights Act (CPRA) of 2020, expanding some of the protections afforded by the California Consumer Privacy Act (CCPA) of 2018.

In addition to new protections and restrictions on how businesses collect data, the CPRA established the California Privacy Protection Agency (CPPA), a regulatory and enforcement body governed by a five-person board given the jurisdiction to uphold privacy laws.

UC Berkeley law professor and privacy expert Jennifer Urban serves as Chair of the CPPA, and she recently spoke with KQED, a California-based NPR affiliate, to explain how the Agency will hold non-compliant businesses accountable and uphold the CPRA. 

Urban explained why the CPRA was necessary just two years after the passage of the CCPA in 2018, noting that the CCPA relied on notice and consent from consumers rather than putting the onus on businesses to restrict the way they collect and process data.

“If you give people in a free market notice of what’s going to happen, then they can make a choice. But we all know that didn’t work,” Urban told KQED’s The California Report. “One of the most important things of the new laws is that it actually gives consumers the choice. It actually requires that businesses be clear about what they’re doing and gives consumers a choice to opt out.”

In addition to increased transparency, the CPRA requires that businesses keep data collection to a minimum and keep that data secure, requiring them to perform cybersecurity audits and report those audits to regulators.

What happens when a consumer wants to opt out of data collection? Urban says that the first step is to go to the business, which should have a reporting mechanism. But if a consumer does not receive a good response, or receives no response at all, then they should take it up with the Attorney General.

“The Attorney General, on their website, has a tool that will walk you through how to send a complaint to the company and you can also complain to the Attorney General,” Urban said. “And they can take it from there as part of their enforcement work.”

In the short term, the Attorney General can send letters informing businesses that they are not in compliance, and over time, can take those businesses to court. 

In the long term, the responsibility will shift to the Agency, which will be able to levy fines of up to $7,500 per violation. Additionally, the CPRA allocates an annual $10 million fund to put together an investigative and enforcement team that can take on deep-pocketed, non-compliant businesses.

“We’re the first agency dedicated to privacy and we do have the resources to get started and protect people’s privacy.” 

About the Author: Will Keys

Will Keys writes about technology issues for the GovReport. He is a graduate of the Reynolds School of Journalism at the University of Nevada, Reno. He can be reached at will at govreport.org