U.S. Privacy and Data Protection | Insights | Apr. 2024 (State Law)

On March 15, 2024, the California Privacy Protection Agency released its 2024-2027 Strategic Plan, which outline the privacy agency’s values and objectives in California.

Background

The passing of the California Privacy Rights Act of 2020 (CPRA) amended and expanded the California Consumer Privacy Act of 2018 (CCPA). Included in the expansion was the establishment of the California Privacy Protection Agency (CPPA), which has been vested with the authority to implement, enforce, and raise awareness of California’s privacy protections.

As stated by the CPPA’s Executive Direct, Ashkan Soltani, the CPPA’s 2024-2027 Strategic Plan, “...is our road map for the future, with measurable goals and objectives that will further our mission to protect consumer privacy, ensure that consumers and businesses are well informed about their rights and obligations, and vigorously enforce the law.”¹

Overview of The Plan

The Plan outlines four major goals, which include:

• Strengthening public education, outreach and engagement by providing resources, tools, and support for delivering relevant, timely, and accurate information to consumers and businesses
• Enforcing privacy laws “vigorously” by seeking protection of consumers from violations of their privacy rights through engagement with the regulated community, timely investigations, and enforcement actions (which will include for example, identifying trends through complaint data and attempts to mitigate consumer harm)
• Strengthen Californians’ privacy rights by ensuring that statutes, regulations, policies, and procedures support and further the mandates and mission of the CPRA
• Operational excellence to ensure an efficient and effective approach to organizational development, including through the implementation of policies, programs, and regulations

You can review the Plan here.

Advisory Notice

Alongside the release of the Plan, in early April the CPPA issued a pivotal enforcement advisory, zeroing in on the data minimization obligations delineated in the CCPA concerning consumer requests. This advisory marks the inaugural release in a series designed to foster voluntary compliance in anticipation of the agency’s forthcoming enforcement actions. The CPPA is expected to continue to focus on issues such as data minimization and consumer rights, including as related to the “sharing” and “selling” of personal information. Businesses should also take note of any comments about cybersecurity audits and programs, risk assessments, and automated decision-making technology, including for use in connection with AI and marketing.

State privacy laws continue to expand, as outlined in our periodic privacy insights. Most recently, new privacy legislation has passed in Kentucky (Consumer Data Protection Act) and Maryland (Maryland Online Data Privacy Act). Businesses should contact experienced counsel to ensure ongoing compliance with data privacy and security laws.

Kronenberger Rosenfeld, LLP regularly advises clients regarding privacy compliance and defends clients facing state or federal investigations or enforcement actions relating to privacy and advertising issues. Contact our firm using our online case submission form here.