[NATE] 0:14

You’re listening to the Berkeley Technology Law Journal Podcast. I’m Nathaniel Kellerer.

 

[ANDY] 0:19

And I’m Andy Zachrich.

In today’s episode of our podcast we will be speaking about California Privacy Laws and the California Privacy Protection Agency.

 

[NATE] 0:29

In 2018, the California Consumer Privacy Act (“CCPA”) was passed. This made California one of the first states to enact legislation for consumer privacy and data protection, in response to more than 600,000 petitions signed by Californians.¹ The CCPA gave California consumers several privacy rights. This includes the right to learn what information a business collects about them, delete their personal information, stop businesses from selling their personal information, and hold businesses accountable if they did not take reasonable steps to safeguard their personal information.²

 

[ANDY] 1:02

A year ago, in November 2020, Californians voted on Proposition 24 (or Prop 24), a ballot initiative called the Consumer Privacy Rights Act of 2020 (or the “CPRA”).³ Prop 24 was aimed at expanding the CCPA, including preventing businesses from sharing consumers’ information, correcting inaccurate personal information, and limiting the use of their sensitive personal information such as geolocation, race, ethnicity, religion, etc.⁴  Most importantly, Prop 24 proposed the creation of the California Privacy Protection Agency (or the “CPPA”) to enforce and implement consumer privacy laws, protecting the privacy rights of consumers over their personal information, and impose fines for violations.⁵

 

[NATE] 1:48

Last May, California Governor Gavin Newsom announced the establishment of the five-member inaugural board for the CPPA composed of experts in privacy, technology, and consumer rights.⁶  The CPPA will have full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act and the California Privacy Rights Act.⁷ The Chair of the CPPA was announced to be Professor Jennifer M. Urban, Clinical Professor and the Director of Policy Initiatives at the Samuelson Law, Technology & Public Policy Clinic at the University of California, Berkeley, School of Law. We had the opportunity to sit down with Professor Urban and discuss her new role.

 

[ANDY] 2:24

She will be helping us understand how the CPPA came into existence and what to expect from the CPPA in the upcoming years.

 

[NATE] 2:33

Let’s get started.

 

Interview

 

[MARTIN] 2:51

Welcome everyone to the BTLJ podcast. This is Martin Fisher speaking, and I’m joined by Anuja Shah. And our guest today is Professor Jennifer Urban, who is of course a clinical professor of law at UC Berkeley School of Law. She is also the director of policy initiatives at the Samuelson Law, Technology and Public Policy Clinic. And, of course, she has been appointed as chair of the California Privacy Protection Agency, or the CPPA. So we’re very excited to have Professor Urban here to talk about privacy issues, of course, and her upcoming work with the CPPA. Welcome, Professor Urban.

 

[JENNIFER URBAN] 3:32

Thank you. It’s wonderful to be here. Thank you for having me.

 

[MARTIN] 3:36

So as an introductory question, we would like to set the stage for what has been happening in recent years in California, and especially in the past three to five years. We would say it’s fair to characterize California as being at the forefront of privacy policy within the U.S. One example is California’s amendment in 1972, to include the right to privacy in its constitution. And of course, in more recent years, we have enacted state legislation and the CCPA—in 2018, the California Consumer Privacy Act—and now in 2020, the amendments through the Consumer Privacy Rights Act, or the CPRA, in 2020. So, of course, a lot is happening, could you help us provide for our listeners a broad overview of these developments?

 

[JENNIFER URBAN] 4:26

Thank you, of course. I do need to start with a disclaimer, which will be familiar to many of your listeners, I think. I’m here in my personal capacity. I’m not speaking on behalf of the California Privacy Protection Agency, or the California Privacy Protection Agency’s Board, of which I’m Chair. I’m only speaking for myself, and I’m also not speaking for the University of California or Berkeley Law School. So, you know, you’re right, that California has long been a leader in privacy in the United States, and I think it is correct to date that at least one watershed moment to the addition, specifically to privacy and to the California State Constitution. We’ve had a number of laws over the years in the lead up to the California Privacy Rights Act of 2018 actually, so we have the California Online Privacy Protection Act, which—among other things—requires companies to have privacy policies that was unusual in the United States. We have our own. We were the first state—one of the first states if not the first state—to have a data breach law, which are now ubiquitous across the states. And we also have long had security laws. So we have our own version of the Computer Fraud and Abuse Act, here in the United States. It’s really been a tradition. It is also right to ask about the last three to five years because that’s been another watershed with the California Consumer Privacy Act of 2018, followed by the initiatives that amended it, the CPRA. California has really once again moved to the forefront of privacy in the United States, and actually the world in a lot of ways.

So how did we get here? California has long had a very motivated and involved citizenry that cares about privacy. There was a period of time in the ‘80s and ‘90s, and well into the 2000s, in which the vision of privacy that most scholars and businesses and sort of government officials followed was an idea of choice for consumers so that they could make a choice about what was happening with their personal information. But it became more and more apparent that, in practice, this choice was breaking down, that consumers weren’t really informed of how their data were being used, and they weren’t really able to exercise choices. And the framework of the California Consumer Privacy Act attempts to make that choice real. We also noticed that over the last 10 years or so, there’s been a real increase in public attention to privacy, reflected in press reports, reflected in how people talk about privacy when they’re surveyed, for example, and also in what kinds of laws people would like to support. So there’s been what I would consider to be a clamor for privacy from the public, and what happened in California is we had clamor for privacy from the public and one citizen Alastair Mactaggart, who found that he was really concerned about how personal information was being used. And he had the resources to press for law to change that. So the California Consumer Privacy Act of 2018 actually started as a ballot initiative as well, and Alastair Mactaggart and a team of lawyers and other interested parties worked to create this ballot initiative. Before it was put on the ballot, the legislature said, you know what if we go ahead and pass this, you won’t have to put it on the ballot. And so there was a negotiation of the particulars of the law…the legislature…it was satisfactory to the proponents of the initiative, and the legislature passed the California Consumer Privacy Act of 2018.

Thereafter, Mr. Mactaggart and others thought that the law could use some strengthening and clarification. And this time, they did propose and advocate for a ballot initiative, the California Privacy Rights Act of 2020, which passed with a large majority in November of 2020. One of the main differences between the CCPA, as amended by the CPRA, and the original is that the CPRA created the California Privacy Protection Agency, which is brand new. The ballot initiative passed in November of almost exactly a year ago. And the board of the agency was appointed in March of this year and will be responsible for enforcing the law over time.

 

[MARTIN] 9:30

Thank you for such a complete overview. I think that’s very clear how we got here. And also, maybe this is more of a mundane question, but some of our viewers might be confused by all these acronyms. Of course, the CPPA is the agency that you will be chairing the board of. But some commentators have discussed whether the CPRA is an amendment or will replace the CCPA. So, how do you think about this, and what will you be calling California privacy law going forward?

 

[JENNIFER URBAN] 10:05

I really liked this question. And no one should ever be embarrassed to ask it. I realized that this is a student run journal. But you should understand that the Bar in California, the Privacy Bar, has had a lot of debate about this question, or a lot of curiosity, I suppose about this question. So, I’ve answered it for the California Lawyers Association, Privacy Section, and other long-time professionals as well. There is actually a straightforward answer. But if you read the proposition…you sort of start to read the proposition, it’s a little confusing because it says this title shall be called the California Privacy Rights Act of 2020. But that phrase is referring to the proposition itself. It’s like any amendment to a large omnibus law. The overall law is the California Privacy Rights Act of 2018, and it’s been amended by the CPRA. And the way that you can be certain of this, other than going to the California Code and seeing that it’s still called the California Consumer Privacy Act, is that the section that talks about the agency’s powers—the new agency—says that the new agency will have full administrative power to implement and enforce the California Consumer Privacy Act of 2018. So that’s the name of the law going forward, but it has been amended by the initiative.

 

[MARTIN] 11:29

I think that will help clear up a lot for our listeners going forward. Thank you. And also maybe at a very basic level, why do you think Californians need a specialized state-level privacy agency? Or at least why did the proponents behind Proposition 24 [think] that was the case?

 

[JENNIFER URBAN] 11:52

It’s unusual for there not to be a dedicated privacy or Data Protection Agency among the highly developed countries at this point. The drafters of the California Privacy Rights Act, as I understand it, were looking in part at two examples from especially Europe, where there are long standing models of dedicated data protection agencies. We do have of course the California Department of Justice, which is already enforcing the CCPA and has enforcement powers over other related laws, like competition laws and some of our other privacy laws. But there has previously not been a dedicated expert agency in the United States. And it has become more and more apparent that as data flows and privacy issues touch so many aspects of life, that having privacy be one part, or data protection be one part of its sort of omnibus enforcement authority, has not necessarily given those authorities sufficient resources or the ability to protect people’s privacy. So, this is an experiment, but it’s based on really long-standing successful models in other parts of the world.

 

[MARTIN] 13:21

So, of course, it’s an experiment we’re all certainly here at the BTLJ rooting for. So, I think it’s clear that one of the main amendments behind Proposition 24 was the creation of the agency, of course, but those are not the only amendments made to California’s Privacy law through the CPRA. Could you tell us which others might be some of the shortcomings or the sections that were amended in the privacy law by this Proposition 24?

 

[JENNIFER URBAN] 13:56

Sure, I can’t be comprehensive, and I won’t state an opinion as to what is more or less important. But some of the things that were changed include adding to the consumer’s existing right to know what information businesses have about them, to delete that information, and to opt out of selling that information. To clarify that…for consumers to be able to opt out of sharing. Selling was already defined quite expansively in the CCPA, but the CPRA clarifies that sharing for some consideration is also covered.

The CPRA also amended the CCPA to add a right to correction, which is something that exists in the Fair Credit Reporting Act, for example, and is also in the General Data Protection Regulation in Europe. It’s called the Right to Rectification there, but it’s not something that was already in the California Consumer Privacy Act. So it adds that. It also, in creating the agency, gave the agency some important tools and authority to audit companies and the requirement that some companies who handle…process data in a way that created significant risks to consumer privacy or security, do their own risk assessments that they file with the agency. And also, they do cybersecurity audits.

It also imported the reasonable cybersecurity measures that exist in California law already directly into the CCPA. And by creating the agency and giving it administrative enforcement powers, it added an administrative enforcement component to privacy law in California. They are just a few of the changes, but those are some of the changes that I think are particularly sort of noticeable to  people.

 

[ANUJA] 16:04

Thank you so much, Professor. I think that would be really helpful for our listeners just to, you know, kind of understand how the CPPA just came into being. But I think for someone who has never heard of the CPPA before, how would you describe the agency’s role and the mandate? And just how would you describe its basic structure and organization to someone who’s not heard of it before?

 

[JENNIFER URBAN] 16:26

One of the things that is interesting about the California Privacy Rights Act is that it is really quite specific about the California Privacy Protection Agency and what its role is. So, we know a lot just by reading the text of the statute.

So the statute says that the agency is charged with protecting the fundamental rights of natural persons with respect to the use of their personal information by implementing the California Consumer Privacy Act of 2018. And in undertaking its activities, the agency is to implement the law with the goal of strengthening consumer privacy while giving attention to the impact on business and innovation.

So, here we are in California. We have a populace that cares a lot about privacy. We have policymakers who care a lot about privacy. We have businesses, even, that care a lot about privacy. And, we have a lot of innovation, particularly tech innovation, biotech innovation. So those things are both mentioned in the law.

The law gives the agency quite wide-ranging authority and responsibilities. So, the CPRA directs the agency to engage in rulemaking. So, administrative rulemaking that further defines, expands on, and describes how businesses and residents of California are to comply with the law. Enforcement, which I think we’ll talk about a little bit more in a bit. Public awareness, which I think is very important. Public awareness includes guidance for consumers and guidance for businesses and helping the populace of California to understand its rights, along with some other activities. So, if the legislature needs privacy advice, the agency…the law says the agency may provide privacy advice to the legislature.

The agency is meant to monitor developments, business models, and telecommunications technology in order to update its regulations or sort of generally figure out how it needs to keep up with ever changing needs of residents with regard to their personal information. And it’s also authorized, and requested to coordinate with other authorities, both in the United States and outside the United States so that there is coherent privacy protection. But the bottom line is that the law is really clear on the agency’s basic mandate, which is protecting the fundamental privacy rights of natural persons with respect to their…personal information. And then the agency is given quite a few responsibilities and powers to give that form.

You also asked a little bit about the structure. The agency is governed by a five-person board. Two members, including the Chairperson, are appointed by the governor. So as the chairperson, I was appointed by the governor. One board member is appointed by the Rules Committee of the Senate, which in practice means that President Pro Tem[pore] of the Senate, one member is appointed by the head of the assembly, and one by the Attorney General.

So, I’m the Chairperson, the other gubernatorial appointee is Chris Thompson. The Attorney General’s appointee is Angela Sierra, and she used to run the consumer group in the Civil Division at the Attorney General’s Office. The Senate President Pro Tem[pore]’s appointee is Lydia de la Torre. She is a very experienced and knowledgeable privacy and data protection attorney in Silicon Valley, who is from Spain and is an expert in European law as well as U.S. law. And the assembly’s appointee is Vincent Lei, who works with the Greenlining Institute, which is a nonprofit that seeks to create equity in tech issues across the state of California. So, I’ve been really honored and pleased to work with these members of the board. They really have a lot of expertise, and they’re very dedicated to the mission of the agency.

The law also directs the board to hire an executive director. We recently hired our Executive Director, Ashkan Soltani. I’m very excited about this hire. Mr. Soltani actually is a Berkeley alum. He has a degree from the Information School here at Berkeley. He is a very highly regarded technologist and privacy expert who was previously the Chief Technologist at the Federal Trade Commission (FTC) and helped set up their office of technology. I’m blanking on the exact name but O-Tech—it’s basically their tech experts at the FTC. And he really understands the privacy issues and the technology and how they interact, as well as…the sort of the broad policy questions around the law.

The CPRA also directs us to hire a chief privacy auditor. And this, I think, is quite important and pretty interesting. What is a chief privacy auditor? The law doesn’t describe it, but my understanding is that the drafters were thinking of similar positions that exist in Europe; they have previously not so much existed here. But, somebody with the expertise to be able to audit not only, but particularly, tech business models that use data privacy. That person may end up being the head of enforcement, or they may play a complementary role, working with the enforcement authorities and advising the rulemaking authorities on how to inform their work.

That’s what the law sets out. And Mr. Soltani, who’s now on board is actively working to develop the rest of the structure of the agency, but at the moment, it’s five board members, who are volunteers. They get a per diem honorarium of $100 a day for days that they do substantial work on behalf of the agency and Mr. Sultani. And we’ve also been able to hire some part-time, retired annuitants, they’re called, who sort of come back from retirement. So we have an interim General Counsel, which has been wonderful, and an interim Deputy Director of Administration; they are half time. So, we’re very actively working to develop positions and hire them.

There’s a large number of steps that have to be traversed in order to develop and hire a position in state government. For very important reasons, we have a number of control agencies—the Department of Finance, the State Comptroller’s Office—because, of course, we’re spending public money so it’s very important to have those processes in place and to have transparency. That also means it does take a little bit of time. So for the moment, the board has divided itself into subcommittees to work on the upcoming administrative rules that we are due to put together…on a pretty rapid timeline.

The other thing that’s important about the structure of the agency right now to understand is that, because the board has to be so active in the work, is that the board is governed by what’s called the Bagley-Keene Open Meeting Act. California has very expansive public transparency requirements, again, for very important reasons. What that means in practice is that we really can only talk in public…in public meetings that are noticed 10 days in advance. And that has, again, for very important public transparency reasons—the public gets a place at the table. But it, of course, also is a little complicated if you’re trying to sort of do the actual work of figuring out, you know, how to draft the rules.

So, Bagley-Keene does allow us to work in subcommittees of two people, who can act in an advisory capacity. So, we have one subcommittee, that’s Ms. Sierra and myself, who are working on the rules to update the existing rules that the Attorney General created for the CCPA. Ms. de la Torre and Mr. Lei are working on what we are calling new CPRA rules—things that are brand new: automated decision-making, that audit authority that I mentioned, and that kind of thing. And Mr. Thompson and Ms. de la Torre are working on the process for the rulemaking itself. So, that way, we can kind of go off and do a little bit of substantive work, and then come back into a public meeting and discuss it. So, the public is kept aware of what we’re doing, but they don’t have to listen to us, you know, talk about the, you know, the detail that I think would be pretty mind numbing if we tried to do all of that on a 10 day notice and in a public meeting.

But we are working quickly and as quickly as we can to ramp up the agency. And over time, the budget for the agency is approximately 50 people. So it would take a while to get there. But, that’s sort of if you’re imagining the general size, that’s around the general size.

 

[ANUJA] 26:37

Thank you, Professor, for that very detailed information regarding the structure and the role of the CPPA. I’m sure it’s gonna help clear a lot of questions that our listeners might have. However, you did mention something about enforcement powers of the CPPA. Could you please elaborate on that a little bit about the enforcement powers that the CPPA has? And what are the tools that are at the CPPA’s disposal?

 

[JENNIFER URBAN] 27:00

The CPRA gives the agency administrative enforcement authority and audit authority, and so I’ll talk about that a little bit so that it’s a little bit more clear for listeners.

So, the agency is able to bring administrative actions in front of an administrative law judge and issue administrative fines. The agency has the right to investigate based either on a complaint from a third party—that would be a resident of California, maybe another business, or on its own initiative. So, the agency can investigate, then has to establish probable cause and give the defendant an opportunity to respond. After that, if there’s probable cause, the agency will hold an administrative hearing, and then it has the ability to require injunctive relief—cease and desist basically (stop doing what you’re doing)—and/or a fine. And the fines are up to $2,500 per violation or $7,500 per violation if it’s intentional or the business knows that the information was somebody under 16 years old’s information. So…that’s sort of the basic enforcement.

The agency also has audit authority that I mentioned earlier. The law simply asks the agency to issue regulations defining its audit authority, so that will likely be part of the regulations package the agency is working on now. And…the law also has some other information tools that are more on the business side. So businesses that handle information, where their processing of that information poses a significant risk to consumer privacy or security, need to do cybersecurity audits, and they also need to do risk assessments that they submit to the agency. So that’s information coming into the agency to help it understand sort of the status.

Okay, so I mentioned administrative enforcement. There’s also civil enforcement: suing in court. And the law envisions this collaborative enforcement between the new agency and the Attorney General’s Office, the California Department of Justice, which is currently enforcing the CCPA. The California Department of Justice continues to have civil enforcement authority. So the agency can do administrative enforcement, and the Attorney General can sue in court if it chooses.

The law develops out sort of how the collaboration generally will work. The Attorney General can request that the agency stay an investigation or an administrative proceeding so that it can decide whether to sue in court. And then once the agency has issued an administrative ruling, then there can’t be a civil case, right? So, it’s sort of…we collaborate—or we will in the future collaborate—in order to decide what’s the best course of action, and then either the Attorney General will sue, or the agency will follow the administrative procedures.

 

[ANUJA] 30:32

Thank you so much professor for that very holistic insight into all of the powers of the CCPA. I think we should discuss a little bit about timelines now. I mean, we understand that the CPPA is still being set up and that the CPRA will come into effect only in 2023. What will be a rough timeline for the CPPA to be completely up and running as an enforcement agency? And why is it necessary to have this two-year gap?

 

[JENNIFER URBAN] 30:59

Well, I talked a little bit about staffing. So that will happen sort of as quickly as it can happen with the important and necessary constraints on all state agencies. The CPRA sets out timelines, as you mentioned, so the initial rulemaking package, which updates the existing rules as needed and includes rules for some new things, at least that’s what the law envisions, is to be completed on July 1st of next year, so that’s 2022. And then the law takes effect on January 1, 2023, with a couple of limited exceptions. And enforcement, the agency’s enforcement powers attach in July of 2023.

So, you asked about why there’s this sort of staggered timeline or why there’s a gap between the initiative passing and when it takes effect. Basically, it’s in order to provide continuity and notice. So, there are a lot of businesses and consumers relying on the existing regulations, and they need some time in order to digest and understand the new amendments, the law, and they will need a little bit of time to understand the regulations that will help implement the law. So this sort of staggering gives them some time in order to implement. So if you might recall, if you took a class on it or studied the GDPR, the GDPR also had a space of time before it began to be enforced in order to give interested parties the time to retool things and be able to comply.

 

[ANUJA] 32:50

Thank you so much for clarifying that. Once the CPPA is completely set up, what in your opinion would be the immediate effect of the agency’s work for California residents and the consumers? And how exactly do you think the consumers and residents can make use of the CPPA and interact with the CPPA?

 

[JENNIFER URBAN] 33:09

It’s a little bit hard to predict the specificity because things are still being built. But, as I mentioned earlier, the CPPA has a public awareness function, and…I do know from board meetings that the board really is very invested in that. So there will certainly be opportunities for the public to interact with the agency in the future. Right now, there are a few things that consumers can do. Most importantly, they can enforce their rights under the CCPA by sending notices to businesses. And if they don’t get a response, or a business doesn’t have the appropriate mechanism, they can use a tool on the Attorney General’s website that the Attorney General introduced in July. You can go to the website for the Attorney General of the state of California privacy, you will find a tool where you can let the AG know about this so that they can, as they’re working on enforcement, they can address it. There’s also the possibility of a private right of action, meaning that consumers can directly sue in court for certain kinds of data breaches. So that already exists, and it’s a little bit expanded when the CPRA takes effect. So that is something consumers can directly do right now.

Right now, engaging with the agency, there are a few things. One, is to come to our board meetings and engage as a public citizen. I ask for public comments after every item on the agenda and at the end, and we really welcome public comments. And, engage with our rulemaking. So, we actually just ended a public comment period for part of our preliminary information gathering, but keep an eye out for informational hearings, forums, possibly other Requests for Comment. And when we issue our draft rules, there is the opportunity for public comments. So, people absolutely can tell us what they’re thinking in a number of different ways, and we really value that and would hope to hear from folks.

 

[ANUJA] 35:31

Thank you for telling our listeners how they could potentially interact with the CPPA. But another interesting thing is, while this is about California residents and consumers, I think what our listeners would like to understand is, how will businesses try to navigate this new regulatory landscape? How could they potentially interact with the CPPA?

 

[JENNIFER URBAN] 35:52

Well, they also, we hope, will interact via comments either through the formal rulemaking process or some of the preliminary activities that we’re engaging in, and they’re also welcome to join meetings and give public comments. What they can do right now, sort of in terms of preparing and complying with the existing CCPA is, you know, make it easy for consumers to communicate their rights, respond effectively when you get notices from consumers. You can look at past AG enforcement actions. They, in July, released a set of examples to understand the kinds of mistakes that businesses might be making. And work to make sure that consumers can exercise their rights and work to be sure that you have reasonable cybersecurity, which is a requirement in the law. So again, you know, let us know, through comments or other venues, what is working, anything that was sort of unforeseen that you’re running into, and just work to let consumers exercise their rights.

 

[MARTIN] 37:15

Thank you very much, Professor Urban. We would like now to shift gears a bit, and maybe talk about how you see the development of privacy law going forward. Not only in California, which we have been, of course, focusing on, but also maybe at a federal level in the U.S. There have certainly been pushes at some stages and attempts to bring federal privacy or encompassing federal privacy legislation for the U.S., but that had been so far unsuccessful. Do you think California’s recent push for legislative action could maybe help the U.S. as a whole at the federal level to enforce privacy legislation? Or would you think that maybe a different scenario is possible, where just states will follow California’s lead individually?

 

[JENNIFER URBAN] 38:06

California, as you alluded to, is a leader in this area, as it has been a leader in other areas, for example, environmental protection law and consumer law generally. So I think that—maybe I’m a little biased as a Californian—but, you know, I think it’s unsurprising that California is leading. There have been efforts at the federal level, as you said. There’s been a lot of debate and discussion, but that’s sort of been where it has stayed at the moment. I do think it’s really interesting the recent discussion at the federal level talks about giving the Federal Trade Commission resources and maybe creating a dedicated bureau within the Federal Trade Commission, or maybe even…something sort of more separate, that is, again, a specialized authority. And I think that grows from California’s example, and also the European example, and a recognition, again, of how data processing and practices touch so many parts of the economy and people’s lives at this point.

There have been some exciting developments in other states. So, Virginia has a comprehensive privacy law now. Colorado has a comprehensive privacy law now that took effect just in May, I think. And each of those laws share some characteristics with the California law and have some divergence with the California law. So that gets to the second part of your question. The U.S. has a long tradition of states being able to be responsive to local conditions and to the needs of their residents. And privacy so far has been no different. So, I’m really excited to see other states take the initiative. It’s certainly possible that, you know, the U.S. could provide more resources to the FTC. And that would be a really positive development. But as with the GDPR, which is a general framework that member states implement in the way that is appropriate for their countries, privacy, as many other areas of law, is very responsive to local conditions and local needs. And while data travels across borders, so if states and other jurisdictions around the world are responsive to the data flow across borders issues by thinking through what are common building blocks, common things that we all share, and then being responsive to local conditions. That is, again, this is my own opinion only, I think that is an appropriate way for privacy policy to develop.

 

[MARTIN] 40:59

I was just wondering on some of the topics that you touched just there because, of course, California is a leader in this area, for all the reasons that we have been discussing, but also many of the biggest companies or let me rephrase it, many, many California companies have global businesses of course, and their data travels around the world. And they of course have to interact with the CPPA going forward, also with the FTC to the extent applicable, and the European Commission and many other national authorities that we might see popping up very soon. How do you see the CPPA’s role in such a packed and diverse landscape in a way?

 

[JENNIFER URBAN] 41:50

I think it’s very complimentary, and the CPRA actually also anticipates this. So, section 1798.199.40(i) directs the agency to cooperate with other agencies with jurisdiction over privacy laws and data processing authorities in California, other states, territories, and countries to ensure the consistent application of privacy protections. As you can tell, I really familiarized myself with that particular provision because I think that it’s so important to this balance that I was talking about, in response to your last question, that there are the conditions, those conditions are important. Californians really demanded a high level of privacy, and at the same time, we understand that data flows…you know, across all kinds of jurisdictions, so being able to cooperate and collaborate, and to sort of develop some norms, I think is really important. The other thing that’s really important about that provision is that it gives us the authority to cooperate and collaborate with other jurisdictions over problems that cross jurisdictional borders. I think it’s something like the state attorneys general often will get together, when there’s a problem that isn’t just a problem in one state, it’s a problem that is affecting citizens in multiple states, and they might bring a lawsuit on behalf of all of their states, or they might engage in some other enforcement action on behalf of all those attorneys general. And so, the agency having that authority and that responsibility, I think is an important part of the law that reflects the truth of your question—that we need to be attentive to the fact that there are many jurisdictions across the world and thinking through, you know, what are the commonalities of privacy is going to be a really important part of privacy going forward.

 

[ANUJA] 44:05

Thank you so much, Professor, for giving us an insight of how the CPPA functions in this global tech industry. What is interesting to me, and I think a lot of listeners will agree, is one of the major changes in the CPRA over the CPPA was that it kind of increased the threshold number of consumers for a company to be subject to privacy regulations, from 50,000 to 100,000, and one of the primary reasons for this was to exclude small and medium businesses from its operation. However, do you think that this is a very good amendment? And do you think that in order to get comprehensive privacy protection, it is important to eventually include small and medium businesses under the law’s operation? Or do you think consumers can attain the privacy goals by focusing only on the big companies?

 

[JENNIFER URBAN] 44:48

Thank you. That’s a great question. I think that the drafters were going for a balance in trying to sort of create time and space for businesses that maybe didn’t have as many resources as some of the larger businesses, while also creating the possibility for businesses to decide to live up to the strong standard that is in the CCPA. And I say that because section 1798.199.40, somewhere down there, maybe (j) or (k), asked the agency to establish a mechanism whereby people doing business in California who don’t meet the threshold can still voluntarily certify that they’re in compliance. And the reason why this is important is because it allows businesses of any size to mark themselves as attentive to privacy, attentive to consumer rights, and allow consumers to understand if they’re making choices in the marketplace, which businesses are paying attention to this and are following the protections of the CPRA. So this provision, I think, creates the possibility, again, of creating a marketplace that actually gives consumers choice with regard to privacy. And it gives businesses the opportunity to differentiate themselves in that marketplace on the basis of privacy and allow consumers to choose them based, at least in part, on their privacy practices. So, the law sort of strikes a balance between size and who will be immediately required to comply, while still creating the possibility for smaller businesses to differentiate themselves if they would like to. And then I think over time, you know, we’ll learn what is working and…go from there.

 

[ANUJA] 47:03

Alright, thank you so much, Professor, that was really helpful. I think all of us and I’m pretty sure our listeners know CPPA a lot better now. And we can have a discussion with anybody anywhere. So thank you so much for that very informative session and getting all of us super involved and interested in privacy law. And we can’t wait for 2023 and just to see how all of it plays out.

 

[JENNIFER URBAN] 47:27

Thank you all very much for having me. I really enjoyed this, and I really appreciate the invitation.

 

[NATE] 47:40

Thank you for listening! The BTLJ Podcast is brought to you by Podcast Editors Seth Bertolucci and Isabel Jones.

 

[ANDY] 47:47

Our Executive Producers are BTLJ Senior Online Content Editors Karnik Hajjar and Thomas Horn. BTLJ’s Editors-in-Chief are Loc Ho and Natalie Crawford.

 

[NATE] 47:59

If you enjoyed our podcast, please support us by subscribing and rating us on Apple Podcasts, Spotify, or wherever you listen to your podcasts. If you have any questions, comments, or suggestions, write us at btljpodcast@gmail.com.

 

[ANDY] 48:14

The information presented here does not constitute legal advice. This podcast is intended for academic and entertainment purposes only.