The nation’s first state data privacy agency, tasked with enforcing California’s groundbreaking data privacy laws, now has a board of directors.

The California Privacy Protection Agency (CPPA) will begin enforcing the California Consumer Privacy Act (CCPA) later this year. Created by voters in 2020, the agency will have “full administrative power, authority, and jurisdiction to implement and enforce” the CCPA, according to a press statement issued Wednesday by Gov. Gavin Newsom. The CCPA took effect in January 2020.

The agency will eventually enforce the California Privacy Rights Act (CPRA), which adds several rights for consumers to protect their personal data from being sold or shared by businesses. The CPRA takes effect Jan. 1, 2023.

The CCPA requires businesses to notify California consumers about the personal information they collect. The law gives consumers the right to delete their data from a company’s database and the right to opt out from having a business collect their personal information.

The CPRA ladles additional responsibilities onto businesses for how they should handle private data, such as prohibiting companies from sharing sensitive information about customers’ health, finances, race, ethnicity, and precise location; tripling fines for violations related to children’s data; and putting new limits on how companies can collect, share, and sell customers’ personal data.

The agency will be tasked with issuing guidance and rules for the CCPA, as well as pursuing enforcement actions. California’s fiscal year 2021 state budget contains about $10 million per year to fund the new agency, which will allow it to hire between 46-50 employees. Its only mission will be rulemaking and enforcement of the CCPA and, eventually, the CPRA.

The agency’s board will appoint an executive director, officers, counsel, and employees, the governor said. The earliest the agency could tap the state funds is July 1.

The state’s attorney general will retain civil enforcement authority over both laws, and both laws allow California residents to sue entities that lose their data through hacks or other breaches.

Newsom appointed Jennifer Urban, clinical professor of law at the University of California, Berkeley School of Law, to chair the new agency.

Other members include:

  • John Christopher Thompson, currently the senior vice president of government relations for LA 2028, which is fashioning a bid for the 2028 Summer Olympic Games to be held in Los Angeles.
  • Angela Sierra, a former deputy attorney general in the California Attorney General’s office where she served as chief assistant attorney general of the Public Rights Division.
  • Lydia de la Torre, a professor at Santa Clara University Law School and privacy law attorney with the firm Squire Patton Boggs, although she will be leaving the firm to become a member of the CPPA board.
  • Vinhcent Le, a technology equity attorney at the Greenlining Institute, an organization working for racial and economic justice.