Skip to main content

Law & Order PEPU: California's new Privacy Enforcement and Protection Unit

Written by Jake Romero

In a move signaling increased enforcement of the state’s data privacy and security regulations, California’s Attorney General Kamala D. Harris has announced the creation of the Privacy Enforcement and Protection Unit.   The Privacy Unit will be staffed by California Department of Justice Employees, including six dedicated prosecutors, and will have broad authority to enforce federal and state laws relating to the collection, retention, disclosure and destruction of private and sensitive information, including medical, financial and government records, by individuals and public and private organizations.  Effective immediately, a number of California Justice Department programs related to identity theft enforcement and education will be absorbed by the Privacy Unit, in an effort to centralize and streamline California’s data privacy protection efforts.    For California consumers, the creation of the Privacy Unit will likely result in easier access to education materials for protecting personal data.  For businesses and organizations collecting, storing, transmitting or processing personally identifiable information, the Privacy Unit is one of many warning signs that California intends to take the enforcement of data privacy regulations seriously.

The creation of the Privacy Unit is the latest in a series of initiatives by the California Attorney General’s office intended to address growing concerns about data privacy.  In August 2011, Attorney General Harris announced the creation of the eCrime Unit, a division responsible for “investigating and prosecuting large scale identity theft and technology crimes with actual losses in excess of $50,000.  Earlier this year, the six largest companies offering platforms for mobile applications agreed to a set of principles, authored and developed by the Attorney General’s office, designed to ensure that mobile applications sold on such platforms comply with California’s Online Privacy Protection Act.  Last month, that set of mobile application privacy principles was expanded significantly when Facebook elected to sign on as well.

With the Privacy Unit in place, actions enforcing California’s data privacy regulations, which are among the strictest in the nation, are certain to increase.  “The Privacy Unit,” according to Attorney General Harris, “will police the privacy practices of individuals and organizations to hold accountable those who misuse technology to invade the privacy of others.”  Based on prior comments from Harris, such enforcement may include prosecutions under California’s Unfair Competition Law  and/or False Advertising Law, which imposes penalties of up to $500,000.   As a result, if you operate a business or organization using or accessing the personally identifiable information of others, time may be running out to ensure that you comply with California’s quickly evolving requirements.



Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.