The California Privacy Protection Agency (CPPA) is the first state privacy agency in the nation and was created as part of the California Privacy Rights Act (CPRA). While this agency has already been formed, it will not begin enforcement activities until July 1, 2023 (six months after the CPRA takes effect).

The agency’s mandate includes enforcing California privacy law, a duty currently carried out by California’s attorney general. In addition to enforcement, the CPPA will engage in other functions, including privacy rulemaking and promoting public awareness of privacy issues. In recent weeks, the CPPA’s executive director was announced, and the agency has issued a call for public comments on initial rulemaking. These developments shed some light on the future of this privacy-focused regulatory agency.

Appointment of Ashkan Soltani

On October 4, the CPPA announced that Ashkan Soltani would serve as its inaugural executive director. As executive director, Soltani will oversee the day-to-day operations of the agency, as well as direct enforcement, rulemaking, and public awareness activities.

Soltani is a self-described “independent researcher and technologist specializing in privacy, security, and technology policy.” He currently holds a dual appointment at Georgetown University Law School as a distinguished fellow at both the Institute for Technology Law & Policy and the Center on Privacy & Technology. In these academic roles, Soltani’s research has focused on areas, such as consumer protection, online tracking, surveillance, and mobile privacy. Soltani formerly served as chief technologist for the U.S. Federal Trade Commission (FTC) and as senior advisor to the White House under President Obama. In California, Soltani helped author both the CCPA and CPRA. He also has been a vocal advocate of “global privacy control” (GPC),[1] which was subsequently included in the CCPA’s regulations.[2]

Earlier this month, Soltani provided testimony during the Senate Commerce Committee’s “Protecting Consumer Privacy” hearing. During his testimony, Soltani called out multiple large tech companies by name, highlighting his role in bringing successful enforcement actions against these entities during his tenure at the FTC. Soltani also highlighted the fact that the FTC “doesn’t have the adequate resources to properly investigate [large tech companies].” Soltani further expressed his support for additional FTC funding and the establishment of an FTC privacy bureau. Soltani also emphasized hiring technologists and highlighted the important support role they played at the FTC. For more information, see Troutman Pepper article here.

Under his leadership, the CPPA is expected to focus on consequential cases as opposed to just issuing fines. Professor Chris Hoofnagle predicts that this will “require companies to advocate differently [and] lawyers will have to have a forensic-level understanding of client practices.”[3] Justin Brookman, director of Consumer Privacy and Technology Policy at Consumer Reports, expects Soltani to aggressively focus on advertising technology issues and GPC noncompliance.[4] Digital publishers, advertisers, and advertisement technology firms are among those that will likely be most impacted by a stronger focus on email-based identity technology, which the ad tech industry appears to be embracing as an alternative to cookies.

With his background and expertise, Soltani is expected to be cognizant of the variety of stakeholders and views involved, while seeking to protect consumer privacy in a way that meets the expectations of regulators and other privacy officials around the world.

CPRA Rulemaking

The CPPA has already issued a call for comments related to any area on which the CPPA has authority to adopt rules. These topics include:

  1. Cybersecurity audits and risk assessments,
  2. Activities that involve automated decision making and profiling,
  3. The CPPA’s authority to audit businesses’ compliance with the law,
  4. Procedures and rules to facilitate consumer rights, such as the right to delete, right to correct, and right to know,
  5. Consumers’ right to opt out of selling or sharing personal information,
  6. Consumers’ rights to limit the use and disclosure of “sensitive personal information” (a new concept introduced under the CPRA),
  7. Information to be provided in response to a consumer’s request to know, and definitions and categories of information.

In addition to these topics, the public may submit comments on any other area of interest related to the CPPA. Preliminary comments are due by November 8, 2021.

The CPPA’s final deadline to promulgate regulations is July 1, 2022, which will allow companies time to comply before the CPRA goes into effect on January 1, 2023. In order to meet this July deadline, the agency will need to publish an initial draft of the regulations no later than December 2021 to account for the time necessary for approval by the California Office of Administrative Law and the required public comment periods. Enforcement of the CPRA will begin July 1, 2023.

Conclusion

Soltani is a well-respected privacy and technology expert with experience in the academic and regulatory spaces. His appointment signals that the CPPA will likely take an aggressive stance when enforcing privacy regulations and policy. Companies that are not currently CPRA compliant should take the time to review their current privacy policies in preparation of the January 1, 2023 enforcement date, and also keep watch on any new rulemaking initiated by the CPPA. Troutman Pepper will continue to monitor and provide updates on the CPPA.

Additional Resources

At Troutman Pepper, we understand the complexities of information technology and how it intersects with the changing regulatory landscape. Our team is dedicated to breaking down complex legal issues and providing guidance that the business and information technology/security can understand. As it relates to the CPRA, Troutman Pepper issued a compendium on the CPRA, which provides an overview of the operational impact of the CPRA on existing CCPA compliance frameworks. It focuses on issues, including notable updates to existing definitions, the addition of new consumer rights, modifications to existing CCPA rights, and newly introduced concepts (at least for the CCPA), such as data minimization and limitations on the use of “sensitive personal information.” Readers can access Troutman Pepper CCPA-related articles and resources by clicking here.

[1] This browser extension then informs every website that the user visits, which allows a user to broadly signal their request instead of submitting individual requests to each website. Current California Attorney General Rob Bonta has already listed this as an acceptable method for businesses to accept requests from consumers. As discussed below, the CPPA is expected to promulgate further rules regarding opt out rights and has already issued a public call for comments on the topic.

[2] There has been growing interest in designs and technology that allows a consumer to (1) easily understand data processing activities and (2) understand privacy controls quickly and to set them conveniently. For example, Apple launched “nutrition labels,” which are modeled after nutrition labels on packaged food and are intended to provide consumers with a user-friendly overview of how each application processes their data. For further analysis please see https://www.law360.com/technology/articles/1432138/-app-store-nutrition-labels-raise-new-privacy-risks-for-cos-.

[3] See https://www.ischool.berkeley.edu/news/2021/alum-ashkan-soltani-named-executive-director-california-privacy-protection-agency.

[4] See https://iapp.org/news/a/ftc-alum-soltani-selected-to-lead-cppa/.