The California Privacy Protection Agency (CPPA), the first state agency dedicated to protecting residents’ privacy
The California Privacy Protection Agency, or the CPPA, will be the first state agency dedicated to protecting the privacy of its residents. It will be established because of the California Privacy Rights Act (CPRA), and it is finally beginning to take shape.
Although they will not start enforcing the new regulations until July 2023 – 6 months after the privacy law become goes into effect – their reach will be significant. While the mandate is currently enforced by California’s attorney general, the CPPA will take over that responsibility and perform additional functions.
Keep reading to learn more about the California Privacy Protection Agency and what it means for cookies and other online tracking tools.
The California Privacy Protection Agency, or the CPPA, will be the first state agency dedicated to protecting the privacy of its residents.
The CPPA’s New Executive Director
The most recent development involving the California Privacy Protection Agency is the appointment of its new executive director. As of October 4th, Ashkan Soltani was appointed as the inaugural executive director.
In his role as the new executive director, he will be responsible for managing the day-to-day operations of the CPPA. Similarly, he will directly oversee the rulemaking, enforcement, and public awareness activities led by the agency.
So, why was Ashkan Soltani chosen for this crucial role in the CPPA? He is currently appointed as a distinguished fellow at Georgetown University Law School, at both the Center on Privacy & technology and the Institute for Technology Law & Policy.
As you can imagine, this specific expertise makes him an ideal candidate to lead the California Privacy Protection Agency. He is self-described as a specialist in technology policy, privacy, and security, and his research dives into online tracking, mobile privacy, surveillance, consumer protection, and other similar topics.
Before this appointment, Soltani served as the chief technologist at the Federal Trade Commission (FTC). Likewise, he worked as a senior advisor in the White House under President Obama and was a strong advocate for GPC or global privacy control.
His support of GPC led him to help write the standards for the CPRA and CCPA – so it only makes sense that he was its appointed executive director. In other words, his background in privacy regulation and technology will allow him to understand the viewpoints of all the stakeholders involved. He will work to protect consumer privacy and meet the expectations of regulators around the world.
The Protecting Consumer Privacy Hearing
Although he was recently appointed, Soltani has already begun to support the CCPA and privacy regulations in the state. He testified during the Senate Commerce Committee’s hearing on protecting consumer privacy, and his speech named several large tech companies that he intends to focus his enforcement efforts on.
He called out the fact that the Federal Trade Commission doesn’t have the resources needed to investigate these tech giants, and that additional funding is needed to ensure that privacy policies are successfully enforced. Soltani also expressed the need to establish a privacy bureau within the FTC – and highlighted how hiring the right technologists could support these efforts further.
It is expected that the California Privacy Protection Agency will focus on landmark cases under his leadership rather than just issuing large amounts of fines. Companies will likely need to advocate in different ways, and legal counsels must have a deeper understanding of the practices their clients are using.
There is no doubt that the CPPA will focus on GPC compliance violations and advertising technology issues under the leadership of Soltani. This will significantly impact marketers, advertisement technology firms, and digital publishers since they heavily rely on cookies and similar tracking tools. The agency will also pay close attention to email-based identity technology, as many organizations are shifting to this instead of cookies.
Rulemaking Under the California Privacy Rights Act
The California Privacy Protection Agency has issued a call for comments from the public about any of the areas that they have authority over.
The topics include many subjects, such as cybersecurity audits, risk assessments, procedures that facilitate consumer rights, activities involving automated profiling and decision making, and more. Here are some additional topics that the CPPA has requested public comments about:
- Consumer rights to opt-out of sharing or selling personal data
- The CPPA’s right to audit businesses and the legality of their activities
- The information that is provided to consumers in response to a request
- Their right to limit the use and disclosure of sensitive personal information
- The procedures for consumers to correct, delete, and know about data collected from them
As you can see, the CPPA’s request for public comments is quite broad – and it is not limited to just these topics. The public can respond to any other area related to the agency’s mission, and the comments are due by November 8, 2021.
The California Privacy Protection Agency has until July 1, 2022, to promulgate regulations, which is why they are eager to receive feedback as soon as possible. This deadline also gives companies enough time to adjust their processes to ensure they can comply with CPRA regulations.
The appointment of Ashkan Soltani as the executive director of the California Privacy Protection Agency shows that the organization is finally beginning to take shape. His expertise in technology and privacy-related matters has made him well-respected in both the academic and regulatory scope. That also makes him the perfect candidate to lead the agency.
However, this appointment also signals that the CPPA will take an aggressive stance while enforcing the privacy laws in the state. That means that firms not yet compliant with the CPRA should take steps to review their privacy policies – they need to be prepared for the enforcement date of January 1, 2023. Similarly, they should keep an eye out for any new rules that the CPPA will introduce.