The California Privacy Protection Agency (“CPPA”), established to enforce both the California Consumer Privacy Act (“CCPA”) as well as California Privacy Rights Act (“CPRA”) once it takes effect, recently announced the appointment of Ashkan Soltani to the position of Executive Director.1 As Executive Director, Mr. Soltani will be tasked to carry out the day-to-day operations of the CPPA, as well as oversee enforcement activities and rulemaking related to these California privacy regulations. These are the main functions of the CPPA, in addition to education, and he will work with the CPPA’s current five-member board in implementing these functions.
Mr. Soltani was involved in the development of both the CCPA and CPRA. He also is a Distinguished Fellow at the Georgetown University Law School at both the Institute for Technology Law and Policy and the Center on Privacy and Technology, and previously served as a Senior Advisor to the U.S. Chief Technology Officer in the White House Office of Science and Technology Policy under the Obama Administration, and as the Chief Technologist for the Federal Trade Commission, where he helped create the Office of Technology Research and Investigation.2
With respect to its rulemaking activity, the CPPA is also currently seeking comments on the CPRA and particularly with respect to any new and undecided issues not already covered by the existing CCPA regulations.3 The deadline for submittal of comments is Monday November 8, 2021.
Comments are being sought as to a variety of topics, including the following items:
- Audit Requirements – Comments are sought as to how a business’s processing of personal information will present a “significant risk to consumers’ privacy or security” subjecting the business to the CPRA’s audit requirements set forth in California Civil Code section 1798.185(a)(15).
- Consumers’ Right to Delete – The CPRA provides that consumers may request the correction of inaccurate personal information.4 Comments are requested as to the frequency of these consumer requests as well as how businesses are to respond to these requests for correction.
- Consumers’ Rights to Limit the Use and Disclosure of Sensitive Personal Information – The CPRA grants consumers additional rights with respect to “sensitive personal information.” Comments are sought as to the types of information that constitute "sensitive personal information" that should be deemed "collected or processed without the purpose of inferring characteristics about a consumer" and therefore not subject to the right to limit use and disclosure as provided in California Civil Code section 1798.121(d).
- Definition of Personal Information – In considering whether the definition of “personal information” is sufficient as set forth in California Civil Code section Civil Code, § 1798.185(a)(1), comments are sought as to any updates or additions that should be made to this definition.
Why Does This Matter For Businesses?
- Now is the time to address privacy regulation for your California business. The CPRA will become operative on January 1, 2023 and applies to personal information collected after January 1, 2022, less than 90 days from now.
- The CCPA remains in effect until the CPRA is enforceable. If you are not already in compliance for any reason, now is the time to quickly implement a CCPA compliance strategy. The CPPA can and will impose monetary penalties for non-compliance.
- Depending on your business’ needs, you may want to simply tackle the CPRA requirements with your CCPA compliance strategy, especially with respect to the collection of personal information.
- The CPRA no longer contains a period to remedy violations, as previously included in the CCPA, so it is imperative to implement comprehensive compliance efforts.
1 See https://cppa.ca.gov/announcements/
2 See https://cppa.ca.gov/announcements/
4See California Civil Code, §§ 1798.106 and 1798.130