On April 3, at the International Association of Privacy Professionals’ global privacy conference, California Privacy Protection Agency (“CPPA”) Executive Director Ashkan Soltani gave remarks on his agency’s priorities with respect to rulemaking and administrative enforcement of the California Consumer Privacy Act (“CCPA”).  Below we provide a few key takeaways:

  • Rulemaking Priorities.  When asked about the rulemaking priorities of the agency, Executive Director Soltani noted that the CPPA is in the process of promulgating rules on automated decision-making technology (“ADMT”), privacy risk assessments, and cyber audits, as well as certain revisions to existing regulations.  He shared that the draft rules will “presumably” be presented at the July board meeting, at which point the agency will “hopefully” move to a formal rulemaking process.  In terms of new regulations, he observed that the additional topics for rulemaking provided by the CCPA in § 1798.185 are discretionary and that the CPPA is not considering them “at this time.”  He noted that the board may direct the agency to consider such topics in future rulemakings.
  • Enforcement Priorities.  With respect to enforcement priorities, Executive Director Soltani raised the “Privacy Practices of Connected Vehicles and Related Technologies” announcement released last July.  He also flagged the April 2nd “Applying Data Minimization to Consumer Requests” enforcement advisory, which he observed was “based on what we are seeing in the marketplace.”  He explained that enforcement advisories “shine light on regulations that we are attentive to and that industry should be attentive to” and that “while they are nonbinding,” the underlying regulations are.   
  • Enforcement Process. Executive Director Soltani explained that based on its review of trends and consumer complaints, the CPPA may initiate investigations under its administrative enforcement authority.  The CPPA may send courtesy letters in a similar manner as the Federal Trade Commission, or rely on its subpoena authority to compel testimony and require the production of materials.  Companies may negotiate a settlement, which could include fines or injunctive relief.  If a settlement is not reached, the CPPA is empowered to file an administrative action with the Office of Administrative Hearings (“OAH”).  After reviewing the docket and conducting a hearing, OAH prepares a decision that is submitted to the CPPA’s board.  The board considers the facts presented by OAH, and may not receive supplemental briefing.  The board may rewrite the decision (including damages), at which point the determination is final.  Executive Director Soltani also explained that the CPPA is still developing policies and procedures for how enforcement works within the agency.
  • Enforcement Coordination with the California AG.  In response to a question about the overlapping enforcement authority of the California Attorney General (“AG”) and the CPPA, Executive Director Soltani pointed out that while the law empowers the California AG to assume cases being considered by the CPPA, there is “no shortage of issues in our space.”  He explained that the two regulators work together to ensure their resources are deployed appropriately and that there is a need for consistency of approach and enforcement.
  • Artificial Intelligence.  Finally, Executive Director Soltani observed that the CCPA directs the CPPA to issue regulations with respect to consumer rights around access and opt out of ADMT, which address AI issues.  He noted that, as a privacy regulator, the CPPA is focused on harmful uses of personal information (“PI”) in the AI context, and therefore it does not “touch on all of AI.”  That being said, he observed that “there is no AI without PI.”
Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Andrew Longhi

Andrew Longhi advises national and multinational companies across industries on a wide range of regulatory, compliance, and enforcement matters involving data privacy, telecommunications, and emerging technologies.

Andrew’s practice focuses on advising clients on how to navigate the rapidly evolving legal landscape of state, federal, and international data protection laws. He proactively counsels clients on the substantive requirements introduced by new laws and shifting enforcement priorities. In particular, Andrew routinely supports clients in their efforts to launch new products and services that implicate the laws governing the use of data, connected devices, biometrics, and telephone and email marketing.

Andrew assesses privacy and cybersecurity risk as a part of diligence in complex corporate transactions where personal data is a key asset or data processing issues are otherwise material. He also provides guidance on generative AI issues, including privacy, Section 230, age-gating, product liability, and litigation risk, and has drafted standards and guidelines for large-language machine-learning models to follow. Andrew focuses on providing risk-based guidance that can keep pace with evolving legal frameworks.