On April 3, at the International Association of Privacy Professionals’ global privacy conference, California Privacy Protection Agency (“CPPA”) Executive Director Ashkan Soltani gave remarks on his agency’s priorities with respect to rulemaking and administrative enforcement of the California Consumer Privacy Act (“CCPA”). Below we provide a few key takeaways:
- Rulemaking Priorities. When asked about the rulemaking priorities of the agency, Executive Director Soltani noted that the CPPA is in the process of promulgating rules on automated decision-making technology (“ADMT”), privacy risk assessments, and cyber audits, as well as certain revisions to existing regulations. He shared that the draft rules will “presumably” be presented at the July board meeting, at which point the agency will “hopefully” move to a formal rulemaking process. In terms of new regulations, he observed that the additional topics for rulemaking provided by the CCPA in § 1798.185 are discretionary and that the CPPA is not considering them “at this time.” He noted that the board may direct the agency to consider such topics in future rulemakings.
- Enforcement Priorities. With respect to enforcement priorities, Executive Director Soltani raised the “Privacy Practices of Connected Vehicles and Related Technologies” announcement released last July. He also flagged the April 2nd “Applying Data Minimization to Consumer Requests” enforcement advisory, which he observed was “based on what we are seeing in the marketplace.” He explained that enforcement advisories “shine light on regulations that we are attentive to and that industry should be attentive to” and that “while they are nonbinding,” the underlying regulations are.
- Enforcement Process. Executive Director Soltani explained that based on its review of trends and consumer complaints, the CPPA may initiate investigations under its administrative enforcement authority. The CPPA may send courtesy letters in a manner similar to the Federal Trade Commission, or rely on its subpoena authority to compel testimony and require the production of materials. Companies may negotiate a settlement, which could include fines or injunctive relief. If a settlement is not reached, the CPPA is empowered to file an administrative action with the Office of Administrative Hearings (“OAH”). After reviewing the docket and conducting a hearing, OAH prepares a decision that is submitted to the CPPA’s board. The board considers the facts presented by OAH, and may not receive supplemental briefing. The board may rewrite the decision (including damages), at which point the determination is final. Executive Director Soltani also explained that the CPPA is still developing policies and procedures for how enforcement works within the agency.
- Enforcement Coordination with the California AG. In response to a question about the overlapping enforcement authority of the California Attorney General (“AG”) and the CPPA, Executive Director Soltani pointed out that while the law empowers the California AG to assume cases being considered by the CPPA, there is “no shortage of issues in our space.” He explained that the two regulators work together to ensure their resources are deployed appropriately and that there is a need for consistency of approach and enforcement.
- Artificial Intelligence. Finally, Executive Director Soltani observed that the CCPA directs the CPPA to issue regulations on consumer access and opt-out rights with respect to ADMT, which address AI issues. He noted that, as a privacy regulator, the CPPA is focused on harmful uses of personal information (“PI”) in the AI context, and therefore it does not “touch on all of AI.” That being said, he observed that “there is no AI without PI.”