On April 3, at the International Association of Privacy Professionals’ global privacy conference, California Privacy Protection Agency (“CPPA”) Executive Director Ashkan Soltani gave remarks on his agency’s priorities with respect to rulemaking and administrative enforcement of the California Consumer Privacy Act (“CCPA”).  Below we provide a few key takeaways:

  • Rulemaking Priorities.  When asked about the rulemaking priorities of the agency, Executive Director Soltani noted that the CPPA is in the process of promulgating rules on automated decision-making technology (“ADMT”), privacy risk assessments, and cyber audits, as well as certain revisions to existing regulations.  He shared that the draft rules will “presumably” be presented at the July board meeting, at which point the agency will “hopefully” move to a formal rulemaking process.  In terms of new regulations, he observed that the additional topics for rulemaking provided by the CCPA in § 1798.185 are discretionary and that the CPPA is not considering them “at this time.”  He noted that the board may direct the agency to consider such topics in future rulemakings.
  • Enforcement Priorities.  With respect to enforcement priorities, Executive Director Soltani raised the “Privacy Practices of Connected Vehicles and Related Technologies” announcement released last July.  He also flagged the April 2nd “Applying Data Minimization to Consumer Requests” enforcement advisory, which he observed was “based on what we are seeing in the marketplace.”  He explained that enforcement advisories “shine light on regulations that we are attentive to and that industry should be attentive to” and that “while they are nonbinding,” the underlying regulations are.   
  • Enforcement Process. Executive Director Soltani explained that based on its review of trends and consumer complaints, the CPPA may initiate investigations under its administrative enforcement authority.  The CPPA may send courtesy letters in a similar manner as the Federal Trade Commission, or rely on its subpoena authority to compel testimony and require the production of materials.  Companies may negotiate a settlement, which could include fines or injunctive relief.  If a settlement is not reached, the CPPA is empowered to file an administrative action with the Office of Administrative Hearings (“OAH”).  After reviewing the docket and conducting a hearing, OAH prepares a decision that is submitted to the CPPA’s board.  The board considers the facts presented by OAH, and may not receive supplemental briefing.  The board may rewrite the decision (including damages), at which point the determination is final.  Executive Director Soltani also explained that the CPPA is still developing policies and procedures for how enforcement works within the agency.
  • Enforcement Coordination with the California AG.  In response to a question about the overlapping enforcement authority of the California Attorney General (“AG”) and the CPPA, Executive Director Soltani pointed out that while the law empowers the California AG to assume cases being considered by the CPPA, there is “no shortage of issues in our space.”  He explained that the two regulators work together to ensure their resources are deployed appropriately and that there is a need for consistency of approach and enforcement.
  • Artificial Intelligence.  Finally, Executive Director Soltani observed that the CCPA directs the CPPA to issue regulations with respect to consumer rights around access and opt out of ADMT, which address AI issues.  He noted as a privacy regulator, the CPPA is focused on harmful uses of personal information (“PI”) in the AI context, and therefore it does not “touch on all of AI.”  That being said, he observed that “there is no AI without PI.”
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Photo of Andrew Longhi Andrew Longhi

Andrew Longhi is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Technology and Communications Regulation Practice Groups.

Andrew advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, commercial…

Andrew Longhi is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Technology and Communications Regulation Practice Groups.

Andrew advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, commercial transactions involving personal information and cybersecurity risk, and responses to regulatory inquiries.

Andrew is Admitted to the Bar under DC App. R. 46-A (Emergency Examination Waiver); Practice Supervised by DC Bar members.