InfoBytes Blog

Soltani to head the California Privacy Protection Agency

According to sources, Ashkan Soltani, a former chief technologist at the FTC, has been named Executive Director of the California Privacy Protection Agency (CPPA). Among other things, Soltani was an architect of the California Consumer Privacy Act (CCPA). According to CPPA Chair Jennifer Urban, Soltani’s “background in technology and privacy, and his work on both the CCPA and the [California Privacy Rights Act (CPRA)] give him a thorough understanding of California privacy law and will stand him in good stead as he leads Agency staff and helps the Agency fulfill its privacy protection mandate.” As previously covered by InfoBytes, earlier this year, California’s governor announced appointments to the five-member inaugural board for the CPPA, consisting of experts in privacy, technology, and consumer rights. The CPPA is tasked with protecting the privacy rights of consumers over their personal information, and “will have full administrative power, authority, and jurisdiction to implement and enforce” the CCPA and the CPRA, including bringing enforcement actions before an administrative law judge.

Privacy/Cyber Risk & Data Security State Issues CCPA CPPA CPRA California Consumer Protection State Regulators

California Privacy Protection Agency seeks preliminary comments on CPRA proposed rulemaking

On September 22, the California Privacy Protection Agency (CPPA) formally called on stakeholders to provide preliminary comments on proposed rulemaking under the California Privacy Rights Act (CPRA). The CPRA, which established the CPPA to administer, implement, and enforce the act, was approved by ballot measure in November 2020 (covered by InfoBytes here) and updated the existing California Consumer Privacy Act. The invitation for comments highlights several areas of interest for the CPPA as it begins the rulemaking process, including topics related to: (i) cybersecurity audits and risk assessments to be performed by businesses processing personal information that presents a significant risk to consumers’ privacy or security; (ii) matters concerning automated decision-making; (iii) audits performed by the CPPA; (iv) issues related to consumer rights, including consumers’ right to delete, right to correct, and right to know what personal data has been collected or shared, as well as consumers’ rights to opt-out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information; (v) information to be provided when responding to a consumer’s request to know; and (vi) definitions and categories of information and activities, including what updates or additions should be added to “personal information,” “sensitive personal information,” “precise geolocation,” and “dark patterns,” among other terms. Comments must be submitted by November 8.

The CPRA will become effective January 1, 2023, with enforcement delayed until July 1, 2023. However, the CPRA will apply to personal information collected by a business on or after January 1, 2022. The CPPA notes that this invitation for comments is not a proposed rulemaking action and states that the public will have additional opportunities to provide comments on proposed regulations or modifications when it proceeds with a notice of proposed rulemaking action.

Privacy/Cyber Risk & Data Security State Issues California CPPA CPRA Agency Rule-Making & Guidance

California again modifies CCPA regs; appoints privacy agency’s board

On March 15, the California attorney general announced approval of additional regulations implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1, 2020. According to the announcement, the newly-approved amendments strengthen the language of CCPA regulations approved by OAL last August (covered by InfoBytes here). Specifically, the new amendments:

• Require businesses selling personal information collected in the course of interacting with consumers offline to provide consumers about their right to opt out via offline communications. Consumers must also be provided instructions on how to submit opt-out requests.
• Provide an opt-out icon for businesses to use in addition to posting a notice of right to opt-out. The amendments note that the opt-out icon may not be used in lieu of requirements to post opt-out notices or “do not sell my personal information” links.
• Require companies to use opt-out methods that are “easy” for consumers to execute and that require “minimal” steps to opt-out. Specifically, a “business’s process for submitting a request to opt-out shall not require more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out.” Additionally, except as otherwise permitted by the regulations, companies are prohibited from requiring consumers to provide unnecessary personal information to implement an opt-out request, and may not require consumers to click through or listen to reasons as to why they should not submit an opt-out request. The amendments also state that businesses cannot require consumers “to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out.”

The AG’s press release also notes that the California Privacy Rights Act (CPRA), which was approved by voters last November and sought to amend the CCPA, will transfer some of the AG’s responsibilities to the California Privacy Protection Agency (CPPA), covered by InfoBytes here; however, the AG will retain the authority to go to court to enforce the law. Enforcement of the CPRA will begin in 2023.

Additionally, on March 17, the California governor announced appointments to the five-member inaugural board for the CPPA, consisting of experts in privacy, technology, and consumer rights. The CPPA is tasked with protecting the privacy rights of consumers over their personal information, and “will have full administrative power, authority, and jurisdiction to implement and enforce” the CCPA and the CPRA, including bringing enforcement actions before an administrative law judge.

State Issues State Regulators CCPA State Attorney General Privacy/Cyber Risk & Data Security CPRA CPPA Consumer Protection