New Data Regulation Agency Starts to Take Shape in California
California state officials are in the process of hiring executives and staff members to work at the California Privacy Protection Agency (CPPA), the new state agency that is tasked with regulating data privacy starting in January 2023.
The CPPA is the enforcement mechanism for the California Privacy Rights Act (CPRA), the new data privacy law California voters approved via the passage of Proposition 24 in the November 2020 election.
The CPRA will largely replace the existing California Consumer Privacy Act (CCPA), which was passed by the California State Legislature and signed into law by Governor Jerry Brown in 2018. The same privacy rights advocates who initially wrote CCPA subsequently wrote the CPRA out of concern that politicians were watering down the CCPA. Since CPRA was passed by the state’s initiative process, it can’t be tinkered with by state senators or assembly members.
The CPRA tightens up data privacy laws relative to CCPA. For starters, it creates a new category of “sensitive personal information,” including race, sexual orientation, union membership, and location, and require companies to become good custodians of that sensitive data.
CPRA also triple CCPA’s fines for collecting and selling private information about children, and requires opt-in consent to sell data from consumers under the age of 16. Residents also gain more power to force companies to correct erroneous information about them, among other changes.
Enforcement is also stronger with CPRA. Under the CCPA, enforcement is handled by the state Attorney General. However, the CPRA mandates the creation of a separate state agency tasked with enforcing the CPRA. That agency, the CPPA, has a $10 million budget.
The five-member state board created to oversee the CPPA recently hired Ashkan Soltani, a privacy expert who previously was the Federal Trade Commission’s top technologist, to be its executive director. The agency is expected to have 30 staff members.
Soltani, who won a Pulitzer Prize in 2014 for his work with a Washington Post team covering national security issues, previously worked for Alastair Mactaggart, the Silicon Valley privacy rights activist who was instrumental in getting both the CCPA and the CPRA passed. Soltani is also one of the principal architects of both CPRA and CCPA, according to the bio on Soltani’s website.
One of Soltani’s biggest challenges will be keeping an eye on how technology giants like Google, Facebook, and Amazon collect and use data from millions of citizens. In lieu of a federal data privacy law, consumers will look to state laws for protection from data abuses. However, only a handful of states have passed data privacy laws at this point. California, which is about to enact its second data privacy law in five years, is expected to be the leader in this emerging legal field.