During last month’s California Privacy Protection Agency Board (CPPA) meeting, the only substantive agenda item, addressed in closed session, was a discussion of two key appointments: the first Executive Director and a Chief Privacy Auditor, as required by CPRA’s 1798.199.30. On October 4, 2021, the five-person CPPA board announced that they appointed Ashkan Soltani to the Executive Director position. Soltani brings to the table a variety of privacy experiences as a former FTC Chief Technologist, a Senior Advisor to the U.S. Chief of Technology Officer in the White House Office of Science and Technology Policy for the Obama Administration, and one of the architects behind the CCPA and CPRA.
The CPRA does not provide much detail on the responsibilities for the Executive Director position, and in fact only mentions the role twice. Particularly, the CPRA states that the Executive Director does not have exclusive oversight of the rulemaking process and must share that responsibility with the Board. Nevertheless, the CPPA board announcement hints that Soltani will have an influential role in enforcement activities, rulemaking, building public awareness, and building and leading the Agency staff.
Soltani’s first year as Executive Director will be a busy one. As we recently reported, the CPRA began its rulemaking process asking for comments on topics such as opt-out rights, automated decisionmaking, right to correct, and any needed changes to CPRA definitions. Significantly, the topics also include the issue of global privacy controls, on which Soltani has been a leading voice and advocate. Though the deadline for comments is not until November 8, we expect to see a substantial number of comments ranging on a number of issues.
Soltani’s public statements give some indication of the policy positions he may take in his role as Executive Director. In a Senate hearing last week, Soltani supported more FTC enforcement resources, including a preemption provision in a privacy bill that would still allow states to craft more restrictive legislation, and more technical expertise consumer protection enforcement. Soltani also stated that he considered core behavior changes to come not from regulatory fines, but injunctions and restrictions imposed on businesses. Though the CCPA/CPRA schemes are different from the FTC Act, Soltani’s comments suggest he might seek to use injunctive relief as a complement to civil penalties under the CCPA/CPRA.
We expect the CPPA Board to announce its appointment of a Chief Privacy Auditor in the near future. These additions and the preliminary rulemaking will allow the agency prepare for the CPRA’s January 1, 2023 effective date. We will continue to monitor this space and post relevant updates.