While the program at the IAPP Global Privacy Summit 2023 contained plenty of federal privacy law undertones, the U.S. regulatory talk fell squarely back to California's privacy regime. The focus was inevitable after the first set of California Privacy Rights Act regulations was finalized in the days leading up to the conference.
Members of California's privacy enforcement bodies — the California Privacy Protection Agency and the Office of the Attorney General of California — acknowledged the regulations were a monumental step forward for U.S. privacy, but much work is still to come. CPPA Executive Director Ashkan Soltani explained the first CPRA regulations merely updated the prior regulations set out under the California Consumer Privacy Act, leaving considerable work left to address any lingering ambiguity and fresh enforcement topics.
"Our focus now with those regulations in place is to really embark on additional public awareness and guidance around the regulations and really drive voluntary compliance," Soltani said. "As part of our (first) rulemaking, we had to establish a set of bases for the regulations as well as an analysis of the space. Our economists found that there's actually not a lot of compliance in California as it relates to the existing (CCPA) regulations."
Soltani made the compliance remarks while reminding attendees the CCPA's full 30-day right to cure was removed as of 1 Jan. and replaced by cure notices at the CPPA's discretion. California Supervising Deputy Attorney General Stacey Schesser, CIPP/US, also clarified the discretionary cure is limited to the CPPA, while the attorney general can act immediately and swiftly on any violations it finds moving forward.
Where's the guidance?
The lack of a cure provision makes industry's interpretation and understanding of the CCPA, as amended by the CPRA, vital.
Questions remain, including whether recognition of the Global Privacy Control as a user opt-out is mandatory for all companies. Soltani and CPPA board member Alastair Mactaggart, the architect of the CCPA and CPRA ballot initiative who spoke on a separate GPS 2023 panel, both explicitly stated GPC recognition is mandatory moving forward under CPRA rules.
But the GPC discussion raised the issue of a clear yearning for further guidance on a range of topics concerning implementation.
Soltani explained there can't be an expectation for guidelines like those published so regularly by European data protection authorities because California law simply doesn't allow the CPPA to "pontificate" or work in that fashion.
"We are required to go through the Administrative Procedures Act in order to provide guidance," Soltani said. "But if you look at our (CPRA) regulations, we have a ton of examples and those weren't strictly necessary … and are there to provide industry with insights, scenarios and hypotheticals on how to apply the law."
The task post-rulemaking, according to Soltani, is to "echo, emphasize or amplify" the examples provided within the first rules. The public utilization of open CPPA board meetings was also mentioned as a key tool for the agency to hear, understand and properly address stakeholder grievances.
There is further clarity yet to come on topics not previously covered by the initial CCPA regulations or updated by CPRA rules. During a GPS 2023 panel with Mactaggart, CPPA board member Lydia de la Torre, CIPP/US, said the second CPRA rulemaking package concerning cybersecurity audits, risk assessments and automated decision-making is still at the board's subcommittee level and isn't expected to be immediately raised, allowing some time for the first set of rules to settle in with covered entities.
Shared enforcement
The CPPA won't be alone in its enforcement endeavor as the attorney general's office will share enforcement duties on some matters moving forward. Schesser recalled the attorney general being deemed the CPPA's twin at a prior IAPP event and made sure to clarify distinctions between their enforcement endeavors.
"The agency is going to be doing administrative enforcement, which will look a little different than what most lawyers in the room are used to with civil enforcement," Schesser said. "In addition to that, (the attorney general) may be bringing cases that are more complex in nature because perhaps they combined multiple theories of liability outside just the CCPA. A privacy policy that makes a false statement could potentially be actionable as a violation of false advertising law."
As far as CPPA enforcement initiatives go, Soltani made it clear the agency will abide by its new rule for discretionary enforcement with the consideration that the extended CPRA rulemaking process may have hindered companies' good-faith compliance efforts in certain areas. The enforcement priorities for the agency remain a work in progress and are driven at the board level.
"What's interesting is that will all happen in public … under (California's) open meeting requirement. So when you all hear about enforcement priorities is when I'll first hear about them," Soltani said. Mactaggart provided a window into some potential board thinking, noting he envisions new or updated rulemaking from the board "once a year, twice a year or something like that" as a way to be a leader in addressing "these areas of technological change."
No appetite for federal preemption
Members of both enforcement bodies used their time to defend California's ongoing fight against federal preemption of the CCPA. They were among the many entities, state officials and Californian members of U.S. Congress to come out against the proposed American Data Privacy and Protection Act last summer and then again in March.
"I'm a huge supporter of a federal privacy law, but there needs to be a floor not a ceiling," Mactaggart said. "Just like (Health Insurance Portability and Accountability Act), Gramm–Leach–Bliley Act and (Fair Credit Reporting Act) are all floors. States should be allowed to go further, but I do want to see America lead the way."
State flexibility and undoing of previously established rights are top of mind for Soltani. He explained how the proposed ADPPA — last amended in November — is already behind on addressing areas of concern like women's reproductive health data rights and artificial intelligence, while California has passed laws and is considering proposals for both.
"It amazes me that so many groups have been supportive under the notions that 'it's been so long' and 'this is the most movement on privacy in 20 years,' to the point where we'll take anything," Soltani said. "I think that's a huge problem, this ceiling to preemption and essentially putting into amber these protections without thought to rapid technological change."
Top image: Dominique Shelton Leipzig moderates a CCPA enforcers panel at the IAPP Global Privacy Summit 2023 featuring Ashkan Soltani and Stacey Schesser.