It was always going to be interesting to see who would be appointed the inaugural leader of the California Privacy Protection Agency. With the hiring process mostly closed-door and unpublicized, the selection was bound to catch people by surprise and did just that on Monday.

The CPPA announced Ashkan Soltani, former chief technologist for the U.S. Federal Trade Commission and senior advisor to the White House, will be its first executive director. Soltani was a key player in the drafting of the California Consumer Privacy Act and the California Privacy Rights Act while also a leading voice and advocate for the Global Privacy Control initiative.

"California is leading the way when it comes to privacy rights and I'm honored to be able to serve its residents," Soltani said in the CPPA's public release. "I am eager to get to work to help build the agency's team and begin doing the work required by the CCPA and the CPRA."

According to the CPPA, Soltani will "carry out day-to-day operations" for the agency and "oversee enforcement activities, rulemaking and public awareness, and will build and lead the agency staff." Staffing the CPPA accordingly will undoubtedly be a first step for Soltani, but chief among his priorities thereafter will be finalizing CPRA regulations prior to the July 1, 2022 deadline. He'll work on all these establishing tasks in coordination with the five-member CPPA Board of Directors, which was charged with Soltani's appointment.

In a statement, CPPA Board Chair Jennifer Urban said the board is "thrilled" to bring Soltani aboard, noting his background in and imprints on California privacy law "will stand him in good stead as he leads the agency staff and helps the agency fulfill its privacy protection mandate."

Soltani's appointment was well received across the greater privacy community. High Tech Law Institute Co-Director and Privacy Law Certificate Faculty Supervisor Eric Goldman expects Soltani's background to "help him get a fast start in a demanding job" while hoping the CPPA will "recognize that privacy involves the balancing of many interests" and realizing that "always prioritizing pro-privacy outcomes regardless of other considerations would gravely disserve California."

Hintze Law Managing Partner Susan Hintze, CIPP/US, CIPT, FIP, sees Soltani as a great fit from the standpoint of best serving individuals and their rights under California law.

"Ashkan is highly respected on all sides of the privacy community for his dedication to advancing consumer rights and protections," Hintze said. "He also brings a collaborative approach to privacy solutions and a deep understanding of technology underlying and supporting those solutions."

With Soltani in place, questions regarding the CPPA will now turn to its new executive director's past agenda and how it might shape enforcement goals and priorities. Consumer Reports Director of Consumer Privacy and Technology Policy Justin Brookman, a friend and colleague of Soltani over the years, expects an "aggressive stance" on the CPRA and a particular focus on advertising technology issues and GPC noncompliance.

"His background with the GPC is relevant too, as a number of law firms are pointing to the confusing structure of the CPRA to claim that compliance with GPC signals won't be mandatory once the CPRA goes into effect," said Brookman, who worked with Soltani on the GPC project. "I think that's a bad faith interpretation of the law, and I would be extremely surprised if the CPPA under Soltani's direction were to adopt that narrow and counterintuitive interpretation."

Brookman's sentiments on aggressive enforcement are shared by Loeb & Loeb Privacy, Security & Data Innovations Practice Co-Chair Tanya Forsheit, CIPP/US, CIPT, PLS, and Perkins Coie Partner Dominique Shelton Leipzig, CIPP/US. Forsheit expects "consideration for the perspectives of the many stakeholders" involved with the CPRA while looking forward to working with Soltani and the CPPA on "clear guidelines" for companies as they "seek to protect their customers’ privacy and trust in ways that also meet the expectations of regulators across the country and around the globe."

For Leipzig, the selection of Soltani represents somewhat of a final call to companies that have yet to fall in line with the CPRA.

"Businesses should use the next the next 15 months to focus on compliance with the CPRA, as well as making sure industry’s perspectives are taken into consideration for CPRA regulations," said Leipzig, who will moderate a keynote panel on California privacy law enforcement and policymaking at IAPP's Privacy. Security. Risk. 2021 in San Diego Oct. 21-22. "There has been a call for industry comment by Nov. 8 and this is an important opportunity that industry should seize to ensure that the CPRA is workable for everyone: privacy advocates, regulators, legislators, judges and businesses."

Photo by Joseph Barrientos on Unsplash