Privacy matters involving California have had the attention of privacy professionals since 2018 when the California Consumer Privacy Act was signed into law. Focus on California's privacy regime has only grown since, not only due to an approved 2020 ballot measure but because of the standalone regulator that was created with it.

The California Privacy Protection Agency is nearing full strength after a year of establishment while simultaneously promulgating California Privacy Rights Act regulations. And with full staffing, the agency is ready to lean further into its current endeavors and lofty goals, including more privacy rulemaking and its enforcement regime.

CPPA Executive Director Ashkan Soltani indicated as much during a fireside chat for attendees at the IAPP Global Privacy Summit 2024. A day after the agency released its first enforcement advisory covering data minimization related to consumers' CCPA requests, Soltani covered a range of items the agency is in the midst of addressing.

ADMT, risk assessment, cybersecurity audit rulemaking

Top of mind for privacy and artificial intelligence governance professionals is where the CPPA stands with its proposed rulemaking on automated decision-making technologies, risk assessments and cybersecurity audits. The CPPA Board recently moved the draft rules on a split vote to the final stage before a formal rulemaking.

Soltani reiterated to GPS 2024 attendees the board's prior callout that formal rulemaking is likely to begin sometime in July, opening up a one-year window under the Administrative Procedure Act to complete the rulemaking endeavor. He also called attention to the "road show" the agency plans to do in the months leading into formal rulemaking to get feedback on its draft rules.

"I would like to have multiple meetings across California where we engage the public on these regulations," Soltani said. "We want to make sure we are engaging in public conversations, and probably not just with lobbyists in Sacramento."

He added the establishment of a public forum is underway and stakeholders will be able to comment on the draft rules through web form that will have identifiable and anonymous submission options.

On the broader question of the CPPA's role in AI regulation, Soltani pointed to the agency's mandate in the CPRA statute regarding "regulations with respect to consumer rights around access and opt-outs related to the automated decision-making technology, including profiling." Agency staff and the board have worked to identify technologies that will require notice to consumers or human review.

"We touch the AI that I think concerns harmful uses of personal information," Soltani said, adding the current ADMT draft rules include provisions for opt-out rights around training data for AI models. "I joke there's no AI without (personally information) or (intellectual property). We don't touch the IP, but we will address the PI."

Enforcement work

Soltani deferred a majority of enforcement discussions to CPPA Deputy Director of Enforcement Mike Macko, who was set to outline the agency's enforcement work during a separate GPS 2024 session updating folks more broadly U.S. comprehensive state privacy law enforcement. However, Soltani did address a few notable enforcement items, including a primer on the agency's current enforcement priorities.

Notably, the CPPA's probe into the connected vehicle industry remains ongoing after investigations opened in August 2023. Soltani indicated that the examination of CV manufacturer's compliance "is not a surprise to anyone" given the vehicles and their installed technologies are "just computers on wheels."

The agency is also focused on noncompliance with the most straightforward requirements of the CCPA, including rights to delete and access data.

To further address compliance shortcomings, Soltani touched on how enforcement advisories will be a key tool for the agency and CCPA covered entities alike. There was no indication on the frequency at which advisories would be published, but Soltani indicated the data minimization advisory was a good starting point.

"We're trying to provide observations to help inform compliance based on what we're actually seeing," Soltani said. "Hopefully they provide useful examples and guidance with respect to implementation of rights and responsibilities. ... With the application of things like (EU General Data Protection Regulation-style data subject access request flows) with respect to operationalizing CCPA rights, they may not exactly be the right fit."

The advisories serve as blanket notices ahead of potential enforcement, with Soltani explicitly highlighting that the prior 30-day right to cure under the CCPA expired when the CPRA took effect in 2023. Soltani likened the sunset on cure periods to "taking the kids gloves off."

The CPPA also has auditing authority that is beginning to take shape. The agency is in the process of hiring for investigators that will work under a chief auditor, a position that Soltani said will soon be posted.

While audit authority on U.S. privacy matters is unique, Soltani clarified that it is a staple in the EU and other jurisdictions and ultimately "an important component of compliance."

"It allows us to essentially either support enforcement or provide insights to the agency," he said. "Particularly as you're thinking about some of these rights and obligations, they're very hard to read from the outside. More and more we're seeing data flows that occur on the backend (business-to-business side) that we can't measure other than going through and providing subpoenas or requests."