7 Things You Should Know About California’s Privacy Watchdog

Ashkan Soltani, executive director, California Privacy Protection Agency

There will soon be 15 – count ‘em 15 – state privacy laws on the books in the US. (Kentucky’s privacy bill is sitting on the governor’s desk waiting for a signature as we speak.)

But in the absence of comprehensive federal privacy legislation, many companies treat California’s privacy law – the nation’s strictest – as a de facto standard.

California is also home to the California Privacy Protection Agency (CPPA), the first and only independent data protection authority in the US.

After a brief legal wrangle, the CPPA now has full enforcement authority over the California Privacy Rights Act (CPRA) and related regs – and you can expect the agency to start using that authority.

With enforcement set to ramp up this year, here are seven facts about the CPPA that you can trot out at cocktail parties (depending on whether you hang out with privacy nerds).

1. Ashkan Soltani is the CPPA’s executive director

Before signing on as the agency’s first employee in 2021, Soltani helped architect the California Consumer Privacy Act and the CPRA.

He was previously chief technologist at the Federal Trade Commission and a senior advisor to the White House during the Biden administration on technology issues, including privacy, AI and big data.

Soltani also spent years as an independent technologist and privacy researcher. He helped investigative journalist Julia Angwin with her research for the infamous “What They Know” series, which ran in The Wall Street Journal between 2010 and 2013 and shined a light on the pervasiveness of online tracking.

All of that is to say, Soltani knows how ad tech works and where the bodies are buried.

2. Inspired by Europe

Although the CPPA is unique in the US as a state-level regulator solely focused on data privacy, the concept isn’t new.

CPPA was patterned on the data protection authority model in the EU, said Soltani, speaking during a packed session at the IAPP’s Global Privacy Summit in Washington, DC, on Wednesday.

Every European country has its own independent public authority that’s responsible for enforcing EU data protection law and monitoring compliance.

Although some DPAs, including the one in Ireland, have been criticized for less zealous (or more business-friendly) GDPR enforcement, other DPAs (particularly the ICO in the UK and the CNIL in France) haven’t let the grass grow.

The CPPA is clearly taking a page from the books of those more active enforcers.

3. Three main priorities

The agency has a three-pronged mission: enforcing California’s privacy standards, educating the public about their legal rights and mandatory rulemaking under CPRA.

The purpose of the rulemaking process is to allow a government agency to refine and clarify a statute with more detail, which helps businesses manage compliance.

The CPPA is in the midst of working on a rulemaking package right now that includes proposed rules for cybersecurity audits, risk assessments and automated decision-making. The plan is to release the rules for a 45-day public comment period starting in July. It’ll take around a year from that point to finalize the regs.

4. Automated decision-making

The agency’s proposal for automated decision-making could have a big impact on ad tech.

Under the CPRA, consumers have the right to opt out of businesses using automated decision-making technology to profile them, including based on their personal preferences, interests, behavior and location.

The proposed rules would expand the definition of profiling to include online behavioral advertising – and require businesses to provide explicit disclosures and an opt-out.

It’s hard to imagine an ad tech company, publisher or advertiser that this wouldn’t apply to in some way.

5. State regulators talk to each other

And it’s more than possible – likely, even – that other states could replicate California’s approach in their own enforcement.

States are independent but don’t operate in a vacuum. Regulators communicate and can – and do – coordinate and share information. If a business or certain practice is on the CPPA’s radar, other states probably know about it, too, and vice versa.

“We’re mindful of what the other states are doing,” Soltani said. “And we talk.”

6. Reminder: The cure period is over

And talk will translate into action – as in, enforcement action.

Some state laws give businesses an opportunity to cure, which means they have a certain amount of time – usually 30 days, but in some cases up to 90 days – to correct a violation.

In most cases, the right to cure is codified in the state’s privacy law, including in Indiana, Iowa, Oregon, Tennessee, Texas, Utah and Virginia.

In other states, however, including California, the right to cure expires. Although there was a 30-day cure period under the CCPA, the CPRA eliminated it.

The right to cure in California disappeared on Jan. 1, 2023, the day the CPRA went into effect – and that was “by design,” Soltani said.

Businesses have had a long time to get comfortable with the CCPA, he said, and it “doesn’t make sense” to offer a curing option for violations of a law that’s been on the books since 2020.

“Now, the kid gloves are off,” Soltani said.

7. DELETE Act update

Meanwhile, the CPPA is also starting to operationalize other privacy legislation, including the DELETE Act, a law that passed last year to amend California’s existing Data Broker Registration statute.

Data brokers – defined as companies that collect and sell personal information about people they don’t have a direct relationship with – were required to register with the CPPA by the end of January. (They’ll have to repeat that process every year.)

Around 500 companies are now registered as data brokers with the CPPA, Soltani said. (Here’s the full list, if you’re curious.)

The next step is for the CPPA to create a one-click mechanism by August 2026, which California residents can use to submit requests for data brokers in the state to delete all of their personal information.

Virginia, Texas and Oregon also have data broker registration laws, and don’t be surprised if more states follow suit.

“It’s something that other states could take on,” Soltani said. “Users should be able to request deletion of their data from companies they probably never heard of or even encountered before.”
