Legislative Updates

Initial Actions of California Privacy Protection Agency


Emptech's founder, Jeff Aleixo


Jeffrey Aleixo

California Privacy Protection Agency Data Privacy Law Compliance

Comprehensive laws designed to protect individuals’ personal information have been enacted over the past several years. As the United States does not have a general privacy law, many states have initiated the introduction of such legislation, with California leading the way with its California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

The CPRA amends various parts of the CCPA, and one of the changes includes the creation of a new privacy enforcement authority. The CCPA was originally enforced by the California Office of the Attorney General (OAG). The CPRA shifts this authority by establishing the California Privacy Protection Agency (CPPA) and granting it investigative, enforcement, and rulemaking powers. While its enforcement activities will not begin until July 1, 2023, the California Privacy Protection Agency’s executive director was announced recently, and the agency has issued a call for public comments on initial rulemaking.

These initial actions mark the beginning of a critical rulemaking process and shed some light on the future of this privacy-focused regulatory agency. They also serve as a reminder for businesses subject to California’s privacy laws to pay close attention to any developments that may have impacts on their compliance strategies, as the new rulemaking process aims to both update existing California privacy regulations and adopt new regulations.

Invitation for Preliminary Comments on Proposed Rulemaking

On September 22, 2021, the California Privacy Protection Agency made the first step in a rulemaking process that will have significant impacts on companies’ compliance obligations and released an Invitation for Preliminary Comments on Proposed Rulemaking. At the same time, the Agency pointed out that the request is a preliminary step aimed to assist in developing new regulations, determining whether changes to existing regulations are necessary, and achieving the law’s regulatory objectives in the most effective manner.

The California Privacy Protection Agency asked for comments on all aspects of its rule-making authority under the CPRA, but has specifically requested those concerning the creation of rules for the following subject matters:

  1. processing that presents a significant risk to consumers’ privacy or security, cybersecurity audits, and risk assessments performed by businesses, 
  2. automated decisionmaking,
  3. audits performed by the agency,
  4. consumers’ right to delete, right to correct, and right to know,
  5. consumers’ right to opt-out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information,
  6. consumers’ rights to limit the use and disclosure of sensitive personal information,
  7. information to be provided in response to a consumer request to know, and 
  8. definitions and categories.

In addition to these topics, the public may submit comments on any other area of interest related to the California Privacy Protection Agency. Preliminary comments are due by November 8, 2021.

The request for comments may allow affected businesses to offer practical perspectives on compliance implications as well as on the costs and benefits of different options. Once it publishes a notice of proposed rulemaking, the Agency will invite additional public feedback on any proposed regulations or modifications.

Get an overview of current CCPA requirements to stay aligned with the law, put appropriate mechanisms in place, and prepare for new data privacy laws that may come in the near future.

Appointment of the Executive Director

On October 4, 2021, the California Privacy Protection Agency selected Ashkan Soltani as the new Executive Director to oversee the day-to-day operations of the agency, as well as direct enforcement, rulemaking, and public awareness activities.

As a well-respected privacy and technology expert with experience in the academic and regulatory spaces, Soltani is expected to take an aggressive approach when enforcing privacy regulations and policies. Therefore, companies should take the time to review their current privacy policies in preparation for the January 1, 2023 enforcement date, but also keep watch on any new rulemaking initiated by the California Privacy Protection Agency.

Implementing CPRA Requirements to Ensure Compliance  

Although there is enough time before all aspects of the CPRA take full effect, organizations should prepare the groundwork for CPRA compliance throughout the course of 2021 and 2022. Also, if they have measures for CCPA in place, it is necessary to perform a gap assessment based on the information available regarding the CPRA.  

To ensure implementation of CPRA requirements and stay compliant, organizations can take proactive steps such as: 

  • Use data mapping to identify and document what type of personal information falls under the scope of the CPRA,
  • Include the new and modified consumer privacy rights and related disclosure obligations within privacy notices, and
  • Review data-sharing practices and inform third parties about the necessity to comply with the new regulations.  

Finally, organizations can use proper solutions to automate all core compliance tasks and stay ahead of an ever-changing legal landscape, while showing their users that they take their privacy seriously. 

Understanding the full scope of the CPRA and designing a thoughtful roadmap toward full compliance can help organizations avoid the potential repercussions once this law is fully operative. In addition to this, they will need to pay close attention to the development of new rules from the California Privacy Protection Agency, as they could have effects that reach far beyond current CCPA regulations, and affect the use of algorithms, targeted advertising, and internal compliance procedures.

Ensure effective compliance with different data privacy regulations while making a minimal impact on your company’s operations with a range of industry-leading solutions.
The information contained within this document is general in nature and is not intended and should not be construed as legal, HR, or opinion by Emtpech. Please contact Emptech or another subject matter professional prior to acting on any information provided in this document. We recommend caution when contemplating acting on any information provided in this document as it may not be applicable or suitable for the specific viewer’s needs. Emptech assumes no obligation to update any viewer of any changes in law, rule, or regulation that could affect the information contained herein. Without express written permission from Emptech, no part of this document may be reproduced, retransmitted, or otherwise redistributed in any form or by any means, including, but not limited to photocopying, electronic, facsimile transmission, or using any other information storage and retrieval system.