It was great to have the opportunity to see new California Privacy Protection Agency (CPPA) Executive Director Ashkan Soltani speak on Oct. 5 at the International Association of Privacy Professionals (IAPP) Privacy. Security. Risk. 2023 conference in San Diego -- and to hear more about the CPPA's approach under his leadership in continuing to roll out and increase enforcement under the California laws, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). In a short time, the CPPA has gotten on its feet and has been rolling out initial draft regulations and guidance, such as on cybersecurity audits and risk assessments.
The agency has also already begun making advances in the enforcement of the legal rights provided to consumers by these new comprehensive privacy laws. The CPPA's initial actions have involved collection of personal information in relation to internet-connected vehicles, but Soltani said at the conference that the agency is also in the early stages of several additional investigations that have not yet been publicly revealed.
Per Soltani, we can expect the CPPA's initial enforcement to match the enforcement priorities it previously set out, placing its focus on privacy notices and policies, the right to delete, and business responses to data subject access requests of consumers seeking to enforce their newly granted privacy rights.
It's been a whirlwind of a few years in the privacy legal space, but as we discuss with clients regularly, we're just in the initial phases of regulators' enforcement of these new laws and the rights they grant consumers. Many businesses remain too far behind the curve and, sooner rather than later, we see that catching up to them in the form of fines and other penalties available under these new laws. It's time for businesses to make building out a sophisticated, compliant, and practical data privacy compliance program a priority.