This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
| 1 minute read

'California Privacy Protection Agency's Vigilant Stance: The Dawn of a New Era of Privacy Enforcement'

It was great to have the opportunity to see new California Privacy Protection Agency (CPPA) Executive Director Ashkan Soltani speak on Oct. 5 at the International Association of Privacy Professionals (IAPP) Privacy. Security. Risk. 2023 conference in San Diego -- and to hear more about the CPPA's approach under his leadership in continuing to roll out and increase enforcement under the California laws, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). In a short time, the CPPA has gotten on its feet and has been rolling out initial draft regulations and guidance, such as on cybersecurity audits and risk assessments.

The agency has also already begun making advances in the enforcement of the legal rights provided to consumers by these new comprehensive privacy laws. The CPPA's initial actions have involved collection of personal information in relation to internet-connected vehicles, but Soltani said at the conference that the agency is also in the early stages of several additional investigations that have not yet been publicly revealed. 

Per Soltani, we can expect the CPPA's initial enforcement to match the enforcement priorities it previously set out, placing its focus on privacy notices and policies, the right to delete, and business responses to data subject access requests of consumers seeking to enforce their newly granted privacy rights.

It's been a whirlwind of a few years in the privacy legal space, but as we discuss with clients regularly, we're just in the initial phases of regulators' enforcement of these new laws and the rights they grant consumers. Many businesses remain too far behind the curve and, sooner rather than later, we see that catching up to them in the form of fines and other penalties available under these new laws. It's time for businesses to make building out a sophisticated, compliant, and practical data privacy compliance program a priority.

On 28 Aug., the California Privacy Protection Agency released its initial draft regulations for cybersecurity audits and risk assessments. The CPPA has not yet commenced its formal rulemaking process for these regulations, which will assuredly undergo several rounds of revision. Once finalized, businesses will be required to perform annual cybersecurity audits and regularly submit risk assessments to the CPPA regarding their processing of personal information. Businesses will undoubtedly be monitoring the future development and implementation of these regulations.

Tags

data privacy, privacy, cybersecurity