California’s Privacy Protection Agency Takes Key Steps Towards a New Era of Regulation and Enforcement

by Joshua M. Deitz

While California’s Consumer Privacy Act (“CCPA”) only came into effect January 1, 2020, businesses operating in California have already seen a half dozen revisions and regulatory schemes, with the promise of new amendments and regulations set to come online on January 1, 2023. One area of uncertainty has been the creation of the California Privacy Protection Agency (“CPPA”), a dedicated consumer privacy protection agency, which was established by the passage of the California Privacy Rights Act (“CPRA”) in November 2020.

The CPPA is due to take on enforcement and regulatory responsibilities for the CCPA from California’s Attorney General when the CPPA is fully staffed. The CPPA will have a $10 million budget, over two times the budget that the Attorney General has dedicated to CCPA investigation and enforcement. The CPPA will borrow the current staff working on CCPA issues from the Attorney General until the agency hires its own workforce.

With CCPA’s enhanced budget for enforcement, businesses in California will soon be scrutinized for compliance more than ever. We recommend evaluating internal policies and systems now, before a business is subject to an investigation.

The CPPA’s Board Has Appointed its First Executive Director

On March 17, 2021, Governor Gavin Newsom appointed the five members of the CPPA board. Those board members have now appointed the CPPA’s first Executive Director, Ashkan Soltani. Mr. Soltani was deeply involved in drafting both the CCPA and CPRA, served as Chief Technologist for the Federal Trade Commission, and served as a Senior Advisor to the U.S. Chief Technology Office in President Obama’s Administration. Mr. Soltani’s background in privacy and cybersecurity previews an aggressive new role for the CPPA in driving consumer privacy regulations and enforcement forward in California.

Mr. Soltani will now be responsible for staffing the CPPA with officers, attorneys, and other employees to begin ramping up the CPPA’s regulatory and enforcement responsibilities. This includes hiring a Chief Privacy Auditor to conduct audits of businesses covered by the CCPA in order to ensure compliance. As the CPPA will have double the resources of the Attorney General’s privacy unit, it is likely that CCPA enforcement activities will increase substantially. Businesses that have been slow to comply with the CCPA will likely face investigation letters and potential enforcement activities if they remain out of compliance.

CPPA Invites Public Comment for Upcoming Regulatory Additions and Changes

On September 22, 2021, the CPPA opened public comments for the CPPA’s initial round of rulemaking. While the CPPA has broad rulemaking authority over the CCPA, and there are several regulatory areas that are likely to see changes, the CPPA has focused on eight topics for this next round.

  1. Processing that Presents a Significant Risk to Consumers’ Privacy or Security: Cybersecurity Audits and Risk Assessments Performed by Businesses
  2. Automated Decision-making technology – access and opt-out rights
  3. CPPA Audits of business compliance
  4. Enhancing Consumers’ rights to Delete, to Correct, and to Know what information a business maintains about them.
  5. Consumers’ Rights to Opt-Out of the Selling or Sharing of Their Personal Information and to Limit the Use and Disclosure of their Sensitive Personal Information
  6. Consumers’ Rights to Limit the Use and Disclosure of Sensitive Personal Information
  7. Information to Be Provided in Response to a Consumer Request to Know (Specific Pieces of Information)
  8. Updating Definitions and Categories covered by the CCPA

As the CPPA staffs up, these comments will provide ballast for the CPPA’s initial rulemaking, but should be seen as an opening salvo in what is likely to be multiple rounds of regulations on the various subjects covered by the CCPA, many of which remain relatively unsettled.

The CCPA Will Undergo Significant Changes on January 1, 2023

When the CPRA becomes effective on January 1, 2023, the CCPA landscape will change even more dramatically. The CPRA establishes new rights for consumers, extends those rights to employees and job applicants, and creates new obligations for businesses. The CPRA requires businesses to provide additional security for “sensitive personal information,” and provides consumers with specific rights related to that information. In addition, consumers will gain enhanced rights to control their personal information, including the right to correct information, and the right to access and opt out of automated decision-making technology.

One of the most significant changes for businesses is that the existing exception for employees and job applicants will expire, giving those individuals the same rights as other consumers. Businesses will have to implement new policies and procedures to provide these rights to employees, job applicants, independent contractors, and other similarly situated individuals.

How We Can Help Your Company

With CCPA’s enhanced budget for enforcement, businesses in California will soon be scrutinized for compliance more than ever. We recommend evaluating internal systems now, before a business is subject to an investigation. RJO’s Cybersecurity and Privacy Group is dedicated to helping our clients work through the changing landscape of the CCPA and other privacy legislation and regulations, and can provide customized and practical assistance with data privacy preparation and compliance efforts.

Rogers Joseph O’Donnell specializes in working with corporate and business clients on compliance with complex laws and regulations that impact their business. RJO’s Cybersecurity and Privacy Group is comprised of experienced attorneys from each of its other practice areas, allowing us to understand and tailor our work to our clients’ business needs. For compliance advice or defense of claims, contact any of the Practice Group Chairs or the authors of this article at


