News & Announcements

This week the Asia Pacific Privacy Authorities (APPA) governance committee voted to admit the California Privacy Protection Agency (CPPA) as a member.

The Asia Pacific Privacy Authorities (APPA) is a principal forum for privacy and data protection authorities. Established in 1992, it provides members the opportunity to share ideas about privacy regulations and new technologies. Member organization also exchange best practices related to the management of privacy inquires and complaints.

“We’re incredibly grateful to be admitted to the APPA to join our Asia Pacific neighbors in our shared mission of Privacy” said CPPA’s Executive Director, Ashkan Soltani. “Technology and data bridges the ocean we share, and we expect our work with APPA’s international membership will benefit all Californians.”

The APPA has approximately 20 members from around the global. CPPA joins the Federal Trade Commission (FTC) as the second member organization from the United States. The CPPA is also a member of the Global Privacy Assembly, an international body of over 130 data protection and privacy authorities.

In 2018, California became the first state to adopt a comprehensive commercial privacy law, the California Consumer Privacy Act (CCPA). In 2020, California voters approved Proposition 24, the California Privacy Rights Act, which created the CPPA, the first data protection authority in the United States vested with the authority to issue regulations, audit businesses’ compliance, and undertake enforcement to protect consumer’ privacy.

Contact: press@cppa.ca.gov

Regulations are effective immediately

SACRAMENTO – The California Privacy Protection Agency (CPPA) marked a historic milestone by finalizing their first substantive rulemaking package to further implement the California Consumer Privacy Act (CCPA), which was approved by the California Office of Administrative Law (OAL). The approved regulations are effective immediately.

“This is a major accomplishment, and a significant step forward for Californians’ consumer privacy. I’m deeply grateful to the Agency Board and staff for their tireless work on the regulations, and to the public for their robust engagement in the rulemaking process,” said Jennifer Urban, Chairperson of the California Privacy Protection Agency Board.

The approved regulations update existing CCPA regulations to harmonize them with amendments adopted pursuant to Proposition 24, the California Privacy Rights Act (CPRA); operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law; and reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand. They place the consumer in a position where they can knowingly and freely negotiate with a business over the business’s use of the consumer’s personal information.

“I’m incredibly impressed with the team and thankful for the Board’s thoughtful guidance,” said Ashkan Soltani, the Agency’s Executive Director. “With the regulations in place, we can now redouble our efforts to promote public awareness of consumers’ rights and businesses’ responsibilities under the law to better ensure that these privacy rights are secured.”

Lisa Kim, the Agency’s Senior Privacy Counsel and Advisor, said: “Once again California is leading the way in protecting consumer’s privacy rights. We are excited to be the first in the nation to implement comprehensive regulations on data minimization and dark patterns. With these protections, consumers can interact with businesses with more confidence and security.”

The Agency filed the final rulemaking package with OAL on February 14, 2023, initiating a 30-business day review period. This followed the CPPA Board’s vote on February 3, 2023 to adopt and approve the Agency’s rulemaking package. The regulations have not changed substantively since the Agency Board voted on modifications made at its October 29, 2022 meeting.

In response to the development, Philip Laird, the Agency’s General Counsel said: “I couldn’t be more proud of this accomplishment. I’m immensely grateful for the legal team’s incredible work.”

The formal rulemaking process began on July 8, 2022, with the publication of the Agency’s notice of proposed rulemaking action in the California Regulatory Notice Register. This followed extensive pre-rulemaking activities, including a series of instructive informational sessions and a set of stakeholder sessions in the spring of 2022, and a request for preliminary comments in the fall of 2021.

The final regulations and supporting materials will be made available on the CPPA website here as soon as they are processed.

To receive updates on the Agency’s rulemaking activity, please sign up for our email list.

Contact: press@cppa.ca.gov

Federal privacy law should be the “floor, not a ceiling”

SACRAMENTO — Today, Governor Gavin Newsom, Attorney General Rob Bonta, and the California Privacy Protection Agency (CPPA) sent a joint letter to Congress opposing preemption language in H.R. 8152, the American Data Privacy and Protection Act (ADPPA). The ADPPA, introduced in the last Congressional session, sought to replace California’s landmark law with weaker protections and could compromise the ability of the California Privacy Protection Agency (CPPA) to fulfill its mandate to protect the privacy of Californians. California today calls on Congress to set the floor and not the ceiling in any federal privacy law, and to allow states to provide additional protections in response to changing technology and data privacy protection practices.

“National data privacy laws passed by Congress should strengthen, not weaken our existing laws here in California,” said Governor Newsom. “As personal data is routinely bought and sold it is critical that consumers have the ability to consent to the sharing of this information, especially in an era where Roe v. Wade has been overturned and access to personal data can be used in legal proceedings. California has been on the leading edge when it comes to creating new digital technology, but we have also coupled these advances with stronger consumer protections. The rest of the nation should follow our lead.”

“There is no doubt that stronger federal action is needed to protect the privacy of Americans, but these actions must not preempt existing protections in place,” said California Attorney General Rob Bonta. “California is at the forefront of privacy in response to quickly changing technology. We urge Congress not to undercut the important protections that have been established through efforts by the states. Any federal law should set the floor, not the ceiling for privacy law.”

Ashkan Soltani, Executive Director of the CPPA, said: “Federal privacy protections cannot come at the expense of Californians and residents of other states that have adopted innovative privacy protections. In the last year alone, California added key new children’s privacy and reproductive privacy legislation to its existing privacy laws. But if ADPPA is adopted in its current form, not only could existing privacy protections be weakened, but it could prevent California legislators, and Californians through the ballot initiative, from passing new protections to address changes in technology. We urge federal legislators to ensure that any federal privacy law allows states to continue to innovate on privacy.”

The joint letter was submitted to the House Energy & Commerce Committee in advance of the Committee’s March 1 hearing, "Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy.” The Committee is expected to reintroduce ADPPA in the new legislative session.

California continues to lead on data privacy, and to adopt laws in response to rapidly evolving technology, with the strongest and most groundbreaking data protections in the nation. Californians currently have robust protections and rights to manage and control the use of their data through the California Consumer Privacy Act (CCPA). As Congress considers adopting ADPPA, California urges changes to the proposed law as the ADPPA in its current form would undermine the CCPA and would hamper state efforts to keep up with and adapt laws to changing technology.

The path forward to a robust data privacy law is one that sets a federal floor, not a ceiling, to allow states to continue to innovate and be nimble in protecting their residents. In the letter, Governor Newsom, Attorney General Bonta, and CPPA urge Congress to make changes to the ADPPA proposal that:

• Allow states to respond to changes in technology and data collection practices to allow rigorous enforcement in those areas most affecting residents, and
• Ensure that the ADPPA is passed without a preemption clause in order to protect critical data privacy protections in state law and preserve California’s authority to establish and enforce those protections.

Last fall, then-United States House Speaker Nancy Pelosi released comments outlining her concerns with ADPPA’s limits on state privacy protections. Governor Newsom, Attorney General Bonta, Assembly Speaker Rendon, and members of the California Senate have also previously released letters raising concerns about ADPPA. On July 19, 2022, Attorney General Bonta led a multistate coalition calling on Congress in its consideration of ADPPA to respect the role of states to enforce and provide for strong consumer privacy laws while advancing legislation enacting long-overdue privacy protections nationwide.

The California Privacy Protection Agency released a letter opposing H.R. 8152 last year, and in September, Agency Chairperson Jennifer Urban published an opinion piece in the San Francisco Chronicle highlighting how the ADPPA could remove existing protections from California consumers.

The California Privacy Protection Agency’s mission is to protect the consumer privacy of Californians. Established in 2020, the Agency is governed by a five-member board that consists of experts in privacy, technology, and consumer rights. The Agency has several responsibilities, such as promoting public awareness of consumers’ rights and businesses’ responsibilities under the CCPA; adopting regulations in furtherance of the CCPA; and beginning July 1, 2023, the Agency is tasked with enforcing the CCPA through administrative enforcement actions. It will share CCPA enforcement authority with the Attorney General.

A copy of the letter can be found here.

The California Privacy Protection Agency (CPPA) today filed its first substantive rulemaking package with California’s Office of Administrative Law (OAL) for review. This is a key step in the process to adopt proposed regulations to implement the California Consumer Privacy Act (CCPA) as amended by Proposition 24, the California Privacy Rights Act (CPRA).

This latest development follows the CPPA Board’s vote on February 3 to adopt and approve the Agency’s rulemaking package, as modified. The Board also voted to direct staff to take all steps necessary to complete the rulemaking process, including the filing of the final rulemaking package with the OAL.

The proposed regulations are not yet in effect. They must first be approved by the OAL, which now has 30 business days to review. More information about the rulemaking process is available on the Agency’s website.

The CPPA began the formal rulemaking process to adopt proposed regulations to further implement the CCPA on July 8, 2022. The proposed regulations (1) update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA; (2) operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law; and (3) reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand.

A copy of the proposed regulations can be found on the Agency’s website.

To receive updates on the Agency’s rulemaking activity, please sign up for our email list.

Contact: press@cppa.ca.gov

Today, the California Privacy Protection Agency (CPPA) issued an Invitation for Preliminary Comments on Proposed Rulemaking on the following topics: Cybersecurity Audits, Risk Assessments, and Automated Decision making. The invitation follows the CPPA Board’s vote on February 3, 2023 to invite pre-rulemaking comments from the public on these topics.

In November of 2020, California voters approved Proposition 24, the California Privacy Rights Act of 2020 (CPRA). The CPRA added new privacy protections to the California Consumer Privacy Act (CCPA), and established a new agency, the CPPA, to implement and enforce the law.

The CPRA amendments to the CCPA direct the Agency to issue regulations requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security to (1) perform a cybersecurity audit on an annual basis; and (2) submit to the CPPA on a regular basis a risk assessment with respect to their processing of personal information. In addition, the CPRA amendments direct the Agency to issue regulations governing access and opt-out rights with respect to businesses’ use of automated decision making technology.

The Agency invites interested parties to submit pre-rulemaking comments on Cybersecurity Audits, Risk Assessments, and Automated Decision making by 5:00 p.m. PT on Monday, March 27, 2023.

More information, including a copy of the invitation is available here.

Contact: press@cppa.ca.gov

The California Privacy Protection Agency (CPPA) Board voted unanimously today to adopt and approve the Agency’s rulemaking package, as modified, to further implement the California Consumer Privacy Act (CCPA). The Board also voted to direct staff to take all steps necessary to complete the rulemaking process, including the filing of the final rulemaking package with the Office of Administrative Law (OAL).

The proposed regulations are not yet in effect. They must first be approved by the OAL, which has 30 business days to review from the date of their submission. More information about the rulemaking process is available on the Agency’s website.

The CPPA began the formal rulemaking process to adopt proposed regulations to further implement the CCPA on July 8, 2022. The proposed regulations (1) update existing CCPA regulations to harmonize them with amendments to the CCPA adopted pursuant to Proposition 24, the California Privacy Rights Act (CPRA); (2) operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law; and (3) reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand.

The CCPA provides Californians with key privacy rights, including the right to know the personal information collected about them by businesses, the right to delete that information, and the right to stop its sale to third parties. In November 2020, California voters approved Proposition 24, the California Privacy Rights Act, which amended and expanded the CCPA, and created the Agency—the first independent data protection authority in the United States—and vested it with the authority to implement and enforce the CCPA.

At today’s meeting, the Board also voted to invite pre-rulemaking comments from the public on cybersecurity audits, risk assessments, and automated decision making. The Agency plans to issue the invitation in the coming weeks. To receive notifications regarding rulemaking activities, please subscribe to our email list here.

Materials from this meeting are available here.

Contact: press@cppa.ca.gov

Founding California Privacy Protection Agency (CPPA) Board Member Chris Thompson has announced that he is departing the Agency Board, effective immediately.

Mr. Thompson made the announcement at the December 16 meeting of the CPPA Board. At the meeting, Mr. Thompson thanked Chairperson Jennifer Urban and the other members of the Board. “I am proud of what we have done together, and I know that you all are going to continue to do great things. I am honored to have had the opportunity to serve on this Board and to get to know and serve with all of you,” said Mr. Thompson.

The CPPA is vested with full administrative authority to implement and enforce the California Consumer Privacy Act, as amended by Proposition 24, the California Privacy Rights Act. The Agency Board consists of five members: two members appointed by the Governor; one member appointed by the Assembly Speaker; one member appointed by the Senate Rules Committee; and one member appointed by the Attorney General.

Chairperson Urban said: “We have been very fortunate to have Mr. Thompson’s expertise, his outlook, and his dedication on the Board. As we’ve moved through startup, development, and building stages, I have especially valued Mr. Thompson’s focus on building an Agency with a strong organizational foundation, including careful attention to culture and values."

Mr. Thompson was appointed to the Agency Board in March 2021 by Governor Gavin Newsom. His formal resignation occurred on December 9, 2022.

Mr. Thompson recently began his new role as Chief of Staff for Los Angeles Mayor Karen Bass. He was previously Senior Vice President of Government Relations at LA28. He held multiple positions at Southern California Edison from 2013 to 2020, including Vice President of Local Public Affairs and Vice President of Decommissioning. Prior to that, he held multiple positions in the U.S. Senate and U.S. House of Representatives.

Contact: press@cppa.ca.gov

Today, the Global Privacy Assembly (GPA) voted to admit the California Privacy Protection Agency (CPPA) as a full voting member. The Global Privacy Assembly is a global forum of over 130 data protection and privacy authorities. Previously known as the International Conference of Data Protection and Privacy Commissioners, it was established in 1979 to help advance privacy by fostering cooperation and information-sharing among privacy authorities across the globe.

The GPA voted to admit the CPPA at the 44th Annual Global Privacy Assembly, “A Matter of Balance: Privacy in The Era of Rapid Technological Advancement,” held in Istanbul, Turkey. CPPA’s Executive Director, Ashkan Soltani, gave a keynote address at the open session portion of the meeting.

In 2018, California became the first state to adopt a comprehensive commercial privacy law, the California Consumer Privacy Act (CCPA). In 2020, California voters approved Proposition 24, the California Privacy Rights Act, which created the CPPA, the first data protection authority in the United States vested with the authority to issue regulations, audit businesses’ compliance, and undertake enforcement to protect consumer’ privacy.

The Agency joins the Federal Trade Commission (FTC) as the second voting member of the GPA from the United States. Observing members from the US include the Consumer Financial Protection Bureau (CFPB), National Telecommunications and Information Administration (NTIA), and the Privacy and Civil Liberties Oversight Board (PCLOB).

Contact: press@cppa.ca.gov

Attorney General Rob Bonta has appointed Alastair Mactaggart to the California Privacy Protection Agency Board.

The California Privacy Protection Agency is governed by a five-member board. Under the Agency’s implementing statute, the Board Chairperson and one Board Member are appointed by the Governor; one Board Member is appointed by the Rules Committee of the Senate; one Board Member is appointed by the Speaker of the Assembly; and one Board Member is appointed by the Attorney General.

Mr. Mactaggart will begin his duties immediately.

Mr. Mactaggart replaces Board Member Angela Sierra, who has played a key role in establishing the CPPA since her appointment by Attorney General Xavier Becerra. She will begin a new role as a member of the State of California’s Racial and Identify Profiling Advisory (RIPA) Board.

“It is with tremendous gratitude that we say goodbye to Angela Sierra. She has been an exemplary asset, providing sound advice and devoting countless hours to help build the Agency. The Agency, and all Californians, will remain indebted to her for her work to advance consumer privacy,” said Executive Director Ashkan Soltani.

Prior to her work on the Board, Ms. Sierra served as Chief Assistant Attorney General of the California Department of Justice’s Public Rights Division, overseeing the work of the Division’s over 400 employees in areas related to safeguarding civil rights, protecting consumers against misleading advertising claims, fraudulent business practices and privacy violations, maintaining competitive markets, protecting consumers’ health care rights, preserving charitable assets and safeguarding the State’s natural resources and environment.

Contact: For inquiries regarding Attorney General Bonta’s appointment, please contact agpressoffice@doj.ca.gov. For inquiries about the Agency’s work or the Board, please contact press@cppa.ca.gov.

SACRAMENTO – California Privacy Protection Agency Executive Director Ashkan Soltani released the following statement commending United States House Speaker Nancy Pelosi for her comments on the American Data Privacy and Protection Act (ADPPA), highlighting concerns with ADPPA’s limits on state privacy protections.

“The California Privacy Protection Agency applauds Speaker Pelosi’s commitment to ensuring strong privacy protections, in California and across the country. We look forward to working with the Speaker and Chairman Pallone to ensure that any federal privacy legislation sets a true floor for privacy protections and preserves the key role of the states to innovate, particularly in response to rapidly evolving threats to privacy.”

In July, the California Privacy Protection Agency Board voted unanimously to oppose as currently drafted proposed federal privacy legislation that seeks to significantly weaken Californians’ privacy protections by pre-empting the California Consumer Privacy Act and other state privacy laws. Governor Gavin Newsom, Assembly Speaker Anthony Rendon, Senate President Pro Tempore Atkins and California Attorney General Rob Bonta have all also raised concerns regarding the broad preemption language in the bill.

CPPA Board Member Lydia De La Torre stated: “Preemption to me doesn't really align with ensuring that Californians or, for that matter of residents of any state, enjoy the highest possible privacy protections.” “This is particularly concerning to me in an era... where Roe has been repealed.”

Contact: press@cppa.ca.gov

SACRAMENTO — Today, the California Privacy Protection Agency sent a letter to House Speaker Nancy Pelosi and Minority Leader Kevin McCarthy opposing H.R. 8152, the American Data Privacy and Protection Act (ADPPA).

The bill, which advanced out of the House Energy and Commerce Committee last month, seeks to replace California’s landmark law with weaker protections and compromises the ability of the newly-founded California Privacy Protection Agency (CPPA) to fulfill its mandate to protect the privacy of Californians.

On July 28, 2022, the CPPA Board voted unanimously to oppose ADPPA and any other bill that seeks to preempt the California Consumer Privacy Act (CCPA). The Board, however, voted to support a privacy framework that would set a “true floor” on privacy and allow states to further innovate on those protections. Governor Newsom, Assembly Speaker Rendon, ten attorneys general, including California’s Rob Bonta, and members of the California Senate have also released letters raising concerns about ADPPA.

The CPPA, created and funded in 2020 by the California voters, is the first data protection authority in the United States, and has as its the sole focus the protection of California residents’ privacy rights. Led by a five-member Board, it is vested with the authority to issue regulations, audit businesses’ compliance, and undertake enforcement to protect Californians’ privacy.

Ashkan Soltani, Executive Director of the CPPA, said: “Americans deserve more than ADPPA. In an era in which Roe v. Wade has been overturned, Americans need the ability to have meaningful protections over sensitive information that can be used to incriminate them. Yet ADPPA would remove important safeguards that are already available to Californians today and tie the hands of states from improving privacy protections in the future. We urge lawmakers to focus their efforts on ensuring that any privacy legislation follows the model of other federal privacy laws and sets a floor, not a ceiling, on privacy rights.”

California Representatives Eshoo and Barragán, both members of the House Energy and Commerce Committee, voted against ADDPA at last month’s markup. Every member of the California delegation voted in favor of an amendment that would allow the states to pass stronger laws — which Rep. Eshoo proposed.

Contact: press@cppa.ca.gov

SACRAMENTO –The California Privacy Protection Agency Board voted unanimously today to oppose as currently drafted H.R. 8152, the American Data Privacy and Protection Act (ADPPA), proposed federal privacy legislation that seeks to significantly weaken Californians’ privacy protections by pre-empting the California Consumer Privacy Act and other state privacy laws.

The Board also voted to oppose any bill that similarly threatens crucial privacy protections for Californians but, via a third motion, left room for the Agency to support federal privacy legislation that provides a “true floor” that allows states to implement stronger protections.

ADPPA was advanced by the House Committee on Energy & Commerce on July 20, 2022. Governor Gavin Newsom, Assembly Speaker Anthony Rendon, and California Attorney General Rob Bonta have all submitted letters critical of the broad preemption language in the bill. While ADPPA would extend privacy rights in states where they do not currently exist, most protections Californians currently enjoy under the CCPA would likely be preempted, including, notably, the CCPA’s constitutionally-protected “floor” for privacy protections, California’s ability to strengthen the law in the future, and the Agency’s ability to protect Californians’ privacy rights under the California law. Agency staff outlined the impact that the bill would have on Californians in a memo released on Tuesday.

Chairperson Jennifer Urban stated: “Californians for 50 years, at least, have enjoyed privacy rights in our Constitution and have continuously built on those.” “States need to be able to be responsive and California, in particular...needs to be aware of its protections via the floor, and we should take every step we can to make sure that Californians don't lose that protection.”

Board Member Chris Thompson stated: “It appears to me that there is a false choice in this bill that....the strong rights of Californians (and others) have to be taken away in order to provide weaker rights federally.” “There is an alternative. We can have both. We can have a federal floor that enables states to continue to innovate in this policy area.” “[W]e need to be able to continue to act to protect Californians’ rights and to drive forward and adapt to other technological standards of technological innovation.”

Board Member Angela Sierra stated: “States are in the best position to really react and address to changes in technology.” “There is room for federal legislation, but at the same time allowing the States to be able to address what is going to be very important.”

Board Member Lydia De La Torre stated: “Preemption to me doesn't really align with ensuring that Californians or, for that matter of residents of any state, enjoy the highest possible privacy protections.” “This is particularly concerning to me in an era... where Roe has been repealed.“

Board Member Vinhcent Le stated: "Pre-emption would mean that California no longer have the right to opt out of automated decision making or to get meaningful information when an automated system profiles them or makes a high stakes decisions around who has access to jobs, healthcare, credit, housing, you name it." “While I am excited about the prospect of a national privacy law, I believe it does not need to come at the expense of the privacy rights we have here in California.”

An archived video of the meeting is available here. Contact: press@cppa.ca.gov

Sacramento, CA - The California Privacy Protection Agency Board ("Board") will be holding a Special Meeting on Jul 28, 2022 pursuant to Government Code 11125.4 to Discuss and Take Possible Action on Proposed Federal Privacy Legislation, Including the American Data Protection and Privacy Act and Similar Legislation. Information on how to attend the meeting and the meeting agenda can be found on the California Privacy Protection Agency's site at https://cppa.ca.gov/meetings/

Agency to hear public comment at hearing on August 24 and 25 as part of rulemaking process

The California Privacy Protection Agency today began the formal rulemaking process to adopt proposed regulations implementing the Consumer Privacy Rights Act of 2020 (CPRA), a law amending and building on the California Consumer Privacy Act (CCPA). The CPRA amendments to the CCPA give California residents new rights over the personal information that covered businesses maintain about them. The proposed regulations (1) update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA; (2) operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law; and (3) reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand.

A copy of the proposed regulations and supporting documents can be found on the Agency’s website at https://cppa.ca.gov/regulations/consumer_privacy_act.html. A hearing on the proposed regulations will occur on August 24 and 25, 2022 at 9:00 am Pacific Time. Media and members of the public are encouraged to RSVP via the link above.

Persons who wish to submit written comments on the proposed regulations must submit them by August 23, 2022 at 5 pm Pacific Time. Comments can be submitted by email to regulations@cppa.ca.gov or by mail to The California Privacy Protection Agency, Attn: Brian Soublet, 2101 Arena Blvd., Sacramento, CA 95834. Please note that any information provided is subject to public disclosure.

The new California Privacy Protection Agency began an important new chapter on April 21, 2022, when rulemaking authority under the California Consumer Privacy Act (CCPA) formally transferred to the Agency, pursuant to the CCPA, as provided for by the California Privacy Rights Act of 2020 (CPRA).

On May 5, 2022, the Agency marked another key milestone when the California Office of Administrative Law (OAL), pursuant to Section 100 of OAL’s regulations, approved the transfer of the existing CCPA regulations to Title 11, Division 6, a new division of the California Code of Regulations that is under the jurisdiction of the Agency. While these amendments are non-substantive and merely renumber the existing CCPA regulations, they represent the beginning of the Agency’s rulemaking role.

First adopted in 2018 and effective January 1, 2020, the CCPA provides Californians with key privacy rights, including the right to know the personal information collected about them by businesses, the right to delete that information, and the right to stop its sale. In November 2020, California voters approved Proposition 24, the California Privacy Rights Act, which created the Agency—the first independent data protection authority in the United States—and vested it with the authority to implement and enforce the CCPA.

These milestones mark the Agency’s latest step toward its first formal rulemaking. The Agency began preliminary rulemaking last year, when it collected hundreds of pages of written pre-rulemaking comments from the public. These comments are available here. Last month, the Agency Board held two days of pre-rulemaking Informational Sessions. Transcripts are available here. Earlier this month, the Agency welcomed comments from the public over three days of pre-rulemaking Stakeholder Sessions. Videos are available here.

The Agency will take its next step toward formal rulemaking on May 26, 2022, when its five-member Agency Board is expected to meet to consider a proposed course of action for the upcoming rulemaking process. Information about the meeting is available here. More information about the Section 100 transfer can be found here, which includes an explanatory statement and a chart that explains the renumbering.

The text of the current CCPA regulations is available here.

SACRAMENTO – The California Privacy Protection Agency has selected Ashkan Soltani as the Agency’s new Executive Director. He began his duties today.

As Executive Director, Soltani will carry out the day-to-day operations of the Agency, which is governed by a five-member board which will implement and enforce the California Consumer Privacy Act of 2018 (CCPA) including Proposition 24, the California Privacy Rights Act of 2020 (CPRA), which created the Agency. He will also oversee enforcement activities, rulemaking, and public awareness, and will build and lead the Agency staff.

Among his other accomplishments, Soltani was an architect of both measures and is considered one of the country’s leading experts on privacy and security.

“We are thrilled to have Ashkan join the California Privacy Protection Agency,” said Agency Board Chair Jennifer Urban. “His background in technology and privacy, and his work on both the CCPA and the CPRA give him a thorough understanding of California privacy law and will stand him in good stead as he leads Agency staff and helps the Agency fulfill its privacy protection mandate.”

“California is leading the way when it comes to privacy rights and I’m honored to be able to serve its residents,” said Soltani. “I am eager to get to work to help build the Agency’s team and begin doing the work required by CCPA and the CPRA.”

Soltani is a Distinguished Fellow at the Georgetown University Law School at both the Institute for Technology Law and Policy and the Center on Privacy and Technology. He previously served as a Senior Advisor to the U.S. Chief Technology Officer in the White House Office of Science and Technology Policy under the Obama Administration, and as the Chief Technologist for the Federal Trade Commission, where he helped create the Office of Technology Research and Investigation.

He was also recognized as part of the 2014 Pulitzer Prize winning team for his contribution to the Washington Post’s coverage of national security issues, and has served as the primary technical consultant on the Wall Street Journal’s investigative series “What They Know,” which was a finalist for a 2012 Pulitzer Prize.