The California Privacy Protection Agency’s new executive director Ashkan Soltani is uniquely poised to tackle enforcement and rulemaking for The Golden State’s landmark privacy laws despite steep time and staff constraints, attorneys and privacy professionals say.
Soltani, a former Federal Trade Commission official with deep knowledge of the technology industry, is tasked with promulgating regulations under the California Privacy Rights Act, a directive he must tackle while also adding employees to the still-nascent agency. He was named executive director Monday.
But that “tall order” can be adeptly tackled when the agency is led by someone like Soltani, who has substantial regulatory experience, said Odia Kagan, a partner at Fox Rothschild LLP in Philadelphia.
“If you understand how the technology works and the interplay between tech and privacy principles, the regulations or guidance you draft have a much higher chance of making sense and being workable,” Kagan said. “In Europe, there have been situations where the guidance or the expectations don’t match the reality of the tech, so having someone who really knows privacy and technology is really important.”
Soltani didn’t respond to a request for comment.
Formerly chief technologist for the FTC, Soltani has an intimate understanding of how technology works, which is critical for laws such as the California Consumer Privacy Act and the California Privacy Rights Act, said John Davisson, senior counsel at the Electronic Privacy Information Center.
And as one of the architects of the CCPA and CPRA, Soltani understands firsthand the nuances and gray areas present in those statutes, allowing him to effectively craft rules that clarify some of the uncertainties, Davisson said.
“It’s going to require the right combination of technical knowledge and lawmaking ability, and bringing those two tracks together is something that Ashkan is very well suited to do,” he said.
There’s a “broad spectrum” of areas for which rules must be promulgated under the CPRA, said Greg Szewczyk, a partner at Ballard Spahr LLP in Denver. That includes topics ranging from dark patterns to sensitive personal information to cybersecurity audits and risk assessments.
Soltani’s previous agency experience gives him a deep understanding of the “nuts and bolts” of both the law and agency operations and will allow him to more effectively issue regulations, Szewczyk said.
The agency will have the ability to launch investigations and conduct enforcement actions against companies that fail to follow California’s consumer privacy laws. Soltani’s extensive experience and independent research into topics such as online cookies and behavioral advertising could signal a willingness to go after companies that violate the law with those technologies, Szewczyk said.
“Reading the tea leaves, there’s going to be a big focus on ad tech,” he said. “His appointment signals that there will likely be a strong enforcement effort by someone who has the bona fides of consumer advocates.”
Large social media and tech companies such as
Soltani in testimony before the U.S. Senate Committee on Commerce, Science, and Transportation last month name-dropped those companies and detailed how he’d helped bring successful cases against them while at the FTC.
“He explicitly mentions Big Tech several times,” Krasnow said. “It makes you wonder whether those companies will also be an enforcement priority at the new agency.”
In issuing regulations for a technically complex privacy law, Soltani must do so while crafting a team and building a first-of-its-kind regulator in the U.S., Davisson said.
“There’s a whole lot to do in a year, and the agency isn’t even remotely staffed,” he said. “You’re building the airplane as you’re flying.”
Data protection authorities in Europe also have had challenges with staffing, Kagan said, and building a new agency from the ground up won’t be easy. But Soltani can take some comfort from the precedents established in Europe and draw inspiration from what data protection authorities did overseas to establish their teams, she said.
In the end, how successful the agency will be at reining in unlawful data privacy practices may depend in how it gets off the ground, Szewczyk said.
“What goes on in the first year is going to have a big impact on where things are in five years,” he said.