How California is Building the Nation’s First Privacy Police

by David McCabe. Originally published in the NY Times

Ashkan Soltani, the head of California’s new online privacy regulator, needed help launching the first agency of its kind in the United States. So he called the state’s Horse Racing Board.

Soltani asked Scott Chaney, executive director of the racing board, which oversees roughly 10 racetracks, about the ins and outs of running a small agency in California’s sprawling state government. They discussed how to handle remote work and hiring in the pandemic. Chaney also offered advice for navigating the public sector.

Soltani is “literally inventing a state department,” Chaney said. “He’s almost inventing it from the ground up.”

Soltani faces the daunting task of overseeing the first government body in the United States with the sole job of regulating how Google, Facebook, Amazon and other big tech companies collect and use data from millions of people. The office, the California Privacy Protection Agency, will be a more than 30-person group with a $10 million annual budget to help enforce the state’s privacy law, which is among the most stringent in the country.

But first the agency has to be built — and Soltani, 47, a privacy expert who once served as the Federal Trade Commission’s top technologist, has to overcome the lack of precedent. So he has reached out to groups not exactly adjacent to what his agency will be, like the racing board and others, for help navigating his new position.

He has already encountered challenges. He and his colleagues have received reams of feedback from industry lobbyists. They face questions from privacy activists about whether their budget is substantial enough to police the world’s largest companies. The board discussions need to be open to the public. And in the coming months, they must translate the feedback they have received into hard rules.

“It’s easily the most difficult thing I’ve done in my life, but also I think potentially the most impactful,” said Soltani, who has been working from his home in Oakland, California.

The new California agency reflects a larger shift in how the rules of the global internet are being set — and who is setting them. State capitals and foreign countries are taking a hands-on approach to limiting online data collection, curtailing the tech giants’ power and moderating extreme content on social media.

They are filling a vacuum left by Congress. Lawmakers from both parties have long said they would support a national privacy law. But negotiations in Washington have stalled, partly because of a dispute over whether a federal law should supersede state laws. Like California, Colorado and Virginia have enacted privacy laws. Utah passed a privacy bill this month and other states are considering their own proposals.

Hayley Tsukayama, a legislative activist at the Electronic Frontier Foundation, said lawmakers around the country were closely watching California’s developments.

“We’re hearing from lawmakers who are looking at bills and saying, ‘Do we need a privacy agency?’ ” she said.

California’s Privacy Protection Agency stems from a 2018 state privacy law that gives residents the right to request their data from websites and have it deleted. The state attorney general was put in charge of creating rules under the law and suing companies that violated its terms. In 2020, privacy activists successfully campaigned to pass a ballot measure that added more provisions to the law and established the new agency to carry them out.

“We have the opportunity to protect privacy, understanding how that interacts with all of the innovative technologies that we’ve built here in California,” said Jennifer Urban, a law professor at the University of California, Berkeley, whom Gov. Gavin Newsom tapped to lead the new agency’s five-member board.

The board began meeting last year to discuss building the Privacy Protection Agency from scratch. In October, it hired Soltani, who has won a Pulitzer Prize, as the agency’s executive director.

Soltani soon went on a listening tour. In addition to the horse racing regulator, he talked with California’s Department of Justice, its consumer finance regulator and the state medical board. He also spoke with contacts involved in setting up federal agencies.

Soltani initially worked with staff members who were borrowed from other state agencies. The agency’s acting top lawyer previously was at the Department of Motor Vehicles, where he helped write rules for autonomous vehicles.

Hiring is now a big focus for the agency. The agency has posted jobs for a permanent general counsel, a director of public affairs and a senior policy adviser. It has told the state Legislature that it hopes to pay roughly 34 employees in the coming year.

The effort has attracted global interest. Wojciech Wiewiorowski, the European Data Protection Supervisor, said he spoke with Soltani this year and saw the California agency — with Silicon Valley in its backyard — as a potentially fruitful ally to rein in the tech giants.

Soltani also discussed the agency with President Emmanuel Macron of France and other officials at a dinner last year in Paris.

Cédric O, France’s secretary of state for the digital economy, who attended the meeting, said the country was “following with great interest what’s happening in California.” He said that he had spoken with Soltani and that the two had compared notes on tech regulation.

California’s approach will test whether having an agency solely for policing online privacy can make the United States a tougher regulator of tech giants.

Dedicated data protection agencies are the norm in Europe, where they enforce the bloc’s General Data Protection Regulation, which mandates how websites can collect data from users. But reviews of how these groups have enforced the law have been mixed. Critics have said European governments lack the resources to take on Google, Amazon and others.

California faces similar doubts. The new agency’s $10 million annual budget pales in comparison with Google’s $76 billion in profit last year. And many tech companies that could be in its sights are enmeshed in the state’s economic fortunes and political machinations.

The agency “will be subject to a certain amount of political pressure,” said Tracy Rosenberg, executive director of the nonprofit Media Alliance, a San Francisco Bay Area public interest group, who also works with Oakland Privacy, a community group. “We don’t really know how the governor and Legislature are going to react if there is pushback because of actions the agency takes.”

The agency’s proponents said its independence was protected in part by its structure, with unpaid board members appointed separately by different elected officials. Soltani described the initial funding as “like the ante in a poker game” because voters have “bought in” for at least $10 million, but said the Legislature could give more.

The agency’s first task will be to turn the state privacy law, which is broad, into detailed regulations for industry. That runs the gamut, from how data is used for targeted ads to more novel areas of the law, like how algorithms use personal information to make automated decisions. The law also demands that businesses adhere to the privacy preferences that online users set in their browsers; it is up to the agency to decide what that means in practice.

Eventually, the agency will have the ability to enforce its rules. Businesses may also be required to submit audits of their cybersecurity risk to the agency. It has asked for input on what, exactly, those audits should include.

The agency has asked the public, nonprofits and businesses to submit comments to guide its initial rules. Privacy activists and industry groups have filed hundreds of pages of comments, trying to sway the agency’s decisions. Google, for example, asked the regulator to write rules that provide “flexibility for businesses to respond to consumer requests in a manner that prioritizes substance over form” and to line up with privacy laws in other states.

A Google spokesperson, Jose Castaneda, said in a statement that the company advocated national privacy legislation and as “the California Privacy Protection Agency continues its work, we will continue to constructively engage to ensure we protect our users’ privacy.”

The Privacy Protection Agency’s board announced in February that it would hold workshops, likely this month, for more commentary from privacy experts and academics. At a meeting that month, Soltani said the group was likely to issue its first regulations later in the year so it could balance hiring a staff with the complex questions it had to address.