The agency “will be subject to a certain amount of political pressure,” said Tracy Rosenberg, the executive director of the nonprofit Media Alliance, a Bay Area public interest group, who also works with Oakland Privacy, a community group. “We don’t really know how the governor and Legislature are going to react if there is pushback because of actions the agency takes.”
The agency’s proponents said its independence was protected in part by its structure, with unpaid board members appointed separately by different elected officials. Mr. Soltani described the initial funding as “like the ante in a poker game” because voters have “bought in” for at least $10 million, but said the Legislature could give more.
The agency’s first task will be to turn the state privacy law, which is broad, into detailed regulations for industry. That runs the gamut, from how data is used for targeted ads to more novel areas of the law, like how algorithms use personal information to make automated decisions. The law also demands that businesses adhere to the privacy preferences that online users set in their browsers; it is up to the agency to decide what that means in practice.
Eventually, the agency will have the ability to enforce its rules. Businesses may also be required to submit audits of their cybersecurity risk to the agency. It has asked for input on what, exactly, those audits should include.
The agency has asked the public, nonprofits and businesses to submit comments to guide its initial rules. Privacy activists and industry groups have filed hundreds of pages of comments, trying to sway the agency’s decisions. Google, for example, asked the regulator to write rules that provide “flexibility for businesses to respond to consumer requests in a manner that prioritizes substance over form” and to line up with privacy laws in other states.
A Google spokesman, Jose Castaneda, said in a statement that the company advocated national privacy legislation and as “the California Privacy Protection Agency continues its work, we will continue to constructively engage to ensure we protect our users’ privacy.”
The Privacy Protection Agency’s board announced in February that it would hold workshops, likely this month, for more commentary from privacy experts and academics. At a meeting that month, Mr. Soltani said the group was likely to issue its first regulations later in the year so it could balance hiring a staff with the complex questions it had to address.
“We’re building the car while we drive it,” he said.
