Keynote

The New Standard of Privacy: Adapting to Today’s Regulatory Shifts and Tomorrow’s Data Protection Challenges

Tom Kemp Executive Director, CPPA

Join Tom Kemp for a forward-looking discussion on the evolving landscape of data privacy, focusing on California’s emerging regulations and how other states follow. Tom will explore key trends shaping the future of privacy, from enforcement priorities to new legislative efforts, and how businesses can navigate these changes. Daniel Barber will then join Tom for an open Q&A, tackling critical questions about balancing innovation with privacy protection and preparing for the next wave of regulatory shifts.


Tom Kemp: Great. Well, thank you, Daniel. I really appreciate the opportunity to speak with the folks at DataGrail as well as the attendees right here, and thanks for the kind introduction. So, yes, I'm Tom Kemp. I'm the Executive Director of the California Privacy Protection Agency. Because there are so many four-letter acronyms, CCPA, CPRA, CPPA, we're actually now going with a nickname, Cal Privacy. So you may hear me refer to the agency as Cal Privacy through my brief little presentation here.

The interesting thing is that our agency was actually created by the voters here in California with Prop 24 in 2020. That makes us incredibly unique, in that I think we're probably the only privacy law in the United States that was created by the voters. We're focused on implementing, enforcing, and raising awareness of our landmark privacy laws. Today I'll show you how we're trying to make privacy easier for Californians through legislation, rulemaking, enforcement, and public engagement.

If you can go to the next slide, I want to talk about our core focus areas, four of which were actually created by Prop 24, the statute itself, the California Privacy Rights Act, which amended the CCPA. The fifth one was created by a bill passed in 2023 called the Delete Act. I'm going to refer to the system that we're building under it as DROP, which is the Delete Request and Opt-out Platform.

From a policy and legislation perspective, I also should say that most enforcers in other states, like at the attorney general level, just focus mainly on rulemaking and enforcement. But in the statute itself, we're required to do policy and legislation, so we can help support and shape privacy laws that reflect the evolving digital landscape. We can also do public awareness. This is a good example of raising public awareness: we can educate Californians about their privacy rights and how to exercise them, but also educate businesses about their obligations. We do rulemaking, where we're trying to translate the legislation into clear, enforceable regulations, and we also do enforcement. I'll talk a little bit about that. And then finally, as I mentioned before, through SB 362, the California Delete Act, we're building this system that will launch on January 1st and that will enable mass deletions for data brokers.

Next slide, please. I just want to briefly talk about that first category, policy and legislation. We were very active this year, both sponsoring and supporting bills here in California. Probably the one that will impact most folks is the signing by Governor Newsom of AB 566, which is the California Opt Me Out Act. This is going to require all web browsers to offer opt-out preference signals. You may know that as Global Privacy Control; that's one implementation of it. So that feature will be part and parcel of web browsers and available to consumers. We also supported and worked on a bill that amended the Delete Act and provided additional transparency requirements for data brokers. So please expect us to propose, and work with authors in California on, additional legislation on a yearly basis as well.

Next slide, please. Many of you are familiar with our rulemaking work. Our rulemaking first needs to be approved by our independent board, and then from there it goes to the OAL here in California, the Office of Administrative Law, for approval. For the DROP system that was created by the Delete Act, or that we're required to build for the Delete Act, there's a set of regulations that were approved by the board and are now with the OAL for review. But probably most of you are familiar with the proposed regulations that we put forth in the areas of automated decision-making, risk assessment, cybersecurity, insurance, and updates. Those, in fact, were actually approved by the Office of Administrative Law, and portions of the regulations go into effect on January 1st, 2026.

Next slide, please. In terms of actual implementation dates, I just want to make you familiar with the fact that there are some requirements and some specific dates that you need to be aware of. One thing we're going to do here at Cal Privacy is actually hold information sessions to provide more details on how businesses can operationalize these regulations. In the area of cybersecurity, by the way, California will actually lead the nation in terms of our cybersecurity audit requirements; no other state matches what we have. Probably the only one that's close to it is in New York, but that's only associated with financial services firms. This actually applies to all businesses as defined in the CCPA. We have a tiered rollout in terms of the requirement for submitting certification, based on the size of the company. We also have requirements as they relate to risk assessments. Compliance actually begins January 1st, 2026, but you do have time, by April 1st, 2028, to submit the attestation that the risk assessments were completed, and a summary of risk assessment information. And then finally, we also have requirements as they relate to automated decision-making, and compliance starts on January 1st, 2027.

Next slide, please. We've also been very active from an enforcement perspective. We're actually joint enforcers of the CCPA: it's not only Cal Privacy, the agency that I am the executive director of, but also the California Attorney General. So you'll also see enforcement actions from the AG, and their most recent one was for a business called Healthline. Our most recent one was with a retailer called Tractor Supply, and they were required to pay $1.35 million and change business practices. What we found, per the settlement agreement, was that there was a failure to maintain an adequate privacy policy; employment is now, and has been, covered through the CCPA, and so there was an issue of non-conformance with respect to California job applicants and their privacy rights. Then there was a failure to provide effective opt-out mechanisms, including support for the Global Privacy Control. And the final thing that we brought up, and that was part of the settlement, was that there weren't proper contractual safeguards around the disclosure of personal information to third parties.

Another thing that's been going on is that we've been working in concert with other enforcement agencies across the United States. We launched a joint investigative sweep with the Attorneys General of California, Colorado, and Connecticut, so there are four entities looking at that, and we then issued over a half dozen fines to data brokers that failed to meet the legal requirements to register. We also participate in a bipartisan multi-state coalition called the Consortium of Privacy Regulators. These actions reflect our strategic goal to vigorously enforce our California privacy laws and protect Californians from harms.

Next slide. Another thing that we're focused on, which I brought forth in that prior slide, is that we're trying to be aggressive about raising awareness and visibility for consumers so they are able to operationalize their privacy rights. We do have a website, privacy.ca.gov, that provides practical tips for Californians, and we're coming out with a campaign here in California that will educate Californians about their privacy rights as well. As I mentioned before, we will also be doing various evangelism to businesses, to raise awareness and visibility of what their requirements are as they relate to the new set of regulations that passed.

And then finally, on the last slide, just looking ahead to what we're thinking about in 2026: really a major milestone is delivery of the DROP platform. Again, this is a website that gives Californians a secure single portal to delete their data from all registered data brokers. There are currently 535 data brokers, so it's a one-stop shop. That website will go live January 1st, 2026. I know DataGrail has done an amazing job of having such a large audience for today's event, and if you're a Californian or you have relatives in California, definitely have them check out the privacy.ca.gov site starting January 1st and take advantage of this platform. We also have a separate standalone CPPA website alongside our privacy site, and as part of our rebranding we're going to be integrating the websites together. We're doing a website merge. Many of you with companies know that sometimes you upgrade your website and move things around; we're doing the same thing. So everything will be consolidated on a single web platform, which will also include the DROP site.

Then, building upon the success that we had last legislative season, with the signature of some of the bills by Governor Newsom that we supported, we do plan to continue supporting and sponsoring legislation with the California legislature that will strengthen privacy protections. And finally, we continue to plan to work with the Consortium of Privacy Regulators. These are the attorneys general in other states that are responsible for enforcement of their privacy laws, to promote consistency and share best practices.

So that's it for my brief presentation. Daniel, I think you want to ask me some questions? Fire away.
Daniel Barber: Yeah, no, thank you. I appreciate the insight you're providing there, Tom. I think folks are definitely looking for it, and I'm glad you could join us to give a bit of perspective on what you see ahead. With respect to the DROP release, I think this is obviously a major one for next year. Could you share a little bit about how you think about the potential impact on privacy laws in California and where you see that going?
Tom Kemp: Yeah, absolutely. Just as the CCPA was the nation's first comprehensive privacy law, the Delete Act is the world's first law that enables consumers to exercise new data broker deletion rights at scale. One thing I do want to point out is that the deletion that is facilitated through DROP is actually different from the right to delete that you have with the CCPA. It's a different set of requirements, which we put forth both in the statute as well as in the regulations that are in the process of being approved. We really think this is a game changer: it's the ability to exercise privacy at scale for consumers. Professor Daniel Solove, whom probably many of us have read, talks a lot about the individual control model that we have here in the United States, where it unfortunately becomes a set of chores for consumers to have to go to every website or every data broker and make that request. Given that there are hundreds of data brokers, it's not something a consumer can do easily. So what we want to do is facilitate the ability to say, please delete my information and opt me out moving forward. That's really what the DROP platform is. It's being built, and we're going to launch it for Californians on January 1st, and then starting in August the data brokers will also integrate into the site and begin processing the deletion and DROP requests that we have through the actual system itself.
Daniel Barber: Wonderful. Thanks for sharing that. Shifting gears a little bit, obviously there's been a lot of focus on automated decision-making technologies and how those impact privacy. Can you talk a little bit about the regulations there and how you think that relates to the things we're talking about today?
Tom Kemp: Yeah. So Cal Privacy was given the mandate to create ADMT regulations, and ADMT is probably one of the highest-risk AI use cases, right? I don't want to give the impression that Cal Privacy, with the name privacy, is focused on artificial intelligence as it relates to generative AI, et cetera. But clearly a lot of AI use cases, including automated decision-making, utilize and take advantage of personal and sensitive personal information, and that's where we get involved. We're not about doing regulations for the sake of doing regulations. The actual statute itself says you must create these regulations. Same thing with cybersecurity audits as well as risk assessments. These are things that were actually asked for by the voters, and we are required to put them forth.

Now, specific to your ADMT question, these rules apply to businesses that use ADMT to make significant decisions, like whether someone gets a loan, a job, housing, education, or healthcare. Drilling down into a little more detail, again, we have a staggered start date for this, as in the case of cybersecurity and risk assessments. Specific to ADMT, starting January 1st, 2027, businesses must, first, provide clear pre-use notices explaining how the ADMT works and what it's used for; second, offer consumers the right to opt out unless there's a meaningful human review process in place; and third, give consumers the right to access information about how ADMT was used in their case.

These are some of the strongest ADMT governance standards in the country, and they really reflect our leadership here in California in terms of aligning privacy rights with emerging technology. Clearly the CCPA gives consumers privacy rights, and what the voters also said is that we want you to prevent privacy harms as well. So specific to ADMT, the goal here is to ensure that automated decision-making is used responsibly and transparently, in a way that reflects individual rights, not just automating decisions without accountability. That's the thought process. It was a long and careful process; it took four years for us to come out with these regulations. I think in the end we landed at a good place, where it dramatically enhances privacy rights here in California but also facilitates the ability for businesses to operationalize these regulations.
Daniel Barber: Yeah, I appreciate your point on transparency. In terms of data practices, what role do you think businesses should play in educating consumers on their privacy rights?
Tom Kemp: Look, if you look at a lot of the enforcement actions that we're taking, we're basically walking a mile in the consumer's shoes. By the way, we also have a very robust consumer complaint system. Our director of enforcement, Michael Macko, at our last Cal Privacy board meeting said that on average we get 150 consumer complaints a week. That gives you a feel for the volume; we're getting thousands of consumer complaints. And why are consumers complaining? Because, for example, they're trying to exercise their privacy rights and they're stifled. So my recommendation to businesses is, first and foremost, actually wear the consumer hat. Go to your website: can a consumer easily exercise their privacy rights? What we find is that people don't think about that, ironically. So consumers get frustrated, stymied, and they file complaints. In fact, the last enforcement action really started with a consumer complaint from a Californian complaining about the entity that we just recently settled with.

At the same time, you should also be aware that we are evangelizing; we're talking to Californians all the time about their ability to exercise privacy rights, and they expect companies to respect them. So I personally think that for businesses out there, if you take a consumer-centric approach to your website and how you interact, to enable consumers to frictionlessly exercise their privacy rights, you're going to get benefits from it. It builds trust; you could be the good guys by being respectful of consumers' rights. We fundamentally believe that having clear, accessible privacy tools and disclosures could actually be a competitive advantage. And if you're doing the right thing, let consumers know. It builds loyalty. If you're a business, tell people, "Hey, we don't sell your data to data brokers." That's a good thing; that could be a differentiator in the market, right? So transparency should not be seen as a burden but as a way to strengthen your brand and align with growing consumer expectations, because consumers' expectations are dramatically growing, not only in California but as we add more and more other state laws as well.
Daniel Barber: Right. That's a nice segue into the next question I wanted to chat through. How do you think about consumer expectations, and how can privacy laws keep up with the rapid change on the technology front as well?
Tom Kemp: Look, we fundamentally believe that exercising privacy rights should be easy. It shouldn't be buried in legalese, it shouldn't be hidden or covered up with dark patterns, et cetera. The law and the regulations make that quite clear, and we even did an advisory as it relates to dark patterns. Clearly, as technology evolves, privacy protections must evolve with it. That's why we are really focused on enabling consumers to operationalize their privacy and make it useful. People talk about this privacy paradox: oh, people care about privacy but they don't exercise it, and therefore they don't really care about it. No, actually, the statistics show that people do care about it. For example, 9.3 million people in 2020 voted for the California Privacy Rights Act, Prop 24; that is more votes than in any statewide race. It's a top-ten vote getter. And if you look at people exercising Apple's App Tracking Transparency, the adoption rate is in the 70, 80, 90 percent range; I don't know the exact numbers, but it's clearly over 50. So people do care about privacy. But the problem is it's too difficult, and they get frustrated. So we're trying to break that frustration loop. We're doing that with the DROP system for data brokers to facilitate deletions, and we're doing that with Global Privacy Control, or what we call it here in California at Cal Privacy, the opt-out preference signal, to facilitate the ability to opt out and basically send the signal "please do not sell or share my personal information" at scale.
Daniel Barber: Yeah, that makes sense. And I definitely see the same trends in terms of people being passionate about privacy. You touched on AB 566 a little bit there. Would you mind providing a little more color? That's California's Opt Me Out Act. I think that's probably a newer one for folks.
Tom Kemp: Yes. Well, first of all, it is in the law and in the regulations that businesses must respect an opt-out preference signal, and that has been the case historically. So if you're a business, you need to support that, as a mechanism for Californians to say, please do not sell or share my information. But the availability of that signal was somewhat limited. Now, there are some browsers with smaller market share that support sending an opt-out preference signal: there's Brave, there's DuckDuckGo, there's Mozilla, and then there are also plugins associated with, say for example, Chrome on Windows, like the EFF's Privacy Badger. I'm not endorsing any of these things; I'm just giving you some representative examples. But the problem is that on mobile browsers you can't install a plugin, a third-party extension, and on most of the major browsers that consumers use it's not a built-in feature. So we felt that that was harming and holding back Californians' ability to exercise this privacy right. What this does is require all the major internet browsers to include a built-in privacy setting that, again, we call the opt-out preference signal. When you turn this on as a consumer, your browser automatically tells websites you visit, please do not sell or share my personal information. Once you set it, your preference is sent everywhere you go online. As I mentioned before, because of the CCPA, businesses must honor the opt-out preference signal. So this doesn't change the fact that businesses have to honor it, but when it goes into effect, and the browsers have to support it by January 1st, 2027, I think businesses will see a dramatic increase in the volume of signals that they get. That's something they should be aware of, and I'm certainly hoping that some of the major browser vendors actually deploy and upgrade their technology before January 1st, 2027. So you'll probably see some browsers in 2026 that previously didn't support it now support it.
Daniel Barber: Yeah. And I would just say, as a call-out for folks, while we wait for the browsers to update, DataGrail does provide a free tool. It's called the Consent Checker. It tracks whether a site does honor GPC. If you go to our resources section, it's a free tool; you can use the service and check your website. So take a look out for that. Last question for you, Tom. Where do you see state-by-state regulation going? We're in a place where I feel like we've got a patchwork; we've got 20 states, which is pretty tough for businesses. Where do you see things going?
Tom Kemp: Yeah, look, there clearly is not a federal privacy law, so states are kind of forced to lead the way. Just like when it came to data breach notification, California was the first, right? And then 20 years later, the 50th state finally came out with a data breach notification law after California did the initial one. But I want to say that there's actually significant common ground across jurisdictions in the United States, and our statute actually requires us to work towards consistency in privacy protections. We take this very seriously, and in fact Cal Privacy is actively collaborating with other states through forums like the Consortium of Privacy Regulators that I talked about before, to share best practices and promote consistency. What you're seeing is that I don't think I've seen an example of an enforcement action that wouldn't have potentially happened in other states. So there actually is a high degree of consistency in terms of the state laws, in terms of the rights that consumers have. There's a fair degree of consistency in terms of how the regulators are looking to enforce this, and we're talking with each other to make sure we minimize the potential impact.

Now, clearly it would be nice to have a federal law. Our position is to have one that doesn't set a floor, that it should have a high ceiling, to allow entities such as ourselves to continuously innovate, because technology is moving so fast. If you look at the historic federal privacy timeframe, we're still dealing with COPPA version one, you know? And I really think that in the world of artificial intelligence, with how fast technology is moving, you do need the flexibility. So we prefer a high floor versus setting a ceiling in that regard. The other thing is that, as Justice Brandeis said, states are the laboratories of democracy. We're clearly that here in California: the first with the CCPA, the first comprehensive law, the first with the Delete Act, et cetera. It's really cool that we're actually seeing other states looking at our success and wanting to mimic what we're doing. We're certainly open to engaging with other entities, and the statute calls for this, to support having a consistent set of privacy rules and legislation across the United States.
Daniel Barber: Wonderful. Well, thank you so much for joining us, Tom. I'm sure I speak for everyone on the session today, and those that will listen to the recording, when I say we definitely appreciate your perspective on where things are going, the current state, and a bit of insight into what we should expect in 2026 and 2027. Stay tuned for more sessions coming up. Thanks again, Tom, and I'm sure we'll talk again very soon.
Tom Kemp: Thank you so much, Daniel and DataGrail, for hosting me today. Appreciate it.
