The Lawfare Podcast: CPPA’s Tom Kemp on Data Brokers, Privacy, and State Enforcement (March 25, 2026)
Episode Overview
In this episode of The Lawfare Podcast, host Justin Sherman speaks with Tom Kemp, Executive Director of the California Privacy Protection Agency (CPPA, or Cal Privacy), about the agency’s pioneering work in state-level data privacy, focusing particularly on California's new data broker regulations, the recently launched Drop system, and strategies for effective state enforcement. The conversation also explores bringing technologists into the privacy field and highlights enforcement priorities, cooperation among states, and the most pressing data privacy trends facing consumers today.
Key Discussion Points & Insights
1. The California Privacy Protection Agency (CPPA): Mission and Scope
- Establishment and Authority:
  - CPPA was created by Prop 24 (2020) to enforce the California Consumer Privacy Act (CCPA) and the California Delete Act (04:06).
  - Unique as the nation's only independent agency devoted solely to privacy, differentiating itself from Attorney General-led privacy enforcement in other states (04:06).
- Six Core Functions (04:06):
  - Rulemaking
  - Promoting public awareness ("raising privacy literacy for consumers")
  - Auditing
  - Enforcement
  - Policy and legislation
  - Administration of the Delete Act
- Notable Quote:
  "In effect, we are the nation's only independent agency focused on privacy, and California is also the first state to have a comprehensive privacy law."
  — Tom Kemp (04:06)
2. The Data Broker Industry and Legislative Evolution
- Definition & Problems:
  - Data brokers are companies that collect and sell personal data without a direct relationship with consumers, often operating "in the shadows" (07:09).
  - Exercising privacy rights was historically burdensome ("20–30 minutes per broker, up to 10 days total") (07:09).
- Legislative History:
  - Vermont passed the first data broker registry law (2018), followed by California’s AB 1202 (2019, effective 2020) (07:09).
  - Introduction of the Delete Act (SB362), moving registry oversight to CPPA and mandating a centralized deletion mechanism (Drop system) (07:09–11:17).
- Notable Quote:
  "Even if you’re given a list of, say, 500 entities that have your information... it may take 10 full days of your time to be able to tell these businesses... to delete your data."
  — Tom Kemp (07:09)
3. The Drop System: One-Stop Data Deletion and Opt-Out Portal
- How It Works:
  - Californians enter basic info in an online portal to submit a deletion/opt-out request (11:36).
  - Data is hashed and matched with broker databases; brokers must delete matched records and keep a suppression list for future matches (11:36–16:48).
  - Starting August 1, 2026, data brokers are required to process requests and provide status updates viewable by consumers (11:36).
- Key Innovations:
  - Reduces the consumer time burden from "up to 10 days" to about 6-8 minutes (11:36).
  - System is "living and breathing," allowing users to update info and check request status (11:36).
  - Over 256,000 Californians have already signed up, despite major deletions not processing until August (16:48).
- Memorable Quote:
  “This really fully enables the exercise of privacy rights at scale by having a one-stop, literally a one-click mechanism to say, please delete my information...”
  — Tom Kemp (16:48)
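The hash, match, delete, and suppress flow summarized under "How It Works", sketched as an added example; it is not code from the CPPA or the Drop system. The normalization rules, the SHA-256 scheme, the `Broker` class, the status strings, and the sample records are all assumptions made for illustration.

```python
import hashlib
import unicodedata

def normalize(value: str) -> str:
    """Canonicalize an identifier so trivially different spellings hash alike."""
    return " ".join(unicodedata.normalize("NFKC", value).casefold().split())

def hash_identifier(kind: str, value: str) -> str:
    # Assumed scheme: SHA-256 over "kind:normalized-value". Plain hashes of
    # e-mail addresses or phone numbers can be reversed by enumeration; this
    # sketch does not address that.
    return hashlib.sha256(f"{kind}:{normalize(value)}".encode("utf-8")).hexdigest()

class Broker:
    """Hypothetical broker-side store: records plus a hash-only suppression list."""

    def __init__(self, records):
        self.records = list(records)
        self.suppressed = set()  # hashes only, so no raw identifiers are retained

    def _hashes(self, record):
        return {hash_identifier(k, v) for k, v in record["identifiers"].items()}

    def process_requests(self, request_hashes):
        """Delete records matching any requested hash and remember the hashes."""
        self.suppressed |= set(request_hashes)
        kept = [r for r in self.records if not (self._hashes(r) & self.suppressed)]
        deleted = len(self.records) - len(kept)
        self.records = kept
        return {"deleted": deleted, "status": "deleted" if deleted else "no_match"}

    def ingest(self, record):
        """Refuse newly acquired data about anyone on the suppression list."""
        if self._hashes(record) & self.suppressed:
            return False
        self.records.append(record)
        return True

# Constructed sample data, not real records.
SAMPLE_RECORDS = [
    {"id": 1, "identifiers": {"email": "Pat.Lee@Example.com ", "phone": "555-0100"}},
    {"id": 2, "identifiers": {"email": "sam@example.org"}},
]

if __name__ == "__main__":
    broker = Broker(SAMPLE_RECORDS)
    request = {hash_identifier("email", "pat.lee@example.com")}
    print(broker.process_requests(request))
    print(broker.ingest({"id": 3, "identifiers": {"email": "PAT.LEE@example.com"}}))
```

Normalizing before hashing is what lets a later record with different casing or spacing still hit the suppression list; without it, a re-acquired copy of the same e-mail address would be ingested again.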
4. Transparency and Data Broker Disclosures
- Expanded Registry Requirements:
  - Brokers must now disclose whether they collect children's, reproductive health, geolocation, gender identity, immigration, or citizenship status information, and whether data is sold to law enforcement, the federal government, or foreign actors (17:43).
- Key Stats (17:43):
  - 580+ registered data brokers (increased from 540 in 2025 and ~450 prior to Kemp's tenure)
  - 110 brokers collect geolocation; 68 collect gender identity; 52 sell to the U.S. federal government; 31 to GenAI developers; 33 to foreign actors
- Impact:
  - Public and civil society groups can filter and assess risks more easily (17:43).
  - Raises awareness about the breadth of sensitive data being collected and sold (17:43).
- Memorable Quote:
  "There’s a lot of people’s sensitive personal information going to places they may not want it to or ever think it would go to."
  — Tom Kemp (24:20)
5. The Importance of Bringing Technologists into Privacy Enforcement
- CPPA’s Approach:
  - Hires technologists (including PhDs) throughout the agency in enforcement, auditing, and product development (26:15).
  - Built the Drop system in partnership with the California Department of Technology, leveraging existing infrastructure for identity verification (26:15).
- Advantages:
  - Greater ability to assess complex data flows, conduct independent technical investigations, and evaluate compliance directly (26:15).
  - Reduces dependence on third-party vendors (32:40).
- Advice for Other States:
  - Strong technical talent is available, especially as demand for PhDs in industry has softened (33:13).
  - CPPA supports and collaborates with the Consortium of Privacy Regulators (now 10 states), with ongoing joint enforcement sweeps and sharing of technical knowledge (33:13).
- Memorable Quote:
  "As an agency... it's nice that... we have just as smart people from a technology side on our side of the fence as they do as well."
  — Tom Kemp (33:13)
6. New Data Broker Registry System
- Features:
  - Launches March 26, 2026 (38:36).
  - Publicly accessible and filterable list with expanded disclosure fields.
  - Integration with Drop: consumers can see which brokers deleted their info or did not find a match; complaints can be filed directly via the portal (38:36).
  - "Sandbox/API" available for data brokers to test the platform (38:36).
- Key Point:
  - Not only about consumer tools, but also about increasing registration, transparency, and broker readiness for the new rules (38:36).
7. Enforcement, Priorities, and Looking Forward
- Recent Enforcement Examples:
  - Broad range: Ford, Honda (auto sector), Tractor Supply, Todd Snyder (retail), a student-targeted firm (44:15).
  - Focus on eliminating friction to exercising privacy rights and mandating changes to business practices (44:15).
  - Enforcement against egregious brokers: Data Masters (banned from the state), a broker selling "scary information" agreed to exit the market (44:15).
- Guidance and Sweeps:
  - Enforcement advisories on data minimization and dark patterns.
  - Participating in joint sweeps on children’s apps/websites and global privacy control compliance (44:15).
- Complaint System & Open Investigations:
  - Receives >150 complaints/week; 100+ ongoing investigations (44:15).
8. Jurisdiction and National Security Considerations
- Foreign Data Sales:
  - Required tracking/survey of sales to foreign actors (51:25).
  - CPPA has full authority to pursue cases involving international companies if Californians’ data is involved (51:25).
- Notable Quote:
  "We can go after global entities because we regulate the collection and use of Californians' data.... All the obligations that are in our law... apply to all businesses."
  — Tom Kemp (51:25)
9. Trends and Over-the-Horizon Risks
- Emerging Risks:
  - Wearables and IoT devices: collecting more sensitive information, including biometrics and neural data.
  - Automated Decision-Making Technologies (ADMT): new regulations effective January 1, 2027 will provide consumers with rights to opt out if ADMTs are used for critical decisions without human intervention (53:56).
- Memorable Quote:
  "Wearables present a risk... collecting sensitive personal information beyond just your jogging route, including biometric and neural data."
  — Tom Kemp (53:56)
Timestamps for Key Segments
- [02:34] — Kemp on CPPA's revolutionary consumer-centric approach
- [04:06] — Six core functions of CPPA
- [07:09] — The challenge of consumer privacy rights and evolution of broker laws
- [11:36] — In-depth breakdown of the Drop System
- [16:48] — Drop’s impact and adoption rates
- [17:43] — Data broker registry, disclosures, and notable findings
- [26:15] — Value and lessons of bringing technologists into privacy agencies
- [33:13] — Practical advice on talent and state collaboration
- [38:36] — The new public data broker registry and complaint process
- [44:15] — Enforcement priorities and major cases
- [51:25] — Jurisdiction over global companies and foreign surveillance concerns
- [53:56] — Over-the-horizon privacy threats (wearables, ADMT)
Notable Quotes & Memorable Moments
- "This really fully enables the exercise of privacy rights at scale by having a one-stop, literally a one-click mechanism..."
  — Tom Kemp (16:48)
- "It's nice that... we have just as smart people from a technology side on our side of the fence as they do as well."
  — Tom Kemp (33:13)
- "There’s a lot of people’s sensitive personal information going to places they may not want it to or ever think it would go to."
  — Tom Kemp (24:20)
- "We can go after global entities because we regulate the collection and use of Californians' data. All the obligations... apply to all businesses."
  — Tom Kemp (51:25)
Thematic Takeaways
- CPPA’s Drop System and expanded registry set a new standard for consumer privacy tools in the US, making data rights scalable, transparent, and accessible.
- State-led enforcement is increasingly collaborative and technically sophisticated, with California spearheading both best practices and interstate cooperation.
- Ongoing vigilance is needed in emerging risk areas like wearables, AI-driven automated decisions, and cross-border data transfers.
- Effective recruitment of technologists into state agencies is possible and crucial for robust enforcement and public protection.
This episode provides essential context for anyone interested in data privacy law, consumer rights, state-level enforcement, or the technical realities of protecting personal data in the modern digital economy.
