
Warby Parker / Siemens Advertiser
Taking care of your eyes shouldn't be a hassle. That's why Warby Parker is a one-stop shop for all your vision needs. Our prescription glasses and sunglasses are expertly crafted and unexpectedly affordable. Stop by a nearby store or use our app to virtually try on frames and get personalized recommendations. Did we mention we offer eye exams and take vision insurance too? For everything you need to see, head to your nearest Warby Parker store or visit warbyparker.com today. That's warbyparker.com. Want to turn your timeline
Tom Kemp
into a fast lane? Digital twin it to outpace the field with fast and confident decisions. Transform the everyday with Siemens.
Podcast Host / Advertiser
You know, folks, when I started the Lawfare podcast, it was kind of terrifying. You know, I didn't really know how to podcast anything. I had no idea if anybody was going to listen to it. What if people think it's dumb? What if I make an idiot of myself? Over time the thing has proven the test of time. It has a listenership, but it was a really scary moment, and I know it is for others, and that it helps when you have a partner like Shopify on your side to help. What is Shopify? Shopify is the commerce platform behind millions of businesses around the world and 10% of all e-commerce in the United States. From household names like Allbirds and Mattel and Heinz to brands that are just getting started, you can tackle all the important tasks in one place, from inventory to payments to analytics and more. There's no need to save to multiple websites or to try to figure out what platform is hosting the tool that you need. Everything's in one place, making your life easier and your business operations smoother. So it's time to turn those what-ifs into "with Shopify." Today, sign up for your $1 per month trial at shopify.com/lawfare. Go to shopify.com/lawfare. That's shopify.com/lawfare.
Tom Kemp
What it's really focused on is enabling privacy rights at a scale that's not possible in the current notice and choice framework that we have here in the United States. So it is pretty, I would say pretty revolutionary in terms of kind of flipping the balance back to the consumers.
Justin Sherman
It's the Lawfare podcast. I'm Justin Sherman, contributing editor at Lawfare and CEO of Global Cyber Strategies, with Tom Kemp, Executive Director of the California Privacy Protection Agency, or CPPA, AKA Cal Privacy.
Tom Kemp
Yes, we can go after global entities because we regulate the collection and use of Californians' data. All the obligations that are in our law around data minimization, honoring privacy rights, and security of personal information apply to all businesses.
Justin Sherman
Today we're talking about California's new DROP system and the data broker industry, bringing technologists into public service, and the future of state privacy enforcement. So first, what are the California Privacy Protection Agency's main statutory and regulatory focus areas? And then second, are there any major differences that you see between the CPPA and the authorities and resources of other states as it pertains to this issue set?
Tom Kemp
Absolutely. And thanks, Justin, for having me on. The California Privacy Protection Agency, now known as Cal Privacy, was created via the voters here in California with the passage of Prop 24 in 2020. And the agency itself is responsible for implementing, enforcing and raising awareness of the California Consumer Privacy Act, or CCPA, and the California Delete Act. And so if you look at what we do, our mission is really focused in six primary areas. First, rulemaking. Second, promoting public awareness, i.e., raising privacy literacy for consumers and telling businesses about their obligations. We have an auditing function, we have an enforcement function. We also can do, and we do do, policy and legislation work. And we're also finally responsible for the administration and implementation of the Delete Act, which is something that we'll probably talk a little bit more about later. In effect, we are the nation's only independent agency focused on privacy. And California is also the first state to have a comprehensive privacy law. And now we're in a situation where there's about 20 other states that have a privacy law. In terms of kind of what's unique about our agency vis-à-vis, say, attorneys general that are responsible for enforcing their state's comprehensive privacy laws, I think there's a few unique areas, one of which is the policy and legislation: we can actually propose and sponsor legislation working with authors. I think the public affairs aspect that was written into the statute is pretty unique in terms of specifically being tasked with going out and evangelizing what consumers' privacy rights are. And the third and final thing is this Delete Act, the accessible deletion mechanism that consumers here in California can now access.
Justin Sherman
We'll start perhaps in reverse order, although we'll come back to the other elements you mentioned. So one of the most recent major developments in California in terms of privacy and consumer rights, as you're referring to, is the deployment of the Delete Request and Opt-out Platform, or the DROP system. This is focused on data brokers, as many listeners know, a topic, we'll say, that's also of some interest to myself. So talk to us first about the legal system in California. You just mentioned the Delete Act for data broker registration and deletion. How does that work? How has it changed in the past few years?
Tom Kemp
Yeah, so clearly there historically has been a move afoot over the last eight to 10 years to give consumers more transparency into the data broker industry. And data brokers, at least in California, are defined as businesses that we do not have a direct relationship with that nonetheless collect our personal information and sell it to third parties. And what happened is initially in Vermont, a data broker registry law was passed in, I think it was 2018. And then California adopted a similar law, which was AB 1202 in 2019, and it went into effect in 2020, and it housed this data broker registry with the Attorney General. So the thought process was that it would give consumers more awareness of who these entities are, because oftentimes, because they don't have a direct relationship with you, they kind of operate in the shadows. And as you've written extensively, it's a very significant industry. Oftentimes people in the privacy world refer to it as third-party data collection because of the lack of direct relationship. But the issue is that it's very difficult for consumers to exercise their privacy rights. Even if you're given a list of, say, 500 entities that have your information, you still have to go out and contact each and every one of them, and, say, that takes 20 to 30 minutes of interaction of filling out a form or sending an email. And then they respond and you kind of go back and forth like volleyball or ping pong. And then you multiply that 20, 30 minutes times 500 entities that may have your information. That may take 10 full days of your time to be able to tell these businesses that, again, you don't have a direct relationship with; in effect, you and your data are the product. They don't sell anything to you. And you can kind of see that just the raw scale of trying to enable your privacy rights, to say opt me out and/or delete my information, is basically next to impossible for the average consumer.
And so what I did in a personal capacity is see that there were various proposals at the federal level, like the federal Delete Act proposed by Senators Cassidy and Ossoff. I mean, heck, even Tim Cook in 2019, who is the CEO of Apple, wrote an editorial in Time magazine saying that there should be a data broker clearinghouse where people can make requests. Senator Wyden even had a proposal even before the federal Delete Act proposal. And so what I did is I proposed to my state senator, State Senator Becker (I live in California here), and we worked together and he was the author of SB 362, the Delete Act, which did a few things. (a) It transferred the data broker registry from the Attorney General to this dedicated independent agency, Cal Privacy, or the California Privacy Protection Agency that I described before. So this was a net new add of responsibility for the agency with this bill. But more importantly, it also tasks the agency with creating this accessible deletion mechanism, or what we now call the DROP system, the Delete Request and Opt-out Platform. And if you want, I can drill down a little bit more on the DROP system itself and what's going on. But that's kind of what's happened here in California at a very high level.
Justin Sherman
Please do drill down, both into what it does, as you noted, but also, I'm curious to hear more of your thoughts on, you mentioned the time saving, but other ways that DROP sort of changes fundamentally what's possible for consumers in terms of effectuating their rights.
Tom Kemp
Yeah, I mean, DROP is a very unique system in that it's kind of a living, breathing system, in that consumers, effective January 1st of this year, go into a portal, a website, in which they confirm their residency here in California and they put in some basic personal information. And they have the flexibility of putting just simply their date of birth and their zip code, or they can put their email address and phone number. They can also put their mobile advertising ID or other device ID that uniquely identifies them. So they can put in as little or as much information to facilitate matching. And then they hit submit. And we find that for most consumers, this whole process takes maybe 6, 7 minutes in totality. So that's the investment of time that a consumer will have to make, as opposed to 10 whole days of doing this interaction. And so then what happens is, once they submit this information, that information is stored in a secure manner. The data actually gets hashed into different lists. And then starting August 1st, the registered data brokers, and we have over 580 data brokers that are now registered with the state, and what the data brokers will do starting August 1, 2026, is that they will access the various lists that map to the data that they may have. So they may download the hashed list of phone numbers or email addresses. There's another list with the device IDs that the consumers put in. And then they take their data in their databases, use the same hashing algorithm, and then determine if there's any matches. So if there isn't a match, they don't know who actually submitted the information. So if a hashed phone number of theirs doesn't match one of the hashed phone numbers in our system, then there's no match. But if there is a match, then they're responsible for actually permanently deleting the information. But at the same time, they actually have to maintain a suppression list.
So if down the road they do get the consumer's email address or phone number or whatnot, then they have to check it against the totality of all the DROP submissions. And then from there, if they do have a match, or if they don't have a match, they have to report back that there was no match associated with it. So the consumers can actually, starting in August, go back and see the status of their deletion request. And furthermore, the consumers, if they get a new email address or phone number, or they remember that they were in a prior zip code, they can enter that information. So when I say it's a living, breathing system, it means that consumers can enhance and update their personal information. Again, we just ask for the minimal amount of information to do the matching. They can check the statuses, and then meanwhile, data brokers, on a 45-day basis starting August 1st, are going in, getting the list and continuously building the suppression list, continuously doing the deletion and continuously feeding back updates into the system as well. So it is very unique. No one else in the whole world is doing something like this. And so it's definitely first of its kind. But really, at the end of the day, what it's really focused on is enabling privacy rights at a scale that's not possible in the current notice and choice framework that we have here in the United States. So it is pretty, I would say, pretty revolutionary in terms of flipping the balance back to the consumers, as opposed to, as Professor Salaf describes it, consumers having a never-ending set of chores to be able to exercise their privacy rights. This really fully enables the exercise of privacy rights at scale by having a one-stop, literally a one-click mechanism to say, please delete my information and also opt me out moving forward as well. So incredibly powerful.
And just the overwhelming support that we've had here in California has been amazing. Since we've launched it, with the full understanding by consumers that the deletions won't occur (so we kind of expect the adoption will be more back-end loaded as we get closer to August 1st), we've had over 256,000 Californians already sign up for it.
Justin Sherman
Yeah, those are tremendous numbers. The privacy chores quote is great. I'll also say, and you can respond to this or not, but just as a fine point for folks who are less familiar with this ecosystem, I think part of potentially why you're highlighting also the cost piece is, I'll add, that there are a number of private companies that will offer, or purport to offer, the ability to submit opt-outs on people's behalf. We have to pay for them. It certainly is notable, as you said, that California is doing so for free, at no cost to the consumer, to effectuate their rights. Do you envision in the coming months any particular challenges for expanding it, as well as opportunities for ways to, whether it's just to broaden access and awareness of the system, or to update it technically in any way?
Tom Kemp
Yeah, I mean, obviously we're very much in the mode right now of evangelizing this and raising awareness to Californians. If you are a listener and you are a Californian, please go to privacy.ca.gov. It's right there on the homepage and you can click on it. Then again, it only takes you 6, 8 minutes to have this huge advantage of being able to take control over your personal information. And then in terms of what's happening moving forward, the Delete Act was actually amended last year with SB 361, which was a bill also done by Senator Becker. And then prior to taking this position (I've been at Cal Privacy as the executive director for a year), I also recommended this to him as well. And this increased disclosure requirements for data brokers moving forward. And so before, the registry asked some basic information of the data brokers, and it asked for basically three bits of information that the data brokers have to provide: whether or not they collect the data of children, whether or not they collect reproductive health, and whether or not they collect geolocation information. SB 361 basically added another 12 to 15 additional data points which the data brokers have to provide, which includes immigration, citizenship status, union membership, whether or not they sell the data to the federal government as well as law enforcement, and whether or not they collect specific government identifiers. And then another piece of information we asked for was what additional unique identifiers the data brokers use to track consumers.
And so now that the registration period has actually concluded and we begin processing and getting the data broker registry ready for publication, and the publication of the new data broker registry will happen on March 26, with this additional information I think that we've gotten from data brokers, as well as the increase in the number of data brokers that have registered (at the end of calendar year 2025, we were at 540 or so data brokers, and I can tell your listeners that we'll be at over 580), a couple things: we found some really unique information, and that may lead us to do additional research based on the information that's provided. And one of which, as I mentioned before, is we'll have a better feel for what identifiers data brokers utilize to identify consumers. And that may instruct us, moving forward, to add those identifiers that we ask of consumers so that there can be a better chance of matching that occurs. So we're going to kind of take this updated information of knowing what data brokers key off of from an identifier perspective, and we may turn around and update the actual platform to facilitate more matching. But really interesting statistics from the actual registry itself. It turns out that, of the 580, there's actually 110 data brokers that collect precise geolocation. And so what that tells us is that we probably, not probably, but we will continue and expand our evangelism and education with consumers on how they can actually provide their mobile advertising ID, how they can make the decision to turn off tracking as well. So it seems like there's a very large, as you're probably aware of, industry of data brokers that specifically collect precise geolocation. And so this number has grown year over year.
As we compare from last year based on these results, it has told us that we as an agency need to do more to educate Californians on how to get their MAID, put it into the DROP system, and then just overall raise awareness. Some other interesting metrics coming from the data broker registry: we found that there were 68 data brokers that collect information about gender identity and expression. Maybe there's a lot of civil society groups, such as the LGBT community and civil society groups there, that may want to be aware of that, and they may want to educate and evangelize to their members that the DROP system could be used as a means to not have that type of personal information be sold to anyone with a credit card. We also have found that there are 52 data brokers that share and/or sell data to the federal government. So we're talking a little bit less than 10%. And there are 31 data brokers that share and sell to GenAI developers. And so this type of data, we definitely plan to raise awareness for consumers that this is kind of how your data is being used, which should make it even more of interest for Californians to use the DROP system, because maybe in the end they do not want their data being sold to a foreign government. We found that there were 33 data brokers that sell to what's defined in the law as foreign actors. I talked about the precise geolocation, the gender identity and expression, et cetera. So it turns out, no surprise to you, Justin, there's a lot of people's sensitive personal information going to places they may not want it to or ever think it would go to. And so we're going to continue to raise awareness of how this data is being collected and sold and what people can do, at least in California, to effectuate their rights to take control over their sensitive personal information.
Justin Sherman
Very good. And as many listeners know, and as you just said, there's a tremendous degree of opacity in this industry as well. So any data is useful. The federal government sale as well is salient. There was discussion, as some may have seen, of that in some recent congressional testimony. So this is a great segue, because one thing I wanted to talk to you about in particular is bringing technologists into public service, but in particular into privacy and cybersecurity rights and enforcement. And I'll just editorialize. I'll say I think you and the team in California writ large over several years have done quite a good job in this area, bringing technologists into the agency, having folks who are not just tech-fluent attorneys, but perhaps computer scientists or other sorts of deep technologists working on the staff. And we're now seeing, we had a Lawfare podcast on this several months ago, other states basically looking to do more of this as well: hire technologists either to build tools internally, to help with cases, to do both. So all to say, how do you think building a system like DROP would have gone, or would it have been possible, without having those kinds of technologists and that expertise in house? And then can you talk in general about the delta between having a privacy and tech regulatory agency with, and then without, technologists on staff writ large? And again, I'm not saying that a state without a computer scientist or something doesn't know how to do enforcement, but in terms of what does having that kind of background on the team enable?
Tom Kemp
Absolutely. Having technologists on staff, from product managers to software developers, certainly helped a small agency like ours design and deliver a modern, user-friendly platform. In DROP, we also partnered with the California Department of Technology to help build this, which I'm going to refer to as CDT, which is the California Department of Technology. CDT had built an identity gateway which facilitates the ability for Californians to verify their residency. And so actually the front door of the DROP system is this identity gateway. So it was not only us partnering with CDT, our technical people partnering with CDT to help build this, but we're actually leveraging some additional infrastructure that they provide to facilitate that only Californians can use this service. But more broadly, yeah, it's been very important for us to bring on technologists. So we have a couple of technologists, for example, in our enforcement division who are actually PhDs, and we're right now building out our audit division. And we've hired our chief privacy auditor, Sabrina Ross, and her first hires are technologists as well. It is key and critical in a very complex data economy to be able to take a look at data flows, to be able to assess the whole process of consumers being able to exercise their privacy rights, not only from a web browser, but from mobile devices. And by bringing more technologists on staff, it increases the chance of us being able to determine if there actually have been either compliance issues and/or violations as well. And it allows us to translate statutory requirements into actual audits, actual enforcement actions, et cetera, as opposed to us relying on vendors to interpret the law for that. Oftentimes we'll ask and they'll come back; we'll ask a business as part of an enforcement action to provide us information, but we can actually vet and verify ourselves.
And it also gives us the flexibility to just go out and do our own research and see what's going on as well. So yes, that has been a big focus of our agency: to bring in technical people not only to help us build this DROP system, but to help facilitate, historically, our enforcement and now the audit function, which focuses on whether or not businesses are in compliance, as opposed to enforcement, which focuses on whether or not businesses are violating the law.
Podcast Host / Advertiser
DeleteMe makes it easy, quick and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable. DeleteMe sends you regular personalized reports showing what information they found about you, where they found it, and what they removed. The New York Times Wirecutter has named DeleteMe their top pick for data removal services. And you know, if you're somebody with an active online presence, you probably know that if you're going to protect your privacy, nobody's going to do it for you. You've got to do it yourself. This is a step that you can take. But if you're not somebody with an active online presence, they're still getting data about you. They're still using it to facilitate phishing attacks on you, to facilitate identity theft. And if you've never been the victim of one of these things, you probably know somebody who has, and it's probably only a matter of time before it happens to you. DeleteMe can help. So take control of your data and keep your private life private by signing up for DeleteMe now at a special discount for our listeners. Get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/lawfare20 and use the promo code lawfare20 at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/lawfare20 and enter code lawfare20 at checkout. That's JoinDeleteMe.com/lawfare20, code lawfare20.
Tom Kemp
Want to turn challenges into chances? Go Digital Enterprise and adapt to every change by combining the real and digital worlds.
Warby Parker / Siemens Advertiser
Transform the everyday with Siemens. If your eyes are the windows to your soul and your glasses are the windows to your eyes, then it's pretty important to find your perfect frames. That's why at Warby Parker, we've made shopping for eyewear as easy and fun as can be. Peruse endless styles in our stores or use our app to virtually try on frames and get personalized recommendations. To find your next favorite pair of glasses, sunglasses or contact lenses, or to locate your nearest Warby Parker store, head over to warbyparker.com. That's warbyparker.com. If you
Podcast Host / Advertiser
work in university maintenance, Grainger considers you an MVP, because your playbook ensures your arena is always ready for tip-off. And Grainger is your trusted partner, offering the products you need all in one place, from HVAC and plumbing supplies to lighting and more, and all delivered with plenty of time left on the clock, so your team always gets the win. Call 1-800-GRAINGER, visit grainger.com or just stop by. Grainger, for the ones who get it done.
Justin Sherman
It's a good point that you have kind of that spectrum of activity, as well as some of the risks it eliminates to not have to do procurement, dependence on third parties, and so forth. Are there any lessons in particular you want to share? You mentioned some in there, but any other lessons you want to share with other states in terms of how to best bring technologists into their agencies? And I'm thinking everything from actual recruitment all the way through to retention and talent development.
Tom Kemp
Yeah, what we're definitely finding is, because of the changes that have occurred at the federal level, both with the FTC and the CFPB, that there are a lot of very strong technologists that are on the market, and that these entities and agencies at the federal level, at least in the past, have done kind of comparable types of research as well. So at the state level, there's certainly opportunities to have people that have done this type of auditing and enforcement research. Furthermore, because of the job market with AI, there isn't as strong a demand for entry-level developers or PhDs in computer science. And so what we're finding is that there's some incredibly strong people that are graduating with PhDs in computer science that have done a lot of privacy research. They're actually out there and available, and they would be perfect people for us as well. So, to be candid, just having come from the private sector and always having PhDs on staff that are literally rocket scientists in some cases to do software development as well as software architecture and all that stuff, now that I'm in the public sector and part of a regulator/enforcer, I'm just amazed at the quality that's available out there. And so it's nice that as an agency we can actually verify, when we're going through enforcement actions, what businesses are telling us, because we have just as smart people from a technology side on our side of the fence as they do as well. So I think that's great for us, and I certainly encourage it. And we've started to see that actually other state regulators and agencies in the area of privacy have been calling us up and picking our brain about how we've gone about bringing technologists on staff. I should also point out that one thing that I think we've taken a really big lead on is trying to work nicely and well with and collaborate with other states.
We're kind of the driving force behind this concept, which we call the Consortium of Privacy Regulators. And it's now grown to 10 states, including here in California, not only us, the Cal Privacy Agency, but the California Attorney General, who also, I should be very clear, has joint enforcement of the CCPA. And so actually in California there's dual enforcers, but with the other states, it's primarily their Attorney General. The Consortium of Privacy Regulators is bipartisan. So we have both Democrats and Republicans. And that's a way that we share expertise and resources. We truly value this collaboration. And one area in which we've been collaborating is with our technologists and their growing set of technologists that they're bringing on. And so that enables us to do, for example, enforcement sweeps with other states that are on technical topics. Specifically we are, and I can't provide too much detail, but at a high level we have a joint enforcement sweep with the Attorneys General of California, Connecticut and Colorado regarding the support of the Global Privacy Control, which is just like the DROP system: the DROP system enables exercise of privacy rights at scale for third-party data, and the GPC enables privacy at scale for do not sell and share. And so we are collectively working with these other attorneys general to do an investigatory sweep to determine compliance with GPC. And again, that does take, potentially, technologists taking a look at whether or not signals are being received and whether or not businesses are really following through on the opt-outs that are being sent. And so that's a lot of hands-on technologists checking things out. And we're doing that in conjunction with other attorneys general in other states.
Justin Sherman
I was going to say, I'm sure you're getting these calls and having these conversations already. So in the vein of new developments and new efforts, by the time this podcast airs, California will have debuted a new registry system for data brokers. So you already gave us a rundown of the current, as of this taping, registry system, but what is this new registry and how does it differ from the list of third-party data brokers that California has historically published?
Tom Kemp
Yeah, there's a number of Differences Difference number one is that SB361 asked for additional information from the data broker registries. And so as I alluded to before, you can now and obviously the registry is accessible to anyone in the world, including academics, journalists, just everyday Americans or anyone else. When this registry posts, which will happen March 26, anyone will be able to quickly filter and see who are actually are the data brokers that collect precise geolocation, sell to Genai developers, sell our data to foreign actors who are the data brokers that share and sell our data to the federal government, et cetera. These additional data points really reflect some of the harms that legislators and consumers perceive that are associated with the collection and sale of data in these areas. So that's very new in terms of the additional amount of information that's available to consumers to be able to filter to get a better feel for it. The second is the fact that as I mentioned before, that there's a larger number of data brokers that are out there and we have internally focused on really trying to drive registrations. We put together A data broker strike force within our enforcement division to ensure that as many data brokers that should be registered are registered, so we have a greater number. When I joined the agency a year ago last April I think it was Privacy Rights Clearinghouse wrote a report saying that there were approximately 450 data brokers registered. That actually has been a priority of the agency to make sure that again as many are registered. So we were able to build that number up at the end of the calendar year to over 540. Now we're at over 580. 
And then the other nice thing is that when you pair it with the Drop system, inside the Drop system, even after you submit your request as a consumer, you'll be able to see, starting in August, which of the data brokers specifically deleted your information or said that there wasn't a match. And the cool thing inside the Drop system is that if you're a consumer and you believe, starting in August, that a data broker has reported back that they couldn't match your information, but you believe your information is still being displayed, still held by the actual data broker, and they ignored the request that was made within the system, you can actually file a complaint and we'll take a look at that. Please don't file complaints now, because data brokers are not required to until starting August, and then they have 45 days afterwards to actually process and send the updates as well. And then finally, the other thing that's happening with the Drop system and the data broker registry is that also at the end of the month we are making what we call a sandbox, or an API, available to the 580 plus data brokers so they can begin testing the whole process of doing the matching as well as submitting the updated statuses once they've processed the request. So now is the time, kind of behind the scenes, that the data brokers should actually be going out and testing the system and making sure that they're ready as well. So there's a lot of stuff happening behind the scenes, but those are some of the things that have happened and are happening in the near term. So it's not just about building the actual Drop system for consumers, the website, the single click portal; it's ensuring that as many data brokers are registered, it's about providing the transparency, it's providing the system that allows for Californians to see the status and the data brokers to report back the statuses of the matches, et cetera.
So a lot of work happening right now, and I'm very proud of the amazing progress in terms of the record number of consumer signups as well as the record number of actual data brokers that have registered.
Justin Sherman
As I say all the time, people should not have to pay to effectuate their privacy rights. So that's all great. This is a good place to start zooming back out and looking more forward. We've been talking a lot about data brokers, but as you mentioned at the outset, California's privacy laws provide a pretty wide range of action on a variety of different privacy issues that go beyond the sale of people's data. As you look ahead to 2026 or maybe even think about 2027, what are your top enforcement priorities? And for whatever you want to call out, can you say more about what motivates your thinking and California's focus on those subjects?
Tom Kemp
Absolutely. So we've clearly made it a priority to bring a broad spectrum of enforcement actions across a broad spectrum of industries. And we've recently announced, just the other week, enforcement actions against companies like Ford Motor Company. We previously did an enforcement action against Honda. So we're talking about, for example, large automobile manufacturers. We've also looked at retail companies like Tractor Supply Company and Todd Snyder. So at the retail level, and then we also had an enforcement action against a company that primarily targeted students. And so what we've focused very much on in this initial set of enforcement actions is making sure that there is not friction being placed in enabling consumers to be able to exercise their privacy rights. And so the settlement agreements have not only included fines, and we've had a couple of million dollar plus fines, but also changes to business practices. And what we're trying to do in these settlements is that we actually spell out how the businesses allegedly did not meet the mark and did not allow consumers to effectuate their privacy rights. And so we want to use these settlement agreements as kind of clear messages that we're sending to the broader community out there of things that we really care about. And as I mentioned before, people have actually had to change their business practices. For example, one of the settlement agreements was that one of the entities actually had to hire a UX designer and actually kind of fix the user interface that they have for consumers to be able to exercise their privacy rights. We've also done a number of enforcement actions against data brokers. And part of the enforcement actions have actually had businesses agree, for example, in the case of a company called Data Masters, which was a Texas data broker that was buying and selling lists of people with Alzheimer's, to actually exit the California market.
They agreed to do that as part of the settlement. We had another data broker that was advertising that they sell scary information about people, which clearly made it clear that they were potentially looking for or promoting the idea that you could maybe use this information to make people's lives miserable or dox them. And as part of the settlement agreement, they actually decided to close down as well. So that's kind of the range of what we've been doing from an enforcement perspective, in which we fine companies or have them change their business practices, either in a more minor way or a more significant way as well. And so you'll continue to see our enforcement division dig deep into how businesses are implementing California's rights. We also have put forth a number of enforcement advisories that also kind of telegraph areas of concern. The very first enforcement advisory we put forth involved data minimization. We've also had an enforcement advisory about dark patterns. And then finally, we've also announced some joint investigation sweeps, as well as talking about our strike force when it comes to data brokers. So I previously talked about the investigation sweep that we're doing with the attorneys general of California, Colorado and Connecticut around GPC. But we're also involved in an enforcement sweep with over 30 data protection and privacy authorities around the world in examining websites and mobile apps commonly used by children. So kind of the combination of the enforcement actions and the great levels of detail in the settlement agreements that articulate the issues that we found, combined with the enforcement advisories and the investigation sweeps that we announced, should give businesses a good feel for things that are of interest to us, that we really deeply care about. And then the final thing I'll say, or the final two things I'll say, is because we have a very robust complaint system, we actually get over 150 complaints per week, and that number is growing, from consumers. And a lot of our enforcement actions have been based on actual consumer complaints. So Californians have a means and mechanism to complain about what's going on to our agency. And then the final kind of data point that I will provide is that we do have over 100 open investigations going on right now. So we've really ramped up the team. And so I think what you'll see is some more enforcement actions being announced. And at the same time, as I alluded to before, we're not the sole enforcer here in California. There's the Attorney General, and they've been doing some great work as well. And we continue to collaborate with them around enforcement. So you actually have two enforcers here associated with the California Consumer Privacy Act to enforce the laws here in California.
Justin Sherman
Right. And as you said, that's not the case in plenty of states, where it's really the AG's office that is the enforcer. In our last several minutes here, I want to ask you about something you mentioned earlier, the question of certain data brokers selling to foreign actors. And I want to ask you more about that, but with technology use cases and privacy issues writ large, which is that we've seen a few other states, such as Texas or Florida, file lawsuits against apps like TikTok or Temu or others, where the allegations in those matters focus not on privacy issues that are agnostic to country or the recipient of the data, but on allegations specifically around the fact that in those cases they are owned by a Chinese entity, and what's the risk in those cases that the Chinese government could acquire the data? Is California thinking at all about those foreign adversary nexus questions vis a vis your state privacy regime, including, of course, that you have the tech capital of the country, if not the world, in California? Is that lower down on the priority list? How do you see those kinds of debates in relation to your other enforcement activities?
Tom Kemp
Yeah, I mean, clearly with the data broker registry, the legislature required us to ask of data brokers, are you selling to foreign actors? So clearly there has been some legislation that had us basically take a look at this, and in this case it's more of a transparency measure. But I think in the end the privacy protections we have in place in California guard against the misuse of data not only nationally but internationally. Yes, we can go after global entities because we regulate the collection and use of Californians' data. Like you said, California obviously is an enormous state. It's the fourth largest economy in the world. All the obligations that are in our law around data minimization, honoring privacy rights, security of personal information apply to all businesses. And these businesses can be based outside our jurisdiction because, again, the definition of a business is not an entity that's domiciled here, but it's based on the collection of Californians' personal information. And so we can reach out there. And we have looked at international companies as part of our investigations, and I'll just kind of leave it at that. So it's not just a situation where a business has to be headquartered here in California or based in the US. We do look at global companies or entities that are overseas that may be collecting significant amounts of Californians' information as well. So yeah, obviously we're going to follow what the statute says. But the statute does give us the ability to look globally because at the end of the day it's Californians' information, and we're responsible for ensuring all businesses meet the obligations from a privacy and security perspective.
Justin Sherman
All right, last but certainly not least, I want to continue with the looking forward framing. Are there one or two tech industry trends or privacy practices that you, and you could be the agency or you personally, Tom, see as the biggest near term or over the horizon risk to consumers?
Tom Kemp
Yeah, I mean, we're definitely keeping our eyes on tech industry trends, and I don't want to suggest that we're looking in some areas more than others because, you know, clearly the landscape is broad and our enforcement team is always looking into a wide range of ongoing issues and upcoming trends. But I can share one that is very broad. I think wearables present a risk in that they collect so much sensitive personal information. And some of the sensitive personal information goes beyond your daily jogging route; it includes consumer biometric and our neural data. And I think that trend of wearables collecting this information will only increase. And so I think that kind of gives a good example of looking at IoT and these types of devices. Again, it's not simply us being concerned about websites; no matter what type of system or application collects a lot of sensitive personal information, we're very much interested in it. The other area where we actually passed and got approved some robust regulations is in the use of automated decision making technologies. And our regulations kick in on January 1, 2027, and will give consumers the ability to opt out based on the criteria of what the ADMT does as it relates to making a critical decision without any human intervention, and making that critical decision in a number of key industries as well. So consumers will have a right to know that ADMT is being used, as well as a right to opt out, as well as a right to object to the usage if they're so inclined. And so starting in 2027, we'll start to look to enforce more significantly the use of ADMT technologies as well. So those kind of give a couple of examples of trends or areas of interest or focus for us.
Justin Sherman
That's all the time we have. Tom, thanks very much for joining us.
Tom Kemp
Oh, it's been great. Thanks, Justin.
Justin Sherman
The Lawfare Podcast is produced by the Lawfare Institute. If you want to support the show and listen ad free, you can become a Lawfare Material Supporter at lawfaremedia.org/support. Supporters also get access to special events and other bonus content we don't share anywhere else. Please rate and review us wherever you get your podcasts. Look out for our other podcasts, including Rational Security, Allies, The Aftermath, and Escalation, our latest Lawfare Presents podcast series about the war in Ukraine. Check out our written work at lawfaremedia.org. The podcast is edited by Jen Patiño, and our audio engineer for this episode was Goat Rodeo. Our theme song is from Alibi Music. As always, thank you for listening.
Tom Kemp
Want to change the efficiency game? AI it. Automate tedious tasks to spend more time on the future.
Warby Parker / Siemens Advertiser
Transform the everyday with Siemens.
The Lawfare Podcast: CPPA’s Tom Kemp on Data Brokers, Privacy, and State Enforcement (March 25, 2026)
In this episode of The Lawfare Podcast, host Justin Sherman speaks with Tom Kemp, Executive Director of the California Privacy Protection Agency (CPPA, or Cal Privacy), about the agency’s pioneering work in state-level data privacy, focusing particularly on California's new data broker regulations, the recently launched Drop system, and strategies for effective state enforcement. The conversation also explores bringing technologists into the privacy field and highlights enforcement priorities, cooperation among states, and the most pressing data privacy trends facing consumers today.
Establishment and Authority:
Six Core Functions (04:06):
Notable Quote:
"In effect, we are the nation's only independent agency focused on privacy, and California is also the first state to have a comprehensive privacy law."
— Tom Kemp (04:06)
Definition & Problems:
Legislative History:
Notable Quote:
"Even if you’re given a list of, say, 500 entities that have your information... it may take 10 full days of your time to be able to tell these businesses... to delete your data."
— Tom Kemp (07:09)
How It Works:
Key Innovations:
Memorable Quote:
“This really fully enables the exercise of privacy rights at scale by having a one-stop, literally a one-click mechanism to say, please delete my information...”
— Tom Kemp (16:48)
Expanded Registry Requirements:
Key Stats (17:43):
Impact:
Memorable Quote:
"There’s a lot of people’s sensitive personal information going to places they may not want it to or ever think it would go to."
— Tom Kemp (24:20)
CPPA’s Approach:
Advantages:
Advice for Other States:
Memorable Quote:
"As an agency... it's nice that... we have just as smart people from a technology side on our side of the fence as they do as well."
— Tom Kemp (33:13)
Features:
Key Point:
Recent Enforcement Examples:
Guidance and Sweeps:
Complaint System & Open Investigations:
Foreign Data Sales:
Notable Quote:
"We can go after global entities because we regulate the collection and use of Californians data.... All the obligations that are in our law... apply to all businesses."
— Tom Kemp (51:25)
Emerging Risks:
Memorable Quote:
"Wearables present a risk... collecting sensitive personal information beyond just your jogging route, including biometric and neural data."
— Tom Kemp (53:56)
This episode provides essential context for anyone interested in data privacy law, consumer rights, state-level enforcement, or the technical realities of protecting personal data in the modern digital economy.