Lawfare Daily: CPPA’s Tom Kemp on Data Brokers, Privacy, and State Enforcement
Tom Kemp, executive director of the California Privacy Protection Agency (CPPA), joins Lawfare’s Justin Sherman to discuss California’s new Delete Request and Opt-out Platform, or DROP system, the data broker industry, and California’s ongoing efforts to ensure residents can effectuate their privacy rights. They also discuss the process and impacts of bringing technologists into public service at privacy and cybersecurity regulatory bodies, inter-state collaboration on data privacy issues, how California thinks about concerns around U.S. foreign adversaries and risks of access to U.S. persons’ data, and the near-term and over-the-horizon privacy risks to consumers.
Additional Resources:
- California Delete Request and Opt-Out Platform (DROP)
- California Data Broker Registry
- California Consumer Privacy Act (CCPA)
Transcript
[Intro]
Tom Kemp: What it's really focused on is enabling privacy rights at a scale that's not possible in the current notice and choice framework that we have here in the United States. So it is pretty, I would say pretty revolutionary, in terms of kind of flipping the balance back to the consumers. It's the Lawfare podcast.
Justin Sherman: I'm Justin Sherman, contributing editor at Lawfare and CEO of Global Cyber Strategies, with Tom Kemp, executive director of the California Privacy Protection Agency, or CPPA, AKA Cal Privacy.
Tom Kemp: Yes, we can go after global entities because we regulate the collection and use of Californians' data. All the obligations that are in our law around data minimization, honoring privacy rights, security of personal information apply to all businesses.
Justin Sherman: Today, we're talking about California's new DROP system and the data broker industry, bringing technologists into public service, and the future of state privacy enforcement.
[Main Episode]
So first, what are the California Privacy Protection Agency's main statutory and regulatory focus areas? And then second, are there any major differences that you see between the CPPA and the authorities and resources of other states as it pertains to this issue set?
Tom Kemp: Absolutely. And thanks, Justin, for having me on. The California Privacy Protection Agency, now known as Cal Privacy, was created via the voters here in California with the passage of Prop 24 in 2020. And the agency itself is responsible for implementing, enforcing and raising awareness of the California Consumer Privacy Act, or CCPA, and the California Delete Act.
And so if you look at what we do, our mission is really focused in six primary areas. First, rulemaking. Second, promoting public awareness, i.e., raising privacy literacy for consumers and telling businesses about their obligations. We have an auditing function, we have an enforcement function. We also can do, and we do, policy and legislation work.
And we're also, finally, responsible for the administration and implementation of the Delete Act, which is something that we'll probably talk a little bit more about later. So in effect, we are the nation's only independent agency focused on privacy. And California is also the first state to have a comprehensive privacy law. And now we're in a situation where there are about 20 other states that have a privacy law.
In terms of kind of what's unique about our agency vis-à-vis, say, attorneys general that are responsible for enforcing their states' comprehensive privacy laws, I think there are a few unique areas, one of which is the policy and legislation: we can actually propose and sponsor legislation, working with authors.
I think the public affairs aspect that was written into the statute is pretty unique in terms of specifically being tasked with going out and evangelizing what consumers' privacy rights are. And the third and final thing is this Delete Act, the accessible deletion mechanism that consumers here in California can now access.
Justin Sherman: We'll start perhaps in reverse order, although we'll come back to the other elements you mentioned. So one of the most recent major developments in California in terms of privacy and consumer rights, as you're referring to, is the deployment of the Delete Request and Opt-out Platform, or the DROP system.
This is focused on data brokers, as many listeners know, a topic, we'll say, that's also of some interest to myself. So talk to us first about the legal system in California. You just mentioned the Delete Act for data broker registration and deletion. How does that work? How has it changed in the past few years?
Tom Kemp: Yeah, so clearly there historically has been a move afoot over the last eight, 10 years to give consumers more transparency into the data broker industry, and data brokers, at least in California, are defined as businesses that we do not have a direct relationship with that nonetheless collect and sell our personal information and sell it to third parties.
And what happened is, initially in Vermont, a data broker registry law was passed in, I think it was 2018, and then California adopted a similar law, which was AB1202 in 2019, and it went into effect in 2020. And it housed this data broker registry with the attorney general. So the thought process was that it would give consumers more awareness of who these entities are, because oftentimes, because they don't have a direct relationship with you, they kind of operate in the shadows, and as you've written extensively, it's a very significant industry.
Oftentimes people in the privacy world refer to it as third-party data collection because of the lack of direct relationship. But the issue is that it's very difficult for consumers to exercise their privacy rights. Even if you're given a list of, say, 500 entities that have your information, you still have to go out and contact each and every one of them, and say that takes 20 to 30 minutes of interaction of filling out a form or sending an email, and then they respond and you kind of go back and forth like a volleyball or ping pong, and then you multiply that 20, 30 minutes times 500 entities that may have your information. That may take 10 full days of your time to be able to tell these businesses that, again, you don't have a direct relationship with.
In effect, you and your data are the product. They don't sell anything to you. And you can kind of see that just the raw scale of trying to enable your privacy rights to say, opt me out and/or delete my information, is basically next to impossible for the average consumer. And so, what I did in a personal capacity is see that there were various proposals at the federal level, like the federal Delete Act proposed by Senators Cassidy and Ossoff. I mean, heck, even Tim Cook in 2019, who is the CEO of Apple, wrote an editorial in Time magazine saying that there should be a data broker clearinghouse where people can make requests. Senator Wyden even had a proposal even before the federal Delete Act proposal.

And so what I did is I proposed to my state senator, Becker (I live in California here), and we worked together and he was the author of SB 362, the Delete Act, which did a few things. A, it transferred the data broker registry from the attorney general to this dedicated independent agency, Cal Privacy, or the California Privacy Protection Agency that I described before. So this was a net new add of responsibility for the agency with this bill.
But more importantly, it also tasked the agency with creating this accessible deletion mechanism, or what we now call the DROP system, the Delete Request and Opt-out Platform. And if you want, I can drill down a little bit more on the DROP system itself and what's going on.

But that's kind of what's happened here in California at a very high level.
Justin Sherman: Please do drill down. I mean both into what it does, as you noted, but also, you know, curious to hear more of your thoughts on, you mentioned the time saving, but other ways that DROP sort of changes fundamentally what's possible for consumers in terms of effectuating their rights.
Tom Kemp: Yeah, I mean, DROP is a very unique system in that it's kind of a living, breathing system in that consumers, effective January 1st of this year, go into a portal, a website, in which they confirm their residency here in California. And they put in some basic personal information, and they have the flexibility of putting just simply their date of birth and their zip code, or they can put their email address and phone number. They can also put their mobile advertising ID or other device IDs that uniquely identify them, so they can put in as little or as much information to facilitate matching. And then they hit submit.
And we find that for most consumers, this whole process takes maybe six, seven minutes in totality. So that's the investment of time that a consumer will have to make, as opposed to 10 whole days of doing this interaction. And so then what happens is, once they submit this information, that information is stored in a secure manner. The data actually gets hashed into different lists.
And then starting August 1st, the registered data brokers, and we have over 580 data brokers that are now registered with the state. And what the data brokers will do, starting August 1st, 2026, is that they will access the various lists that map to the data that they may have.
So they may download the hashed list of phone numbers or email addresses. There's another list with the device IDs that consumers put in, and then they take the data in their databases, use the same hashing algorithm, and then determine if there are any matches. So if there isn't a match, they don't know who actually submitted the information.
So if a hashed phone number of theirs doesn't match one of the hashed phone numbers in our system, then there's no match. But if there is a match, then they're responsible for actually permanently deleting the information. But at the same time, they actually have to maintain a suppression list.
So if, down the road, they do get the consumer's email address or phone number or whatnot, then they have to check it against the totality of all the DROP submissions. And then from there, if they do have a match, or if they don't have a match, they have to report back that there was no match associated with it.
So the consumers can actually, starting in August, go back and see the status of their deletion request. Furthermore, the consumers, if they get a new email address or phone number, or they remember that they were in a prior zip code, they can enter that information. So when I say it's a living, breathing system, it means that consumers can enhance and update their personal information.
Again, we just ask for the minimal amount of information to do the matching. They can check the statuses. And then meanwhile, data brokers are, on a 45-day basis starting August 1st, going in, getting the list and continuously building the suppression list, continuously doing the deletion, and continuously feeding back updates into the system as well.
So it is very unique; no one else in the whole world is doing something like this. And so it's definitely first of its kind, but really, at the end of the day, what it's really focused on is enabling privacy rights at a scale that's not possible in the current notice and choice framework that we have here in the United States.
So it is pretty, I would say pretty revolutionary, in terms of kind of flipping the balance back to the consumers, as opposed to, as Professor Asaf describes it, consumers, you know, having a never-ending set of chores to be able to exercise their privacy rights. This really fully enables the exercise of privacy rights at scale by having a one-stop, literally a one-click mechanism to say, please delete my information and also opt me out moving forward as well.
So incredibly powerful, and just the overwhelming support that we've had here in California has been amazing since we've launched it, with the full understanding by consumers that the deletions won't occur.

So we kind of expect the adoption will be more backend loaded as we get closer to August 1st. We've had over 256,000 Californians already signing up for it.
Justin Sherman: Yeah, those are tremendous numbers. The privacy chores quote is great. I'll also say, and you can respond to this or not, but just as a fine point for folks who are less familiar with this ecosystem, I think part of, potentially, while you're highlighting the cost pieces, I'll add that there are a number of private companies that will offer, or purport to offer, the ability to submit opt-outs on people's behalf. But you have to pay for them. So it's certainly notable, as you said, that California is doing so for free, at no cost to the consumer, to effectuate their rights.
Do you envision, in the coming months, any particular challenges for expanding it, as well as opportunities for ways to, whether it's just broaden access and awareness of the system or to update it technically in any way?
Tom Kemp: Yeah, I mean, obviously we're very much in the mode right now of evangelizing this and raising awareness to Californians.

And so, if you are a listener and you are a Californian, please go to privacy.ca.gov. It's right there on the homepage and you can click on it, and then again, it only takes you six, eight minutes to, you know, have this huge advantage of being able to take control over your personal information.
And then in terms of what's happening moving forward, the Delete Act was actually amended last year with SB 361, which was a bill also done by Senator Becker. And then, prior to taking this position (I've been at Cal Privacy as the executive director for a year), I also recommended this to him as well. And this increased disclosure requirements for data brokers moving forward.
And so before, the registry asked some basic information of the data brokers, and it asked for basically three bits of information that the data brokers have to provide: whether or not they collect the data of children, whether or not they collect reproductive health, and whether or not they collect geolocation information.
SB 361 basically added another 12 to 15 additional data points which the data brokers have to provide, which includes immigration/citizenship status, union membership, whether or not they sell the data to the federal government as well as law enforcement, and whether or not they collect specific government identifiers.
And then another piece of information we asked for was what additional unique identifiers you, the data brokers, use to track consumers. And so now the registration period has actually concluded, and we have begun processing and getting the data broker registry ready for publication.

The publication of the new data broker registry will happen on March 26th, with this additional information that we've gotten from data brokers, as well as the increase in the number of data brokers that have registered: at the end of calendar year 2025, we were at 540 or so data brokers, and I can tell your listeners that we will be at over 580.
A couple of things. We found some really unique information, and that may lead us to do additional research based on the information that's provided. One of which, as I mentioned before, is that we'll have a better feel for what identifiers data brokers utilize to identify consumers, and that may instruct us, moving forward, to add those identifiers to what we ask of consumers, so that there can be a better chance of matching.

So we're gonna kind of take this updated information of knowing what data brokers key off of from an identifier perspective, and we may turn around and update the actual platform to facilitate more matching.
Really interesting statistics from the actual registry itself. It turns out that, of the 580, there are actually 110 data brokers that collect precise geolocation. And so, what that tells us is that we probably, not probably, but we will continue and expand our evangelism and education with consumers on how they can actually provide their mobile advertising ID, how they can make the decision to turn off tracking as well.

So it seems like there's a very large, as you're probably aware of, industry of data brokers that specifically collect precise geolocation. And so, this number has grown year over year as we compare from last year. Based on these results, it has told us that we as an agency, you know, need to do more to educate Californians on how to get their MAID, put it into the DROP system, and then just overall raise awareness.
Some other interesting metrics coming from the data broker registry: we found that there were 68 data brokers that collect information about gender identity and expression. And so maybe there are a lot of civil society groups, such as the LGBT community and civil society groups there, that may want to be aware of that, and they may want to educate and evangelize to their members, you know, that the DROP system could be used as a means to not have that type of personal information be sold to anyone with a credit card.
We also have found that there are 52 data brokers that share and/or sell data to the federal government. So we're talking a little bit less than 10%. There are 31 data brokers that share and sell to gen-AI developers.

And so this type of data, you know, we definitely plan to raise awareness for consumers that this is kind of how your data's being used, which should make it even more of interest for Californians to use the DROP system, because maybe in the end they do not want their data being sold to the foreign government.
We found that there were 33 data brokers that sell to what's defined in the law as foreign actors. I talked about the precise geolocation, the gender identity, expression, et cetera. So there, it turns out, no surprise to you, Justin, there's a lot of people's sensitive personal information going to places they may not want it to or ever think it would go to.

And so, you know, we're gonna continue to raise awareness, you know, of how this data is being collected and sold and what people can do, at least in California, to effectuate their rights to take control over their sensitive personal information.
Justin Sherman: Very good. And as many listeners know, and as you just said there, there is a tremendous degree of opacity in this industry as well. So any data is useful. The federal government sale is salient as well. There was discussion of that, as some may have seen, in some recent congressional testimony.
So, this is a great segue, because one thing I wanted to talk to you about in particular is bringing technologists into public service, but in particular into privacy and cybersecurity rights and enforcement.

And, you know, I'll just editorialize, I'll say, you know, I think you and the team and California at large over several years have done quite a good job in this area, bringing technologists into the agency, having folks who are, you know, not just tech-fluent attorneys, but perhaps computer scientists or other, you know, sorts of deep technologists working on the staff.
And we're now seeing (we had a Lawfare podcast on this several months ago) other states basically looking to do more of this as well: hire technologists either to build tools internally, or to help with cases, or to do both. So all to say, how do you think building a system like DROP would've gone, or would it have been possible, without having those kinds of technologists and that expertise in-house?

And then can you talk in general about the delta between having a privacy and tech regulatory agency with, and then without, technologists on staff at large? And again, I'm not saying that, you know, a state without a computer scientist or something doesn't know how to do enforcement. But in terms of, you know, what does having that kind of background on the team enable?
Tom Kemp: Absolutely, having technologists on staff, from product managers to software developers, certainly helped a small agency like ours design and deliver a modern, user-friendly platform in DROP. We also partnered with the California Department of Technology to help build this, which I'm gonna refer to as CDT, which is the California Department of Technology.
CDT had built an identity gateway, which facilitates the ability for Californians to verify their residency. And so actually the front door of the DROP system is this identity gateway. So it was not only us partnering with CDT, our technical people partnering with CDT, to help build this, but we're actually leveraging some additional infrastructure that they provide to ensure that only Californians can use this service.
But more broadly, yeah, it's been very important for us to bring on technologists. So we have a couple of technologists, for example, in our enforcement division who are actually PhDs, and we're right now building out our audit division, and we've hired our chief privacy auditor, Sabrina Ross. Her first hires are technologists as well.
And so it is key and critical in a very complex data economy to be able to take a look at data flows, to be able to assess the whole process of consumers being able to exercise their privacy rights, not only from a web browser but from mobile devices, et cetera. And by bringing more technologists on staff, it increases the chance of us being able to, you know, determine if there have actually been either compliance issues and/or violations as well.
And it allows us to translate statutory requirements into, you know, actual audits, actual enforcement actions, et cetera, as opposed to us relying on vendors to interpret the law. Oftentimes, you know, we'll ask a business as part of an enforcement action to provide us information, and they'll come back, but we can actually vet and verify it ourselves, and it also gives us the flexibility to just go out and do our own research and see what's going on as well.
So yes, that has been a big focus of our agency, to bring in technical people, not only to help us build this DROP system, but to help facilitate, historically, our enforcement and now the audit function, which focuses on whether or not businesses are in compliance, as opposed to enforcement, which focuses on whether or not businesses are violating the law.
Justin Sherman: It's a good point that you have that spectrum of activity, as well as some of the risks it eliminates to not have to do procurement dependence on third parties and so forth. Are there any lessons in particular you want to share? You mentioned some in there, but any other lessons you might wanna share with other states in terms of how to best bring technologists into their agencies? And I'm thinking everything from actual recruitment all the way through to retention and, you know, talent development.
Tom Kemp: Yeah. What we're definitely finding is, because of the changes that have occurred at the federal level, both with the FTC and the CFPB, that there are a lot of very strong technologists that are on the market.
And that these entities and agencies at the federal level, at least in the past, you know, have done kind of comparable types of research as well. So, at the state level, there are certainly opportunities to have people that have done this type of auditing and enforcement research.

You know, furthermore, because of the job market, you know, with AI there isn't as strong demand for, you know, entry-level developers or PhDs in computer science. And so what we're finding is that there are some incredibly strong people that are graduating with PhDs in computer science that have done a lot of privacy research.
They're actually out there and available. And they would be perfect, you know, people for us as well. So to be candid, just, you know, having come from the private sector and always having PhDs on staff that are, you know, literally rocket scientists in some cases, you know, to do software development as well as software architecture and all that stuff.

Now that I'm in the public sector and part of a regulator, enforcer, I'm just amazed at the quality that's available out there. And so it's nice that as an agency we can actually verify, when we're going through enforcement actions, what businesses are telling us, 'cause we have just as smart people on the technology side on our side of the fence as they do as well. So I think that's great, you know, for us, and I certainly encourage it, and we've actually started to see other state regulators and agencies in the area of privacy calling us up and picking our brain about, you know, how we've gone about bringing technologists on staff.
I should also point out that one thing that I think we've taken a really big lead on is trying to work nicely and well with and collaborate with other states. And so we're kind of the driving force behind this concept which we call the Consortium of Privacy Regulators, and it's now grown to 10 states, including here in California, not only us, the Cal Privacy Agency, but the California Attorney General, who also, I should be very clear, has joint enforcement of the CCPA. And so actually in California there are dual enforcers.
With the other states, it's primarily their attorney general. The Consortium of Privacy Regulators is bipartisan. So we have both Democrats and Republicans, and that's a way that we share expertise and resources. We truly value this collaboration. And one area in which we've been collaborating is with our technologists, with their growing set of technologists that they're bringing on. And so that enables us to do, for example, enforcement sweeps with other states that are on technical topics.
Specifically, and I can't provide too much detail, but at a high level, we have a joint enforcement sweep with the attorneys general of California, Connecticut, and Colorado regarding the support of the Global Privacy Control, which is, just like the DROP system enables exercise of privacy rights at scale for third-party data, the GPC enables privacy at scale for do not sell or share. And so we are collectively working with these other attorneys general to do an investigatory sweep to determine, you know, compliance with GPC.
And again, that does take, you know, potentially technologists taking a look at, you know, whether or not signals are being received and whether or not businesses are really following through on the opt-outs that are being sent. And so that's a lot of hands-on technologists checking things out. And we're doing that in conjunction with other attorneys general in other states.
Justin Sherman: I was gonna say I'm sure you're getting these calls and having these conversations already. So, in the vein of new developments and new efforts, by the time this podcast airs, California will have debuted a new registry system for data brokers.

So you already gave us a rundown of the current, as of this taping, registry system. But what is this new registry and how does it differ from the list of third-party data brokers that California has historically published?
Tom Kemp: Yeah. There are a number of differences. You know, difference number one is that SB 361 asked for additional information from the data broker registries.
And so, as I alluded to before, you can now, and obviously the registry is accessible to anyone in the world, including academics, journalists, just everyday Americans, or anyone else. When this registry posts, which will happen March 26th, anyone will be able to quickly filter and see who are actually the data brokers that collect precise geolocation, sell to gen-AI developers, sell our data to foreign actors, who are the data brokers that share and sell our data to the federal government, et cetera.

And so these additional data points, you know, really kind of reflect some of the harms that legislators and consumers perceive are associated with the collection and sale of data in these areas. So that's very new in terms of the additional amount of information that's available to consumers to be able to filter, to get a better feel for it.
The second is the fact that, as I mentioned before, there's a larger number of data brokers that are out there, and we have internally focused on really trying to drive registrations. We put together a data broker strike force within our enforcement division to ensure that as many data brokers that should be registered are registered. So we have a greater number.

When I joined the agency a year ago last April, I think it was Privacy Rights Clearinghouse that wrote a report saying that there were approximately, you know, 450 data brokers registered. That actually has been a priority of the agency, to make sure there's, again, as many as possible registered. So we were able to build that number up at the end of the calendar year to over 540. Now we're at over 580.
And then the other nice thing is when you pair it with the DROP system. Inside the DROP system, even after you submit your request as a consumer, you'll be able to see, starting in August, which of the data brokers specifically deleted your information or said that there wasn't a match.

And the cool thing is, inside the DROP system, if you're a consumer and you believe, starting in August, that a data broker has reported back that they couldn't match your information, but you believe your information is still being displayed, still held by the actual data broker, and they ignored the request that was made, within the system you can actually file a complaint and we'll take a look at that.

Please don't file complaints now, because data brokers are not required to until August, and then they have 45 days afterwards to actually process and send the updates as well.
And then finally, the other thing that's happening with the DROP system and the data broker registry is that, also at the end of the month, we are making what we call a sandbox, or an API, available to the 580-plus data brokers so they can begin testing the whole process of doing the matching as well as submitting the updated statuses once they've processed the request as well.

So now's the time, kind of behind the scenes, that the data brokers should be actually, you know, going out and testing the system and making sure that they're ready as well. So there's a lot of stuff happening behind the scenes, but those are some of the things that have happened and are happening in the near term.
So it's not just about building the actual DROP system for consumers, the website, the single-click portal; it's ensuring that as many data brokers as possible are registered, it's about providing the transparency, it's providing the system that allows Californians to see the status and the data brokers to report back the statuses of the matches, et cetera.

So a lot of work happening right now. And I'm very proud of the amazing progress in terms of the record number of consumer signups as well as the record number of actual data brokers that have registered.
Justin Sherman: As I say all the time, people should not have to pay to effectuate their privacy rights. So that's all great.

This is a good place to start zooming back out and looking more forward. We've been talking a lot about data brokers, but as you mentioned at the outset, California's privacy laws provide a pretty wide range of action on a variety of different privacy issues that go beyond the sale of people's data.

So, you know, as you look ahead to 2026, or maybe even think about 2027, what are your top enforcement priorities? And for whatever you want to call out, can you say more about what motivates your thinking and California's focus on those subjects?
Tom Kemp: Absolutely. So we've clearly made it a
priority to bring a broad spectrum in enforcement actions across a broad
spectrum of industries.
And we've recently announced just the other week enforcement
actions against companies like Ford Motor Company. We previously did an
enforcement action against Honda. So we're talking about, for example, large automobile
manufacturers. We've also looked at retail companies like a company called Tractor
Supply Company, Todd Snyder. So at the retail level. And then we also you know,
had an enforcement action against a company that primarily targeted students.
So what we've focused very much on in this initial set of
enforcement actions is making sure that there is not friction being placed in
enabling consumers to be able to exercise their privacy rights.
And so the settlement agreements have not only included fines,
and we've had a couple of million dollar plus fines, but also to change
business practices and what we're trying to do is in these settlements that we
actually spell out how the businesses allegedly did not meet the
mark and did not allow consumers to effectuate their privacy rights.
And so we want to use these settlement agreements as, you know,
kind of clear messages that we're sending the broader community out there of,
you know, things that, that we really care about. And as I mentioned before,
people have actually had to change their business practices. For example, one
of the settlement agreements was that one of the entities actually had to hire
a UX designer and actually kind of fix the user interface that they have for
consumers to be able to exercise their privacy rights.
We've also done a number of enforcement actions against data
brokers, and part of the enforcement actions have actually had businesses agree
to, for example, a case of a company called Data Masters, which was a Texas
data broker that was buying and selling lists of people with Alzheimer's to
actually exit the California market. They agreed to do that as part of the
settlement.
We had another data broker that was advertising that they sell
scary information about people you know, which clearly made it clear that you
know that they were potentially looking for or promoting the idea that you
could maybe use this information to make people's lives miserable or dox them. And
as part of the settlement agreement, they actually decided to close down as
well.
So that's kind of the range of what we've been doing from an
enforcement perspective, in which we've fined companies or had them
change their business practices, either in more of a minor way or a more
significant way as well.
And so you'll continue to see our enforcement division dig deep
into how businesses are implementing California's rights. We also have put
forth a number of enforcement advisories. That also kind of telegraph kind of
areas of concern. The very first enforcement advisory we put forth involved
data minimization. We've also had enforcement advisory about dark patterns.
And then finally we've also announced some
joint investigation sweeps, as well as talking about our strike force when it
comes to data brokers. So I previously talked about the investigation sweep that
we're doing with the attorneys general of California, Colorado, and Connecticut
around GPC, but we're also involved in an enforcement sweep with over 30 data
protection and privacy authorities around the world in examining websites and
mobile apps commonly used by children.
So kind of the combination of the enforcement actions and the
great levels of detail in the settlement agreements that articulate what the
issues that we found, and also combine that with the enforcement advisory and
the investigation sweeps that we announced should give businesses a good feel
for things that are of interest to us that we really deeply care about.
And then the final thing I'll, or the final two things I'll say,
is because we have a very robust complaint system, we actually get over 150
complaints per week. And that number is growing from consumers, and a lot of
our enforcement actions have been based on actual consumer
complaints.
So Californians have a means and mechanism to complain of
what's going on with our agency. And then the final kind of data point that
I'll, I will provide is that we do have over a hundred open investigations
going on right now. So we've really ramped up the team.
And so I think what you'll see is, you know, some more
enforcement actions being announced. And at the same time, as I alluded to
before, we're not the sole enforcer here in California, the attorney general,
and they've been doing some great work as well. And we continue to collaborate
with them around enforcement. So you actually have two enforcers here
associated with the California Consumer Privacy Act to enforce the laws here in
California.
Justin Sherman: And as you said, that's not the case in
plenty of states where it's really the AG's office that is the enforcer. In our
last several minutes here, I wanna ask you about, you mentioned earlier the
question of certain data brokers selling to foreign actors—
And I want to ask you more about that but with technology use
cases and privacy issues at large, which is that we've seen a few other states
such as Texas or Florida file lawsuits against apps like TikTok or Temu or
others where the allegations in those matters focus not on privacy issues that
are agnostic to country or the recipient of the data, but on allegations
specifically around the fact that in those cases they're owned by a Chinese
entity.
And what's the risk in those cases that the Chinese government
could acquire the data? Is California thinking at all about those foreign
adversary nexus questions vis-à-vis your state privacy regime? Including, of
course, you have the tech capital of the country, if not the world, in
California. Is that lower down on the priority list and you know, how do you
see those kinds of debates in relation to and your other enforcement
activities?
Tom Kemp: I mean, clearly with the data broker registry
the legislature, you know, required us to ask data brokers, are you
selling to foreign actors? So clearly there has been, you know, some
legislation that, you know, had us basically take a look at this. And in
this case it's more of a transparency measure.
But I think in the end, the privacy protections we have in
place in California guard against the misuse of data, not only nationally but also
internationally. So yes, we can go after global entities because we regulate
the collection and use of Californians' data. You know, like you said, you
know, California obviously is an enormous state.
It's the fourth largest economy in the world. And so all the
obligations that are in our law around data minimization, honoring privacy
rights, security, personal information apply to all businesses. And these
businesses can be based outside our jurisdiction because again, the definition
of a business is not an entity that's domiciled here, but it's based
on the collection of Californians' personal information.
And so we can reach out there, and we have looked at, you
know, international companies as part of our investigations, and I'll just kind
of leave it at that. So, you know, it's not just a situation where a
business has to be, you know, headquartered here in California or based in the
U.S. We do look at, you know, global companies or entities that are overseas
that may be collecting significant amounts of California information as well.
So, yeah, that's, you know, obviously we're gonna follow
what the statute says, but the statute does give us the ability to look
globally, because at the end of the day it's Californians' information and
we're responsible for ensuring all businesses meet the obligations from a
privacy and security perspective.
Justin Sherman: Alright, last but certainly not least, I
wanna sort of continue with the looking forward framing. Are there one or two
tech industry trends or privacy practices that you, and you could be the agency
or you personally, Tom, but that you see as the biggest near term or over the
horizon risks to consumers?
Tom Kemp: Yeah I mean, we're definitely keeping
our eyes on tech industry trends, and I don't wanna suggest that we're looking
in some areas more than others. 'cause you know, clearly the landscape is broad
and our enforcement team is always looking into a wide range of ongoing issues
and upcoming trends.
But I can share one that is very broad. I think wearables
present a risk in that they collect so much sensitive personal information, and
some of the sensitive personal information goes beyond your daily jogging
route and includes consumer biometric and neural data. And I think that trend
of wearables collecting this information will only increase.
And so I think that's kind of a, you know, gives a good example
of kind of, you know, looking at, you know, IoT and these types of devices.
Again, it's not simply us being concerned about websites, you know, it's no
matter what type of system or application that collects a lot of sensitive
personal information.
We're very much interested in the other area where we actually
passed and got approved some robust regulations, as in the use of automated decision-making
technologies. And our regulations kick in on January 1st, 2027. That will give
consumers the ability to opt out based on the criteria of what the ADMT does as
it relates to making a critical decision without any human intervention, in a
number of key industries as well.
So consumers will have a right to know that ADMT is being used,
as well as a right to opt out, as well as a right to object to the usage if
they're so inclined. And so starting in 2027, you know, we'll start to look to
enforce, you know, more significantly the use of ADMT technologies as well. So
those kind of give a couple examples of kind of trends or areas of interest or
focus for us.
Justin Sherman: That's all the time we have, Tom, thanks
very much for joining us.
Tom Kemp: Oh, it's been great. Thanks Justin.
Justin Sherman: The Lawfare Podcast is produced
by the Lawfare Institute. If you want to support the show and listen
ad-free, you can become a Lawfare material supporter at
lawfaremedia.org/support. Supporters also get access to special events and
other bonus content we don't share anywhere else. Please rate and review us
wherever you get your podcasts.
Look out for our other podcasts, including Rational Security,
Allies, The Aftermath, and Escalation, our latest Lawfare
Presents podcast series about the war in Ukraine. Check out our written
work at lawfaremedia.org.
The podcast is edited by Jen Patja and our audio engineer this
episode was Goat Rodeo. Our theme song is from ALIBI Music.
As always, thank you for listening.
