How CalPrivacy Balances Enforcement, Transparency, and Innovation

Tom: [00:00:00] I think that's the key message. And I'm very conscious coming from the private sector to ensure that we can not only have privacy rights be operationalized for consumers, but it's also important for me to make sure that businesses can operationalize the law and regulations as well.

And, and we're constantly dealing with that balancing act, and I think we're doing a pretty good job.

Hello, my name is Arlo Gilbert. I'm the founder of osano, and today I'm your host on the Privacy Insider. Today's guest is Tom Kemp, executive Director of the [00:01:00] California Privacy Protection Agency. Tom brings a rare perspective to privacy regulation because he didn't start in government, he started in tech.

He's a serial founder and a former CEO who built and scaled enterprise cybersecurity companies and then made a deliberate shift into public service. Along the way, he became one of the most influential voices in modern privacy policy authoring containing big tech and helping shape landmark laws like the CPRA.

In this conversation, we talk about what changes when a builder steps into the role of regulator and what the tech industry still gets wrong about privacy today.

Arlo: Tom, welcome to the show.

Tom: What an introduction. thank you so much. great to be here and thanks for having me on.

Arlo: Well, Tom, so you are the head of Cal Privacy, the regulatory arm of the state of California that's responsible for enforcing all of the laws in the [00:02:00] state of California that relate to data privacy. those are some really big shoes that you must be standing in. I would love to understand a little bit about how you got there, because you didn't start out as a, as a civil servant and, I've been dying to understand the journey of how a business person suddenly finds themselves in this critical role in government.

Tom: Yeah, no, it's been a, a interesting, journey. And so I actually started, as an entrepreneur and my last company I was the founder and CEO of a cybersecurity company called Centrify. And we saw firsthand the massive data breaches that were happening with businesses. And my reaction is, oh my gosh, this, the size and scale of the amount of personal information that is being hacked and leaked out is, is incredible.

And we had reached a size, in our [00:03:00] business that when GDPR came out that we actually had to go through GDPR compliance. So I'm probably pretty unique. I'm probably one of the few regulators that actually have had to go through a compliance exercise myself. And so the combination of firsthand witnessing cybersecurity hacks going through.

GDPR compliance and, and kind of digging into this really sparked an interest in privacy for me. And when my company was acquired and I saw that there was a ballot proposition, prop 24 in 2020, which is the California Privacy Rights Act, that amended the CCPA, I said, I have to get involved. So I was one of a few volunteers working on this campaign, and this was really interesting.

This really represents the first time that privacy was put forth to the voters and it overwhelmingly passed. With 9.3 million votes. Now 9.3 million people is probably greater than 10, 15 [00:04:00] states populations combined. So this really shows that there's an interest in desire and privacy, and I basically was the chief marketing officer of that,political campaign.

And so that further motivated me to get involved in privacy. So I started doing policy advisory work, and worked in California. I advised State Senator Becker on SB 360 2, the California Delete Act, and then started talking with other states. And so when this opportunity came up. To run, the California Privacy Protection Agency, which is the independent agency that was created by Prop 24.

I jumped at it for a couple reasons. One, I completely believe in the mission, to enhance Californian's privacy rights and, ensure that businesses are meeting the obligations. So clearly it aligned with the, all the volunteer work and the policy work I did. I also felt that as a CEO. Of a company I, could manage and having, a lot of good [00:05:00] privacy and cybersecurity expertise through the years, I could add value there as well.

I also felt that I could understand that balance between innovation and putting guardrails. And then also I have some kind of pet things that I really care about, one of which is really making privacy easier for consumers. And I felt that this could be a good platform to help facilitate. So it was really great timing and so pleased to be able to work, here in California in this role, working with a lot of great people in, in the agency itself.

Arlo: I mean, making that jump from, so, you know, you had a kind of a transition from private industry into civil service. what has that experience been like for you just personally, you know, having a, now sitting in a government seat instead of sitting in the, the, the private citizen seat.

is it exciting? Is it, is it a lot of work? I think everybody would love to just know a little bit about what is it

Tom: Well, having been in Silicon Valley for 30 years and I [00:06:00] started my career at Oracle, then started doing startups, and I, co-founded a company that actually went public. And then the last one. Was acquired at Centrify, was acquired by a private equity firm. So I've experienced multiple exits and, as CEO raised over $90 million from venture capitalists, in my, last role.

So I fully understand what it's like to be in the tech industry to, sign the front of the check as, as opposed to the back of the check, worry about payroll, and build an organization over 500 people that you're directly responsible for, as well. And the one thing is, is that, you know, coming from Silicon Valley, you just assume that everyone in Silicon Valley are the smartest people in the room.

And what I found is at, at least at Cal Privacy, that we have super smart people that really care about the mission. Now in the private sector, oftentimes the mission is, can I. You know, work at a [00:07:00] company that can go public, you know, or, or get acquired. and a lot of the motivation, I'm not saying all, but a good chunk of it is can I build something that's su sustainable, that can have escape velocity, that can meet that product market fit, and then be able to have a great exit?

especially to Ford living in Silicon Valley. The mission here, at least at Cal Privacy is to serve the people of California. So people are equally mission driven. here at this agency it's just a different mission and, you can do things and, you know, big things in the, the private sector, but oftentimes, you know, the kind of the things that you do may be limited.

To, you know, hundreds of customers, especially if you're in the B2B space. But here at Cal Privacy, the impact, that you can have is with 40 million Californians. so I think that, you know, it's a different pace in government. it's a different, mission, and there's different motivations, more public service oriented, but the [00:08:00] impact that you can have, as it relates to, policy can be very significant.

So it's kind of like, Hemingway set about bankruptcy and the sun also rises. It's, with government it can be gradually, gradually, then all of a sudden suddenly, and then you can do big things, you know, based on, you know, what the legislature, what the voters did. In California, we've been doing big things.

We were the first state to come out with the data breach notification law. We were the first state to come out with a comprehensive privacy law. we were the first state to come out with this accessible deletion mechanism for data brokers. So that's the cool stuff in terms of being able to have significant impact, not only in California, but influence the, the rest of the United States or world when it comes to tech policy.

So that, that was the appeal. but obviously I love my time in the,private sector, and, public sector. Just been a, it's, it's been great.

Arlo: I gotta Tell you, you know, hearing you talk about this, I can just see you beaming and, you know, your passion about this subject matter is really [00:09:00] palpable. I think the people of California are very fortunate to have somebody in that seat who understands both sides of it really well. When you talked about the contributions, you made, prior to joining Cal Privacy, you had done some work on, on some of the regulatory, work in California.

How much of that was informed by what we were seeing across the pond and with GDPR? was that, was that used as some, some good design principles? were there any pieces in there where you kind of scratched your head and said, there's no way we're gonna get this through in the United States? as much as you feel comfortable sharing about that, I'm curious.

Tom: Well, I was still CEOO of, Centrify in 2018 when the CCPA passed. and and that was very much informed by what's going on with the GDPR, but obviously, you know, we have a different constitutional framework. and so, you know, Europe is opt in, we're more of an optout, because of, based on constitution, [00:10:00] Supreme Court rulings, things of that nature as well.

and then my involvement really came in 2020, where I worked on the campaign. I, I didn't write the, the, CPRA, the California Privacy Rights Act, that amended, but I was. Kind of tasked in this campaign with articulating why you needed to come out with something just two years after the CCPA was passed and also did have the opportunity to significant amount of comparison and contrasting to articulate where the CCPA was still behind the GDPR.

Like there wasn't in C-C-P-A-A right of correction, for example. And obviously in Europe you have data protection authorities and there was no independent agency. And so, so definitely learn the differences. And clearly CPRA was there to kind of further bridge the gap that did exist between, GDPR and the CCPA.

But the [00:11:00] key thing was, was that not only creating an independent agency, but not allowing privacy to be chipped away. 'cause what happened in 2019 was that industry started, you know, kind of whacking away at the CCPA and, and it was becoming quite clear that privacy was gonna become reduced based on special interest, trying to say, oh, can you, you know, water this down, water that down.

And the motivation for the CPRA was to set a higher floor, with the legislation. And in effect, it really made the CCPA, a large building block. And what we've been seeing over the last few years is that legislators. Here in California have been very comfortable of adding little tiny Lego pieces on top of the CCPA and being able to do it in an agile mechanism, kind of like agile software development as opposed to more of a waterfall.

[00:12:00] Mechanism where you can rapidly innovate. And so that's why, for example, just like two years ago, that, neural data was added to the definition of sensitive personal information. And so you can come up with these smaller bills or bigger bill bills, like the delete act that build upon the CCPA. And so what we see here in California is rapid policy innovation because we've set a high floor for privacy here in, in California through the ballot proposition.

Again, 9.3 million voters voted for this. There is a huge hunger. To have more privacy in the face of the rapid technological innovation and the data economy, that's driving, our, our economy forward. And one thing I will point out is even after we pass the CCPA and people say, oh, that's gonna, you know, hurt innovation, California has actually moved from the fifth largest economy in the world to the fourth largest economy.

So you can balance [00:13:00] innovation with privacy. I think that's the key message. And I'm very conscious coming from the private sector to ensure that we can not only have privacy rights be operationalized for consumers, but it's also important for me to make sure that businesses can operationalize the law and regulations as well.

And, and we're constantly dealing with that balancing act, and I think we're doing a pretty good job.

Arlo: Agreed. and I do remember when, CCPA came out, when CPRA came out, those were. You know, at the time, the media and, and many businesses decried it as, this is the end, it's all over, we're gonna be done for, and yet here we are, everything's still going along except businesses are being a little bit better about taking care of the data that they're, they're holding for California citizens.

So, kudos, whatever you're doing over there seems to be working. so tell us about Cal Privacy. I mean, Cal Privacy is a, you know, could be a, I think of [00:14:00] Cal and I think of Berkeley. so, so what is Cal privacy? It, it's an agency. And, and what is the mandate and, and, and what do you do at Cal Privacy?

Tom: yeah, absolutely. So, we were created by the voters and we are the enforcers and regulators of the California Consumer Privacy Act or CCPA. And, we're an independent agency and we're governed by five board members, two of which are appointed by the governor, one by the attorney general, one by the, speaker pro tem, and one by the,se Senate Pro tem, excuse me.

And one by the speaker, of the assembly. And they appoint an executive director to run the day-to-day operations. And for certain matters, we have quarterly board meetings in which the, the board votes on like enforcement actions, approves regulations, you know, helps set the overall strategy. and I was [00:15:00] appointed by the board of directors in this role.

So one thing I wanna point out is we're independent. And, I'm not a, appointee by, the governor, of the state of California. So I'm not a political appointee. and in terms of our responsibility specific to the CCPA, it's regulations, to provide clarification. and so we've come out with various regulatory packages through the years, and most recently we came out with a very comprehensive set of regulations regarding automated decision making, risk assessments and cybersecurity audits.

We do enforcement, and I should point out, it's a dual enforcement here in California. The, California Attorney General, which I'll call the DOJ. So if you hear me reference DOJ, it's, Rob Ante's organization. The Attorney General. They can also do enforcement. and we do collaborate with, with each other.

and that that's typical of most. You know, regulations and enforcement, that's typical of most other privacy laws in terms of, [00:16:00] you know, being done by like an attorney general in a different state. But there's two other unique things that we do. They kind of go beyond other, privacy regulators and enforcers that, we can do and we do do public affairs.

And so it's very important for us to raise privacy literacy here in California and evangelize what rights are and communicate to businesses what their obligations under the law are. So we do have a big, public affairs effort here. And then the fourth area is policy and legislation. And we actually, can support and sponsor legislation.

It does need to be approved by our independent board. So we in the past have actually sponsored legislation like last year, the California Opt Me Out Act that requires browsers to put a toggle or switch to support the global privacy control. What we call here in California is the opt out preference signal, or oops.

and then furthermore, we are required as, part [00:17:00] of our policy and legislation team to work with not only state legislators here in California and other, governmental bodies, but also across jurisdictions. And so we do spend a lot of time, we, key, policymakers in other states or at the international level.

And the vision behind that was, is that if we further evangelize privacy rights across other jurisdictions and, that will provide harmonization of our laws with other laws that are out there, will make it easier for consumers and businesses, but it will further cement our privacy rights as well. So those are the four areas by the CPRA, the California Privacy Rights Act that amended.

With Prop 24 C, the CCPA. And then we, the legislature gave us a fifth area, which is through SB 360 2. That was passed in 2023. that was the bill that I worked with Senator Becker on, advised him, and then it was signed by [00:18:00] Newsom and that moved the data broker registry from the Attorney General, the DOJ here in California to the agency Cal Privacy, and required us to build the accessible deletion mechanism.

And so we're responsible for this, drop system, the delete request and opt up platform. So those are the big five, areas of, of what we focus on, and that's how we've come into being through the voters. And that's how we're, we're structured organizationally.

Arlo: It's funny, the, the parallels between between a startup and Cal privacy just kind of keep popping up. You know, you've got this, this public affairs need, right? That just translates directly into the marketing that a company has to do. We have to make awareness, we have to teach people about their rights.

And we did see that with GDPR. you know, GDPR started and it was pretty quiet until people became aware of their rights. And then we started seeing a flurry of activity. So when you think about the, the types of enforcement and your general [00:19:00] approach to enforcement, a lot of businesses and practitioners are understandably quite nervous about privacy enforcement.

It's, it's a scary area because there's a lot of gray area around what privacy means. so I'm really curious, you know, we often don't get an opportunity to, to kind of peek behind the curtain with a, regulator. how would you describe Cal Privacy's enforcement philosophy?

Tom: Yeah, no, we have an incredibly talented enforcement team that has a number of tactics that I, I can't share with you, but I can say that over the past year, the division has brought forth enforcement actions across a wide spectrum of industries and business practices. So we don't limit ourselves to a specific sector.

We determine where privacy protection is most needed in our communities, and then act upon that as well. And these, enforcement actions have resulted in [00:20:00] fines for violations. But we've also, want to make sure that, businesses that have been violating the law actually change their business practices.

And so we've seen examples in which. we required a company to hire a UX designer to make sure that their interface with consumers was better. We've had a situation with a data broker that, based on failure to register, that they actually decided and we agreed that they should shut down, altogether.

And then most recently there was a data broker that was selling list of medical conditions. and based on the enforcement action, they agreed to exit the California market. So it's a combination of not only fines for violations, but also, on occasion we will actually require changes to business practices.

Now. one thing that is very important is that we try to be [00:21:00] very transparent. We try to telegraph and signal things that we care about and here's how we go about it. So, first and foremost, we come out with enforcement advisories. So, for example, we came out with an enforcement advisory really early on about, data minimization.

We've talked about, dark patterns, we've talked about, the registration of data brokers as it relates to their, their subsidiaries and brands, et cetera. So we try to be very clear, like if you see an enforcement advisory from us, that is something we care about. The second thing that we try to do to, to be very, Transparent with the, business community is that we will announce enforcement, sweep or joint investigations. And so for example, we have come out with a joint investigatory sweep with the Attorney General of California, with the Attorney General of Colorado and Connecticut regarding support for the global privacy [00:22:00] control.

So that can telegraph to people that this is something that we care about. And then finally, in the actual enforcement actions, we try very hard to document where a given business has not met the obligations that are required of them under the CCPA. And so we spell out the allegations against these entities and we try to make it so that.

Other businesses can learn from it. So I think it's the combination of advisories, investigatory sweeps, the announcement of those as well as, past, enforcement actions should give a real clear vision in terms of what things that we care about, at least in the near, you know, in the, in the current,climate that we have right here from a privacy perspective.

So that's kind of an overview in terms of, you know, how we go about things and how we try to be transparent

with the business community.

Arlo: amazing. I feel [00:23:00] smarter already. so when does Cal privacy en enforce enforcement regulators? These are scary words to businesses, right? I think we all, as business people often associate that with, you know, the 1920s, you know, rating the liquor, the liquor sales places and knocking down the doors, you know, or the, or the SEC coming in and banning you from an industry.

But in privacy, that's not really exactly how it works. When does Cal Privacy decide whether they want to work with businesses to try to help them to remediate and, and mitigate problems versus when our like immediate penalties,on the table for noncompliance?

Tom: Uh, again, I think there's a couple things. first, as I said before, we try to be transparent in terms of things that we care about from an enforcement perspective with the past,actions, advisories, investigatory sweeps. Furthermore, one thing [00:24:00] that we're embarking on is we're gonna do a really good job of educating businesses on the new set of regulations.

So throughout this calendar year. Expect us to present and provide more, color commentary on automated decision making, risk assessment, cybersecurity, et cetera. And so we want to make sure that not only are we telling people about the, enforcement, kind of vision and things that we care about, but we also wanna make sure that people are educated on what their obligations under newer,statute or newer regulations as well.

Now, as it relates to kind of the more specifics, you know, obviously a lot of these things are kind of facts specific, so I don't wanna make a blanket statement, as it relates to any business out there. But what I can say that if our enforcement team reaches out to a business. It is really, I important to work with our team [00:25:00] right here.

And so we certainly encourage collaboration, communication, and candor, right? We urge businesses to be forthcoming with the facts. We think that credibility and disclosure are key. And we also realize and recognize that we all, that we oftentimes start with without the full set of facts. Our goal is to be thorough and fair as it relates to, any reach outs that we do here.

And lack of responsiveness and poor communication are not productive for, for any entities. and you know, and we fully understand when you hear from a regulator and then disclosing information to a regulator can bring anxiety, but the best approach is to own the facts. Build credibility and work constructively with us.

So those are kind of my, my guidance. I, again, I can't just talk about specifics right there because, it, it's hard for me to do given, [00:26:00] you know, the, the, the wide range of industries of businesses, et cetera. But hopefully through podcasts such as yours. And I again appreciate you, you having me on to be able to talk about this as well as looking what we've published should really provide, you know, some great guidance for what's the best way to, you know, interact

with us. and I will, say that I think that, the level of transparency that you are providing at Cal privacy is significantly greater than we have seen many other privacy regulators, put the efforts into. I know in our own community of data privacy software, some places when there's a new regulation, everybody's kind of scratching their head, they're, how, how do we interpret this?

Arlo: What does it mean? There's a lot of ways we could read this law. And it, it's really fantastic that you're providing that advisory and businesses would be very well served to pay attention to those things. So, kudos, [00:27:00] to everybody at Cal Privacy for taking that approach. So you're the only regulatory agency for privacy in the us.

But other state's attorneys generals are starting to, to crank up privacy enforcement. And you talked a little bit about collaboration on, for example, the GPC signaling, but just even building that bridge, across state lines, is quite an achievement. I, I'm really interested to understand how you guys collaborate with those other states.

Tom: Absolutely. Look, as I mentioned before, we wanna make sure that, you know, we, we are harmonized with other states to make it easier for businesses and consumers. Furthermore, we know we don't have a monopoly on the best way of going about regulations enforcement. and so we do wanna collaborate with our sister agencies in other states.

And so I'm very proud of the fact that we were really kind of the lead driver behind [00:28:00] this entity called the Consortium of Privacy Regulators. And that's 10 or 11 State Attorney Generals. Sorry, I forget the exact number right there. And us Cal Privacy. And it, basically is focused on collaborating and discussing and sharing best practices and tips as it relates to the implementation enforcement of privacy laws across the country with a shared goal of protecting consumers.

And one thing is, is that people will sometimes say, oh, there's a patchwork of privacy laws. It's so difficult, blah, blah, blah, blah, blah. Right? But it turns out that. Basically all the privacy laws have the same bones, the same fundamental rights. There may be some slight variations out there, but given the, the relative commonalities, it just makes sense for us to collaborate.

And one thing that Michael Macau, our director of enforcement does bring up is that he says that he hasn't seen an [00:29:00] example of an enforcement action that's happened in one state that wouldn't actually be taking up in another state. and by the way, that we also ha, it's a, it's not just blue states.

There's red state participants, in this. And we welcome all. State, you know, attorney generals to join because it's, good to collaborate and it's led to some joint investigatory sweeps, like what we've talked about with the GPC, with Colorado, Connecticut and California. and then furthermore, we're not stopping there.

We do fundamentally believe that building partnerships on an international level. we'll also further increase privacy protections, for California. So we are a member of the Global Privacy Assembly. We're a member of the apac, privacy group, with other, countries. we have, memorandum of understandings with, the ICO and the UK Canal and France, south Korean, privacy agency.

So, it is important because, you know, we certainly, [00:30:00] it's, we don't have a not invented here, mindset. If we can learn about best ways to go about doing certain things, and making sure that we can provide harmonization and consistency, I think that's a, a big win for consumers and businesses.

Arlo: Something you said really stuck out to me. You talked about how although these laws may be significantly different and there may be nuances in enforcement timelines, penalties, specific violations, they do share a common set of bones. And, you know, internally we've always talked about this concept of the, the kindergarten rules of data privacy.

Right? Which are we, I think we, we always talk about, don't take something that belongs to somebody else, Billy. And if you have something that belongs to somebody else, Billy, and they want it back, give it back to 'em. And, and if they wanna know where you're keeping it, be honest. You know, these, these feel like really fundamental principles of a civilized society, less so than burdensome [00:31:00] regulations.

And I think that the. The faster that businesses can realize that regulators are simply out there trying to make sure that we're all following the golden rules and, and the basic set of principles about how to respect each other the less scary it gets.

Tom: yeah, I, I actually, I wanna comment on that. Thank you. I mean, if you look at the enforcement actions, that, you know, like one enforcement action was, Californians were, asking to opt out, just like, don't sell or share my information. And then the business was asking for their driver's license and other personal identifi identification.

So they were asking for more, you know, than maybe what the consumer initially provided, which was an email address. So, so I think that we haven't had a situation at least yet where people said, oh my gosh, you know, they're dinging these companies or these, you know, ticky tack falls. Right? I most people think that, like, that was a clear charge.

Right. You know, using a basketball analogy, [00:32:00] right there. and so yeah, so we're, we're trying to be reasonable here, but People, California and other states have a core set of privacy rights, and so we've been very much focused in our initial set of enforcement action is to enable people to exercise their rights and trying to make sure that people either purposely or inadvertently, you know, are not putting up hurdles and, and roadblocks to enable people to, please don't sell my share or my information,

for example.

Arlo: well on the topic of enforcement of privacy rights and being able to enable citizens to be able to exercise their rights easily. California has recently done some pretty groundbreaking work with your DROP program, and that stands for delete request and opt out platform. Would you tell us a little bit about this?

This feels like you're, you're bringing your software roots into the, into the government here.

Tom: Well, yeah, this is a, great example of a [00:33:00] lot of different things. so first and foremost, it's a great example of how the CCPA is a big Lego piece and the ability for the legislature to plop a new piece on. and so the, this drop system is the accessible deletion mechanism that was called for by SB 360 2 that was passed in 2023 in California.

So that's an example of being able to embrace and extend, an existing privacy law through the legislature. it's another great example of the desire. And this is something that I personally really care about, is to enable privacy rights at scale. So, you know, it's interesting that people oftentimes talk about the privacy paradox and the privacy paradox at a high level is, is that.

People will say that, oh, well, yeah, consumers, they, they talk a good game about, you know, wanting to protect their personal information, not disclose information, but they just go ahead and [00:34:00] just give it away anyway. So, and kind of like the kind of hypocrites and all that stuff. Right? I mean, you could argue that, well, unfortunately, the way that the modern economy and to access key services, you have to do that.

There's no alternatives not to having. Certain types of applications from the large gateway providers or gatekeeper providers. But I think also the bigger issue is, is that it's so difficult to exercise privacy rights at scale, as proce professors Saev says is that, you know, what people are in is a set of never ending chores.

and at some point people say, this is just too difficult. And so they, but even though they vote, 9.3 million people vote for Prop 24, it's just not easy for them to exercise their privacy rights, especially at scale, given the number of websites, mobile apps that are out there. And so what we're trying to do here at Cal Privacy is to make [00:35:00] privacy easy.

And one way to do that is in the context of data brokers and through the delete act. Is that if you look at the current way, that consumers would have to go about trying to delete their data from data brokers who are entities that they don't have a direct relationship with, where in effect their data is the product.

consumers don't buy products from data brokers. Their data is the product being sold to other entities that they don't even know about is that if they try to go out and say, please opt me out and or delete me. They would have to go to hundreds of data brokers spend 20 to 30 minutes each in making these requests, and then they would have to rinse and repeat it, you know, six months down the road as the data brokers repopulate.

So what the drop system is, is basically a single click mechanism. To communicate to data brokers that are registered with the state of California, please delete my information. And so we went live with the system on January 1st of this year. I'm [00:36:00] incredibly pleased with the, overall outpouring of interest.

And so you'll be the first to know and your listeners to know that we're now over 217,000 people. In basically 35 days that have registered for the site. So you can divide 217 by three 15. That kind of gives you a feel for how many are doing this on a daily basis. And what they do is they go to this website, they verify that they're California residents, so sorry, people in other states, please talk to your lawmakers to, to get this.

And the website is privacy.ca.gov/drop. They verify their residency, they put some basic information in, like their date of birth, their zip code, email address, phone number. Those later two have to be validated with multifactor authentication. and then they hit the submit button and that data is immediately stored in a secure manner.

It's hashed. And then starting in August of this year [00:37:00] that the data brokers that are registered with the state will have to come back into the system. and grab the list, of the various data. All again, stored in a, a secure manner. And then they have to take their data, like their email addresses, they have in their databases, they have to store it in a hashed format, and then they match.

If they can't match, they don't know who the consumer is, right? But if there is a match, then they have to delete and then they have to submit the status of the deletions back to our system. So it's a closed loop system and it basically take what would take consumers 10, 20 days in a year to do, they're able to do in, in a span of five minutes.

So it's, it's revolutionary in terms of giving a single click mechanism, to enable Californians to take control of their personal information.

Arlo: You're spot on about the complexity of trying to opt out of many different systems, especially the ones that you didn't even know you had opted [00:38:00] into. you know, I love analogies, but we always think about, data is a little bit like a sneeze. Like once it gets out, it's pretty hard to get it back in.

and, you know, again, kudos for, for putting together the first, the first of your kind, platform here to accomplish these goals. And congratulations on all the growth. That is quite impressive. And I'm, I'm curious approximately how many data brokers are in the system?

Tom: Yeah. so as of the end of last year, there were 545 data brokers that registered. we haven't officially announced the numbers, and we'll make the new revised data broker registry. Available, at the end of February or March. But I can tell you based on the registration period that we have gone over the 545, so your, your listeners are not only getting the 217,000 number, but the new data point is, is that we have exceeded the [00:39:00] 545, we'll obviously officially publish it, once we, you know, clean the data and make it pretty and be able to publish the registry, on our website.

But there will be a higher number, of registrations than there were, last year, which is incredibly powerful again, because it's a means and mechanism to basically tell these entities, please delete my information if, if they have that information. But if they don't have the information, then it's also an opt-out, you know, mechanism as well.

So it's, it's really great. technology, as you said, it's the first of its kind. Incredibly pleased, about the interest from other states, wanting to replicate this. And I will, if any policy makers are listening, which they probably are to your great podcast here, that California Privacy Protection Agency, we're open for business to having any form of communication, as well as discussions regarding, best practices for building this or even [00:40:00] discussing sharing technology,with other states and other, you know, like entities to, enable that for their citizens as well.

'cause again, we fundamentally believe that, having other states adopt comparable. Tools like ours or privacy laws actually further cements our privacy rights here in California. So we're super excited to share drop, with others, but I will state that if you're in another state, you please don't go to privacy.ca.gov 'cause the residency verification will say no.

and, it, it's not allowed for for people to try to, game the system, that way,

Arlo: so your best bet if you're not in California is go find the broker whose information, who have your information, and, and utilize their direct opt-out mechanism and hope that your state government decides to adopt something as progressive.

Tom: or,

or you can move to California. We, we, we welcome you as well. So that's the other alternative. actually we, California, over the [00:41:00] last year or two, we've been having a net increase in population as well. So maybe that will, this drop system will further accelerate. I don't know. So, but we'll see.

Arlo: I love it. just so we can clarify for our audience, what is a data broker is a data broker. My local restaurant that has a, a fishbowl with a bunch of business cards in it is a data broker. Just Facebook, I mean, what, what is a data broker?

Tom: well, the, the good news is because, the Delete Act is a plugin piece on top of the CCPA. We share the same, many of the same definitions. So the first of which is, you have to be a, a business. under California, consumer Privacy Act. And so a business is a, a, a for-profit that does business in California.

and meets one of three thresholds, which includes the threshold could be greater than, 20. I think the current number is like 26 million. I don't quote me on that. It's on our website. 'cause there, it used to be 25, but [00:42:00] there's a always that adjustment going up. and then, or a data volume threshold, in terms of buying, selling, or sharing a hundred thousand or more consumer, households, personal information.

or they derive 50% or more of annual revenue from selling personal information as well. So typically what we've seen is a restaurant doesn't meet the requirements. A small mom and pop restaurant. Obviously if it was a big chain restaurant, and it's in the business of, you know, the selling, sharing, data, it, it may fall under it.

And then furthermore, the, definition of data broker is an entity that does not have a direct relationship with a consumer, and then turns around and, not only collects, but sells, the personal information of those consumers to, to other businesses as well. So typically a restaurant. We'll have a direct relationship with the, the, the people that come in.

you know, [00:43:00] and probably by getting the business card, there's a consent that that happens right there. so obviously if you kind of have what's typically known as a first party relationship that, that, that doesn't cover. However, we did further clarify the concept of direct relationship in the, drop regulations that went in effect January 1st.

And so if you are a business that even though you may have a direct relationship with a consumer, but then you go out and you buy a bunch of third party data, and then you turn around and sell your first and third party data. To other entities, you're kind of acting as a data bro. You not kind of, you are acting as a data broker and so therefore you would have to register as well.

So my suggestion is clearly look at the statute and also look at the regulations, to verify. So I, people sometimes say, oh, is this company a data broker? Brokers that company? And it's all fact specific. I mean, you, you would have to, obviously [00:44:00] internal privacy folks or coun outside counsel for that business should make that determination.

and I highly recommend if you are a business that is or act as this data broker last year, you need, you should register with, with the agency. So, but yeah, so that's, that's kind of my overall, just, you know, look at the, look at the statute and take into account that we do reference definitions that are in the CCPA.

Arlo: Yeah, and you know, it, it certainly sounds to me, and these are my words, that if you're a data broker, you probably know you're a data broker. it's not, it's not a business you accidentally get into, for the most part, but that's coming from me, that is not coming from top.

Tom: Well, lemme give it, actually, I'm gonna give you a ver actually, I will give a concrete example. General Motors has registered as a data broker 'cause they have elements of their business that acts as a data broker. Clearly, general Motors has direct relationships with consumers, their, their car buyers, but they have registered as [00:45:00] a, data broker based on either a subsidiary or certain brands or certain practices that they have.

I, I don't know the details, but I think that's a great example of like, why is General Motors registered? Well, it's because they are hacking as a data broker. And so I think, again. This is something that, people should be very conscious and cognizant of ensuring that if they are acting under California Law and Regulation as a data broker, they register.

Because what happens is that when the deletion need to kick in and you are violating the law and not doing the deletions, the fines are $200 per violation per day. Now, as I said before, we have 217,000 in 35, 36 days that have already registered. So come August, I don't know what the numbers are gonna be, but why don't we just guesstimate?

It's a half a [00:46:00] million, right? And say that maybe a hundred thousand of the, the half a million are in your, in a business's database, right? And you're not either. correctly processing the request, or you said, oh, I'm not gonna even register. Hey, you're gonna be on the hook for a hundred thousand dollars times, 200 times every day.

So the fines are going to be very, large. And so again, that is the, you know, I'm being nice in this call and, and kind of, you know, walking you through, that's the carrot. but the stick is, come very soon that the fines can be very significant and the fact that you didn't register doesn't mean you're still not on the hook for the deletions as well.

So I highly encourage, even though the deadline's January 31st to that, if you haven't done it by the time you listen to this, please do. And, and you [00:47:00] know, if you meet the,definition of what we have in the statute.

Arlo: Excellent advice. Talk to your legal counsel, figure out whether you might be classified as a data broker in California, and if you are, go register quickly. so you've done a huge amount. You've got drop you've, you've got a lot of different interesting enforcement actions. What's next for privacy in California?

And you guys are one of the most active in terms of privacy and privacy adjacent regulations. What's on the horizon? Well, what should businesses and consumers be thinking about that? be aware of.

Tom: Yeah, absolutely. So, we have gone through the regulatory process. We did come out with these,regulation packages for A DMT, risk assessment and cybersecurity. There's four new areas, that we wanna, come out with. They are in regulations regarding employee data. There was an exception up until 2023.

That's, that's over. So we wanna provide more clarity there. for the opt out preference signal, we wanna provide additional [00:48:00] clarity from a regulatory perspective. We also want to see if we can streamline, privacy notices and disclosures. and then there's areas where we wanna reduce friction as it relates to the exercising of privacy rights.

That could include the usage of authorized agents as well. So what we're gonna do is, and we'll talk about this in our board meeting at the end of February, we're gonna, at the end of February at the board meeting, we're gonna talk, we're gonna communicate kind of a roadmap for, you know how we're gonna get public feedback, on these areas.

So if you're a business, when we, if you wanna weigh in about how we can, do good regulations in these areas or streamline, we're all ears. and then the second thing that's on the docket for the agency is that, as I mentioned before, we can sponsor and support legislation. And we actually, have sponsored, it's been announced, that, there's gonna be a new bill in California called the Expanding Privacy Rights Act.

that also is actually, the [00:49:00] author is Senator Becker, who did the Delete Act. and that is going to, IM, clarify and improve the, the right to delete currently California. deletion right is data collected from a consumer. and we know that oftentimes,businesses will supplement the data collected from a consumer with third party data, but the consumer expectation is if they do a right to delete, they want everything deleted.

Right? And then furthermore, there's some issues with, consumers exercising their privacy rights. and so we're trying to have it more of a standardized form that, that, Californians can use to facilitate the exercise of privacy rights. So what's on? Tap is, potentially new regulations. We definitely want public feedback on this and we appreciate it.

We're gonna look at some new legislation. That was one example. There could be another piece of legislation that we're intimately involved with. And then the third thing is, is that we're going to go out, as I mentioned before, and evangelize and talk about, with businesses what, [00:50:00] what their obligations are under the regulations that we passed, last year.

So we wanna raise awareness and literacy with the bi privacy community about what the requirements are for A DMT, for risk assessment, for cybersecurity audits. And then the fourth thing is, is that, of course, the drop system we talked about, we want more Californians using it. And at the same time, come August, we wanna make sure that data brokers are successful in implementing and doing the proper deletion.

So a lot of things on the plate right now, we're super excited, but the end goal. One of our strategic goals as an agency is we want to expand privacy rights. and then of course, we talked about the enforcement. We're gonna continue down the enforcement path as well.

Arlo: that's a very ambitious roadmap. So for the moment you guys are in California, I shouldn't say you guys for the moment, as a Texan, I love the word y'all, y'all have been really leading the nation, in terms of, of regulations and we've seen attempts at federal [00:51:00] privacy regulations. are you seeing any developments around federal laws?

Tom: Yeah, I mean clearly there's been activity in the years past, for a comprehensive privacy law. and then, you know, clearly when it comes to kids online safety, when it comes to artificial intelligence, there, there is a Venn diagram overlap with, with privacy. so we have seen some recent proposals at the federal level as it relates to ai, which even include moratoriums on anyone passing in any laws, or preempting state laws as well.

Um, I will say the following, and. The agency, even pre this is the, it's, we've been consistent on this, and this predates, my tenure, which has basically been the last year, is that we do support, Cal Privacy does support a federal law that provides a baseline of privacy protections for all Americans.

So we, we, we think it's good to have a federal privacy law. [00:52:00] Our core issue that we've had with some of the past proposals is that it sets a ceiling and it doesn't allow states to go further with their own privacy laws. And so we support a privacy law that creates a floor for privacy protections, not a ceiling.

And, and why is that? why do we think that's important? We think it's important because, Technology is moving very fast and states have shown that they can be nimble in addressing new privacy harms affecting consumers. And what we've found, and so states have been more agile using that software development while what we've seen from the federal levels more of a waterfall with the development cycle being 25, 30 years.

Right. And so we do not, like in Jurassic Park, we don't want that insect stuck in amber and not being able, you know, and stuck there for, you know, centuries as well. so [00:53:00] that's one big reason, that we, fundamentally believe that states can be the. Laboratories of democracy as Justice Brandeis, talked about, and you've seen that innovation happening here in California.

We were the first state to have a data breach notification law. We are the first state to have a comprehensive privacy law. We were one of the first states to add neural data as a sensitive personal information. We're the first state to have this,data broker. you know, law that, that provides a accessible deletion mechanism.

The other concern is, is that what we've seen from past federal proposals is that people would lose rights. and so in the past proposals they didn't have something like drop, that would be shameful, for that to happen. and then, you know, the reality is about this argument about the patchwork is that if you look at most other laws involving privacy, they have allowed.

states to innovate. And typically what happens is that only one or two states have actually gone beyond [00:54:00] the, bar that was set by the floor right there. So I think it's kind of overblown the issues that people have brought forth about the patchwork and the cost associated with that, when in reality the majority of states won't go over the, the floor that will be set, but there will be states like California that should innovate to better protect their consumers.

So that's kind of our position right there, and we'll see what happens and we'll continue to evangelize and articulate, our position on this.

Arlo: And from the outside looking in, I mean, there's a little bit of. You know, you're very humble about, you know, well, we're just, we're just, you know, it's just California. But we've seen in the past that, you know, state regulations can have significant national impact. if you remember the, the mattress tags, that everybody has on their mattresses, right?

That was a California law, and the mattress makers all went, yeah, it's not worth our time to make mattresses for California, and then different mattresses for everybody else. It's easier [00:55:00] for us to just go ahead and, and meet the bar that was set in one state and kind of be done with it and not have to try and work against a patchwork.

So, in some ways, these state regulations can often drive good behavior in places where they may not even be necessarily obligated to abide by your regulations simply because it's. It's gonna be easier to just comply than it would be to try and always make sure you're meeting the very minimum in each individual state.

so as as you think about privacy, I mean, we are all,you know, at least at my company and, and you certainly spend a lot of time thinking about privacy, it's easy to, to sit around and kind of get into the, the finger wagging, you know, do this and don't do that. And that's a bad practice and that's a good practice.

But we're all people and, you know, we still surf the internet and buy our groceries on our phones and, you know, get, pizzas delivered. Is there anything that in your life, just as [00:56:00] Tom, not as the head of Cal privacy, but as Tom, is there anything that you would say do as I say, not as I do.

Tom: Oh, geez. well, if I say something, then, it can be weaponized against me. or if I, if I say I don't turn on multifactor authentication, then, then I, I, but I do, I, for all my accounts, I put multifactor authentication, so don't try to hack me. look, it's at the end of the day, the burden is so great on.

Consumers, even experts such as yourself and, and to a lesser extent I'm in you, you probably have more expertise than I do in, in a lot of these areas as well. It's just hard, right? and so one thing that we're trying to do here. Is trying to make it easier for Californians. 'cause people do want it, right?

And they do want to control their information. And so that's why we came out with drop. Another example is the opt-out preference signal that we [00:57:00] sponsored legislation that will require, starting January 1st, 2027, all browser vendors to support the global privacy control. Again, it's implemented here and referred to as the opt-out preference signal and have that switch right there.

and so by doing things like that, it will make it easier for people to say, do not self share my information, delete my data from data brokers. and also, you know, there's probably some settings, you know, on social that I need to do a better job on or double check. And eventually, to be candid, I really think.

That, you know, as businesses increasingly use AI to collect process and make decisions for us, I wouldn't be surprised that AI. Is cleverly used as an agent for us to protect our privacy. That's something that's installed on our browser or in our phone that's constantly tapping us on the shoulder.

Hopefully not that much [00:58:00] and say, oh, don't do that. Or, you know, can I send this, you know, this, opt out on your behalf? Or do you realize that you're, you have, you know, 700 accounts and you, you, you haven't used 400 of 'em in the last 10 years. So I think that there's a lot of opportunity for innovation to have an AI agent that's a personal AI agent, that's your, your privacy buddy, your privacy watchdog, et cetera.

And frankly, you know, what're we're trying to do is we're trying to raise the floor for personal privacy in California with tools like drop with, the opt-out preference signal on privacy.ca.gov. We're coming up with all these tips to improve literacy. The ceiling is really high and there's great opportunities for third parties, agents, you know, software companies, et cetera, to to further help, you know, consumers out there.

And, and I'm a hundred percent supportive of having a healthy ecosystem of not only government such as [00:59:00] California stepping in, but but also the, the private sector to, work on behalf of consumers

to improve privacy.

Arlo: tom, this has been incredibly informative. I am genuinely grateful that you've taken the time to come and join us today. And folks, you know, he mentioned it, but if you are curious about privacy and about data privacy laws in the state of California, head over to privacy.ca.gov and if you're a California citizen, go to privacy.ca.gov/drop where you can register for their drop program and you can start taking control of your own data.

I think it's a wonderful project that you guys have built and I am so excited to see how that continues to progress. Thank you for joining our show today.

Tom: Oh, it's been great. I really appreciate the opportunity to talk with you and your listeners and, have an attitude of gratitude for letting me on.

Arlo: [01:00:00]