E277 - Tom Kemp, Executive Director of the California Privacy Protection Agency
[00:00] Debbie Reynolds: The personal views expressed by our podcast guests are their own and are not legal advice or official statements by their organizations.
[00:12] Hello, my name is Debbie Reynolds. They call me “The Data Diva”. This is the Data Diva Talks Privacy Podcast, where we discuss data privacy issues with industry leaders around the world with information that businesses need to know.
[00:25] Now,
[00:26] I have an incredibly special guest on the show,
[00:30] Tom Kemp. He's the Executive Director of the California Privacy Protection Agency. Welcome, Tom.
[00:37] Tom Kemp: Hey, Debbie. Thanks for having me back. Obviously, I must have not done that poorly the first time around for you to invite me back, so I'm very honored.
[00:47] Debbie Reynolds: Oh, it's such a pleasure to have you here. So much has happened over the last few years. So your ascension to this new,
[00:55] incredibly important role in the state of California,
[00:59] your tireless advocacy, not only in California, but in many other states and other things,
[01:06] for privacy, you actually helped support a recommendation that I made with the Internet of Things Advisory Board around privacy, labeling, and cars, which I was extremely happy about. It was voted on unanimously, actually, and it was approved to be in that report.
[01:22] So, yeah, it's been really exciting to see you and see the things that you're doing.
[01:27] Tom Kemp: Well, thank you. And it's actually exciting to see the things that you've been doing. I was riding my exercise bike yesterday, watching YouTube, a hearing of the Vermont Commerce Committee, and then all of a sudden,
[01:40] there's Debbie right there testifying. So you've been making your rounds as well.
[01:47] So it's absolutely fantastic, the work that you've been doing. So thank you again for having me on here.
[01:52] Debbie Reynolds: Oh, my God. It's always a pleasure to talk with you.
[01:56] I will say I just have to say a couple things about you that I think are so unique, it's so funny. So when you took on this role as executive director,
[02:04] a couple of different reporters had reached out to me, and they asked me about you. They were like, so,
[02:10] you know, who's Tom? What is Tom like? And I was like, Tom is what he says he is. Like, he's the real deal. He walks that talk.
[02:20] I thought it was really incredible for you to be in this role, because I feel like you're someone who really understands business as an entrepreneur.
[02:29] You are a Californian, so you're very steeped in the California ethos around privacy rights or human rights. Really cool. And you really understand the tech, so you understand the technology challenges that people have.
[02:43] And I feel like sometimes when we're talking about privacy,
[02:48] sometimes people feel like, okay, well, you only understand regulation. You only understand tech, you only understand business. And I feel like you bring all those things to bear. But I want your thoughts.
[02:59] Tom Kemp: Well,
[03:00] thank you. And the check is in the mail for that kind introduction right there.
[03:05] No,
[03:06] it's been great working here at the California Privacy Protection Agency. We do have a new nickname to make it easier, because there are just too many four-letter acronyms out there.
[03:17] California Privacy Protection Agency is the CPPA, and then there's the CPRA that amended the CCPA.
[03:23] So we're just gonna go by Cal Privacy here. But it's been a great transition. I've been here almost a year.
[03:30] The people are just simply amazing. And it's not every day that you can be in this role, associated with the nation's only independent agency focused on privacy that was actually created by the voters.
[03:45] So this was a voter-approved measure, Prop 24, that created this agency. So it's just been great.
[03:54] Debbie Reynolds: And it really is interesting in terms of the privacy dialogue internationally that California has its agency. So so many people,
[04:07] not only in the US in different states,
[04:10] but around the world, they're really looking very closely at California and the things that you do. And so I think of California as a bellwether state in terms of privacy.
[04:22] Just because it's been so long steeped in the privacy ethos.
[04:27] Tom Kemp: Absolutely. Look, I mean California has led the United States for over a hundred years in consumer protection.
[04:34] We were one of the first states to focus on food safety.
[04:38] Then there was automobile safety and emissions.
[04:42] We were the first state to have a data breach notification law. We were the first state to have a comprehensive privacy law. And then just even in the last year under my tenure and having this as being an incredible team effort, we've done some really kind of first in the nation things.
[05:01] We launched DROP, the Delete Request and Opt-out Platform.
[05:05] We sponsored and secured passage of the California Opt Me Out Act that requires browsers to offer an opt-out preference signal, effective January 1st.
[05:15] We came out with the nation's most comprehensive set of regulations for automated decision-making, cybersecurity audits, risk assessments,
[05:23] the list goes on. So even within the last year,
[05:26] people call it the California effect. And the people of California voted for this agency and wanting us to do this to keep up to date with changes in technology.
[05:37] And as people get more concerned about their personal privacy,
[05:42] I think the agency is in a great position to not only deliver benefits and serve the people of California, but oftentimes act as that laboratory of democracy that Justice Louis Brandeis (U.S. Supreme Court Justice) talked about and do innovation. And I think it's really cool to see that other states are coming to California and saying,
[06:01] hey, we really like what you're doing with opt out preference signals, with the data brokers, with cybersecurity audits, risk assessments, et cetera. So it's just an incredible role and I'm following in a long line of Californians that are really trying to raise the bar as it relates to consumer protections.
[06:19] In my case, obviously, it's on the privacy side.
[06:22] Debbie Reynolds: Well, let's talk about some of these initiatives. Let's talk about the delete request and opt out platform. This is quite extraordinary for a couple of reasons.
[06:31] One,
[06:32] as you know, as everyone should know, Vermont was one of the first states that had any type of data broker laws.
[06:39] And then nationally we had the do not call list.
[06:44] Right. And so DROP is sort of a brainchild of that,
[06:47] but it takes it that much farther, and you really were able to get the gaps there addressed. But I want you to explain to people what DROP is and why it's important.
[07:01] Tom Kemp: Yeah, sure. So the DROP system, the Delete Request and Opt-out Platform,
[07:06] is the accessible deletion mechanism that was called for with the passage of California Senate Bill 362 that was authored by State Senator Josh Becker, signed into law by Governor Newsom.
[07:23] I had the pleasure to actually propose this idea to Senator Becker and worked with him on this. And so it's kind of a cool situation where three years after working with him on this that I'm now responsible for implementing this.
[07:41] But it's not an original idea, as you mentioned, that clearly there was the FTC's do not call list. In fact, Tim Cook, the CEO of Apple, called for a data broker clearinghouse with deletion capabilities in an editorial for Time magazine back in 2019.
[07:59] And there was a federal proposal by Senator Cassidy, a Republican, and Senator Ossoff, a Democrat,
[08:07] called the Delete Act. And when I ran this idea by Senator Becker, he said, this is a great idea.
[08:13] We already have a registry. To your point, Vermont was the first state to have a registry. California was the second. Now we have Oregon and Texas also having data broker registries.
[08:22] So we already had the registry. And so the proposal with the Delete Act was to move the registry administration from the California Attorney General over to Cal Privacy and then build upon that registry.
[08:36] This means to enable consumers to go to a website,
[08:41] verify their residency,
[08:44] put in some basic personal information like email address, phone number, mobile advertising ID, VIN,
[08:51] et cetera,
[08:52] and then hit the submit button and then that data is immediately stored in a secure format. And then starting August of this year,
[09:02] the data brokers that are registered with the state, and there are over 500, need to access the system, and then they hash their corresponding information, and then they compare our list of hashed information with their hashed information, and only if they see a match,
[09:22] then they have to actually go through the deletion process and then report back.
[09:27] So it's a closed-loop system: Californians enter their information in and then they can get the status; data brokers pull information in a secure manner and then they report back.
[09:40] And frankly, the overall reaction to this has just been incredible.
[09:46] We successfully launched this on January 1st of 2026. So we're just talking less than 40 days from when we're recording this, and we've already had over 215,000 Californians, so that's about 6,000 to 7,000 Californians a day going to this website,
[10:08] doing the registration.
[10:09] So it clearly shows that there is a pent-up demand for a free, secure tool that gives Californians kind of a single-click mechanism to initiate deletion requests against hundreds of data brokers, as opposed to Californians having to contact each and every one manually and probably spending 20,
[10:35] 30 minutes on each. And if you multiply those 20 to 30 minutes each times 500 data brokers, that's 10 days, full days. And so this completely automates that in a matter of minutes for Californians.
[10:48] So we're really pleased with the initial reaction.
[10:52] Debbie Reynolds: The setup is brilliant because I think and you can give your ideas about notice and choice. I'm sure we've all talked ad nauseam about that model,
[11:03] but the challenge has been that a lot of times when people have things like notice and choice,
[11:11] that choice is hard because as you say,
[11:15] a person going in manually, having to contact all these different companies and trying to opt out is very time consuming.
[11:23] So you kind of flip that on its head and say, okay, this person, they're going to present themselves once, and then you, the company that deals with this data, it is your responsibility to keep up with this and do that.
[11:35] But what are your thoughts?
[11:38] Tom Kemp: Well, I think this gets to the heart of what people call the privacy paradox, which is consumers will say they really care about protecting their personal information,
[11:47] but because of the data economy and just trying to be part of society that they have to sign up for these services and in doing so they actually disclose a lot of their personal information.
[12:02] They agree to the choice that they've been given.
[12:05] And so therefore some people say, well, people really don't care about privacy. And our perspective is people do care about privacy. That's why 9.3 million voters voted for Prop 24.
[12:17] That's greater than the population of 10 or 15 states in the United States, back in 2020 when this agency was formed by the will of the voters. And we've also seen that with the fact that 215,000 Californians have already signed up for this site.
[12:35] So people do want privacy. But the issue is, as Professor Solove has talked about, that privacy and this model that we have is really kind of a never-ending set of chores.
[12:48] And so that's why people don't exercise their privacy or take advantage of their rights, because it's too difficult to do it at scale.
[12:56] And so I think DROP represents a great initial step in kind of putting the privacy paradox to bed in a limited way, maybe just for a weekend or something like that,
[13:09] to enable privacy at scale.
[13:13] And there's other things that we're doing, and we can probably talk a little bit later about, like the work that we did with the Opt Me Out Act that requires browsers to add the opt-out preference signals.
[13:24] Also maybe some of your listeners know that as the global privacy control,
[13:28] again, it's to enable privacy at scale for consumers, trying to make privacy easy, trying to enable Californians to operationalize privacy. And so that hopefully will help with some of the imbalance that's out there in our current digital economy, where we have to sacrifice our privacy just to do day-to-day living and interaction with our friends, at work,
[13:58] et cetera. And so this shifts some of the power back to the consumers. And that's why it was so exciting that with this one website we're able to just have Californians spend three, four, five minutes going to DROP, and that saves them 10 days' worth of work.
[14:20] And it's actually a permanent deletion, because the current model is that data brokers can go back and collect more or buy your data from other sources and repopulate. And so it's a constant whack-a-mole.
[14:32] And this is kind of a permanent request to delete my information and opt out as well. That's why we call it the DROP system. So yeah, I think it's very innovative, and it really, again,
[14:43] kind of goes back to what Justice Brandeis said about states being the laboratories of democracy and being able to experiment and do innovation. And I think that is why now that we've rolled this out and people are seeing the success of it.
[14:59] And we still have obviously more work to do, obviously training the data brokers to delete the information and having successful deletion occur and updating the status, et cetera.
[15:08] But we're now seeing other states saying, geez, I would really like to have something like that.
[15:14] And we're obviously open for business here in California to work with other jurisdictions and provide advice, guidance, technology, whatever it takes to raise the bar, raise the floor, as it relates to the exercising of privacy rights.
[15:31] Debbie Reynolds: Absolutely.
[15:32] Well, I want your thoughts. Let's dig deeper on the global privacy control and the opt-out preferences. So I did a video years ago about global privacy control explaining what it was and what it isn't.
[15:46] I think for a normal consumer they thought global privacy control was meant globally opting them out of everything. And that's not exactly how the technology worked.
[15:57] But your opt-out preference signal, the way that you all are articulating it, sort of took it a step further. But can you explain what that is?
[16:06] Tom Kemp: Yeah, absolutely. And by the way, the DROP system, you can visit privacy.ca.gov/drop to access, if you're a Californian, to access the DROP system.
[16:18] But also on privacy.ca.gov we have a set of privacy tips, including information for consumers on how to enable opt-out preference signals, and for businesses on our cppa.ca.gov website.
[16:33] And by the way,
[16:34] we're in the process of merging the cppa.ca.gov site with privacy.ca.gov, so we're kind of integrating that together. But there's business guidance to support global privacy control, what we call the opt-out preference signal.
[16:48] But at a high level, it's a plugin, extension, or toggle that you can configure in a web browser that will tell all websites you visit not to sell or share your personal information.
[17:06] And so it's kind of the equivalent of if you go to a website, you scroll to privacy notices, and then you configure the cookies down below, one of which will invariably be opt out or don't sell or share.
[17:18] This facilitates that. So again,
[17:22] if someone really did not want the websites and the businesses that they interact with online to sell or share their information,
[17:32] they would have to do that manually by doing the cookie configuration or going into their account and telling the business that way. This is to enable do not sell or share at scale via your browser.
[17:45] So in theory it should be a switch that you just turn on now.
[17:49] It's a great idea. And we see other states also adopting this,
[17:55] for example,
[17:56] Connecticut and others. Colorado is another example.
[18:00] And so we hope that increasingly, as states come out with their comprehensive privacy laws or if there's eventually a good federal proposal, that this would be baked in to enable privacy at scale and help facilitate operationalization of privacy rights.
[18:17] But the issue that we try to tackle with this California Opt Me Out Act, which was AB566 by Assemblymember Josh Lowenthal, that was signed into law by Governor Gavin Newsom last year,
[18:30] is the fact that only a few browsers,
[18:34] and these browsers typically have very small market share, actually have that built in.
[18:40] Now you can download extensions for Chrome on Windows and Edge on Windows,
[18:48] but the issue is that the major browser vendors did not support this out of the box and people sometimes are reticent or don't have the knowledge to install an extension.
[18:59] But then when you go to the mobile browsers from these large vendors, you can't even install an extension on mobile browser.
[19:09] And so what this bill requires is that all browser vendors must offer an opt out preference signal switch,
[19:20] effective January 1, 2027.
[19:24] And so this hopefully will raise the floor for privacy.
[19:30] And of course it behooves California,
[19:33] Colorado, Connecticut, et cetera,
[19:35] to educate people on being able to turn on the switch. But it's much easier to educate consumers to turn on a switch if the switch is built into the browser, as opposed to not being able to turn on a switch on mobile or having to download a third party plugin.
[19:49] So that's kind of the rationale and motivation, again,
[19:52] all part of this theme of trying to make privacy easy.
[19:57] Debbie Reynolds: I'm glad that you are looking at it from that perspective because I feel like a lot of times sometimes when you see regulation, they seem to be divorced from the technological reality.
[20:09] So being able to articulate it in that way, I think makes it easier for companies to know what they need to do. And then also you're doing the consumer education part as well to try to join that together.
[20:22] Tom Kemp: Yeah, absolutely. And so that's what actually makes Cal Privacy unique compared to other regulators and enforcers in the United States. Typically, the other states do just those two areas, regulation and enforcement.
[20:38] Occasionally they'll come out with a press release or have a press conference, et cetera.
[20:43] What's unique about the California Privacy Rights Act, which was Prop 24 that amended the CCPA,
[20:50] was that it called for not only a creation of an independent agency, which is Cal Privacy,
[20:57] but it gave us additional responsibilities.
[21:00] So besides regulations and enforcement. And I should be very clear,
[21:04] the California Attorney General also does and is very active in also enforcing the CCPA, but it gives us the ability to do policy and legislation.
[21:15] So we can actually sponsor legislation and/or we can work closely with legislators, not only in California, but in other states and other jurisdictions to kind of raise the privacy bar and harmonize.
[21:28] And then that fourth area is public affairs. Because the authors of Prop 24 really felt strongly that the literacy associated with privacy needs to be raised and improved because people just don't understand like what things to turn on.
[21:49] They don't understand that a lot of our data economy is driven by behavioral advertising in which all their information is being mined to serve the ads.
[22:01] And increasingly that data is unfortunately becoming weaponized against people in certain areas.
[22:09] And so the authors of Prop 24 also felt that there should be a strong public affairs function to make Californians aware of their privacy rights, but also to educate businesses on what their obligations are under the laws and regulations.
[22:26] Debbie Reynolds: I agree with that.
[22:27] And also you all are providing a lot of good guidance for organizations who may not know where to start or what they should be doing. So that definitely helps for sure.
[22:37] I want your thoughts about automated decision making technologies.
[22:42] I actually like this terminology because it becomes more technology agnostic, especially in a day and age where we're seeing so many reports about AI. And I've always been kind of shaking my fist at the sky.
[22:56] I'm like, let's not try to be so technology.
[23:00] Try not to just pigeonhole one technology when what we're talking about is an action or a process that organizations take with technology.
[23:08] What are your thoughts about the ADMT?
[23:11] Tom Kemp: Yeah, no. I mean, obviously it's becoming more important as AI facilitates decision-making at such large scale.
[23:22] And we see that a lot of critical life decisions are increasingly being made by automated decision making. So look,
[23:30] first and foremost it was in Proposition 24 that was again passed by the voters, 9.3 million voters. There was a line in the law that said that Cal Privacy has to create automated decision making regulations.
[23:46] So when we came out with the ADMT regulations, we didn't do it because we thought it was a good idea. We did it because it was the law.
[23:53] And then what we try to do with the regulations is try to place important guardrails on how businesses process personal information,
[24:02] including through automated decision making.
[24:05] So I want to be very clear that if it's not personal information being involved through the ADMT, our regulations don't apply. So we are sticking to our privacy mandate, which is the protection and enabling of control and putting business obligations on the use of personal information.
[24:27] So people sometimes say, well, do you see Cal Privacy as the AI regulator? And I say,
[24:34] no,
[24:35] what we do is we're the regulator of the collection, processing, sale of personal information that could be processed and utilized by AI technologies, including automated decision making.
[24:50] And so in our case with our regulations, we focus on ADMT as it relates to the use of personal information to make a significant decision,
[25:01] like someone getting a loan, job, housing, education or healthcare. And our goal is to ensure that ADMT is used transparently and in ways that respect individual rights.
[25:17] And we feel it was actually a very long and winding road of us getting through these regulations and even defining what automated technology is.
[25:29] And we got literally thousands of comments and it took us four years,
[25:35] but in the end, I think we landed the plane on the aircraft carrier where we took into account that there should be protections for consumers in this area,
[25:46] but also that we should allow businesses to be able to operationalize these regulations and give them time as well.
[25:55] So the rights that we give under the regulations to consumers are a pre-use notice,
[26:01] a request to opt out, and a request to access ADMT.
[26:06] But again, we narrowed the definition of ADMT to technologies that process personal information
[26:14] and use computation to replace or substantially replace human decision-making.
[26:21] And it only involves significant decisions concerning a consumer in the areas that I talked about before.
[26:28] And then the last thing I'll say is that the regulations are actually effective January 1, 2026 as part of the regulatory package.
[26:39] But businesses have until January 1, 2027 to implement the ADMT compliance, such as notice, opt-outs, and disclosure, by January 1, 2027. So there is a buffer.
[26:52] The key message to you, Debbie, your colleagues in privacy, as well as your listeners, is that, hey, 12 months from now, if you do ADMT and you're defined as a business under California law, you do have to give these rights to Californians in terms of notice, opt-out, and disclosures.
[27:14] So it's now kicked in and you have 12 months to implement this.
[27:20] Debbie Reynolds: One thing that I think that you do really well in your role, and what California has done really well.
[27:27] It's an incredibly hard thing to balance. And one is, as you know,
[27:32] being too prescriptive and then not being prescriptive enough.
[27:38] Right. So one is like, okay, setting the foundation for what you want people to understand about a law or a regulation, and then giving them guidance about how to do it
[27:52] without boxing yourself in. But I just want your thoughts on that balance, because I feel like you do it really well.
[27:59] Tom Kemp: Well, thank you.
[28:00] And in fact, again, it goes back to the statute, which was Prop 24 that clearly called out that we should have a balance between innovation and guardrails. And one perspective that I bring is that I actually was a CEO of a technology company,
[28:18] albeit it was in cybersecurity.
[28:21] My business actually had to go through GDPR compliance. And so I'm probably one of the few regulators that have actually gone through the compliance exercise.
[28:30] And one thing that we're trying to do with the regulations is, what good is having regulations if they're too difficult to implement? And so we really focused a lot on, can businesses easily operationalize these?
[28:47] Do they have enough time to be able to stand these things up?
[28:51] And then furthermore, can they leverage existing audits, processes, programs that they've used to address other compliance requirements so they don't have to reinvent the wheel?
[29:07] So we're very much focused not only on operationalizing privacy for consumers,
[29:13] but we're also focused on operationalizing privacy for businesses as well. And I can give you some specific examples of what we're doing to enable that. But yeah, that is part of the mindset that we do have.
[29:27] And I'm glad you put that out. That's a great point that you made.
[29:30] Debbie Reynolds: Thank you.
[29:32] Well, I want to talk a little bit about risk assessments.
[29:35] So this is,
[29:36] in my view, this is where things get real for companies. And part of this is,
[29:43] which I really like is about prevention,
[29:47] some prevention and awareness with a company about where they stand and where they need to be. So it's kind of a temperature taking type of thing. But give me your thoughts about risk assessments.
[29:59] I feel like people,
[30:01] I don't know, maybe risk assessments may seem in the US more controversial than they are in other places because we know,
[30:09] especially like in Europe,
[30:11] a lot of their laws and regulations have for years called for risk assessments. And so the risk assessment requirements that we're seeing come up in the US may be new for some companies, but I want your thoughts.
[30:23] Tom Kemp: Yeah, well, again, this was built into the statute that was passed by the voters, that we had to write regulations specific to risk assessments. And what the law said and what the regulations say is that businesses must perform a documented risk assessment whenever their processing of personal information poses a significant risk to consumers' privacy.
[30:50] Now, the way that we define that is common triggers include selling and sharing of data,
[30:56] processing the sensitive personal information at scale,
[30:59] using automated decision-making for significant decisions.
[31:03] So those are some of the examples. And so what the regulations require, and this is again for your listeners,
[31:10] they should know that, if you're a business defined under California law and it meets the requirements as I just set forth about the significant risk, these assessments must be conducted before initiating new high-risk processing beginning January 1, 2026.
[31:32] So the clock has already started ticking. For those systems that predate the regulations but continue after January 1st, the assessments must be completed by December 31st, 2027.
[31:45] And so the assessments themselves must be in writing,
[31:49] must be retained for five years,
[31:51] and must be reviewed and updated every three years.
[31:54] And then the last requirement is that businesses that meet the definition of business and have significant-risk processing activities,
[32:10] as I spelled out, need to complete an attestation report and submit that to Cal Privacy by April 1, 2028 for the assessments conducted in 2026 and 2027.
[32:24] So there is going to be paperwork that will need to be submitted in two years and two months, roughly.
[32:33] But the assessments should begin now.
[32:36] The way that we wrote these is that a lot of the assessment work that you may be doing for GDPR or for Colorado's is applicable as well. We didn't want people reinventing the wheel.
[32:48] So probably a lot of the requirements that you have for the assessments that you do in Europe or to meet Colorado's requirements are applicable here. Obviously, I can't speak to every assessment because I don't know what's going on internally.
[33:04] Now, starting this year, we will, you know, start working on documenting the process and the form and the submission. So we will provide businesses plenty of heads up about, you know, how you go about submitting these to the agency.
[33:22] I can announce on your podcast that we have hired a chief privacy auditor, and just a day or two ago we formed an audits division.
[33:35] Now, that was in the press release. But what I'm telling you, Debbie, and your listeners, is that the audits division will be the organization within Cal Privacy that will define and document the whole attestation process and be the entity within Cal Privacy that processes these as well.
[33:56] And they will also be the entity that is responsible for the cybersecurity certifications as well.
[34:05] So we will document the process, because there's a requirement for both privacy risk assessment attestations as well as cybersecurity certifications to be submitted to the agency based on the definitions I've set forth.
[34:18] Debbie Reynolds: And I didn't know if you wanted to cover at all the cybersecurity requirement.
[34:24] Tom Kemp: Sure. No, absolutely.
[34:25] So again, this was called for by the law that was passed by the voters. And I'm very proud of the fact that these represent the nation's most comprehensive set of cybersecurity audits.
[34:40] The only other state that has something comparable is New York, but that only applies to financial services organizations. And so this requires businesses, again, under California definition, that process personal information that pose a significant risk to consumer security.
[34:57] They must conduct an annual cybersecurity audit of their information security program.
[35:02] Okay.
[35:03] And those entities include entities that derive a substantial portion of their revenue from selling or sharing information and those that meet CCPA revenue and data volume thresholds.
[35:15] So an independent and qualified auditor must come in that has cybersecurity knowledge and independence,
[35:22] and the business must provide the relevant information and not misrepresent facts.
[35:28] But one thing that we wanted to do is that we fully understand that the vast majority of businesses are already doing other audits for, I don't know, SOC 2, for PCI DSS, for NIST,
[35:41] the whole, all these other cybersecurity audits that they may have to do for their industry,
[35:46] et cetera.
[35:47] And so we,
[35:49] as part of the regulations,
[35:51] to the extent that those other audit requirements cover what we require, you can leverage those so you don't have to reinvent the wheel.
[36:00] And then you actually just have to send in the certification attesting that the audit was actually completed; it must be signed by a senior executive and indicate ongoing audit compliance.
[36:16] Furthermore, last thing I'll bring up on this topic is that we also understand that maybe for some businesses this would be new,
[36:23] maybe there may be a rush to bring experts like yourself in.
[36:28] So what we wanted to do is stagger the deadlines for the audit certification based on revenue. So the first certification will only apply to businesses with over 100 million in annual revenue.
[36:40] That will also be April 1, 2028; then April 1, 2029 for 50 to 100; and April 1, 2030 for businesses under 50.
[36:50] Now,
[36:51] some small business that processes a lot of data may say, oh, I don't have to do this. No, we certainly encourage people to do cybersecurity audits right there. All we're simply saying is that the actual certifications don't have to be sent to the agency for businesses under 50,
[37:08] in that example, until April 1, 2030.
[37:11] So that's it. So again, we're very proud that it is not only comprehensive, adding value to Californians,
[37:19] but we also designed this to enable businesses to operationalize and leverage existing audits that they have done. And that has been a big theme of what we're trying to accomplish with the regulations.
[37:32] Debbie Reynolds: That's tremendous.
[37:33] I think these types of things, I think a lot of us who work day in, day out with businesses, I think a lot of us,
[37:42] try to articulate this in risk assessments,
[37:46] having it be something more formalized and also realizing that different types of businesses are already probably doing some, maybe not even all of this,
[37:55] I think is really helpful. But bringing it all together sounds amazing.
[37:59] Tom Kemp: Thank you. No, we think that, again, California is kind of leading the way here.
[38:04] And, you know, hopefully this will.
[38:08] The combination of risk assessments combined with the cybersecurity audits, combined with people using DROP, should hopefully make a meaningful difference in a few years in terms of reducing the number and the dollar amount associated with data breaches that are happening.
[38:29] And so we think that there could be significant value in having businesses that operate and meet the definition of what a business is in California under the CCPA, that this will actually have significant societal value in terms of reduction of identity theft,
[38:48] hacking, things of that nature.
[38:50] And that's our hope on this.
[38:52] Debbie Reynolds: It's excellent. What are your thoughts about enforcement trends or patterns? Anything that you'd like to chat about?
[39:00] Tom Kemp: Yeah, I mean,
[39:02] obviously, as an enforcer, I can't reveal too much here, but one thing I will say is that we try to be very transparent in terms of things that we are looking at, things that we care about.
[39:16] So we do announce investigatory sweeps that telegraph kind of areas of focus and interest of ours.
[39:24] We do come out with enforcement advisories that provide guidance to businesses on topics that we do care about.
[39:33] For example, we came out with an enforcement advisory on data minimization.
[39:37] We came out with an enforcement advisory on data broker registration as it relates to subsidiaries and trade names, things of that nature.
[39:45] And then finally,
[39:47] we try very hard in our settlement agreements to clearly document and define exactly the issues that we discovered, so that they could act as lessons for other organizations in terms of what we care about and what we think are foundational things that businesses should be thinking about, should be responsible for,
[40:18] et cetera. So, clearly, I will say that's kind of like our thought process of trying to be transparent,
[40:25] trying to provide a clear roadmap. But we do care a lot about sensitive personal information,
[40:34] health information,
[40:35] as well as location information.
[40:37] Those are areas we certainly care a lot about. Vulnerable members of society, such as children. And so we are participating on a worldwide basis with 30 other privacy-related agencies,
[40:54] the data protection authorities in other countries, regarding kids' safety.
[40:58] And we are doing a joint investigatory sweep with the Attorneys General of California, Colorado, and Connecticut around support for Global Privacy Control.
[41:09] Again, we're trying to project and telegraph. So if you read some of our recent enforcement actions, our recent enforcement advisories,
[41:18] I think that should give people a good understanding of what trends that we see that we want addressed.
[41:25] Debbie Reynolds: Absolutely. And you had mentioned a bit about location. And so location is something very interesting to me because as you know, I've been very interested in location as it relates to cars.
[41:38] But I've been very interested to see how location has come up and is being articulated in different ways, laws and regulations, in terms of being in the category of sensitive data, because many years ago it was not.
[41:53] But what is your thought about just location in general?
[41:57] Tom Kemp: Well, I can't reveal too much about what our enforcement is going to be in these areas. I will point out that the California Attorney General can also do their enforcement of the CCPA, and they have brought up the fact that they are doing an enforcement sweep in that area.
[42:20] And I should also point out that, as it relates to the DROP system,
[42:25] we do explicitly ask Californians what their VIN number is.
[42:34] And also we ask what their mobile advertising ID and connected TV ID are. So those are some additional pieces of data beyond email, phone number, zip code that Californians can enter.
[42:46] And so the thought process is that if you enter that information into the DROP system,
[42:54] that will allow your mobile advertising ID, your VIN, et cetera, to be purged from potentially hundreds of data brokers. And then the final thing is that we do document, as a privacy tip,
[43:08] how to stop mobile tracking. And we do discuss how your location can be given to other entities based on settings with mobile apps, et cetera. So we try to raise privacy awareness and literacy in that area.
[43:26] So hopefully that gives you a good feel for what's happening in California with the Attorney General.
[43:32] What we've done as it relates to the DROP system and our public education.
[43:36] But I can't really comment further about specific enforcement actions that we're doing.
[43:44] The only thing I can say is that our agency, and we've been public about this, does have over 100 open investigations that we're currently pursuing right now.
[43:57] And so that kind of gives you a feel for the scale and scope of the net that we're casting here.
[44:02] Debbie Reynolds: I'm sure there'll be more to come, as I'm sure other states and other jurisdictions will look more closely at location for sure.
[44:10] So what does good privacy governance look like going forward in your view?
[44:16] Tom Kemp: Well, I think good privacy governance looks at obviously being aware of the regulations that we've come forth with and obviously understanding the statute, but also really looking and thinking about are we walking a mile in the consumer's shoes?
[44:35] And what we typically see is that a lot of businesses think that they've set up a privacy program,
[44:44] but they haven't really tested it or verified it or confirmed it from the end user or consumer perspective.
[44:52] And if you look at some of the more recent enforcement actions, it turns out that, yes, you may have bought a privacy platform, but you haven't set it up properly, or it wasn't properly configured, or there was an outage for a long period of time, and so months would go by and people's privacy requests went into a black hole.
[45:12] Or maybe your marketing organization did a lot of things that the privacy organization wasn't aware of.
[45:21] That, you know, raises flags out there. And so I think, from a governance perspective, yes, you should be technically knowledgeable about the laws, the regulations, et cetera,
[45:34] but there should be a focus on what the end user experience is.
[45:40] And you know,
[45:42] maybe stepping out of the office and pretending that you're a mom or your grandmother or your uncle or whatever and trying to actually go to the website. Can you find the information?
[45:55] Can you exercise the privacy rights?
[45:58] Is the privacy setting clear on our website, in our mobile application?
[46:02] Do we support the Global Privacy Control, things of that nature? And so just really kind of thinking about it from the end user experience would be one big recommendation beyond just being knowledgeable about the requirements under the law and regulations.
[46:20] Debbie Reynolds: That's amazing. Thank you for that. Well, you know, I would just say the podcast, we've just reached over a billion downloads.
[46:29] Tom Kemp: Oh my God.
[46:30] Debbie Reynolds: We have listeners in over 158 countries. A lot of people will be very interested in what you have to say.
[46:36] What message do you want to leave just for the privacy folks in California, the US globally? What would you like to say?
[46:44] Tom Kemp: Yeah, I think a couple things.
[46:46] Thing one is that the regulations that we covered, they are now in effect.
[46:51] We will be doing educational sessions and creating fact sheets, et cetera.
[46:58] So definitely come to our website if you're a privacy practitioner and your business or your clients fall under California privacy laws.
[47:07] And so the first thing is that definitely become aware of the new regulations.
[47:13] The second thing is that California is really trying to raise the bar in terms of privacy literacy for consumers.
[47:21] And we're really trying to be not only the best website for consumers in California to get privacy tips, but more than happy to have people on a worldwide basis come to privacy.ca.gov and learn more from a consumer perspective,
[47:40] obviously,
[47:41] the DROP system has been a big investment. If you are a resident of California,
[47:46] definitely go to privacy.ca.gov, check it out. Encourage your family and friends to do the same.
[47:51] If you're a data broker,
[47:52] you should know that A, you should register and B,
[47:56] that the enforcement of this is significant in that the failure to delete is $200 per day per incident. And so if you're not deleting hundreds of thousands of people's. And again, we've already had over 215,000 people register.
[48:13] So just imagine the number by the end of the year of Californians, and say maybe only 20% of those people are in your database. That's a massive number, multiplied by 200 for every day that you're on the hook.
[48:25] So I definitely urge any entities that act as and are data brokers under the law: they should absolutely register. Just because you don't register doesn't mean you're off the hook for the fines.
[48:38] You are on the hook,
[48:40] registered or not, for not processing deletions there as well. So I urge people. So those are some of the things that I would recommend to businesses as well as consumers.
[48:52] Again, what we're trying to do is make it operational for consumers, but we also want to operationalize it for businesses as well.
[49:00] Debbie Reynolds: Well, thank you so much, Tom.
[49:03] It's always a pleasure to talk with you, and I'm so proud of the work that you're doing, not just for California, but for all of us who are interested in this issue.
[49:12] Tom Kemp: Well, thank you so much. And I want to tip my hat to you as well. So just the leadership that you've shown, as well as the platform that you've created, is simply amazing.
[49:23] So, again,
[49:24] I'm very honored to have been on your show again,
[49:28] so thank you so much.
[49:29] Debbie Reynolds: Oh, my gosh, that's so sweet. That's so sweet. Well, I'm sure we'll talk more. We'll talk more soon. Absolutely.
[49:35] But thank you for giving us all these resources.
[49:38] This information is really valuable. I really appreciate it.
[49:41] Tom Kemp: Well, thank you so much.
[49:43] Debbie Reynolds: All right, talk to you soon.