CPPA Director: 'Privacy Should Be Easy,' and the State Agency Will Make It So
SAN DIEGO – “Privacy should be easy” for businesses to implement and consumers to effectuate, said Tom Kemp, executive director of the California Privacy Protection Agency (CPPA), during the closing keynote at IAPP's privacy and security conference Friday. At a panel Thursday, other CPPA employees spoke about regulations aimed at making privacy and privacy rights easier.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
“What good is privacy if it’s very difficult?” said Kemp, noting that “a big focus” of his is “not only enabling operationalization of privacy for consumers, but for businesses as well.”
As such, CPPA will focus on the California Opt Me Out Act, which “requires all browsers to add an opt-out preference signal” by Jan. 1, 2027; and the Delete Act, which has the agency building "an accessible deletion mechanism,” called the DROP system, which goes into effect in 2026. DROP stands for Deletion Request and Opt-Out Platform.
Much of the CPPA’s “mission can be boiled down to four primary functions” -- rulemaking, promoting public awareness, auditing and enforcement and policy and legislation -- but the “not-so-secret fifth function” is implementation and administration of the Delete Act, said Phillip Laird, CPPA general counsel.
Kemp said the agency’s current goal is to “significantly evangelize Californians to use the DROP system,” as well as enable the opt-out preferences signal. A web page for consumers was launched Oct. 24 previewing the platform (see 2510240053).
“As far as we're concerned,” the CCPA and the Delete Act are "tech agnostic,” Laird said. It “really doesn't matter in which format the personal information exists: the obligation is to delete.”
Several other states have considered similar legislation, noted Maureen Mahoney, the CPPA's deputy director of policy and legislation. While no other states have passed such legislation, their activities reveal "intense interest in this issue and the start of a trend,” she said.
For example, Connecticut state Sen. James Maroney (D) said recently that he is interested in pursuing a delete-style law next session, Mahoney added (see 2510220015).
“Everything we've heard from consumers so far in California is that they're very excited to start exercising their rights,” she said. “I wouldn't be surprised if other states felt the same way.”
The Delete Act and DROP functions aren't the CPPA's only future priorities. For example, Kemp said the agency is “going to be very active and aggressive in public affairs.” When an enforcement action is issued or a settlement is reached, CPPA and the AG will try to lay out publicly exactly what went wrong, to serve as a “roadmap” for other businesses, he said.
Also on the public affairs front, Kemp said the CPPA will “be very aggressive next year in educating Californians on how to use" DROP and the opt-out system, so they can have a “higher level of literacy when it comes to their privacy rights.” Kemp predicted that would lead to an increase in consumer complaints, though he said the agency already receives around 150 a week.
Concerning AI, Kemp said that while CPPA isn't an AI regulator, “one of the biggest use cases of artificial intelligence is automated decision-making,” or ADMT, which “oftentimes heavily utilizes personal information."
“Just because there's a new technology ... that's processing or collecting … personal information,” businesses don't get a “get-out-of-jail-free card” that allows them to disregard "the rules, the regulations, et cetera,” Kemp warned.
Since “we increasingly see personal information being utilized by artificial intelligence,” there are regulations related to ADMT and the option for consumers to understand what data is being used and the ability to delete data as well, as outlined in existing privacy laws (see 2509230036).
Alluding to other CPPA priorities, Kemp said businesses should “walk a mile in the shoes of consumers” to see where the agency might concentrate its energy.
CPPA attorney Elizabeth Allen said at Thursday’s panel that “from a consumer perspective,” data brokers are also “something we watch very closely as a regulatory body,” since brokers have “massive quantities of sensitive personal information [that] is held in one place.” The data is then sold to many other entities, so it's “pinging around the big, wide internet,” often without consumer knowledge, she added.
But the DROP system and Delete Act can help address this issue, Kemp said.