Both prongs of California's privacy regulatory regime demonstrated their enforcement chops at the IAPP's Privacy. Security. Risk. conference in San Diego last week.
The week started with the announcement by California Department of Justice Supervising Deputy Attorney General Stacey Schesser, CIPP/US, CIPM, that her agency secured a USD530,000 settlement with SlingTV for violations of the California Consumer Privacy Act. Schesser said SlingTV's mechanisms for consumers to opt-out of their personal information being sold were "confusing" for consumers. The enforcement action represents the fifth settlement secured under the CCPA. "We take privacy rights seriously and Sling TV was not providing consumers an easy way to opt-out of the sale of their personal data as required," California Attorney General Rob Bonta said in a subsequent statement.
In an interview with the IAPP, California Privacy Protection Agency Executive Director Tom Kemp said the DOJ's settlement with SlingTV represents the collaborative approach the two agencies are taking in how they coordinate their enforcement approach for the state’s privacy laws.
"We're very pleased by the aggressiveness that the California DOJ has shown, which is a great complement to what we do," Kemp said. "We're doing a good job coordinating with the DOJ to make sure we’re not stepping on each other's toes. It turns out there's just a lot of white space out there from an enforcement perspective, so there’s plenty of work to go around."
On the importance of consumer privacy rights
Kemp joined IAPP Research and Insights Director Joe Jones for a keynote conversation that dove into his career starting a cybersecurity company, working with state legislatures on crafting their own consumer privacy laws, playing an instrumental role in advocating for the ballot initiative, Proposition 24, and outlining the CPPA's key priorities in the near-term.
In 2020, Prop 24 became the California Privacy Rights Act and was passed as a complement to the CCPA, formally establishing CalPrivacy — its newly rebranded nickname — as an independent regulatory agency. Kemp said that once the law passed, it was clear much work was needed to help consumers learn how to exercise their rights through opaque processes at the time.
"Sometimes you hear people say, 'Well, consumers talk a big game about privacy, but they don't actually exercise their rights' — 9.3 million people voted for Prop 24, it passed overwhelmingly," Kemp said during the keynote. "People want privacy. But once the law was implemented, and the agency was stood up, it became apparent that it was very difficult for consumers to exercise their privacy rights."
Prior to joining the agency, Kemp set out to work with the California Legislature to pass other laws with the goal of streamlining consumers' ability to exercise their privacy rights. Kemp's advocacy helped produce legislation, such as the DELETE Act, which empowered CalPrivacy to develop a one-stop-shop portal where state residents can enter their information and request registered data brokers delete their personal data.
Kemp said his efforts to pass Prop 24 not only led him "on a journey working on legislation in California (but) eventually in different parts of the United States to try to make privacy fundamentally easier for consumers. The individual control model puts all these 'chores' on consumers. They have to go to every website and say don’t sell my information. They have to contact every data broker. I firmly believe that privacy should be easy, and in a world of AI, it should be scalable for consumers."
Looking ahead, Kemp said that CalPrivacy is "laser focused" on activating the agency's Delete Request and Opt-out Platform, or DROP system, in time for its projected launch 1 Jan. 2026., as well as conducting a wide-scale public education campaign so state residents can better understand how to exercise their rights.
"The DROP system is really going to be a game-changer, we're going to significantly evangelize Californians to use the DROP system," Kemp said. "We're going to be very aggressive in terms of educating Californians on what tips and metrics they should use to enable privacy."
Focus less on AI and more on how systems processes personal information
Kemp also touched upon CalPrivacy's finalized automated decision-making technology regulations, saying CalPrivacy is not necessarily positioning itself to become the state's AI regulator, though he noted that prior legislative proposals could have vested more AI regulatory power within the agency.
"One of the biggest use cases of artificial intelligence is automated decision-making, which heavily utilizes personal information, but just because there's a new technology out there that’s processing, collecting or performing recommendations based on personal information, that does not give businesses a get-out-of-jail free card so they don't have to follow the rules," Kemp said.
When thinking about future AI regulations related to privacy, Kemp said the "key is not to focus on the technology, but look at what is being processed under the hood. ... A year or two from now, there could be some variant or newer technology that people introduce. ... The core of what we’re focused on is if the personal information is utilized by any technology that's in our bailiwick to ensure that Californians' privacy rights are respected and that businesses meet their obligations."
New laws and regulations on the horizon?
Kemp also teased that new draft regulations and potential legislative recommendations would be presented to the CPPA Board during its upcoming meeting 7 Nov.
According to the meeting materials, the new regulations would enhance whistleblower protections under privacy laws, strengthen the right to delete to all personal data businesses collected via a third party and allow alternative methods for consumers to lodge privacy requests to ease the discrepancy in the law between online-only and brick-and-mortar businesses.
"There's going to be three bill proposals we’re going to put forth to the board," Kemp told the IAPP in his follow-up interview. "And we're also going to propose some enhanced and evolved regulations in four areas."
Alex LaCasse is a staff writer for the IAPP.
