A change in leadership at the California Privacy Protection Agency entering 2025 has not impeded the agency's workload. CPPA Executive Director Tom Kemp has acclimated himself to his new role overseeing the U.S.'s only dedicated privacy enforcer, which is steadily increasing its enforcement activities and drafting implementing regulations for the privacy statutes it oversees.

Kemp was appointed executive director 14 March and assumed his role 1 April following the January resignation of Ashkan Soltani, the CPPA's first executive director.

"It's great working with people who are really dedicated to the mission, and there's a lot of great stuff that I can build upon here, working in conjunction with the team and the board," Kemp told the IAPP in an exclusive interview.

Prior to joining the CPPA, Kemp helped shape California's privacy landscape as a volunteer policy advisor on the 2020 ballot initiative that spawned amendments to the California Consumer Privacy Act and then again on the state's data broker law, the Delete Act. He is also an entrepreneur and investor, previously supporting multiple companies with data deletion services.

Kemp's endeavors in the privacy space will support aspirations to keep the CPPA's regulatory work on its current impactful trajectory. He will also focus on ensuring the agency is appropriately responsive to emerging issues for consumers and businesses alike, with the interplay between privacy and artificial intelligence a chief consideration.

'Walk a mile in the consumer's shoes'

The end of the CCPA's cure provision 1 Jan. 2023 marked the true beginning of the CPPA's shared enforcement remit with the California Department of Justice. The CPPA was given administrative enforcement duties upon its creation under the California Privacy Rights Act amendments to the CCPA.

After spending time grasping the landscape for potential violations through enforcement advisories and sweeps, the CPPA produced its first two public CCPA settlements this year. The Honda and Todd Snyder settlements both pertained to violations from 2023, which shows the agency now has its staffing and resources in a place to address a backlog of cases.

"Regarding the enforcement actions we've taken, we've really telegraphed ahead of time our areas of interest to people," Kemp said. "We’ve announced ahead of time that we're doing a sweep in these areas, or we've come out with enforcement advisories. We have given people the heads-up."

He added the agency is providing documentation and details wherever it can on enforcement actions to offer businesses additional reference points for their own compliance work.

The CPPA's investigatory work is supported by consumer awareness. The agency is using a wave of consumer complaints to spur "a large number" of its open investigations, according to Kemp.

"If there’s a gateway issue that has a cascading effect, we’re going to look at that. We're looking to walk a mile in the consumer's shoes," Kemp said. "What do they see when they click 'Do not sell or share my information?' And then there's proper implementation of data subject requests and looking at whether a company is properly supporting Global Privacy Control."

The next checkbox in the enforcement regime is building out the audit division. Kemp said the agency recently closed its public posting for a chief auditor and interviews to fill the position are slated to begin soon.

"This will kind of parallel what the (U.S. Federal Trade Commission) or the (Securities and Exchange Commission) do. In this case, the audit division will work with our enforcement division to ensure compliance," Kemp said. "When we get this person up and running, we may be reaching out to businesses and audit them in certain areas as part of broader interest in particular topics."

Approach to regulations

Kemp joined the CPPA in the middle of its latest rulemaking endeavor on automated decision-making technology, risk assessments and cybersecurity audits.

The CPPA Board and agency staff have gone back and forth on the proposed package since pre-rulemaking began in March 2024 and launched a public consultation on the latest iteration of the draft rules in May. The revisions being considered include the complete removal of AI from the text and other ADMT-related changes that remove compliance burdens.

"I think the consensus coming from a couple board meetings was there are certain areas that we want to better align with other regulatory regimes," Kemp said. "Better synchronization with the (EU General Data Protection Regulation) when it comes to risk assessments. Same thing with (the Colorado AI Act) as well."

One example of alignment in the new draft was reworking risk assessment requirements to bring them closer to Colorado's provisions. The current proposal also features a hypothetical example of how a business complying with Colorado law can ensure it meets California's proposed requirements.

Kemp admitted the rulemaking has been "kind of a long winding road" that is likely to see "additional little bends" before finalization. The CPPA Board will discuss next steps for the draft rulemaking at its 24 July meeting.

Part of the delay relates to board-level debate on whether rules for ADMT, which before this point included AI use and development, require separate legislation instead of CPPA-drafted rules. While Kemp believes the latest changes to the draft rules address the friction, he defended the CPPA's role and responsibilities for rulemaking on topics under its authority.

"The board has articulated that if California legislators come out with new rules and regulations that involve areas that we focus on, we will work very hard to ensure that our regulations complement and don't overlap," Kemp said. "The reality is that (the CPRA ballot initiative) says we have to write regulations. There is no carve out that we cannot do regulations on these topics."

Once the rules package is finalized, that does not mean the CPPA is done with them altogether. Kemp said this package — and any future package on other topics — will be a work in progress given the demands of modern technology.

"We always have the opportunity to come back and add on to it as well. You can’t look at this as something that is just done and over (when we finalize)," Kemp said. "We’re really working to set a standard, but I want to make sure people are aware … there’s an opportunity to take another bite at the apple once these are approved."

Data brokers in focus

The CPPA is working on separate regulations simultaneously. In addition to the current CCPA-related package, the agency is drafting the implementing regulations for the Delete Request and Opt-Out Platform under the Delete Act.

The DROP system, which is due to go live 1 Jan. 2026, provides additional data protections for consumers by requiring businesses to opt consumers' personal data out of sale and sharing when requested. Under the Delete Act, the DROP will be made available for broker installation by 1 Jan. 2026. Starting 1 Aug. 2026, brokers are required to honor opt-out requests and begin their 45-day deletion sweeps.

To this point, Delete Act enforcement has yielded five-figure nonregistration penalties. Noncompliance with consumer DROP requests could catch covered entities by surprise and make those fines much steeper, according to Kemp.

"The fact you did not register doesn't get you off the hook for the USD200 per-incident fine," Kemp said. "Let’s say one million or two million Californians are in a data broker’s database and they have not registered and/or done the deletion mechanism. Those USD200 fines will quickly add up, and will far outweigh what we’ve seen in terms of prior fines."

Kemp added a "strong recommendation" for covered entities to engage with the agency on DROP regulations, noting how conversations can bring clarity and create "a much better situation" for interacting with the new system.

Joe Duball is the news editor for the IAPP.