Calif. Privacy Agency Chief Predicts Increased Enforcement, Will 'Telegraph' Intentions
As the California Privacy Protection Agency ramps up enforcement, it will “telegraph” how it plans to enforce the state’s privacy law and will act in ways that aren’t far from what other states would do, CPPA Executive Director Tom Kemp said in a wide-ranging interview Wednesday with Privacy Daily. In addition, Kemp panned Congress’ proposed 10-year moratorium on state AI regulation while saying the agency is being careful about what aspects of AI may come under its jurisdiction.
Kemp was named the agency’s executive director in March, replacing Ashkan Soltani. Previously, Kemp was an entrepreneur and tech policy adviser.
Now that the 4-year-old CPPA has staffed up and has rules in place, “you will see increased enforcement” compared with a year ago, said Kemp. “Californians are increasingly aware of our complaint system” and the agency has seen a “significant increase” in the number of complaints received as a result. “A lot of those consumer complaints feed into our enforcement.”
“Everything is now in stride. We've ramped up. And so that will lead to increased enforcement.”
At the same time, the agency is “trying very hard to … be transparent [about] where we’re going with our enforcement actions,” said Kemp: That’s why it releases advisories and went into a “great amount of detail” about violations in recent actions against Honda and menswear retailer Todd Snyder (see 2505050066). “We try to telegraph what we’re doing as it relates to enforcement.”
“We're walking a mile in the shoes of the consumers,” he added. “We're going through and testing and validating and verifying whether or not the consumer … can actually operationalize their privacy rights.”
Kemp noted that the “enforcement actions that we’ve done specific to the [California Consumer Privacy Act (CCPA)] would be things that would come up in other states as well.” He added: “We’re even consistent with” Texas Attorney General Ken Paxton (R) in the way that both states enforce their respective data broker registration requirements.
Kemp wrote a book called Containing Big Tech, published in 2023, which is described on Kemp’s website as discussing “the threats of Big Tech and the path forward to rein in online surveillance, AI, and tech monopolies.” In a chapter on data breaches, Kemp wrote that critics believe the largest tech companies may be “too big to care” about penalties, and that past fines in the millions or billions of dollars against Amazon and Meta were “drops in the bucket compared to both companies’ profits and cash balance.” By way of comparison, the CPPA recently fined Honda much less: $632,500 (see 2503120037).
“I wrote a book because I’m passionate about it,” Kemp told us when asked about the above discrepancy. But at the CPPA, “I work for a board and I need to follow California law.” The executive director pledged to “follow the [CPPA] board for advice and strategy” and “make sure … that no personal biases are going into any of the decisions that are being made.”
Even so, Kemp indicated that future CPPA penalties could be costly. He noted that, once a data deletion mechanism required by the California Delete Act goes live, failure to comply will result in a fine of $200 per violation. “If we have millions of Californians that are registered as part of the [Delete Request and Opt-Out Platform (DROP)] system, and there's a data broker that … doesn't care to follow the will of the people and the law, then the fines can be significant.”
Kemp voiced optimism that California consumers will eventually jump at the chance to use the DROP mechanism, now under development at the agency (see 2503050020). “If you make privacy easy” to activate, “people will do it,” he said. “The issue is that, oftentimes, it’s hard for consumers to exercise the privacy choice.”
A ‘Mandate’ From Voters
Kemp said the California privacy agency has a “unique mandate” to act on behalf of the 9.3 million people, or 56%, who voted for the ballot initiative that produced the California Privacy Rights Act (CPRA), which is the amendment to the CCPA that established the agency.
He pointed out that more Californians voted for the CPRA than for past Democratic presidential candidates Kamala Harris, Hillary Clinton or Barack Obama. Therefore, Kemp said, when he talks to “people at the federal level,” he can “look them in the eye and say this 9.3 million people” include Democrats, Republicans and independents.
The CPPA has more privacy duties than attorneys general who enforce privacy laws in other states, said Kemp. In those places, “the primary focus is enforcement and regulation and ... a little smattering of some other stuff.”
However, California law additionally requires the CPPA to engage in public affairs. “We specifically have in our statute that we need to evangelize privacy to consumers,” while “at the same time telling businesses about their responsibility,” said Kemp: That means “I’m kind of like the chief marketing officer for privacy in the United States.”
The agency is also required to weigh in on policy and legislation. “We are tasked to work with other groups, not only within California, but across the United States [and] on an international basis.” This work has included establishing states' bipartisan Consortium of Privacy Regulators and signing agreements with global counterparts such as the French regulator CNIL (see 2406250044).
“We’re kind of the cheerleaders behind” states' privacy consortium, said the CPPA head. That group, which said it plans to convene regularly, met Wednesday, said Kemp. It's “bipartisan … and there are opportunities to grow,” considering it includes eight of 20 states with comprehensive privacy laws, he said. Lawyers from outside the government have speculated about what the group's formation may mean for enforcement and fines in the future (see 2506020004).
Meanwhile, the CPPA hasn’t hesitated to speak out against certain proposals in Congress, issuing statements opposing federal preemption in comprehensive privacy bills and more recently the House-passed 10-year moratorium on state AI regulation, part of the so-called “one big, beautiful bill.”
“A lot of entities and organizations are very concerned about what’s happening with the proposed moratorium,” said Kemp. Concerns from many state AGs and state legislators from both parties, and MAGA Republicans like U.S. Rep. Marjorie Taylor Greene, R-Fla. (see 2506040051), show that there’s “bipartisan consensus” against the moratorium, he said.
Kemp cautioned against imposing a moratorium or preempting “states’ ability to innovate” in an area where “in a short time there can be a very rapid consumer impact in a negative way.” One danger comes from the fact that all types of industries, such as transportation, are embracing AI, added Kemp. With a moratorium, states may soon not be able to “do any transportation-specific laws.”
When it comes to federal preemption, the CPPA believes a national privacy law should “set a high floor,” not a ceiling, for regulation. Kemp said one possible casualty of preemption would be California’s Delete Act, which requires that data brokers register with the state and enables consumers to request deletion of their personal data. If there were federal preemption, Texas could similarly lose a law requiring registration, he said.
The organizations that supported federal preemption focused on eliminating a state patchwork but neglected to mention what it would mean for regulating data brokers, Kemp noted. The Delete Act, which Kemp helped develop with state Sen. Josh Becker (D), was built on the CCPA, so federal preemption would mean Californians lose the ability to delete their data that those brokers hold, he said. “That would be a massive loss of consumer protection that we’re on the cusp of making available to Californians.”
One recent enforcement action under the Delete Act resulted in shuttering a data broker that failed to register with the state (see 2502270023). The company “was advertising that it could sell scary information about people,” he said. “That type of information can be weaponized against people.”
Clarifying AI Authority
Some business groups and state lawmakers have argued that AI isn't within the CPPA’s jurisdiction. The agency should stay away from AI regulation, these people argue (see 2502200025).
But Kemp countered that the voter-approved CPRA says the agency must write regulations for automated decision-making technology (ADMT), which is part of an ongoing rulemaking (see 2506030017). “We can’t ignore that.” Also, a state bill signed last year said personal information covered by the CCPA can be part of AI systems, he said. “So we do have the ability to enforce people's privacy rights no matter where that personal information is stored, which could include in artificial intelligence systems.”
That said, Kemp acknowledged concerns raised by some that the term “artificial intelligence” isn’t included in the privacy statute. “We’re trying to be very careful about this,” so the agency removed references to AI in the current ADMT rulemaking, he said. “I think what happened is … there was confusion, given the breadth and depth of what artificial intelligence means to various people,” he said. “And so this iteration, which could change based on … public comment” and what the board says, “aligns more closely with the language in the statute itself.”
“Where we're involved is if the artificial intelligence is … collecting and processing personal information,” said Kemp. “For the word[s] artificial intelligence, you could substitute website, algorithm [or] mobile app,” he said: Consumers don’t lose their rights just because AI is using their personal information.
However, Kemp added that the CPPA board has “verbalized that if … subsequent laws come from the legislature that may overlap with regulations that we've done,” the agency will align “our regulations with what the legislature has done.”
Since joining the CPPA, Kemp said he has been impressed by agency staff, who have a mix of industry and government experience. They are committed to their work, he said. “There [are] no slouches here.”
“One of the things that I'm really trying to focus on here at the agency is operationalizing privacy,” he said. From the consumer perspective, that includes the CPPA’s work to implement the data-deletion mechanism for third-party data. For first-party data, “we're going to continue to evangelize opt-out preference signals,” including by supporting a bill to require browsers to support sending those signals (see 2506030035).
The agency wants to help businesses operationalize privacy, too. So, for example, it is focusing on allowing companies “to leverage existing cybersecurity frameworks and audits that they've done,” while “aligning our risk assessments with” regulations in Colorado and Europe.