Privacy Daily is a service of Warren Communications News.
Subscriber Login

California Always Building on Consumer Privacy Rights, Says Agency Head

August 5, 2025 by Adam Bender|States

The California Consumer Privacy Act (CCPA) is “like a big Lego block” to which state legislators “are constantly adding … Lego pieces,” said Tom Kemp, executive director of the California Privacy Protection Agency, during an IAPP webinar Tuesday. The California Privacy Rights Act, which amended the CCPA, prohibits reducing Californians’ privacy rights, he noted.

Sign up for a free preview to unlock the rest of this article

Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.

Start My Free Preview

“We want to always be pushing the ball forward on adding more privacy rights,” said Kemp.

One example is a mechanism in development at the agency that would allow consumers to exercise their right to delete personal information held by data brokers, he said. The agency plans to preview the Delete Request and Opt-Out Platform (DROP) at IAPP’s Oct. 30-31 conference in San Diego, he said. At the agency’s meeting last month, General Counsel Philip Laird said the CPPA expects to extensively test DROP to fix any kinks before data brokers start accessing it in August 2026 (see 2507250017). DROP is set to come online for consumers on Jan. 1.

The CPPA thinks about business compliance challenges, too, Kemp said. “California really wants to lead the nation -- if not the world -- in delivering privacy rights, but … in a way that that facilitates and fosters innovation.”

He said rules approved by the CPPA Board last month, related to automated decision-making tools, cybersecurity audits and risk assessments (see 2508050031), “hit the right sweet spot” in balancing California law’s regulatory requirements while “making sure that businesses can operationalize those [regulations] as well.”

Kemp is scheduled to give a keynote at the IAPP San Diego conference. In a June interview with Privacy Daily, Kemp said the agency plans to “telegraph” how it will apply the state’s privacy law as enforcement ramps up (see 2506050072).

Also Tuesday, the CPPA blogged about consumer rights to opt out of the sale and sharing of personal information and to limit businesses’ use and disclosure of sensitive information. “When you exercise these rights together, you exert greater control in protecting your personal data, which is important for your identity, safety, and financial health,” the agency said.