Lawfare Daily: CPPA’s Tom Kemp on Data Brokers, Privacy, and State Enforcement

I would say a pretty revolutionary in terms of kind of flipping the balance back to the consumers.

“It's the Law Fair podcast. I'm Justin Sherman, contributing editor at Law Fair and CEO of Global Cyber Strategies with Tom Kempe, Executive Director of the California Privacy Protection Agency or CPPA aka Cal Privacy.”

Yes, we can go after global entities because we regulate the collection and use the Californian data, all the obligations that are in our law around data minimization, honorary privacy rights, security and personal information applied to all businesses.

Today, we're talking about California's new drop system and the data broker industry, bringing technologists into public service and the future of state privacy enforcement.

So first, what are the California Privacy Protection Agency's main statutory and regulatory focus areas? And then second, are there any major differences that you see between the CPPA and the authorities and resources of other states as pertains to this issue set?

“Absolutely. And thanks, Justin, for having me on, the California Privacy Protection Agency, now known as Cal Privacy, was created via the voters here in California with the passage of Prop 24 in 2020.”

And the agency itself is responsible for implementing and forcing and raising awareness of the California Consumer Privacy Act or CCPA and the California Delete Act. And so if you look at what we do, our mission is really focused in six primary areas. First, rule making, second, promoting public awareness, i.e. raising privacy literacy for consumers and telling businesses about their obligations. We have an auditing function, we have an enforcement function, we also can do and we do do policy and legislation work and we're also finally responsible for the administration and implementation of the Delete Act, which is something that we'll probably talk a little bit more about later.

So, in effect, we are the nation's only independent agency focused on privacy and California is also the first state to have a comprehensive privacy law.

And now we're in a situation where there's about 20 other states that have a privacy law. In terms of kind of what's unique about our agency vis-a-vis say attorney generals that are responsible for enforcing their their states, comprehensive privacy laws.

“I think there's a few unique areas, one of which is the policy legislation that we can actually propose and sponsor legislation working with authors.”

I think the public affairs aspect that was written into the statute is pretty unique in terms of specifically being tasked with going out and evangelizing what consumers privacy rights are. The final thing is this delete act, the accessible deletion mechanism that consumers here in California can now access. We'll start perhaps in reverse order although we'll come back to the other elements you mentioned. So one of the most recent major developments in California in terms of privacy and consumer rights as you're referring to is the deployment of the Delete request and opt out platform or the drop system.

This is focused on data brokers. As many listeners know, a topic we'll say that's also some interest to myself. So talk to us first about the legal system in California. You just mentioned the Delete Act for data broker registration and deletion. How does that work? How has it changed in the past few years? Yeah, so clearly there historically has been a move of foot over the last eight ten years to give consumers more transparency into the data broker industry and data brokers, at least in California are defined as businesses that we do not have a direct relationship with.

In I think it was 2018 and then California adopted a similar law which was AB 1202 and 2019 and it went into effect in 2020 and it housed this data broker registry with the attorney general. So the the thought process was was that it would give consumers more awareness of who these entities are because oftentimes that they Because of the they don't have a direct relationship with you. They kind of operate in the shadows and it's as you've written extensively. It's a very significant industry oftentimes people refer to it as in the privacy world is third party data collection because of the lack of direct relationship.

“But the issue is is that it's very difficult for consumers to exercise their privacy rights even if you're given a list of say 500 entities that have your information.”

You still have to go out and contact each and every one of them and save that takes 20 to 30 minutes of interaction of filling out a forum or sending an email and then they respond and you kind of go back and forest like volleyball or ping pong. And then you multiply that 20 30 minutes times 500 entities that may have your information that may take 10 full days of your time to be able to tell these businesses that again you don't have a direct relationship with. In fact, you are you and your data is the product they don't sell anything to you and you can kind of see that just the the raw scale of trying to enable your privacy rights to say op me out and or delete my information is basically next to impossible for the average consumer.

“And so what I did in a personal capacity is see that there was various proposals at the federal level like the federal delete act proposed by Senator Cassidy and us off.”

I mean hack even Tim Cook in 2019 who is the CEO of Apple wrote an editorial and time magazine saying that there should be a data broker clearing house where people can make request.

And so what I did is I proposed to my state senator state senator backer I live in California here and we worked together and he was the author of SB362 the delete act which did a few things a a a a transferred the data broker registry from the attorney general to this dedicated independent.

“Agency Cal Privacy or the California Privacy Protection Agency that I described before so this was a net new add of responsibility for the agency with with this bill.”

Importantly it also task the agency with creating this accessible deletion mechanism or what we now call the drop system the delete request and opt out platform.

And if you want I can drill down a little bit more on the drop system itself and what's going on, but that's kind of what's happened here in California at a very high level. So if you drill down I mean both into what it does as you noted but also you know curious to hear more of your thoughts on you mentioned the time saving but other ways that.

Drop sort of changes fundamentally what's possible for consumers in terms of effectuating their their rights.

I mean drop is a very unique system in that it's kind of a living breathing system in that consumers effective January 1st of this year. I'm going to go into a portal a website in which they confirm their residency here in California and they put some basic personal information and they have the flexibility is putting just simply their. And there's a code or they can put their email address and phone number they can also put their mobile advertising ID or other device IDs that uniquely identify them so they can put in is a little or as much information to facilitate matching.

And then they hit submit and we find that most consumers this whole process takes maybe six seven minutes in totality so that's that's the investment of time that a consumer will have to make as opposed to.

And then starting August 1st the registered data brokers and we have over 580 data brokers that are now registered with a state and what the data brokers will do starting August 1st 2026 is that they will access the various list that map to the data that they may have so they may download the hashed list of. of phone numbers or email addresses there's another list with the device IDs that consumers put in and then they then take their data in their databases use the same hashing algorithm and then determine if there's any matches so if there isn't a match they don't know who actually submitted the information so if a hashed phone number.

But there's doesn't match one of the hashed phone numbers in our system then then there's no match but if there is a match then they're responsible for actually permanently deleting the information but at the same time they actually have to maintain a suppression list so if down the road if they do get the consumers email address or phone number or whatnot then they have to check it against the totality of all the the drop submissions. And then from there if they do have a match or if they don't have a match they have to report back that there was no match associated with it so the consumers can actually starting in August go back and see the status of their deletion request.

“And furthermore the consumers if they get a new email address or phone number or they remember that they were in a prior zip code they can enter that information so when I say it's a living breathing system.”

It means that consumers can enhance and update their personal information again we just asked for the minimal amount of information to do the matching. They can check the statuses and then meanwhile data brokers are on every 45 day basis starting August 1st are going in getting the list and continuously building the suppression list continuously doing the deletion.

And continuously feeding back updates into the system as well so it is a very unique.

“No one else in the whole world is doing something like this and so it's definitely first of its kind but really at the end of the day what it's really focused on is enabling privacy rights at a scale.”

That's not possible in the current notice and choice framework that we have here in the United States so it is pretty. I would say pretty revolutionary in terms of kind of flipping the balance back to the consumers as opposed to as Professor Salaf describes it as consumers you know having a never ending set of chores to be able to exercise their privacy rights.

This really fully enables the exercise of privacy rights at scale by having a one stop literally a one click mechanism to say please delete my information and also opt me out moving forward as well.

So incredibly powerful and just the overwhelming support that we've had here in California has been amazing that since we've launched it with the full understanding by consumers that the deletions want to occur so we kind of expect the adoption will be more back and loaded as we get closer to August 1st. We've had over 256,000 Californians already signing up for it. Yeah, that's tremendous numbers the privacy chores quote is great.

“I'll also say and and you can respond to this or not but just as a as a fine point for folks who are less familiar with this ecosystem I think part of potentially while you're highlighting also the cost pieces is all add that.”

There are a number of private companies that will offer a report to offer the ability to submit opt out on people's behalf as we have to pay for them.

So it certainly is notable as you said the California is doing so for free at no cost to the consumer to affectuate their rights. Do you envision in the coming months any particular challenges for expanding it as well as opportunities for ways to whether it's just brought in access and awareness of the system or to update it technically in any way?

It's right there on the homepage and you can click on it and then again it only takes you six eight minutes to you know have this huge advantage of being able to take control over your personal information.

“And then in terms of what's happening moving forward the delete act was actually amended last year with SB 361 which was a bill also done by Senator Becker and then prior to taking this position.”

I've been at Cal Privacy as the executive director for a year I also recommended this to him as well and this increased disclosure requirements for data brokers moving forward and so before the registry asked some basic information of the data brokers and it asked for. Basically three bits of information that the data brokers have to provide whether or not they collect the data of children whether or not they collect reproductive health and whether or not they collect geolocation information. Basically added another 12 to 15 additional data points which the data brokers have to provide which includes immigration citizenship status union membership whether or not they sell the data to the federal government as well as law enforcement and whether or not they collect specific government identifiers.

The piece of information we asked for was what additional unique identifiers that you you the data brokers use to track consumers and so now that the registry has actually the registration period has concluded and we begin processing and getting the data broker registry ready for publication and the publication of the new data broker registry will happen.

“March 26 that with this additional information I think this that we've gotten from data brokers as well as the increase in the number of data brokers that have registered.”

That at the end of calendar year 2025 we were at 540 or so data brokers and I can tell your listeners that will be at over 580 that couple things we found some really unique information and that may lead us to do additional research based on the information that's provided and one of which as I mentioned before is. We'll have a better feel for what identifiers that data brokers utilize to identify consumers and that may instruct us to moving forward to add those identifiers that we ask of consumers so that there can be a better or chance of matching that occurs.

“So we're going to kind of take this updated information of knowing how data brokers what they key off of from a identifier perspective we may turn around and update the actual platform to facilitate more matching.”

But really interesting statistics from the actual registry itself it turns out that there's actually of the 580 that there's 110 data brokers collect precise geolocation and so what that tells us is that we probably not probably but we will continue and expand our evangelism and education with consumers. How they can actually provide their mobile advertising ID how they can make the decision to turn off tracking as well so it seems like there's a very large as you're probably aware of industry of data brokers that specifically collect precise geolocation.

And so this number has grown year over year as we compare for last year based on these results it has told us that we as an agency need to do more to educate Californians and how to get their made put it into the drop system and then just overall raise awareness.

So mother interesting metrics coming from the data broker registry we found that there was 68 data brokers that collect information about gender identity and expression.

And so maybe there's a lot of civil society groups such as the LGBT community and civil society groups there that may want to be aware of that and they may want to educate and evangelize.

We also have found that there are 52 data brokers that share and/or sell data to the federal government.

“So we're talking a little bit less than 10% and there are 31 data brokers that share and sell to GNI developers.”

And so this type of data, you know, we definitely plan to raise awareness for consumers that this is the kind of how your data is being used, which should make it even more.

Of interest for Californians to use the drop system because maybe in the end they do not want their data being sold to the foreign government.

We found that there were 33 data brokers that sell to what what's defined in law as foreign actors.

“I talked about the precise geolocation, the gender identity expression, etc.”

So it turns out and no surprise to you just and there's a lot of people's sensitive personal information going to places they may not want it to or ever think it would go to. And so, you know, we're going to continue to raise awareness, you know, how the state is being collected and sold and what people can do, at least in California, to effectuate the rights to take control over their sensitive personal information. Very good. And as many of us know, as you just said, there's a tremendous degree of opacity in this industry as well, so any data is useful, the federal government sale as well as is salient.

There was a discussion as some may have seen of that in some recent congressional testimony, so this is a great segue because one thing I wanted to talk to about in particular. Is bringing technologists into public service, but in particular into privacy and cyber security rights and enforcement, and, you know, and I'll just editorialize, I'll say, you know, I think you and the team and California writ large over several years has done quite a good job in this area, bringing technologists into the agency.

Having folks who are, you know, not just tech fluent attorneys, but perhaps computer scientists or other, you know, sorts of deep technologists working on this staff. And we're now seeing, uh, we had a law fair podcast on this several months ago, other states basically looking to do more of this as well, higher technologists, either to build tools internally, to help with cases to do both, so. I'll just say, how do you think building a system like drop would have gone or would have been possible without having those kinds of technologists and that expertise in house and then.

Can you talk in general about the delta between having a privacy and tech regulatory agency with and then without the technologists on staff writ large and again, I'm not saying that. You know, a state without a computer scientist or something doesn't know how to do enforcement, but in terms of, you know, what does having that kind of background on the team enable. Absolutely, having technologies on staff from product managers to software developers certainly helped a small agency like ours design and deliver a modern user friendly platform and drop.

We also partnered with the California Department of Technology to help build this, which I'm going to refer to as CDT, which is the California Department of Technology. CDT had built a identity gateway, which facilitates the ability for Californians to verify the residency and so actually the front door of the drop system is this identity gateway. It was not only us partnering with CDT, our technical people partnering with CDT to help build this, but we're actually leveraging some additional infrastructure that they provide to facilitate that only Californians can use this service.

“But more broadly, yeah, it's been very important for us to bring on technologists. So we have a couple of technologists, for example, in our enforcement division, who are actually PhDs.”

We're right now building our audit division, and we've hired our chief privacy auditor, Sabrina Ross, and her first hires are technologist as well.

And by bringing more technologists on staff, it increases the chance of us being able to determine if there actually either been compliance issues and/or violations as well.

It allows us to translate statutory requirements into, you know, actual audits, actual enforcement actions, et cetera, as opposed to us relying on vendors to interpret the law to, you know, that oftentimes, you know, what will ask and they'll come back, but what will ask a business as part of an enforcement action to provide us information, but we can actually vet and verify ourselves.

“And it also gives us the flexibility to just go out and do our own research and see what's going on as well.”

So yes, that has been a big focus of our agency to bring in technical people not only to help us build this drop system, but to help facilitate historically our enforcement and now the audit function that focuses on whether or not businesses are in compliance, as opposed to enforcement focusing on whether or not businesses are violating the law.

It's a good point that you have kind of that spectrum of activity, as well as some of the risks it eliminates to not have to do procurement dependence on third parties and so forth.

There are any lessons in particular, you want to imagine some in there, but any other lessons you might want to share with other states in terms of how to best bring technologists into their agencies and that and I'm thinking everything from actual recruitment all the way through to retention and you know talent development. Yeah, what we're definitely finding is because of the changes that have occurred at the federal level, both with the FDC and the CFPB that there are a lot of very strong technologists that are on the market and that these entities and agencies at the federal level, at least in the past, you know, have done kind of comparable types of research as well.

“So, at the state level, there's certainly opportunities to have people that have done this type of auditing and enforcement research.”

You know, furthermore, that because of the job market, you know, that with AI, that there isn't as strong demand for, you know, entry level developers or PhDs and computer science.

And so what we're finding is that there's some incredibly strong people that are graduating with PhDs and computer science that have done a lot of privacy research. They're actually out there and available and that they would be perfect, you know, people for us as well. So, to be candid, just the, you know, having come from the private sector and always having PhDs on staff that are, you know, literally rocket scientists in some cases, you know, to do software development as well as software architecture and all that stuff.

And that I'm in the public sector and as part of a regulator and force or I'm just amazed at the quality that's available out there. And so it's nice that as an agency that we, we won't, if we can actually verify what, what, when we're going through enforcement actions, what businesses are telling us, because we, we have just a smart people from a technology side on our side of the fence.

“As, as they do as well. So I think that, that's great, you know, for us and I certainly encourage.”

And we started seeing and actually other state regulators and agencies in the area privacy have been calling us up and picking our brain about, you know, how we've gone about bringing technologists on staff. I should also point out that one thing that I think that we've taken a really big lead on is trying to work nicely and well with and collaborate with other states. And so we've really, we're kind of the driving force and behind this concept, which we call the consortium of privacy regulators and it's now grown to 10 states, including here in California, not only us, the Cal Privacy Agency, but the California Attorney General.

So we have both Democrats and Republicans, and that's a way that we share expertise and resources. We truly value this collaboration and one area is in which we've been collaborating with is with our technologist, with their growing set of technologists that they're bringing on. And so that enables us to do, for example, enforcement sweeps with other states that are on technical topics, specifically, we are, and I can't provide too much detail, but at high level, we have a joint enforcement sweep with the Attorney General of California, Connecticut and Colorado, regarding the support of the global privacy control, which is just like the drop system.

The enables exercise the privacy rights at scale for third party data, the GPC enables privacy at scale for do not sell and shares, and so we are collectively working with these other attorney generals to do an investigatory sweep to determine compliance with GPC.

“And again, that does take potentially technologists taking a look at whether or not signals are being received and whether or not they're really following through businesses are following through on the opt outs that are being sent.”

And so that's a lot of like hands on technologist and checking things out and we're doing that in conjunction with other attorney generals in other states. I was going to say I'm sure you're getting these calls and having these conversations are ready. So in the vein of new developments and new efforts by the time this podcast airs California will have debuted a new registry system for data brokers. So you already gave us a rundown of the current as of this taping registry system, but what is this new registry and how does it differ from the list of third party data brokers that the California has historically published.

“Yeah, there's a number of differences, you know, difference number one is that SB361 asked for additional information from the data broker registries and so as I alluded to before.”

You can now and obviously the registry is accessible to anyone in the world, including academics, journalists, just everyday Americans or anyone else. When this registry post, which will happen March 26. Anyone will be able to quickly filter and see who are actually are the data brokers that collect precise geolocation sell the JNI developers sell our data to foreign actors who are the data brokers that share and sell our data to the federal government, etc.

“And so these additional data points, you know, really are kind of reflect some of the harms that legislators and consumers perceive that are associated with the collection and sale of data in these areas.”

So that's very new in terms of the additional amount of information that's available to consumers to be able to filter to get a better feel for it.

Second is the fact that as I mentioned before, that there's a larger number of data brokers that are out there and we have internally focused on really trying to drive registrations. We put together a data broker strike force within our forcement division to ensure that as many data brokers that that should be registered are registered. So we have a greater number when I joined the agency a year ago last April, I think it was privacy rights clearinghouse wrote a report saying that there were approximately, you know, 450 data brokers registered that that actually has been a priority of the agency to make sure this again is many are registered.

So we were able to build that number up at the end of the calendar year to over 540, now we're at over 580.

And then the other nice thing is is that when you pair it with the drop system that inside the drop system, even after you submit your request as a consumer, you'll be able to see starting an August, which of the data brokers specifically deleted your information or said that there wasn't a match.

Within the system you can actually file a complaint and we'll take a look at that, please don't file complaints now because data brokers that are not required until the starting August and then have 45 days after words to actually process and send the updates as well. What's happening with the drop system and the data broker registry is that also at the end of the month we are making the what we call a sandbox or API available to the 580 plus data brokers so they can begin testing the whole process of doing the matching as well as submitting the updated status is once they've processed the request as well.

“And that was the time behind the scenes that the data brokers should be actually going out and testing the system and making sure that they're ready as well.”

A lot of stuff happening behind the scenes, but those are some of the things that that have happened in our happening in the near term, so it's not just about building the actual drop system for consumers, the website, the single click portal. I'm sure that as many data brokers are registered, it's about providing the transparency, it's providing the system that allows for California to see the status and the data brokers report back the statuses of the matches, etc.

“It's not a work happening right now and a very proud of the amazing progress in terms of the record number of consumer signups as well as the record number of actual data brokers that are registered.”

As I say all the time, people should not have to pay to effectuate their privacy rights, so that's that's all great.

I think that's a good place to start zooming back out and looking more forward. We've been talking a lot about data brokers, but as you mentioned at the outset, California's privacy laws provide a pretty wide range of action on a variety of different privacy issues that go beyond the sale of people's data.

“As you look ahead to 2026 or maybe even think about 2027, what are your top enforcement priorities and for whatever you want to call out, can you say more about what motivates your thinking and California's focus on those subjects?”

Absolutely. So we've clearly made it a priority to bring a broad spectrum of enforcement actions across a broad spectrum of industries, and we've recently announced just the other week enforcement actions against companies like for motor company. We previously did enforcement action against Honda, so we're talking about, for example, large automobile manufacturers. We've also looked at retail companies like a company called tractor supply company Todd Snyder, so at the retail level. We've also had enforcement action against a company that primarily targeted students, and so what we've focused very much on in the initial set of enforcement actions is making sure that there is not friction being placed in enabling consumers to be able to exercise their privacy rights.

So the settlement agreements have not only included fines, and we've had a couple of a million dollar plus fines, but also to change business practices.

What we're trying to do is in these settlements that we actually spell out like how the businesses have allegedly did not meet the mark and did not allow consumers to effectuate their privacy rights.

And so we want to use these settlement agreements as kind of clear messages that were sending the broader community out there of things that we really care about.

And as I mentioned before, people actually had to change their business practices. For example, one of the settlement agreements was that one of the entities actually had a higher UX designer and actually kind of fixed the user interface that they have for consumers to be able to exercise their privacy rights.

They agreed to do that as part of the settlement. We had another data broker that was advertising that they sell scary information about people, you know, which clearly made it clear that, you know, that they were potentially looking for or promoting the idea that you could maybe use this information to make people's lives.

“So that's kind of the range of what we've been doing from an enforcement perspective in which we've we find companies or change had them change their business practices either in a moral minor way or more significant way as well.”

You'll continue to see our enforcement division dig deep into how businesses are implementing California's rights. We also have put forth a number of enforcement advisories that also kind of telegraph kind of areas of concern. The very first enforcement advisories we put forth involved data minimization. We've also had enforcement advisory about dark patterns and then finally we've also done some joint and now some joint investigation sweeps, as well as talking about our strike force when it comes to data broker.

So I previously talked about the investigation sweep that we're doing with Attorney General's a California Colorado Connecticut around GPC, but we're also involved in enforcement sweep with over 30 data protection and privacy authorities around the world in examining websites and mobile apps commonly used by children. So kind of the combination of the enforcement actions and the great levels of detail in the settlement agreements that articulate what the issues that we found and also combine that with the enforcement advisory and the investigation sweeps that we announced should give businesses a good feel for things that are of interest to us that we really deeply care about.

“The final thing I'll or the final two things I'll say is because we have a very robust complaint system.”

We actually get over 150 complaints per week and that number is growing from consumers and there have been a lot of of our enforcement actions have been based on actual consumer complaints.

So Californians have a means and mechanism to complain of what's going on with our agency and then the final kind of data point that I will provide is that we do have over 100 open investigations going on right now.

“So we've really ramped up the team and so I think what you'll see is you know some more enforcement actions being announced and at the same time as I alluded to before.”

We're not the sole enforcer here in California the attorney general and they've been doing some great work as well and we continue to collaborate with them around enforcement. So you actually have two enforcers here associated with the California Consumer Privacy Act to enforce the laws here in California. Right and as you said that's not the case in plenty of states where it's really the AG's office that is the the enforcer. In our last several minutes here I want to ask you about you mentioned earlier the question of certain data broker selling to foreign actors and I want to ask you more about that but with technology.

Use cases and privacy issues writ large which is that we've seen a few other states such as Texas or Florida file lawsuits against apps like Tiktok or Timo or others where the allegations in those matters focus not on privacy issues that are agnostic to. And what's the risk in those cases that the Chinese government could acquire the data is California thinking it all about those foreign adversary nexus questions vis-a-vis your state privacy regime including of course you have the.

The country if not the world in California is that lower down on the priority list and and you know how do you see those kinds of debates in relation to your other enforcement activities.

You know had us take basically take look at this and in this case it's more of a transparency but I think in the end the privacy protections we have in place in California.

Guard against the misuse of data not only nationally and internationally so yes we can go after global entities because we regulate the collection and use the Californian state you know like like you said you know California obviously is an enormous state it's the fourth largest economy in the world.

“And so all the obligations that are in our law around data minimization honoring privacy rights security personal information applied to all businesses and these businesses can be based.”

Outside our jurisdiction because again the definition of a business is not something entity that's domiciled here but it's it's based on the collection of Californians personal information. So we can reach out there and we do have looked at you know international companies as part of our investigations and I'll just kind of leave it at that so you know it's not just a situation where the business has to be. You know we have to look at the sidequartered here in California or based on the U.S. we do look at you know global companies or entities that are overseas that may be collecting significant amounts of California information as well.

So you know obviously we're going to follow what the statute said but but the statute does give us the ability to to look globally because at the end of the day it's Californians information and we're responsible for ensuring all businesses meet the obligations from from a privacy and security perspective.

All right last but certainly not least I want to sort of continue with the looking forward framing are there one or two tech industry trends or privacy practices that.

You and you could be the agency or you personally Tom but that you see is the biggest near term or over the horizon risks to consumers. Yeah I mean we're definitely keeping our eyes on tech industry trends and I don't want to suggest that we're looking in some areas more than others because you know clearly the landscape is broad and our enforcement team is always looking into a wide range of ongoing issues and upcoming trends.

“But I can share one that is very broad I think wearables present a risk that they collect so much sensitive personal information.”

And some of the sensitive personal information goes beyond your daily jogging or route includes consumer biometric and our neural data.

And I think that trend wearables collecting this information will only increase and so I think that's kind of a you know gives a good example of kind of. You know looking at you know IOT and these type of devices. Again it's it's it's not simply us being concerned about websites. You know it's no matter what type of system or application that collects a lot of sensitive personal information we're very much interested in. The other area where we actually passed and got approved some robust regulations is in the use of automated decision making.

Technologies and our regulations kick in on January 1st, 2027 that will give consumers the ability to opt out based on the the criteria of what the ADMT does as it relates to making a critical decision without any human.

“The intervention in making that critical decision in a number of key industries as well.”

So consumers will have a right to know that ADMT is being used as well as a right to opt out as well as a right to object to the usage if they're so inclined. And so starting in 2027 you know we'll start to look to enforce you know more significantly the use of ADMT technologies as well. So those kind of give a couple examples of kind of trends or areas of interest or focus for us. That's all the time we have Tom thanks very much for joining us. It's been great and thanks Justin.

The Law Fair podcast is produced by the Law Fair Institute. If you want to support the show and listen ad free you can become a law fair material supporter at law fairmedia.org/support.

Please rate and review us wherever you get your podcasts.

“Look out for our other podcasts including rational security, allies, the aftermath and escalation.”

Our latest law fair presents podcast series about the war in Ukraine.

Check out our written work at law fairmedia.org.

“The podcast is edited by Jen Patia and our audio engineer this episode was goat rodeo.”

Our theme song is from alibi music.

As always thank you for listening.