March 4, 2026
California just built a system that lets consumers delete their data from hundreds of data brokers at once. Known as DROP (Delete Request and Opt-out Platform), it’s a major step toward operationalizing privacy rights. In my conversation with Tom Kemp, Executive Director of the California Privacy Protection Agency (CalPrivacy), we unpack how it works and what businesses need to know.
Tom Kemp isn't a career regulator. He's a Silicon Valley veteran, a former founder and CEO who built a cybersecurity company to over 500 people, and that background comes through in every part of how he runs CalPrivacy. Before leading the nation's largest privacy agency, Kemp was going through GDPR compliance himself. That matters.
"I've actually kind of walked the walk," he told me. "I've walked a mile in the shoes of businesses in terms of how you go through meeting the regulatory compliance requirements that laws such as GDPR or CCPA mandate."
It's a rare thing to sit across from a regulator who has personally felt the weight of the rules they now enforce.
Before Kemp became Executive Director, he was essentially CalPrivacy's first marketer. When Proposition 24, the California Privacy Rights Act, came up for a vote in 2020, Kemp volunteered and served as the campaign's chief marketing officer.
The result? 9.3 million Californians voted yes.
"9.3 million is more people than 10 or 15 states in the United States," Kemp pointed out. "In 2020, the 9.3 million votes were more than Kamala Harris got here in California, a native Californian, in 2024."
That number matters beyond the headline. It's Kemp’s north star for why this work is urgent. People do care about privacy. They just need tools that make it possible to act on that care.
One of the most clarifying moments in our conversation was when Kemp broke down what he calls the privacy paradox: the gap between what people say they want and what they actually do.
"People will say that consumers talk the talk about privacy... but then they do actions that are counter to that," he explained. "And so therefore people will conclude that people really don't care about their privacy."
His counterargument is simple and compelling. It's not that people don't care; it's that privacy is too hard.
Think about it: there are now over 500 data brokers registered with the state of California. At 20–30 minutes per deletion request, exercising your right to delete from all of them would take roughly ten days of work, and then you'd have to do it again months later as data gets repopulated.
DROP solves this. Californians go to privacy.ca.gov, verify their residency, and submit basic information (name, email, phone, date of birth, zip code, and optionally a mobile advertising ID or VIN). The system handles the rest. Data brokers are required to match their records and process deletions at scale.
"It enables the exercise of privacy rights at scale," Kemp said. "It allows people, for the first time, to really operationalize their desire to take control over their personal information."
One of the things Kemp explained that I think a lot of people, even privacy pros, may not fully appreciate is how DROP upgrades the underlying right to delete.
Under the current CCPA framework, the right to delete only applies to data collected from the consumer. But data brokers often acquire data about you indirectly. That created a loophole: a broker could receive your deletion request and technically respond that, since they didn't collect data from you, they're keeping everything.
DROP closes that gap. Deletion under the Delete Act covers data collected about a consumer, not just from them. And CalPrivacy is currently working with Senator Becker on SB 923, the Expanding Privacy Rights Act, to harmonize this standard across CCPA deletion requests broadly.
"That is an actual step up," Kemp said plainly.
This is where the conversation got really practical for businesses. Kemp walked through a nuance in the regulations that I think a lot of companies are underestimating.
Even if you have a first-party relationship with a consumer, you can still be classified as a data broker. The example he gave: if a business collects a consumer's email address directly, then purchases additional third-party data on that person, packages it up, and sells it to other entities, that business is a data broker under the regulations.
Kemp’s advice for companies trying to figure out their exposure: read the DROP regulations (which went into effect January 1st), read SB 362, and make the determination carefully. The regulations now define what a "direct relationship" is, and the bar may be higher than you think.
I'll be honest: I came in hoping Kemp would give privacy pros a clear look at CalPrivacy's enforcement agenda. He kept his cards close, understandably so.
But he gave us real signals. Three, specifically:
On data brokers specifically, CalPrivacy has already stood up a dedicated strike force to ensure entities are registering, and has taken over ten enforcement actions against non-registering data brokers in the past year alone.
"We're telegraphing or signaling through advisories, through investigatory sweeps, through settlement agreements what we care about," Kemp said.
What I appreciate most about this conversation is that CalPrivacy isn’t trying to make privacy hard for businesses. It’s trying to make it real for consumers. And Kemp genuinely believes those goals are compatible.
"We want to make sure that businesses can operationalize their requirements as well," he told me at the close of our conversation. "That's why we're talking to folks like yourself."
If you work in privacy, compliance, or data governance, and especially if you touch the data broker ecosystem in any way, this episode is required watching.
You can also watch the interview directly on YouTube.
By Ron De Jesus