The Weekly Breach Breakdown Podcast: DROP It – CalPrivacy Discusses New Tool to Protect Your Data - S7E13

Show Transcript

Below is a full transcript of our podcast with our special guest, Tom Kemp, Executive Director of CalPrivacy

James:

Tom, long-time followers know that CalPrivacy is unique among state governments, and in fact, the federal government, for that matter, thanks to the privacy laws that the legislature and the voters passed in California.

You were instrumental in the development and passage of California's laws and some of those other state laws.

Tell us about CalPrivacy?

Tom:

Yeah, absolutely. Thanks for having me on, and for those who aren't familiar with the California Privacy Protection Agency, or CalPrivacy, here's a really brief history.

Back in November of 2020, the voters of California approved Proposition 24, which was the California Privacy Rights Act, that amended and expanded the comprehensive privacy law called the CCPA, the California Consumer Privacy Act back in 2018.

That was signed by Governor Brown. And what the voters did in approving this is that it set us up as an independent agency here in California, and we're responsible for implementing and enforcing the privacy laws under our purview and raising awareness of privacy protection.

So, we focus on the CCPA, which is our California Consumer Privacy Act, but also the DELETE Act.

The legislature gave us responsibility for that. And so, at the end of the day, we're trying to strengthen California privacy rights, we're trying to raise privacy literacy.

We vigorously enforce our privacy laws, and we fined companies for not doing that.

And we're trying to deliver the DROP system, the Delete Request and Opt-out Platform that's called for by the DELETE Act.

James:

Oklahoma and Alabama just became the 21st and 22nd states to pass the state privacy law that has some, but not all, of the consumer rights Californians enjoy and CalPrivacy enforces.

When you hear from California residents, what parts of the privacy laws do they really enjoy, and are there parts that they think that's not quite as good for them?

Tom:

Well, I'd like to first say to Alabama and Oklahoma, to quote Bruce Willis in Die Hard, “Welcome to the party.” We're glad that you're joining California.

Look, the overall notice and choice system that we have in the United States puts a lot of burden on consumers to have to constantly exercise their privacy. And so, one professor said it's a never-ending set of chores that people have to do. 

They have to go to the bottom of every website and say, “Do not sell or share my data.” They may have to go out and contact dozens of data brokers and say, “Please delete my information.” And we fully understand that consumers will say, “Who has time for that?”

It's just too easy for people just to simply kind of accept the defaults and have their data collected. And one of the things that we're really trying to focus on.

Here in California, CalPrivacy is not only here to protect consumers' privacy rights, but try to make it easy for them to exercise.

And what… really what consumers want are quick and easy-to-use tools that they can set and forget it. How we're delivering that is in a couple of ways.

First, our law supports the opt-out preference signal, which is the ability to add an extension to the browser that, as you surf the web, you send the signal “do not sell or share my personal information.”

That's oftentimes referred to as the global privacy control.

We sponsored legislation last year that actually requires all browsers to have this starting January 1st, 2027, as a built-in feature.

The second thing that we did is we implemented this DROP platform, the Delete Request and Opt-out Platform that launched on January 1st, that gives consumers a single-click mechanism to tell data brokers to delete their information.

So, you're right. Oftentimes, it can be difficult, but we're trying to build tools and support capabilities for people to exercise privacy rights at scale.

James:

Well, that really leads to the reason we're talking today, which is the DELETE Act and DROP. What drove the passage of the DELETE Act, and how does DROP address those issues?

Tom:

The DELETE Act here in California was SB 362, authored by State Senator Josh Becker back in 2023 and signed by Governor Newsom.

It was passed because increasingly people didn't know who was collecting and selling their information with these businesses called “data brokers” that you don't have a direct relationship with.

There was a lot of headline news about data breaches or how this data was being weaponized against people. And so there was just a lot of just concerns out there.

You know, once your information is floating out there - and your organization is doing an amazing job in helping people - it can lead to identity theft, or it can lead to nuisances such as unwanted emails and phone calls.

So, the idea was that this would create an automated deletion mechanism, so that consumers could go to this platform, which we call the DROP system - the Delete Request and Opt-out Platform.

Instead of having to contact each and every data broker, you could do a single deletion request and basically, at scale, enable deletions. In our case in California, we have over 500 data brokers in our data broker registry.

Consumers today can go to www.privacy.ca.gov and sign up. What this will allow when the deletions start happening in August…it basically takes you 4 or 5 minutes to do something that if you try to do manually would take multiple days or hundreds of hours.

So it really provides a way to enable consumers to really take control of their personal information at scale.

James

When we talk about these kind of issues around personal information, there's good uses of personal information, and there's bad uses; there are data good brokers and there are bad data brokers.

One of the things that we have always been concerned about is how do we make sure that the people who have stolen information from data breaches don't turn around and try to game a system like DROP by trying to delete stolen information so it never makes it into the anti-fraud tools that are powered by personal data.

How does DROP protect us from something like that?

Tom:

As a former cybersecurity executive that built a company focused on cybersecurity and doing that for close to 15 years, I do have a great appreciation for people's concern.

Now, the drop system itself uses strong encryption and secure data handling practices.

It's actually hosted by the California Department of Technology, and there are a whole host of cloud security technologies that are used to secure the platform. So, it's a very secure platform, and it's constantly being monitored for misuse.

But to the heart of your question, to enable the deletion request, you first have to verify your residency, and that's processed through the California Identity Gateway, which is California's digital identity platform.

One way that a consumer verifies their identity through the identity gateway is via login.gov. So, a hacker would not only have to steal the consumer's login.gov account, but also their phone and their passcode to the phone to access the multi-factor authentication.

And then the hacker would have also stolen the consumer's driver's license that needs to be uploaded to validate that they're the actual resident.

So it's a pretty high bar…a hacker would have to have all that information, including the person's driver's license as well as their phone, their passcode, etc.

But say that's the case, I also want to assure your listeners that, actually, once the residency is verified, that it's simply a yes-no pass to the drop system.

So the drop system itself doesn't know about the actual driver's license or the verification. It simply gets a “yes” or “no” that the consumer is a California resident.

And then once into the system, none of this information is sold or utilized.

The point is: A; the bar is very high for a hacker to even get into the drop system.

And B, once in the drop system, the data is unreadable to an unauthorized party.

But the other thing I do want to point out is that it actually once you put your basic personal information into facilitate the matching, data brokers have 45 days to delete the consumer's data.

Given that hackers don't typically wait for 45 days, and typically want to strike fast, I think it's unlikely that they're going to break into and put a drop request in and then wait 45 days.

Of course, a consumer can always check the drop system and see if a request was made on their behalf as well.

And then, finally, data brokers that have a direct relationship with a consumer but collect and sell third-party data about the consumer only have to delete that third-party data via the drop system.

So, if a consumer has a direct relationship with a fraud detection service, the data the consumer gave directly to that service will not be deleted, just the peripheral data as well.

James: 

That should give people some confidence that their information is going to be secure if they take advantage of this system.

I know that a lot of the regulatory actions that have been taken under the California privacy laws have to do with businesses not acting on the requests that they received from consumers.

Why do you think, though, we're well past the origination dates of these laws, but businesses are still struggling with actually following the requirements of the law?

Tom:

Yeah, well, there's a lot of ways to answer that question.

Specific to the drop system and the Delete Act, the fines are very significant. Starting in August, if a data broker doesn't delete your data, it's $200 per day per record, and we've already had as of mid-April, over 275,000 Californians sign up for the system.

So you can just do the math, math of 275,000 times 200 per day.

The motivation will be there for people to actually delete the information.

The other thing is, you're right, that we've had these laws on the books since 2018. Our agency was created by the voters in November 2020. It really wasn't up and running until 2022, and we've been building out the enforcement team, and in the last year or so, we've really had some record-setting enforcement actions, including fines and injunctive relief against companies like Tractor Supply, Todd Snyder, American Honda, Ford, Play On Sports.

And then we've also looked at data brokers, and we either shut down or penalize data brokers like Background Alert and Accurate Append. So, the enforcement is kicking in, as well as the fact that the DELETE Act is also kicking in.

We spent a lot of time working with other regulators across states. We've built this consortium of privacy regulators to work with other state attorney generals, the California Attorney General, and our agency, so there's a lot more partnership and collaboration.

And then the final thing is, we are spending a lot of time talking to businesses and kind of educating them and providing guidance as well. And also, looking at ways that we can make it easier for them to fulfill consumers' requests.

There's obviously sticks in terms of fine and enforcement, but there's also carrots, which is education, raising awareness, etc.

What I now see happening, especially with the drop system coming into play, that there is increased awareness for businesses to respect Californian's privacy rights.

But look, anyone in California, if you think your online privacy is not being respected, you can file a complaint with us. Over the last 2 or 3 years, we've had 12,000 complaints, and we follow up with those as well, and some of those complaints have actually led to enforcement action.

James:

I want to give you one last chance to build on that as we wrap up. If someone has a concern, how would you want them to interact with CalPrivacy?

Tom:

We do want people to do that. We want people to go to www.privacy.ca.gov. It's an excellent resource for consumers to learn how to take advantage of their privacy rights. We provide a lot of practical tips that people can use.

We also have the DROP system that's hosted on the site as well that is a one-stop, single-click mechanism to initiate deletion requests for hundreds of data brokers.

And then there's also the ability to submit complaints from that website as well. So we try to give everyone a single site, privacy.Ca.gov, to utilize the tools such as DROP, to get privacy tips, and to file complaints.

James:

Thank you, Tom, for joining us today. You are welcome back anytime you want to talk about privacy.

Tom:

Well, thank you very much, and thanks again to you and your organization for the great work that you guys do as well.

Contact the ITRC

Thanks to Tom Kemp for joining us. If you are a California resident and want to learn more about your data privacy rights and how to protect your data, visit cppa.ca.gov. 

If you want to know more about how to protect your business or personal information or think you have been the victim of identity theft, fraud or a scam, you can speak with an expert ITRC advisor on the phone, via text message, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PT Monday-Friday). Just visit www.idtheftcenter.org to get started.

Thanks again to Sentilink for their support of the ITRC and this podcast. Please hit the like button for this episode and subscribe wherever you listen to your podcasts. 

The regular podcast crew will return next week with another episode of the Weekly Breach Breakdown. Until then, thanks for listening.