California Agency Girds for Fight Over Federal Data Privacy Bill

May 6, 2026, 9:00 AM UTC

California’s privacy agency is mapping out a survival plan.

Facing the federal government’s threats to override state data protection, AI, and privacy laws and strip its enforcement powers, the California Privacy Protection Agency is dispatching key personnel to lobby members of Congress and coordinating with like-minded states. Recently unveiled federal privacy bills bring renewed preemption possibilities against state laws, including the California Consumer Privacy Act and Delete Act, and risk stifling the agency right as it aims to grow, add rulemaking, and ramp up enforcement.

The agency’s executive director Tom Kemp will travel to Washington this month to press lawmakers—including key Republicans—to ditch preemption provisions and strengthen the bill’s privacy protections to more closely mirror California’s approach. Outside of the Federal Trade Commission, California has more technical experts looking at privacy issues than any other state—and the federal government needs to let it use that experience, Kemp argued.

“You need that when you are looking at the data capture, collection, flows associated with trillion dollar companies,” he said in an interview. “It’s critical to allow flexibility for the states to decide how they want to supplement, complement the enforcement of the privacy law.”

California’s privacy agency, the only one of its kind in the country, has brought more than a dozen enforcement actions totaling millions of dollars in fines against companies including Ford Motor Co. and Todd Snyder Inc., and officials have vowed to bring more robust enforcement and steeper fines. CalPrivacy has been pushing back against preemption threats to its privacy protections since the agency’s early days.

But the latest federal privacy bill, dubbed the SECURE Data Act, raised the stakes by threatening to restrict California’s ability to enforce its own rules.

CalPrivacy laid out its opposition in a letter to members of Congress ahead of Kemp’s trip, warning the bill would strip away the privacy rights of tens of millions of people. Agency officials are also sharing their concerns with other states and California’s attorney general.

While the bill could change during negotiations, its initial form has been largely embraced by companies saying it would ease compliance, save them billions of dollars, and support challenges to state enforcement actions and lawsuits. Democrats and consumer advocates have criticized the legislation for lacking strong privacy protections.

“Interpreted broadly, the preemption provision could wipe out hundreds of laws in California alone, and thousands across the country,” Daniel Solove, director of the Privacy & Technology Law program at George Washington University Law School, said in an email. “It would be an enormous mass slaughtering of laws.”

Finding Allies

CalPrivacy staff drove those concerns home at an agency meeting in Sacramento last week, warning board members the current version of the bill would have a “catastrophic effect” on the state.

The board’s chair, Jennifer Urban, stressed the agency’s position.

“I will once again repeat that we cannot support any law that has a broad preemption provision in it,” she said. “We believe that all Americans should have privacy rights. It is unfortunate that this particular bill is so, very weak.”

Kemp said he hopes to rally lawmakers who previously opposed preemption in AI legislation or pushed for stronger privacy protections in their own states to curtail the bill’s approach.

“We are taking this very seriously,” the agency head said in the interview. “There is always the possibility that this could go through on a partisan vote. So that is why we just want to raise awareness with the Republicans that are from California, as well as just major leaders in this.”

Many lawmakers don’t know about the privacy rights CalPrivacy created through tools like the opt-out preference signal, which lets users broadcast “do not sell” signals across websites they visit, or its DROP platform, which allows consumers to get all data brokers registered in the state to delete their personal data with one button, he said.

“I think if I have an opportunity to talk to people about that, then at the very least, maybe they’ll look to raise the ceiling a bit with the legislation,” Kemp said. “But we still would have a problem that it’s a ceiling versus a floor.”

California’s privacy agency is part of a consortium of ten privacy regulators with attorneys general from California, Colorado, Connecticut, Indiana, and Oregon, who regularly collaborate on privacy enforcement.

Not Just Privacy

Federal legislative efforts beyond the SECURE Data Act would also threaten California laws.

Proposed amendments to a federal law regulating financial institutions’ information-sharing practices, known as the Gramm-Leach-Bliley Act, also put the state’s privacy protections at risk. CalPrivacy criticized those plans, which would largely override state laws with data privacy and security requirements for financial institutions, in a letter shared with Bloomberg Law.

“By seeking to preempt the states, this proposal could significantly weaken privacy protections Californians currently enjoy under the CCPA and the CFIPA and would prevent states from responding to emerging threats and concerns,” Maureen Mahoney, the agency’s deputy director of policy and legislation, said in the March letter to members of the House Financial Services Committee.

Mahoney said in last week’s meeting the agency plans to reiterate its opposition to Congress soon.

The Trump administration’s push to preempt state AI laws has also put heat on the state’s regulations on automated decision-making technology and restrictions on AI’s use of personal information, Kemp said.

“We’re looking at what’s happening in DC not only from a privacy perspective, but obviously AI,” he said.

How far the legislation will get—and how bills might change—remains to be seen, giving the agency some wiggle room to advocate to keep its remit, especially around the SECURE Data Act.

“It might even be that language could be slightly modified too before passage to enable CalPrivacy to remain,” said Cobun Zweifel-Keegan, managing director for Washington, D.C., at IAPP, a privacy professional group. “And that’s something that’s always worth mentioning, that this framework as introduced is definitely a negotiating position.”

To contact the reporter on this story: Cassandre Coyer in Washington at ccoyer@bloombergindustry.com

To contact the editors responsible for this story: Michelle M. Stein at mstein1@bloombergindustry.com; Jeff Harrington at jharrington@bloombergindustry.com
