The Privacy Partnership Podcast with Robert Bateman

CalPrivacy Director Tom Kemp on how businesses should approach California's robust privacy regulation

28 min · 9. juli 2026
episode CalPrivacy Director Tom Kemp on how businesses should approach California's robust privacy regulation cover

Beskrivelse

What happens when a Silicon Valley cybersecurity founder takes the reins at one of the world's most powerful privacy regulators? In this special edition of the Privacy Partnership Podcast, Robert Bateman is joined by Tom Kemp, Executive Director of CalPrivacy (the California Privacy Protection Agency). They dive deep into California’s aggressive new enforcement strategies and the technical tools the state is building to make privacy rights frictionless for the average consumer. From massive potential fines for data brokers to mandated browser-level opt-outs and algorithmic risk assessments, Tom breaks down exactly what businesses need to know—and why simply relying on your GDPR compliance won’t be enough to keep you safe in the Golden State. In this episode, we cover: From Founder to Enforcer: How Tom's background in tech shaped his belief that privacy rights need to be scalable, not a "never-ending set of chores" for consumers. The DROP System: California's new Delete Request and Opt-Out Platform that allows users to delete their data from roughly 600 data brokers with a single click. $40 Million-a-Day Fines: The terrifying math behind California’s enforcement against data brokers. (Hint: the $200 fine is per incident, not per day). Data Minimisation in the US: Lessons from the recent General Motors enforcement action and Cal Privacy's focus on eliminating "dark patterns" and consumer friction. The Rise of OOPS: Why California is moving away from cookie banners and mandating that all web browsers natively support Opt-Out Preference Signals by 2027. The EU-to-California Pipeline: Actionable advice for UK and European businesses on configuring third-party tools, preparing for incoming cybersecurity audits, and handling Automated Decision-Making Technology (ADMT) regulations. Timestamps: [00:00] Intro: Welcome Tom Kemp, Executive Director of Cal Privacy. [01:09] Changing perspectives: Moving from building cybersecurity tech to regulating privacy. [04:30] Solving the data broker problem: How the new DROP system actually works. [09:34] Enforcement with teeth: Breaking down the massive fines awaiting non-compliant data brokers in August. [12:41] Common themes in Cal Privacy enforcement actions: Data minimisation, the GM case, and reducing friction. [18:06] Putting privacy "in the box": Mandating browser-level Opt-Out Preference Signals (OOPS) by 2027. [22:56] Practical advice for EU/UK companies navigating CCPA, risk assessments, and ADMT.

Kommentarer

0

Vær den første til at kommentere

Tilmeld dig nu og bliv en del af The Privacy Partnership Podcast with Robert Bateman-fællesskabet!

Kom i gang

1 måned kun 9 kr.

Derefter 99 kr. / måned · Opsig når som helst.

  • Podcasts kun på Podimo
  • 20 lydbogstimer pr. måned
  • Gratis podcasts

Alle episoder

49 episoder

episode Rob rambles about Trump v Slaughter from a European perspective cover

Rob rambles about Trump v Slaughter from a European perspective

A longer edition of the podcast because Rob gets unreasonably animated about EU-US data transfers. On 29 June 2026 the US Supreme Court ruled that the Federal Trade Commission's protection from presidential removal is unconstitutional, overruling ninety years of precedent on independent agencies.  The ruling says nothing about data protection, but the EU-US Data Privacy Framework is built on the premise that the FTC is an independent supervisory authority, and campaigners are already demanding that the European Commission repeal the adequacy decision. In this 20-minute briefing, Rob Bateman of Privacy Partnership explains what has happened on the American side and what it means for anyone moving personal data across the Atlantic. Covered in this episode A timeline from the adequacy decision in 2023 to the Supreme Court's ruling and noyb's demand for repeal  The US machinery behind the DPF: Executive Order 14086, the FTC, the PCLOB and the Data Protection Review Court  What the Supreme Court actually decided, explained without assuming any US constitutional law  The four routes by which the adequacy decision could be invalidated, and their very different timescales  Whether the ruling's logic spreads to the DPRC, and why that question matters more than the DPF headline  The two scenarios for SCCs, including why standard contractual clauses could be a stronger fallback than they were after Schrems II The DPF remains in force and transfers under it remain lawful today. Nothing in this episode is legal advice for your specific situation.

15. juli 202619 min
episode CalPrivacy Director Tom Kemp on how businesses should approach California's robust privacy regulation cover

CalPrivacy Director Tom Kemp on how businesses should approach California's robust privacy regulation

What happens when a Silicon Valley cybersecurity founder takes the reins at one of the world's most powerful privacy regulators? In this special edition of the Privacy Partnership Podcast, Robert Bateman is joined by Tom Kemp, Executive Director of CalPrivacy (the California Privacy Protection Agency). They dive deep into California’s aggressive new enforcement strategies and the technical tools the state is building to make privacy rights frictionless for the average consumer. From massive potential fines for data brokers to mandated browser-level opt-outs and algorithmic risk assessments, Tom breaks down exactly what businesses need to know—and why simply relying on your GDPR compliance won’t be enough to keep you safe in the Golden State. In this episode, we cover: From Founder to Enforcer: How Tom's background in tech shaped his belief that privacy rights need to be scalable, not a "never-ending set of chores" for consumers. The DROP System: California's new Delete Request and Opt-Out Platform that allows users to delete their data from roughly 600 data brokers with a single click. $40 Million-a-Day Fines: The terrifying math behind California’s enforcement against data brokers. (Hint: the $200 fine is per incident, not per day). Data Minimisation in the US: Lessons from the recent General Motors enforcement action and Cal Privacy's focus on eliminating "dark patterns" and consumer friction. The Rise of OOPS: Why California is moving away from cookie banners and mandating that all web browsers natively support Opt-Out Preference Signals by 2027. The EU-to-California Pipeline: Actionable advice for UK and European businesses on configuring third-party tools, preparing for incoming cybersecurity audits, and handling Automated Decision-Making Technology (ADMT) regulations. Timestamps: [00:00] Intro: Welcome Tom Kemp, Executive Director of Cal Privacy. [01:09] Changing perspectives: Moving from building cybersecurity tech to regulating privacy. [04:30] Solving the data broker problem: How the new DROP system actually works. [09:34] Enforcement with teeth: Breaking down the massive fines awaiting non-compliant data brokers in August. [12:41] Common themes in Cal Privacy enforcement actions: Data minimisation, the GM case, and reducing friction. [18:06] Putting privacy "in the box": Mandating browser-level Opt-Out Preference Signals (OOPS) by 2027. [22:56] Practical advice for EU/UK companies navigating CCPA, risk assessments, and ADMT.

9. juli 202628 min
episode The death of the EU-US DPF? Trump v Slaughter and the future of transatlantic data flows cover

The death of the EU-US DPF? Trump v Slaughter and the future of transatlantic data flows

Did the US Supreme Court just sign the death warrant for the EU-US Data Privacy Framework (DPF)? In this explosive episode of the Privacy Partnership Podcast, Robert Bateman breaks down yesterday's monumental 6-3 SCOTUS decision in Trump v. Slaughter, which fundamentally rewrites the rules of the American administrative state. By confirming the President's authority to fire FTC Commissioners at will, the Court has stripped the FTC of its structural independence—a core pillar of the European Commission’s DPF adequacy decision. Robert explores the immediate fallout, the threat to US surveillance safeguards, and why Max Schrems and noyb are already demanding an "orderly exit" to prevent a catastrophic "Schrems III" compliance cliff. In this episode, we cover: The fall of Humphrey's Executor: How Trump v. Slaughter dismantled a 1935 precedent and placed the FTC under the direct control of the White House. The DPF's structural flaw: Why the European Commission's reliance on FTC independence (Recital 60) is now a historical artifact. Surveillance safeguards at risk: How the ruling threatens the independence of the Privacy and Civil Liberties Oversight Board (PCLOB) and the newly minted Data Protection Review Court (DPRC). A constitutional clash of laws: noyb's immediate letter to the European Commission, arguing that the US Constitution now prohibits the independent supervisory authority required by EU treaty law. What's next at the CJEU: Could the ongoing legal challenge by French MP Philippe Latombe sweep up these new constitutional issues? The UK Angle: Why the UK's adequacy regulations and the UK Extension to the DPF might survive (for now), but face serious legal complications ahead. Resources & References: The European Commission’s Implementing Decision (EU-US Data Privacy Framework) noyb’s open letter to the European Commission regarding the Slaughter ruling Background on French MP Philippe Latombe's ongoing CJEU challenge against the DPF Get in Touch: With the DPF on shaky legal ground, is it time to dust off those Standard Contractual Clauses (SCCs)? If you need help navigating this transatlantic uncertainty, the team at Privacy Partnership is here to help.

30. juni 20265 min
episode Data transfers at the Irish courts: A partial win for TikTok cover

Data transfers at the Irish courts: A partial win for TikTok

The Irish High Court has just delivered a massive judgment in TikTok’s appeal against the Data Protection Commission (DPC). The court upheld a staggering €530 million fine—but surprisingly tore up the regulator’s order to suspend TikTok's data transfers to China. Who actually won this case, and what does it mean for the future of international data flows? In this episode of the Privacy Partnership Podcast, Robert Bateman unpacks Mr Justice Rory Mulcahy’s highly technical ruling. We dive into the mechanics of remote access, the absolute floor for GDPR negligence, why catch-all phrases in privacy policies are no longer acceptable, and what happens when a regulator fails to "show its working" when assessing complex technical mitigations like TikTok's Project Clover. In this episode, we cover: The Mechanics of Remote Access: Why TikTok’s data localisation defence failed, and how data temporarily loaded into the RAM of an engineer's laptop in Beijing constitutes processing in China. Article 46 and Accountability: How TikTok’s failure to assess the specific technical risks of local caching in its Transfer Impact Assessments (TIAs) led to a massive infringement. Transparency and Article 13: Why the DPC fined TikTok €45 million simply for failing to explicitly name China in its 2021 privacy policy. The New Standard for Negligence: Why relying on expensive external counsel doesn't shield you from liability, and why the GDPR negligence threshold is currently "sitting on the floor." Fair Procedures and Project Clover: Why the High Court vacated the DPC’s suspension order, ruling that the regulator unlawfully ignored late expert evidence and failed to adequately explain why TikTok's new secure European data enclave was technically ineffective. Key Takeaways for Privacy Professionals: TIAs must reflect technical reality: Regulators are looking past server locations and examining endpoint devices. Your transfer assessments must account for temporary local processing, including RAM and CPU caching. Name names in your privacy notices: Boilerplate language about "third countries" or relying on SCCs/adequacy without specifying the actual destination countries is a major compliance risk. Regulators must justify technical rejections: While courts will defer to a regulator's technical expertise, Data Protection Authorities must provide detailed reasoning when rejecting a controller's supplementary measures.

25. juni 20265 min
episode John Edwards resigns! A look back at his time at the ICO cover

John Edwards resigns! A look back at his time at the ICO

John Edwards has abruptly resigned as the UK Information Commissioner via a LinkedIn post, leaving behind a rather complicated legacy. In this episode, Robert Bateman looks back at Edwards’ four-and-a-half-year tenure. We unpack an era defined by massive platform fines, jurisdictional ping-pong, a highly convenient alignment with Home Office surveillance goals, and a surprisingly lenient approach to public sector data blunders. Was the Edwards-era ICO truly "innovation-friendly," or just inconsistently interventionist? Key Takeaways & Highlights: The LinkedIn Departure: Breaking down Edwards’ sudden exit amid an HR investigation and what it means for the regulator’s stability. The Hits and the Misses: Giving credit for strong enforcement in cases like Easylife's predatory marketing and Serco's employee biometric tracking, while examining the drawn-out, costly legal headache of the Clearview AI saga. The FaceWatch Controversy: How the ICO’s tough talk on biometric data seemed to quietly evaporate when it came to private retail surveillance that conveniently aligned with Home Office policing priorities. The Two-Tier Fining System: A look at the ICO's revised public-sector approach. Why do private platforms like TikTok and Reddit get £12m+ fines, while publicly funded bodies like the PSNI and the Post Office walk away with heavy discounts or mere reprimands for catastrophic failings? A Headless Regulator: What the Data (Use and Access) Act (DUAA) means for the future of the ICO as it transitions from a single Commissioner to a statutory board—exactly when it lacks permanent leadership.

19. juni 20265 min