Privacy in Practice
Inside the Mind of Tom Kemp, California's Privacy Regulator
July 14, 2026
In this episode of Privacy in Practice, Kellie du Preez and Danie Strachan speak with Tom Kemp, Executive Director of the California Privacy Protection Agency (CalPrivacy), about California’s approach to consumer privacy rights and business compliance. They discuss what regulators expect businesses to get right in practice, including functioning opt-out mechanisms, Global Privacy Control (GPC) signals, third-party vendor tools, California risk assessments, good faith compliance, and CalPrivacy’s work to make privacy rights easier for Californians to exercise at scale.
In this episode of Privacy in Practice, Kellie du Preez and Danie Strachan, speak with Tom Kemp, Executive Director of the California Privacy Protection Agency (CalPrivacy) about how California is approaching consumer privacy rights in practice. The discussion focuses on what businesses need to understand about opt-out mechanisms, Global Privacy Control (GPC) signals, vendor tools, risk assessments, cybersecurity audits, good faith compliance efforts, and California’s new DROP system for data broker deletion requests. 

Before joining CalPrivacy, Tom Kemp was a Silicon Valley-based technology entrepreneur and the founder and CEO of Centrify, a cybersecurity company focused on access governance and privileged accounts. In the episode, he explains how building and scaling a company, going through GDPR compliance firsthand, and later working in privacy, cybersecurity, and AI policy shaped his view of practical regulation: privacy rights need to be meaningful and accessible for consumers, while businesses need obligations they can operationalize and test in the real world.

What this episode covers:


Tom Kemp is the Executive Director of the California Privacy Protection Agency, also known as CalPrivacy, where he helps lead the state’s work to protect consumer privacy rights under California privacy laws, including the California Consumer Privacy Act, the California Delete Act, and the California Opt Me Out Act. He has a background in cybersecurity entrepreneurship, privacy and AI policy, and public advocacy, and is also the author of Containing Big Tech, which examines online surveillance, tech monopolies, and civil rights in the digital economy.

Connect with Tom Kemp here: LinkedIn
Connect with Kellie du Preez here: LinkedIn
Connect with Danie Strachan here: LinkedIn
Follow VeraSafe here: LinkedIn


If you enjoyed this episode, make sure to subscribe, rate, and review it.


Episode Highlights:

Businesses must honor user choices through interfaces that remain clear and highly accessible. Regulatory actions against major brands like GM, Ford, and Honda prove that California actively pursues companies using dark patterns. Compliance means honoring opt-out signals, avoiding confusing interfaces or dark patterns, and ensuring consumers can exercise their rights in a meaningful, frictionless way.

Buying a standard consent management tool does not automatically make your company compliant. If you have not tested your opt-out mechanisms end-to-end from a consumer’s perspective, you may miss broken or incomplete implementations.. Small cookie or pixel misconfigurations can mean a business continues sharing data even after a customer opts out.

Organizations with mature GDPR data protection impact assessment (DPIA) processes may be well-positioned to approach California risk assessments. However, this is never a simple copy-and-paste exercise. California does not prescribe a single template, and businesses can leverage existing compliance programs, internal infrastructure, and GDPR DPIAs if they supplement them to meet CCPA-specific requirements.


The agency looks for businesses that are forthcoming, credible, and communicative when working with regulators. Businesses that engage constructively tend to have better outcomes. Testing systems, addressing gaps, correcting misconfigurations, and communicating proactively can build credibility with the agency. Good faith may be considered, but it does not exempt businesses from core legal requirements such as honoring GPC and providing functioning opt-out mechanisms.

The California DROP system gives Californians a free way to request deletion of their data across multiple registered data brokers. Over 300,000 Californians have signed up, even though deletions do not begin until August by statute. Tom also notes Connecticut's delete-act bill has passed the legislature and awaits the governor's signature, with seven more states considering similar proposals.


Episode Resources:


Privacy in Practice is handcrafted by our friends over at: fame.so.

Connect with us at podcast@verasafe.com

This podcast is brought to you by VeraSafe.