CalPrivacy Chairperson: Federal Government 'Not a Good Partner'
California Privacy Protection Agency legislative staff is closely watching potential preemption efforts on Capitol Hill while developing possible bills to tighten the California Consumer Privacy Act in its home state’s legislature, said an agency official during the CalPrivacy Board’s meeting Friday. The proposed bills would add whistleblower protections, require alternative methods for submitting consumer privacy requests and expand California’s deletion right to cover all personal information collected about a consumer.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
During the meeting, CalPrivacy Chairperson Jennifer Urban turned a critical eye to the Trump administration while cheering her agency for its work and collaboration with other states and internationally. “We have a federal government that is not a good partner, and that, I believe, is putting it mildly,” said Urban, an appointee of Gov. Gavin Newsom (D). “The activities of the federal government with regard to the personal data of Americans and the decisions that it has been making constitute a situation which means that states and their ability to step up and to cooperate are even more crucially important than they would have been anyway.”
On the subject of a possible national privacy law, Maureen Mahoney, CalPrivacy deputy director of policy and legislation, told the board she’s heard the U.S. House Commerce privacy working group will have “something released by the end of this year." A lawyer at the Association of National Advertisers ad law conference said earlier that week that the House group’s work on a national privacy bill has continued even during a government shutdown (see 2511050007).
Also, said Mahoney, there’s "a high likelihood that legislation similar to” the proposed 10-year moratorium on state AI legislation, which, at one point, was part of the so-called One Big, Beautiful Bill Act, “will resurface at some point in another vehicle."
Mahoney said she and CalPrivacy Executive Director Tom Kemp will go to Washington later this month for meetings on Capitol Hill. The California officials plan to talk about “why the agency opposes efforts to preempt state laws and why it's so important to have a federal privacy law that sets a floor and allows states to adopt stronger protections,” she said.
In addition, Kemp and Mahoney plan to discuss CalPrivacy’s new automated decision-making technology rules and the upcoming Delete Request and Opt-Out Platform (DROP), which will allow California consumers to ask data brokers to delete their data. Kemp talked about those and other subjects at the IAPP privacy and security conference last week in San Diego (see 2510310032).
California Bills for 2026
The CalPrivacy Board voted 4-0 Friday to give Mahoney’s staff approval to pursue three proposals for California legislation in 2026. Board member Brandie Nonnecke was absent from the meeting.
Modeled on the SEC’s whistleblower program, the first bill aims to make it easier for employees to raise privacy issues, said Mahoney. As incentive, the proposal would include awards for whistleblowers and a special designation program allowing CalPrivacy enforcers to work with whistleblowers' attorneys and allow them to share proceeds from administrative fines. Also, it would contain anti-retaliation protections.
Mahoney noted that the proposed approach is different from a private right of action. “It would allow whistleblowers to share in awards and receive attorney fees, but without the right to pursue violations on their own.”
Board member Jill Hamer asked if CalPrivacy has the “extra bandwidth” to take on whistleblower complaints in addition to about 150 consumer complaints the agency receives every week (see 2509260039).
Yes, answered Michael Macko, CalPrivacy’s enforcement head. He noted that the volume of whistleblower claims “should be a lot lower than the number of consumer complaints,” and that a whistleblower charge is "more than just an allegation.” It’s an “evidentiary submission to the agency, prepared by an attorney," and the whistleblower must be the original source of that information, he said.
CalPrivacy’s second proposed bill for 2026 would extend the CCPA’s right to delete “to cover all personal information collected about a consumer,” said Mahoney. “A lot of people probably think that's already in the CCPA,” but currently it “only requires a business to delete personal information that's collected from the consumer, which means that it does not have to delete personal information collected from a third party.” Other states already have the more expansive requirement, she added.
The third proposed bill would mean that online-only businesses would have to provide more than an email address for consumers to exercise their CCPA rights, said Mahoney: Alternatives like web forms could be more user-friendly.
CalPrivacy Board Chair Jennifer Urban supported the idea, though she noted “it's an interesting question as to what the alternative methods would be.” With emails, consumers may not know how to formulate their request, which also can make it difficult for a business to process if the consumer didn’t provide all the necessary information or clearly say what they were seeking, said Urban: That’s neither “efficient for the company,” nor will it "vindicate the consumer's rights."
Hamer asked what other ideas staff might have rejected for 2026 bills. Mahoney said one idea was to expand the CCPA to cover nonprofits, but after talking to state legislators and the AG office, staff decided to give the proposal more thought and further explore stakeholders' positions.
In public comments taken remotely, Consumer Reports and Electronic Privacy Information Center advocates supported the proposed bills. However, Robert Boykin, TechNet executive director for California, asked the agency to “proceed carefully.”
Boykin noted that California already has broad whistleblower laws. He added that an AI state law (SB-53) with whistleblower protections enacted this year (see 2509290064) has a "narrow focus on extraordinary risk, such as mass casualties and weapons of mass destruction.” That’s “very different from CCPA violations, which, while serious, don't pose a catastrophic risk,” he said. Meanwhile, on the proposal about alternative requests, the tech industry official warned against requiring a “one-size-fits-all” approach.
CalPrivacy Board member Alastair Mactaggart, appearing virtually at the hybrid meeting, asked Mahoney if any other states are talking about copying California’s AB-566, a law enacted this year that requires all web browsers to support universal opt-out preference signals (see 2510080036). None have such bills pending, replied Mahoney, but the Connecticut attorney general’s office has signaled interest.
Also, Mactaggart asked how the CCPA is holding up against other state’s privacy laws in terms of its strength. Mactaggart drove the push for the California Privacy Rights Act, the 2020 ballot initiative that amended CCPA and created CalPrivacy. Mahoney highlighted the Maryland Online Data Privacy Act as having “a lot of features that California may want to take a look at, for example a prohibition on the sale of sensitive information.” She added, "We've been the lead in so many areas, but there are … always additional areas to consider."