California Privacy Leader’s Goal: More Fines, Corporate Scrutiny

April 28, 2026, 9:00 AM UTC

The enforcement head of California’s privacy agency doesn’t like to lay out its priorities publicly—he wants everyone on high alert.

The agency, known as CalPrivacy, has spent the last three years bringing cases and millions in fines against retail giants like Ford Motor Co., American Honda Motor Co., and Todd Snyder Inc., as well as less well-known data brokers and brands.

Michael Macko, the agency’s deputy director of enforcement, said CalPrivacy is just getting started. Armed with a bolstered staff, new data broker registry requirements, and a first-of-its-kind privacy auditing function, the agency aims to ramp up its enforcement actions—and increase the fines that come with them.

In an interview with Bloomberg Law, Macko warned that a new federal privacy proposal recently floated by House Republicans could get in the agency’s way. Still, he advised all industries that target a range of consumers in the state, from Alzheimer’s patients to drivers to high school students, to pay attention to CalPrivacy’s agenda.

This interview has been edited for length and clarity.

How do your compliance goals drive the types of enforcement actions you bring—and the size of fines you seek?

I don’t want to see California Consumer Protection Act fines become a cost of doing business and something that can be absorbed and ignored. As we grow as an agency and as we mature, it’s going to be really important for us to seek fines that are appropriate.

There’s tension between quantity and complexity. If we are going to pursue a broad number of cases and try to hit different areas of the law, it might mean that fines are not as high as if we focused on just one area of the law and one large company. There’s a trade-off there, and as we grow, that trade-off will be less apparent. But it’s important for us to bring a mix of cases and to not give businesses a free pass just because violations don’t meet a certain magnitude.

How does this federal privacy bill draft, which would preempt California’s law, impact how you think about enforcement and what’s ahead for CalPrivacy?

Since building our enforcement team, we have held businesses accountable for violating privacy rights—not only through monetary fines, but by requiring businesses to change their practices and make things better. The latest federal bill would take us back in time. It would roll back privacy rights that Californians enjoy today.

What role do you see California’s data broker registry playing in enforcement?

We have subpoena power and in the course of any investigations, we’re going to be engaging with businesses that will not be on lists of any kind. Our goal in investigations is often to create new potential targets that are operating in the dark or violating the law in ways that are not obvious. So the data broker registry is one source of transparency, but the scope of our investigations is much broader.

The registry includes some well-known brands. Do you see these companies as outliers, or did they disclose data practices common in their industries?

We’ve known that the data broker ecosystem is broad and rich. The data broker registry is giving the public more of that transparency so that it can draw its own conclusions about the industry’s scope. You’re right that you’ll see companies operating as data brokers that you wouldn’t have expected or that you didn’t know about. And that’s the point.

You’ve brought two actions against Ford and Honda as part of a probe into connected cars. Neither had much to do with the vehicles or that ecosystem. How do you think about enforcement?

There’s a part of the Honda order that talks about the lack of contracts between Honda and certain vendors. That involved where data went after it left Honda. Really, you’re asking why are we focusing on those issues instead of the data flows. The reason is that the privacy rights mechanisms are the gateway issue and the goal of our law is to give consumers more control over their personal information. That means regardless of where the data is going, we are giving consumers an ability to say stop.

What is it about opt outs and how companies approach them that makes it such an important issue?

Because we aren’t an opt-in regime, it needs to be meaningful. It needs to be easy to do. That was the compromise. So the reason we keep coming back to that in a number of enforcement actions is that we need to make sure businesses are living up to that bargain.

To contact the reporter on this story: Cassandre Coyer in Washington at ccoyer@bloombergindustry.com

To contact the editors responsible for this story: Michelle M. Stein at mstein1@bloombergindustry.com; Robin Meszoly at rmeszoly@bgov.com
