I’m Alan Chapell. Over the past 20+ years, I’ve been outside privacy counsel to hundreds of digital media companies and write a monthly syndicated report called The Chapell Regulatory Insider. I’m also a regulatory analyst for The Monopoly Report.

This week’s Monopoly Report podcast features a discussion with Tom Kemp, Executive Director of CalPrivacy. We talk about the launch of the DROP deletion mechanism in California - and I ask questions seeking to understand the effectiveness of California’s stated policy goals. 

California: Next stop on the Big Tech Regulatory Flywheel?

A few months ago, I wrote an article speculating on the remedies that Judge Brinkema may impose in the DOJ antitrust case against Google. As you might know, I’m not super optimistic about the prospects of a divestiture ruling. In fact, I believe there’s a growing sense within competition circles that U.S. antitrust law is less likely to rein in the practices of big tech in the near term.

I’ve described my frustration with antitrust law’s failure to reign in Big Tech as part of what I refer to as the Big Tech Regulatory Flywheel, which goes as follows:

1. If antitrust courts are unwilling / unable to enforce the law, U.S. Congress must step in and break up Big Tech...

2. Congress is inept at creating law to break up Big Tech, so we turn to the judiciary....

3. The U.S. system is captured by industry... so it’s up to the EU to reign in Big Tech…

4. [Take big swig of tequila…]

5. Rinse / repeat.

But maybe there’s another stop on the flywheel—one that can be more effective. Perhaps California will be able to rein in Big Tech via CCPA, the DELETE Act, etc.

But here’s the question: Is the ruleset in California currently designed to contain Big Tech?

What does CalPrivacy view as the problem it wants to solve?

Last week, I interviewed Tom Kemp, the head of CalPrivacy, on the podcast. Tom is an accomplished entrepreneur and investor. Prior to coming on board as executive director of CalPrivacy in March 2025, Tom was very active as CMO and policy advisor of the group advocating for the California Ballot Initiative that ultimately brought us the CPRA.

In 2023, Tom wrote “Containing Big Tech,” a book that is right up there with other fantastic reads such as “Enshittification” by Cory Doctorow and “The Age of Extraction” by Tim Wu in terms of chronicling and analyzing the myriad ways that Big Tech impacts our lives. Tom’s book methodically walks through a number of the issues raised by Big Tech from the perspective of antitrust, misinformation, threats to democracy, data breaches, and of course, privacy. I started reading the book after speaking with Tom last week.

Tom’s book goes into great detail on how Google did this, how Amazon failed to do that, and how Meta and X are harming the other thing. It outlines a set of problems where the solution is so clear that it’s even stated in the title: “Containing Big Tech.” For the record, I found myself in agreement with many of the issues Tom raised in the book.

Tom’s book doesn’t just outline the problems. It offers solutions—many of which mirror the policy solutions offered by California policymakers since 2019 when it comes to privacy.

What Problem(s) Does the CCPA Address?

So with all the talk about the issues caused by Big Tech, I wondered how the CCPA and similar rules were actually containing Big Tech.

A few things jumped out at me:

1. Data Broker Registry: I couldn’t find a single Big Tech company listed on the California Data Broker registry. I didn’t see Palantir on the list either. I’m not passing judgment on whether any of those companies are violating the law. Rather, I’m saying that addressing the practices of those companies (or not) is a policy choice.

2.  Enforcement: I couldn’t find much in the way of CCPA enforcements against Big Tech. Yes, there was a 2023 settlement between Google and the California AG’s office, but it didn’t directly involve CCPA.

3. Sensitive Data: The CCPA ruleset doesn’t treat sensitive personal information (e.g., ethnicity, precise location, sensitive health) much differently that it does pseudonymous personal data.

I am absolutely not attempting to downplay the great work that CalPrivacy is doing. However, I think it’s worth asking whether CalPrivacy is drawing a straight line between the problems it has identified (i.e., Big Tech and misuse of sensitive data) and the policy solutions it is currently offering.

I hope that changes. Tom and his colleagues have created something that has the potential to make the world significantly better.

How I’d like to see the ads space evolve

Before I talk about what I think CalPrivacy should do, I want to mention what I think my industry should do. For years, I’ve been pushing companies operating in the ads space to do the following:

1. Stay away from identifiable personal data.

2. Avoid sensitive personal data such as health, known children, and precise location.

3. Adopt data minimization as a core principle.

Most companies in the ads space have for a long time honored the first suggestion. Many have generally honored the second. The third? Well, let’s just say that’s still a work in progress—particularly in the AI era.

How I’d like to see CalPrivacy adapt

CalPrivacy has been granted a great deal of authority by the California Legislature to issue additional regulations, and it regularly uses its voice to push for particular policies. I’d like to see it use that power toward the following ends:

1. Clearly identify the problems you’re attempting to solve and tailor solutions: There’s a good deal of innuendo being used. Entire books are being written to document the various problems, and all roads seem to lead to Big Tech and sensitive data. If CalPrivacy truly believes that Big Tech and sensitive data are at the root of most of these problems, then let’s make that clear. But also, let’s make sure that the solutions being offered are aligned to address those core problems. This isn’t unique to California; I see similar situations occurring a lot in the privacy world.

2. Adopt more of a risk-based approach to rule creation: I certainly understand how consumers want to get a better sense of the sensitive data being collected about them, in part so they can control it. There are no shortage of harms being perpetuated using sensitive personal information. Can you say the same thing about mobile ad IDs and other pseudonymous personal information? I’m not so sure. In that light, it doesn’t make much sense to treat all personal data as effectively the same.

3. Make sure that opt-out choice is implemented fairly: Starting in 2027, browsers will be required by California law to support the GPC signal. We need CalPrivacy to require that the signal is presented fairly (i.e., no ATT-style scare screens) and that the browser doesn’t use these GPC signals to preference their internal advertising programs over the ad solutions of their competitors. We’re in a very different era—one where browsers are often owned by Big Tech companies—and the others are increasingly under monetization pressures. I’m hopeful that CalPrivacy can broker an honest discussion about a clear conflict of interest.

To his credit, Tom told me that the browser issue (and a similar one I raised on the pod re: authorized agents) are on the CalPrivacy agenda for discussion. My advice to the rest of the ads space is this: Make sure your voice gets heard during CalPrivacy’s comment periods to help ensure that these competition issues aren’t swept under the rug.

Is there a reason for hope?

Absolutely. I don’t want it to get lost that there’s a lot of things that CalPrivacy is getting right. Enforcement over there to date has been measured and practical. And CalPrivacy’s work in setting up baseline rules around transparency and choice are super valuable. In my view, the solution being offered just needs to be more closely tethered to the identified problems.

If Tom Kemp and his colleagues at CalPrivacy can do that, California might be the latest (and perhaps final) stop on the big tech regulatory flywheel.

EVENTS

Marketecture Live III

Where the Industry Gets Honest About What’s Next

Join us March 10–11 at The Glasshouse in NYC for a limited-seat event built for leaders looking for what’s next in advertising.

• Brand and marketing leaders looking to stay ahead of consumer shifts and growth channels in 2026 can apply for a complimentary pass.

• Agency executives and strategy and media teams exploring what’s next in planning and creative effectiveness can apply for a complimentary pass.

• Publishers & groups of (3) or more navigating AI disruption and retail media realities receive special rates.

If there’s an area that you want to see covered on these pages, if you agree/disagree with something I’ve written, if you want to tell me you dig my music, or if you just want to yell at me, please reach out to me on LinkedIn or in the comments below.