The new head of enforcement for the California Privacy Protection Agency was most recently a top lawyer for Amazon who defended the monopoly against data privacy enforcement. But you wouldn’t know that from the introduction he gave the public recently or from his official agency bio.
On July 14, Michael Macko, who is the deputy director of enforcement for the CPPA, listed off his sterling resume, including the U.S. Attorney’s Office and the U.S. Securities and Exchange Commission. But he didn’t mention that he was most recently a lawyer for Amazon, where he defended the monopoly against the very actions he is now prosecuting. Amazon, for example, sucks up huge amounts of data from people and other parties regarding searches, purchases, location and how you spend your time. It lists 75 companies that it shares data with, including Meta. It’s obsessed with data. Of course, revolving doors between government and corporations have long been a problematic thing, so it’s worth keeping an eye out for how Macko will approach powerful companies that aren’t complying with the law.
Despite a judge’s recent ruling that regulations implementing part of the California Consumer Privacy Act (CCPA) cannot be enforced until next year, much of the law that gives people more control over their personal data being sold online is in effect right now. And Macko says the enforcement branch is ready to hit the ground running.
“Businesses do not have a free pass from all enforcement,” said Macko during the agency’s July 14 meeting. He hopes to fill 10 positions in the enforcement division.
“When we find violations we will take aggressive action to protect the public,” said Macko, who is now sharing enforcement duties with the Attorney General’s Office.
So what is the agency’s plan?
Macko said the agency will be looking at company privacy notices and policies to see if they are doing what they say they are doing. For example, the right to know, opt out of, or delete personal information has been on the books since 2018. The agency will see how businesses are complying with such consumer requests. Are they making it easy for consumers to exercise that opt-out, or are they making it annoying and putting up roadblocks (so-called “dark patterns”) so that you’ll give up and not opt out of data collection?
In deciding which of the over 50,000 businesses to regulate, the agency will look at the severity of the harm and the size of a business, with a focus on protecting vulnerable groups, according to Macko. Board members showed interest in making reproductive rights and people with language barriers enforcement priorities. An action by the agency can be brought up to five years from the date of violation.
The agency also hopes to spur compliance with the law through a robust public education campaign. It recently soft-launched a complaint system.