Privacy Law

Spotlight on Michael Macko, Head of Enforcement, California Privacy Protection Agency

By Jennifer L. Mitchell

Politico described Michael Macko, head of enforcement at the California Privacy Protection Agency (CPPA), as “one of the most powerful privacy enforcers in the U.S.”[1] It’s easy to see why. Between launching investigative sweeps into the practices of the connected vehicle and data broker industries, managing open privacy investigations in the “double digits and growing,” bringing multiple enforcement actions, and publishing Enforcement Advisories, the CPPA’s Enforcement Division has been busy. The CPPA is building its reputation as one of the most formidable privacy regulators in the nation, or perhaps the world.

I had a chance to catch up with Mike to discuss his illustrious career path, the Division’s priorities, and the future of privacy. Mike came to the CPPA with nearly two decades of litigation and investigative experience, including as in-house counsel handling government and regulatory litigation in the tech industry, and as Assistant U.S. Attorney and Trial Attorney at the U.S. Department of Justice and U.S. Securities and Exchange Commission. A former adjunct professor of law, he started his career as a litigator at a large law firm and clerked for judges on the U.S. Court of Appeals and U.S. District Court.

MITCHELL: Could you please share more about your career background prior to joining the CPPA?

MACKO: Of course, and it’s a pleasure to talk with you. I’ve spent most of my career leading government investigations. I started out as a litigator at a large law firm, and then I spent a decade prosecuting cases and handling civil litigation for the U.S. Department of Justice, mostly as an Assistant U.S. Attorney. The False Claims Act was my specialty, but I also brought cases under the Controlled Substances Act, the civil rights laws, and various white-collar fraud and healthcare fraud laws. Anything involving federal money, misuse of funds, or federal regulation.

I moved to the Securities and Exchange Commission’s Enforcement Division as a Trial Attorney. I used the same types of tools to pursue violations of the securities laws, mostly insider trading cases, breach of fiduciary duty, and corporate disclosure violations. It was fun to use my investigative techniques in a new way and in such a sophisticated industry.

I left government to join Amazon.com, Inc., as in-house counsel handling government litigation and investigations worldwide. Let’s face it, all tech companies face regulatory scrutiny. It comes with the territory when you’re innovating. I enjoyed helping folks navigate those issues and learned a lot advising businesses. I managed a wide variety of matters at Amazon involving consumer protection, advertising, tax, content moderation, cloud computing, and financial regulation. And, of course, aspects of data privacy.

I’ve been lucky to learn from talented colleagues each step of the way. Now I’m back on the government side again. I have to admit, it’s been helpful to sit on both sides of the fence.

MITCHELL: How did you make the decision to pivot to privacy?

MACKO: It wasn’t a pivot so much as an opportunity to build something again. At the U.S. Attorney’s Office in Philadelphia, I was part of an enforcement Strike Force where I created novel theories and built pipelines of enforcement actions. I focused on financial fraud, but we pursued all sorts of investigations. It was rewarding to use our usual tools as prosecutors to build something new and different.

The CPPA was a chance to do something similar. As you know, California did something remarkable with its privacy law. It passed the cutting-edge California Consumer Privacy Act in 2018. And then California strengthened the law in 2020 through a voter initiative that created the CPPA, the only dedicated data protection authority in the United States. That was Proposition 24. The voters wanted stronger protections over their privacy, and it’s our job to make that happen.

I could see the challenge of building an Enforcement Division from scratch. And I could see how we could do it. I like building teams, running complex investigations, getting results. I knew I’d get to work with Ashkan Soltani, one of the world’s leading experts in tracking technology. So, that’s why I made the decision. I couldn’t be happier about it.

MITCHELL: Can you explain the origin of the CPPA Enforcement Division and the Division’s goals?

MACKO: The original CCPA vested enforcement authority solely with the California Attorney General, similar to other state laws. But as part of Prop 24’s strengthening of the law, the voters created the CPPA as a new agency and gave it enforcement authority with the Attorney General, so both can enforce the law but in different ways. The Attorney General brings the actions directly in court, while our Enforcement Division brings the actions before administrative law judges with judicial review later. The remedies are powerful regardless of the forum. Our enforcement authority became effective in July 2023. I joined as head of the Enforcement Division around the same time.

I’m so proud of the team we’ve built over the past year. We have the former chief privacy officer and in-house privacy counsel for major tech companies, attorneys from some of the world’s largest and best law firms, and government litigators with decades of trial experience. And that’s just the attorneys. We have support staff with years of experience in Legal Aid and elsewhere, and a world-class technologist team.

Our mandate is to enforce the law vigorously. We’ve publicly announced several initiatives, including our ongoing investigations into connected vehicles and data broker registration. But most of our work relates to other things and takes place behind the scenes. The number of our open investigations is easily in the double digits and growing.

MITCHELL: How has your background as an in-house lawyer and at the SEC influenced your views and your vision for the CPPA Enforcement Division?

MACKO: I stepped out of a world of U.S. law enforcement—fraud cases, securities cases, consumer protection cases, you name it—and into a world of privacy law that grew out of Europe. Many businesses have evaluated their risk with a European framework in mind, or it’s at least influenced them. Often this means looking at consumer privacy from the perspective of an individual consumer. Individual rights are at stake. Fundamental rights.

In many ways that’s true here too, but when I’ve brought cases as a federal prosecutor, I’ve asked myself how I can benefit the largest number of people. Which cases can I bring to make the biggest impact? California law provides a monetary fine on a “per violation” basis, just like the federal False Claims Act and other laws I’ve enforced, so I’m looking at the totals. I’m looking at the aggregate.

Privacy professionals understand how quickly the exposure can add up, but the industry in the U.S., at the C-suite level, doesn’t always make the same risk calculation. If they did, in-house privacy professionals would see more resources at their disposal. We’d see cleaner, better, and more innovative implementation of privacy protections on the tech side. Those things take resources. They require investment. I brought some of my strongest cases against businesses that made the wrong calculation; they got the allocation wrong and paid a price for it. I know it’s hard to quantify regulatory risk. But my job is to move the needle toward incentivizing businesses to invest more in compliance. I’d like to level the playing field for the businesses that did invest in honoring consumers’ privacy rights. That means that privacy scofflaws should pay the price for their violations, and we need to make enforcement more likely. That’s how we change the calculus.

MITCHELL: How does the role of the Enforcement Division differ from the role of the CPPA Audit team?

MACKO: Securities lawyers might see a parallel here with the SEC, which has a Division of Enforcement and a Division of Examinations. Some examinations result in enforcement, but the majority result in examination findings and corrective action short of enforcement.

The difference boils down to the purpose. The Enforcement Division investigates potential violations, while the Audits Division evaluates compliance. When the Enforcement Division identifies violations, we bring enforcement actions. The Audits Division makes findings that might or might not result in a referral to the Enforcement Division, just like at the SEC. It depends on the circumstances.

MITCHELL: How does it differ from the role of the CA AG’s office when it comes to CPPA enforcement?

MACKO: I wouldn’t want to speak for the California AG’s office or draw distinctions, but the AG’s office has a strong and committed team. They’re real trailblazers, and we share their passion for enforcing the law. I credit Stacey Schesser from the AG’s office for inspiring me to follow her path out here. Stacey and I met back in Philadelphia when we both clerked together in the Third Circuit, and we’ve been friends for years. Suffice it to say that we work well together in our enforcement roles, and we’re very much a unified front.

MITCHELL: How do potential violations come to the attention of your team?

MACKO: For years as a prosecutor, some of my best evidence came from the inside. I relied on whistleblowers to tell me about violations. I still receive information from whistleblowers, but consumers are telling us the most. Shortly after we received our enforcement authority, we set up an online complaint system where anyone can tell us about violations, even anonymously.

Consumers heard our call and have been responding to it. Since launching the system, we’ve received thousands of complaints. We use those complaints to identify trends, specific violations, and evidence. It’s a great resource for our team, and we review every single complaint.

But we also hear about violations from media articles, other regulators, and our own experiences engaging with businesses as consumers. On top of that, our technologists are conducting proactive research and we rely on their insights.

MITCHELL: Could you tell us about the process for investigating potential violations of the CCPA?

MACKO: I’m happy to tell you about the business-facing part. It starts with communication from us, often informal. We might share a consumer complaint and ask a business to respond. Or we might send a letter asking a business for documents or information. Sometimes we seek this information in a subpoena. If you’re hearing from us, we had a reason, and I wouldn’t focus too much on the form of our communication.

From there, our process is thorough. We try to determine as efficiently as possible whether a violation has occurred. We frequently meet with businesses, review multiple rounds of documents and interrogatory answers, take any necessary testimony, and take stock of what the evidence shows.

Our investigative playbook is like the one I used at the DOJ and SEC but, candidly, I’m always learning new things from state Attorneys General and our federal partners. We try to borrow the best practices of other agencies.

MITCHELL: How do you expect businesses to engage with the CPPA in an investigation?

MACKO: Direct answers are a start, even when the answers are uncomfortable. This means admitting unhelpful facts when it’s appropriate. I know how hard it can be to do that, but it builds credibility. You have to remember that we’ve already consulted our research technologists by the time you hear from us, and we’re often able to establish certain facts early on. I also expect to see timely responses to our team’s communications and timely, full productions of documents.

MITCHELL: Is it the Agency’s practice to issue closure letters, as is the practice with other agencies? Why or why not?

MACKO: It’s rare for investigative agencies to send closure letters, and for good reason: investigations are organic. You might close an investigation one day, receive new evidence the next, and open it back up again. Or you might change your priorities or find yourself with unexpected time, and you turn back to a “closed” matter.

It works the same way for us. Sending a closure letter wouldn’t give a business reassurance or actual closure given the ongoing and evolving nature of our investigations. So, it’s not our practice.

MITCHELL: What are the Enforcement Division’s top priorities now and what do you forecast for 2025?

MACKO: Our team has been prioritizing investigations involving privacy notices, the right to delete, and the implementation of consumer requests. By that, I mean we’ve been looking under the hood to see whether businesses are doing what they say when it comes to privacy rights.

For 2025, we’ll be continuing those investigations but with additional nuance. For example, we’ll be looking closely at businesses that honor consumer opt-out requests only if consumers verify their identity. The law is clear on that point. Businesses aren’t allowed to require consumers to verify their identity to make a request to opt-out of the sale or sharing of their personal information, or to limit the use and disclosure of their sensitive personal information. The law says that businesses can ask for information necessary to complete the request, yes. But they can’t go beyond that. We addressed this issue in our first Enforcement Advisory.

We’ll also be looking at businesses that use dark patterns, often called deceptive design, to prevent consumers from asserting their rights. Let me pause there because this is important. “Dark pattern” isn’t some nebulous buzzword. California law defines the term and gives concrete examples. Our second Enforcement Advisory dealt with an application of dark patterns.

MITCHELL: Are there particular industries or populations that the Enforcement Division is focused on?

MACKO: You’re right to ask about certain populations because we’re working to identify the communities most vulnerable to violations. Some of them are obvious. We know, for example, that kids don’t always understand the technology or what’s being asked of them. The same can be said of older citizens.

This is something close to my heart. I spent years serving on the Elder Justice Task Force for the U.S. Department of Justice, and I brought some of the most significant healthcare fraud cases that targeted older Americans in nursing homes. We’re absolutely going to consider who’s most vulnerable.

And it’s not just age. Data brokers are categorizing groups of people in increasingly creepy ways. Are you a gun owner? A church member? A gender or sexual minority? A patient at a reproductive health clinic? You can be sure that data brokers are categorizing these groups and plenty more.

Geolocation data makes the effects even scarier. Don’t take my word for it, take a look at the FTC’s recent complaint against Kochava. Changes in technology can make certain groups vulnerable overnight, even if they weren’t vulnerable the day before. We’ve got to stay ahead of it.

MITCHELL: You mentioned data brokers, and you recently announced an investigative sweep into whether data brokers are registered with the Agency. Can you share any details about that effort?

MACKO: Data brokers operate in a multi-billion-dollar industry. The participants aren’t always careful about who they sell to. They don’t always have the best security practices. Even small shops can have an outsize impact in harming consumers. We know this from recent data breaches like National Public Data’s, which reportedly consisted of billions of records from 170 million Americans.

California law requires data brokers to register with the agency and pay an annual fee. The point of registration is to give consumers visibility, give them transparency to an industry that can operate in the shadows.

In October, we announced a crackdown on data brokers who failed to register. The next month, we announced that we’d reached settlements with two data brokers. Our board voted unanimously to approve those settlements. Additional investigations are ongoing, so you can expect to see more enforcement action here.

Data brokers are just one slice of our investigative efforts. We’re working on dozens of investigations under the CCPA unrelated to data brokers. These investigations are more complex and can take longer, but we’re pursuing them with the same intensity.

MITCHELL: How are Enforcement Advisories intended to be used by the Agency and how should they be viewed by businesses?

MACKO: When I handled healthcare fraud cases, I’d sometimes see agencies issue special fraud alerts to caution the industry about certain conduct. I saw similar risk alerts when I litigated securities fraud cases. These alerts told the industry something about what regulators were seeing, what they were concerned about. These alerts inspired me.

I wanted us to issue Enforcement Advisories because part of our agency’s mission is to educate the public, and I’d like to maximize compliance any way I can. Advisories are a middle ground, a way for the Enforcement Division to speak without charging a business with violations. In that sense, the advisories are purely an enforcement voice. The CPPA’s board might hold a different view, and our board serves as the ultimate decision-maker in the cases we prosecute.

You’ll probably see the advisories give you a preview of future enforcement actions. When we show up with an investigative request touching upon the same issues in an advisory, you can’t say we didn’t warn you.

MITCHELL: Do the Enforcement Advisories signal a move away from enforcement actions?

MACKO: It’s the opposite. When we’ve issued an advisory and we still see violations, there’s really no excuse. Stronger medicine will be in order.

MITCHELL: Can you tell us about the Enforcement Division’s view on cross-state coordination?

MACKO: We’re committed to consistency and harmony, and that’s why we spend so much time coordinating with our partners in other states. In fact, you’re not going to find an example where California enforced its privacy law in a way that created an inconsistency with another state. It hasn’t happened.

This collaboration is baked into the CCPA. The law tells us to cooperate with other states to ensure consistent application of privacy protections, and we take that mandate seriously. Earlier this year we launched the Consortium of Privacy Regulators, a network of states that have their own comprehensive privacy laws, and I’m on the phone every week, sometimes every day, with my colleagues in other states to keep ourselves on the same page.

MITCHELL: Why has the Agency chosen to partner with the CNIL?

MACKO: We’ve partnered with multiple state, federal, and international data protection authorities, including the CNIL in France. We’re living in a global economy, and privacy rights are a commercial reality. It’s important to see international collaboration, not just the state-wide collaboration that’s central to our mandate. That’s why we’re also members of the Asia Pacific Privacy Authorities, the Global Privacy Enforcement Network, and the Global Privacy Assembly, to name a few. You can expect to see more international collaboration in the coming year.

MITCHELL: What is your view on the future of privacy in the U.S.?

MACKO: Privacy is an issue that crosses party lines. I see states continuing to collaborate and work closely together to harmonize our enforcement approaches and promote consistency. You’re already seeing state privacy laws share many of the same fundamental concepts, and I expect enforcement to reflect the same consistency. We’re lucky that states can experiment like this and respond to changing technologies in such nimble ways. For example, California and Colorado have recently adopted new privacy protections for neural data. We’ve seen the states bolster existing protections with thoughtful ideas. No doubt that will continue.

I predict we’re going to continue seeing states value their citizens’ privacy. We’re going to see ongoing interest at the federal level, too. Over time, we’re going to see businesses take privacy violations even more seriously. When I used to show up at the door as a federal prosecutor or as an SEC attorney, businesses knew that liability could be an existential threat. We need businesses to have that reaction to privacy violations too, and vigorous enforcement is the only way to do it.

MITCHELL: What advice would you give to practitioners who are interested in a career in privacy?

MACKO: I came to the privacy bar mostly as an outsider. I’ve specialized in large-scale fraud investigations, securities cases, consumer protection investigations. And I found the privacy community to be remarkably welcoming and close-knit. Frankly, it shocked me, and I’m still not used to it. For anyone interested in privacy law, I’d encourage you to approach people you admire, leaders in the industry, and ask them for their advice about next steps. You’ll be surprised by how helpful they’ll be.

Endnotes

Jennifer L. Mitchell is a Partner in the Los Angeles office of BakerHostetler, where she leads the Los Angeles, San Francisco and Orange County Digital Assets and Data Management practice. Jennifer has served on the Executive Committee of the Privacy Law Section of the California Lawyers Association since 2022. She focuses her practice on privacy compliance and advisory services. Learn more about Jennifer’s background here: https://www.bakerlaw.com/professionals/jennifer-l-mitchell/

[1] Mark Scott, I have a plan to fix social media, Digital Bridge, POLITICO (July 6, 2023, 1:30pm), https://www.politico.eu/newsletter/digital-bridge/i-have-a-plan-to-fix-social-media/.