Physical Address

304 North Cardinal St.
Dorchester Center, MA 02124

Pay Attention To The Delete Act (Even If You Don’t Think You’re A Data Broker)


Attention, data brokers: If you operated in California last year, you must register with the California Privacy Protection Agency (CPPA) by the end of this month.

Otherwise, you could get a nastygram from the CPPA and possibly a $200 fine for each day you fail to register, California Expungement Actwhich entered into force on 1 January 2024.

From now on, data processors are required to re-register annually, no later than 31 January.

(The law also gives California consumers the right to delete all of their personal information from a broker’s database with a single requestbut that’s a topic for a future newsletter.)

If you’re thinking, “That sounds intense, but I’m fine because I’m not a data broker” – I’d take a break. Because under the CPPA, you might be one of them.

Know yourself?

The term “data broker” is usually associated with credit reporting agencies (such as Experian, TransUnion, and Equifax) and data providers (such as Acxiom or Dun & Bradstreet) that collect and sell consumer data.

But the Delete Act “casts a much wider net,” says Daniel Goldberg, partner at Frankfurt Kurnit Klein & Selz and chair of the firm’s data strategy, privacy and security group.

The law defines a data broker as any company that collects and sells personal information about consumers without having a direct relationship with them.

AND The CPPA goes even further in its regulationssays Goldberg, broadening the word “sell” to include activities such as using data for targeted advertising. Under the CPPA, a “direct relationship” only applies to first-party data.

That means companies using third-party data for targeted advertising may qualify as data brokers under California law, Goldberg says, “even if they’re not viewed in that light.”

Subscribe

AdExchanger daily

Get our editors’ roundup delivered to your inbox every weekday.

And California isn’t the only state with a comprehensive data broker law. Texas and Oregon each has its own – both entered into force on January 1, 2024 – a Vermont since 2019, it has a law on the mediation of data.

Meanwhile, a number of other states have enacted state privacy laws that include obligations for data brokers. And the fact that the company does not identify itself as a data intermediary does not mean that the regulator will perceive it as such.

“Buying and selling personal data in any capacity could bring companies within the scope of data broker registry requirements,” says Cobun Zweifel-Keegan, executive director of the International Association of Privacy Professionals.

Expect more enforcement

The problem, says Zweifel-Keegan, is that “many companies don’t pay enough attention to this,” even though controlling data brokers is “one of the biggest trends in recent privacy policies.”

Which is no bueno because the regulators they are look out.

The CPPA already announced financial settlements with four companies late last year for failing to register as data processors: sales tech startup Growbots, B2B lead gen platform UpLead, Ad tech company Infillion and data solutions provider The Data Group.

A comic showing lab techs as stand-ins for lawmakers experimenting with the privacy provisions of US state laws.Meanwhile, the Texas attorney general’s office has sent more than 100 infringement notices to alleged unregistered data brokers, and Goldberg says he’s also aware of warning letters sent by regulators in other jurisdictions, as well as ongoing closed investigations.

“Expect more enforcement in 2025,” he says.

So why are businesses in no hurry to register? It’s not like they don’t know the regulators are interfering.

The problem is that many simply still “don’t realize they might fall under the definition,” Goldberg says.

Ghost vs

And “we didn’t realize” is not a defense.

Of course, the smart move is to consult with a privacy lawyer to review your obligations. But it is also worth recognizing the spirit of the law and not just the letter.

“The point of this regulation is transparency,” said Dimitri Sirota, CEO and co-founder of privacy technology company BigID.

In addition to registering as a data processor, the Deletion Act also requires covered companies to provide the CPPA with information about the types of personal data they collect, how they use it and with whom they share it. Data processors must also inform consumers why they want to collect data and which third parties are involved.

“By improving transparency,” Sirota said, “the Delete Act aims to build trust between consumers and organizations while ensuring that data practices are fair and accountable.”

🙏 Thanks for reading! And am I crazy (don’t answer that) or yes of this incredible sea creature do you look like a cat?? Anyway, as always, feel free to drop me a line [email protected] with any comments or feedback.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *