CalPrivacy’s Data Broker Enforcement Strike Force: updates and enforcement actions

On November 26, 2025, CalPrivacy (previously the CPPA) issued a decision requiring ROR Partners LLC to pay $56,600 for failure to register as a data broker under California’s Delete Act. According to the decision, the company used “billions of data points” from over 262 million Americans to create consumer profiles and audience lists, which ROR’s clients could then use for targeted advertising. This action was brought as part of CalPrivacy’s Data Broker Enforcement Strike Force, designed to investigate privacy violations by the data broker industry. As part of this effort, CalPrivacy recently issued an Enforcement Advisory highlighting data broker registration requirements related to trade names, websites and parent/subsidiary entities of data brokers.

What is a data broker?

By law, a data broker is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship,” with limited exceptions for certain entities covered under other sector-specific laws. In short, they are companies that collect and sell a consumer’s personal information without directly interacting with that consumer. Data brokers commonly collect information such as email, phone number, browsing history, or location data from places like public records, commercial data, and other sources. Data brokers often then analyze, bundle and sell these profiles about consumers to other businesses. According to CalPrivacy’s DROP website, “[t]his information can be used to influence you – to buy certain products, to feel certain emotions, or even take certain actions. It can put you at greater risk of identity theft, fraud, or AI impersonations. It can also increase the chances your data is leaked or hacked.”

What is the Data Broker Enforcement Strike Force?

On November 19, one week prior to the ROR decision, CalPrivacy announced its creation of the Data Broker Enforcement Strike Force within its Enforcement Division. According to the announcement, “[t]he Enforcement Division will be reviewing the [data broker] industry for compliance with the data broker registration requirement in the Delete Act, as well as for compliance with the state’s comprehensive privacy law, the California Consumer Privacy Act (CCPA).” This is not the first time the California regulator has targeted data brokers. In 2024, the Enforcement Division conducted a public investigative sweep of data broker registration with a similar goal of verifying compliance with the Delete Act and the CCPA.

What is the Delete Act?

The Delete Act is a law that applies to data brokers and requires them to register with CalPrivacy and pay an annual fee. Additionally, data brokers must disclose:
  • The number of consumer deletion requests they have received, as well as their average response time;
  • Whether the data broker collects certain types of sensitive information or the personal information of minors; and,
  • A link on their website informing customers of their rights under the CCPA.
Entities covered under the Act must register by January 31 if they operated as a data broker in the previous year, and they face a $200 penalty per day for failure to register. As of 2024, the data broker registry is maintained by CalPrivacy. The annual fee funds the registry, along with the new mechanism for allowing deletion of personal information from data brokers, called “DROP.”

What is DROP?

The first-of-its-kind deletion mechanism, the Data Broker Requests and Opt-Out Platform (DROP) will allow consumers to file a single request, which directs all registered data brokers to delete the consumers’ personal information immediately, and continuously every 45 days. According to the DROP website, the data that is subject to DROP may include:
  • Basic identifiers, including name, phone number, or email.
  • Behavioral data, including social media or browsing history, likes and dislikes.
  • Financial-related data, including payment history or spending habits.
  • Health-related data, including your usage of health-related apps, wearables, trackers or websites.
  • Location data, including where you go and how often you visit certain places.
  • Relationships, including your family and friends and how often you interact with them.
  • Inferences, including those about your lifestyle, hobbies, incomes, or even religious or philosophical beliefs, which can include history of the videos you watch, articles you read, or topics you search for.
However, the law has certain exemptions for information that is not required to be deleted. This includes information that the government makes public (property records, court filings, etc.) or information controlled by other state or federal laws, such as certain financial or health information. The intent behind the mechanism is to give consumers more control over their personal information and help protect their privacy. DROP is expected to be available to consumers on January 1, 2026.

What’s next?

With the release of DROP and the establishment of the Data Broker Enforcement Strike Force, California is positioned to take data broker enforcement seriously. The decision against ROR Partners LLC was finalized one week after the Strike Force was announced, and all signs say this is the first of many enforcement efforts under this regulatory push. If your company or organization may be acting as a data broker, it is important that you understand your obligations under laws like the California Delete Act, but also other state laws. These laws may have requirements like registering as a data broker, publishing a clear privacy notice, providing specific opt-outs, and reporting certain disclosures.

CCPA Board Meeting: Key Takeaways from November 8, 2024

In a vote of 4-1, the California Privacy Protection Agency (CPPA) has decided to move forward with rulemaking of its draft regulations concerning AI, cyber audits, profiling and risk assessments, despite complaints of regulatory overreach.

On Friday, November 8, the CPPA held a public meeting to discuss proposed updates to the California Consumer Privacy Act (CCPA) regulations. The hybrid meeting included public comments from a broad range of stakeholders – nearly 45 public comments were heard from business representatives, privacy advocates, and industry experts. While the passing vote would have typically triggered a 45-day public comment period on the draft regulations, Chairperson Urban requested flexibility, considering the upcoming holidays.

Legal Challenges

During the meeting, the CPPA stated that it was sued for failing to promulgate regulations, specifically on opt-out rights of information processed by automated decisionmaking tools (ADMTs). At the same time, commentators argued that the breadth of the proposed rules overstepped the intent of the CCPA.

Board Member Alastair Mactaggart–who helped draft the CCPA–voiced concerns about the regulations, arguing that the current proposed regulation is excessively broad to the point of being unworkable. He pointed out that these regulations, as written, apply to nearly all businesses that use any kind of software to generate any type of output–whether it’s AI-powered or not. For example, a simple tool like a spreadsheet or a school admission application could fall under these rules, forcing a large swath of low-risk businesses to conduct risk assessments. Mactaggart referred to this as statutory overreach and claimed that regulations should be focused on issues that genuinely impact privacy or security.

Economic Forecasts

The CPPA also issued a Standardized Regulatory Impact Assessment (SRIA) which was discussed during the meeting. In this assessment, the CPPA estimates the total cost of this regulatory initiative to be around $3.5 billion for the first year of implementation, with an average of $1 billion each subsequent year for the first ten years. The CPPA justifies this cost, asserting that the direct benefits to California businesses will be $1.5 billion in 2027, and $66.3 billion in 2036.

However, the California Chamber of Commerce states that “[b]usinesses, consumers and governments in California will suffer net losses from the proposed rules pending before the [CPPA] this week.” This statement stems from a report prepared for the Chamber of Commerce by Capitol Matrix Consulting, which concludes that the regulations are likely to “result in a substantial net losses to businesses, consumers, and governments in this state, both in the near and long term.”

Industry groups including TechNet, the Civil Justice Association of California, and the Interactive Advertising Bureau voiced concern about the heavy compliance burden that the regulations place on businesses–especially small businesses that may not have the resources to implement the required risk assessments or redesign their services to accommodate opt-out provisions.

Behavioral Advertising & Opt-Out Provisions

Another key point of contention during the meeting was the opt-out provision for consumers related to decisions made by AI systems.

The draft regulations govern a large range of AI. Under the draft, AI is defined as a “machine-based system that infers, from the input it receives, how to generate outputs that can influence physical or virtual environments.” Additionally, the draft defines ADMTs as “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking.”

Together, these definitions are more expansive than the definition of the high-risk automated processing addressed in Article 22 of the EU’s GDPR, the source of the original opt-out language. Under Article 22, a consumer has the right to opt out of decisions made by solely automated systems. The intent of this provision is to give consumers the ability to opt out of decisions that may be made on solely automated processes, such as targeted advertising.

However, critics argue that including the opt-out language in the draft in combination with an expansive definition of AI and ADMTs could have unintended consequences, especially for small businesses. Mactaggart, for instance, is concerned that applying this opt-out rule too broadly could lead to a breakdown of essential services. For example, online booking services for airlines and automated reservation software for hotels may rely on software that would be categorized as “AI” under this definition. Allowing users to opt out of using AI when asking for these services may be untenable, which could cause friction in these industries and ultimately could cause harm to consumers by limiting access to these services or increasing costs.

Risk Assessments

A central component of the draft regulation is for businesses that use AI, as defined above, to conduct risk assessments. While the goal of this requirement is to ensure that businesses are aware of and mitigate any potential privacy risks that arise from these technologies, critics believe the regulations go too far by applying the requirement to low-risk, everyday activities.

For example, a representative from the California Grocery Association expressed concerns about how the opt-out provision would impact a chain of small rural grocery stores with whom she conducts business. While these AI tools could be used to help consumers save money, the cost of compliance to integrate these tools might not be within reach, especially given the thin profit margins within the grocery industry.

Again, Mactaggart questioned the scope of the draft. He and other advocates called for a narrower focus for risk assessments that centers on significant decisions–such as those that deny individuals access to essential goods and services. This could include the denial of a loan application, exclusion from an online platform, or an adverse employment decision. One commenter stated that there have been no public comments against regulating high-risk systems, and by focusing on these issues, the CPPA could better mitigate potential harms. At the same time, this would free low-risk systems from potential overregulation.

Additionally, a commenter suggested that risk assessments should be streamlined and aligned with other state standards to reduce compliance costs. Mactaggart notes that accepting risk standards from other US jurisdictions could help businesses avoid duplicative efforts, cut compliance costs, and reduce the overall regulatory burden.

AI Training

The ability to opt out of training for AI datasets was of lesser concern but was still addressed by a number of commenters. For example, a representative from the Software and Data Industry Association argued that requiring an opt-out from consumers for AI dataset training could create a substantial burden on small businesses that already have trouble accumulating representative training data. Other commenters shared concerns that these opt-outs could compromise the quality and effectiveness of AI systems.

Ultimately, California faces a delicate balance in regulating AI and ADMT. On one hand, the state must work toward protecting consumers from privacy risks, potential discrimination, and other adverse impacts of AI. At the same time, the CPPA must ensure that rulemaking does not stifle innovation, create excessive compliance costs, or diminish competition between businesses that rely on AI.

As formal rulemaking moves forward, it will be crucial for the CPPA to consider feedback from the public comment period and to refine the regulations to ensure that they strike a balance between privacy concerns and costs to consumers and businesses alike.

California Invasion of Privacy Act (CIPA) – The Latest Privacy Litigation Trend

As more U.S. states enact comprehensive consumer privacy legislation, plaintiffs are turning to laws from the 1960s to pursue claims against companies that use website tracking technologies. Most notably, there has been a significant uptick in privacy litigation claiming that the use of website technology, such as session replay, chatbots, tracking pixels, and other analytics software, violates the California Invasion of Privacy Act (“CIPA”).

How We Got Here

Since 2022, a wave of class action lawsuits has been filed regarding Meta’s pixel, a tracking tool often used by companies for targeted advertising by tracking user activity. Many of these cases allege a violation of the Video Privacy Protection Act of 1988 (“VPPA”), a federal law prohibiting videotape service providers from knowingly disclosing personally identifiable information concerning their consumers. These lawsuits allege that companies which stream online video content on their websites while using the Meta pixel violated the VPPA by transmitting personally identifiable information about a website user to Meta. While many courts dismissed the VPPA Meta pixel cases, some of these cases (such as Ambrose v. Boston Globe Media Partners LLC[1]) have survived the motion to dismiss stage, leading the parties to settle instead.

Lawsuits involving the Meta pixel, along with similar technology, are also being filed under alleged violations of strong state wiretapping laws, such as the CIPA. The CIPA, which was enacted in 1961, was intended to protect California residents from then-new technologies used for different kinds of wiretapping. In these modern-day cases, plaintiffs claim that the use of many web analytics tools amounts to a violation of CIPA’s wiretapping and eavesdropping provisions.

Relying on a Ninth Circuit court decision which held that CIPA also applies to “internet communications”[2], plaintiffs’ firms circulated hundreds of demand letters threatening CIPA class action litigation under CIPA’s Section 631(a) – which prohibits third-party wiretapping – and Section 632.7 – which prohibits the interception or receipt and recording of certain wireless communications without consent. The statutory penalty is $5,000 per violation, making it an attractive avenue for plaintiffs’ firms.

Where We Are Now (Thanks to Greenley v. Kochava[3])

An even more recent decision from the United States District Court for the Southern District of California has prompted plaintiffs’ firms to turn to yet another theory and to file suits under alleged violations of CIPA Section 638.51. Section 638.51 prohibits the installation or use of a “pen register” or a “trap and trace device” without first obtaining a court order. A “pen register” is defined as a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted.

The plaintiff in Greenley v. Kochava claimed that the defendant’s software that was installed in third-party mobile applications constituted an illegally installed pen register by tracking a user’s “geolocation, search terms, click choices, purchase decisions, and/or payment methods,” collecting this tracked information, and then selling it to third-party advertisers. Deciding on a motion to dismiss, the Greenley court stated that while CIPA’s definition of a pen register was specific as to the type of data a pen register collects, it was “vague and inclusive as to the form of the collection tool – ‘a device or process.’” With this in mind, the Greenley court held that “software that identifies consumers, gathers data, and correlates that data through unique ‘fingerprinting’ is a process that falls within CIPA’s pen register definition.” Accordingly, the court denied the defendant’s motion to dismiss.

Following the Greenley court’s decision, over 50 new cases have already been filed in California state and federal courts under the CIPA pen register provision.

Where to Go from Here

Accordingly, businesses should evaluate their use of tracking software and technology, along with the disclosures in their privacy policy and potential consent mechanisms. The CIPA pen register provision allows a provider of electronic or wire communication services to use such a pen register if the consent of the user has been obtained. Although California courts have not yet interpreted consent in the context of the CIPA’s pen register provision, courts have found a user’s affirmative consent to be a successful defense in other CIPA claims.

[1] Ambrose v. Boston Globe Media Partners LLC, No. 1:22-cv-10195-RGS.

[2] Javier v. Assurance IQ LLC et al., 2022 WL 1744107, *1 (9th Cir. 2022).

[3] Greenley v. Kochava, Inc., No. 22-CV-01327-BAS-AHG, 2023 WL 4833466 (S.D. Cal. July 27, 2023).