CalPrivacy’s Data Broker Enforcement Strike Force: updates and enforcement actions

On November 26, 2025, CalPrivacy (previously the CPPA) issued a decision requiring ROR Partners LLC to pay $56,600 for failure to register as a data broker under California’s Delete Act. According to the decision, the company used “billions of data points” from over 262 million Americans to create consumer profiles and audience lists, which ROR’s clients could then use for targeted advertising. This action was brought as part of CalPrivacy’s Data Broker Enforcement Strike Force, designed to investigate privacy violations by the data broker industry. As part of this effort, CalPrivacy recently issued an Enforcement Advisory highlighting data broker registration requirements related to trade names, websites and parent/subsidiary entities of data brokers.

What is a data broker?

By law, a data broker is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship,” with limited exceptions for certain entities covered under other sector-specific laws. In short, they are companies that collect and sell a consumer’s personal information without directly interacting with that consumer. Data brokers commonly collect information such as email, phone number, browsing history, or location data from places like public records, commercial data, and other sources. Data brokers often then analyze, bundle and sell these profiles about consumers to other businesses. According to CalPrivacy’s DROP website, “[t]his information can be used to influence you – to buy certain products, to feel certain emotions, or even take certain actions. It can put you at greater risk of identity theft, fraud, or AI impersonations. It can also increase the chances your data is leaked or hacked.”

What is the Data Broker Enforcement Strike Force?

On November 19, one week prior to the ROR decision, CalPrivacy announced its creation of the Data Broker Enforcement Strike Force within its Enforcement Division. According to the announcement, “[t]he Enforcement Division will be reviewing the [data broker] industry for compliance with the data broker registration requirement in the Delete Act, as well as for compliance with the state’s comprehensive privacy law, the California Consumer Privacy Act (CCPA).” This is not the first time the California regulator has targeted data brokers. In 2024, the Enforcement Division conducted a public investigative sweep of data broker registration with a similar goal of verifying compliance with the Delete Act and the CCPA.

What is the Delete Act?

The Delete Act is a law that applies to data brokers and requires them to register with CalPrivacy and pay an annual fee. Data brokers must also disclose:
  • The number of consumer deletion requests they have received, as well as their average response time;
  • Whether the data broker collects certain types of sensitive information or the personal information of minors; and,
  • A link on their website informing customers of their rights under the CCPA.
Entities covered under the Act must register by January 31 if they operated as a data broker in the previous year, and they face a $200 penalty per day for failure to register. As of 2024, the data broker registry is maintained by CalPrivacy. The annual fee funds the registry, along with the new mechanism for allowing deletion of personal information from data brokers, called “DROP.”

What is DROP?

The first-of-its-kind deletion mechanism, the Data Broker Requests and Opt-Out Platform (DROP), will allow consumers to file a single request, which directs all registered data brokers to delete the consumers’ personal information immediately, and continuously every 45 days. According to the DROP website, the data that is subject to DROP may include:
  • Basic identifiers, including name, phone number, or email.
  • Behavioral data, including social media or browsing history, likes and dislikes.
  • Financial-related data, including payment history or spending habits.
  • Health-related data, including your usage of health-related apps, wearables, trackers or websites.
  • Location data, including where you go and how often you visit certain places.
  • Relationships, including your family and friends and how often you interact with them.
  • Inferences, including those about your lifestyle, hobbies, incomes, or even religious or philosophical beliefs, which can include history of the videos you watch, articles you read, or topics you search for.
However, the law has certain exemptions for information that is not required to be deleted. This includes information that the government makes public (property records, court filings, etc.) or information controlled by other state or federal laws, such as certain financial or health information. The intent behind the mechanism is to give consumers more control over their personal information and to help protect their privacy. DROP is expected to be available to consumers on January 1, 2026.

What’s next?

With the release of DROP and the establishment of the Data Broker Enforcement Strike Force, California is positioned to take data broker enforcement seriously. The decision against ROR Partners LLC was finalized one week after the Strike Force was announced, and all signs say this is the first of many enforcement efforts under this regulatory push. If your company or organization may be acting as a data broker, it is important that you understand your obligations under laws like the California Delete Act, but also other state laws. These laws may have requirements like registering as a data broker, publishing a clear privacy notice, providing specific opt-outs, and reporting certain disclosures.
DOJ Issues Final Rule on US Bulk Sensitive Data

The International Emergency Economic Powers Act (IEEPA) vests the President with authority to deal with extraordinary threats to national security and foreign policy that have their source in part or in whole outside of the United States. Acting pursuant to the IEEPA, President Biden issued Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data By Countries of Concern” (the EO). The EO directed the Department of Justice (DOJ or Department) to establish and implement regulations addressing threats from certain countries of concern attempting to access and exploit bulk amounts of US sensitive data, including personal and government data. On December 27, 2024, the DOJ issued the Final Rule, which went into effect on April 8, 2025. Additional compliance provisions for certain transactions take effect on October 6, 2025. The Final Rule prohibits or restricts a range of transactions involving categories of bulk sensitive personal data or government-related data between the US and countries of concern or covered persons. In assisting businesses to adapt to this comprehensive update, the DOJ provided a Fact Sheet, a Compliance Guide, and over 100 FAQs on the Final Rule, along with an Implementation and Enforcement Policy. Below are five main takeaways that US entities may want to consider in light of these regulations.
  1. Enforcement May Be More Lenient Until July 8, 2025
The DOJ’s Implementation and Enforcement Policy states that the Department will “target its enforcement efforts during the first 90 days to allow US persons (e.g., individuals and companies) additional time to continue implementing the necessary changes to comply with the [Final Rule].” The Department’s civil enforcement actions for violations of the Final Rule will not be a priority “so long as the person is engaging in good faith efforts to comply with or come into compliance with the [Final Rule] during that time.” However, the Department makes clear that it will “pursue penalties and other enforcement actions as appropriate for egregious, willful violations” during the delayed enforcement period.
  2. DOJ Will Consider Good Faith Efforts to Comply
While the Implementation and Enforcement Policy reflects that civil actions for violations of the Final Rule will not be a priority, this depends on the entity’s good faith effort to comply. According to this Policy, examples of evidence of good faith efforts may include, but are not limited to:
  • Conducting internal reviews of access to sensitive data.
  • Conducting internal reviews to determine whether transactions involving access to such data flows constitute data brokerage.
  • Reviewing internal datasets and datatypes to determine if they are subject to the Final Rule.
  • Conducting due diligence on potential new vendors.
  • Renegotiating vendor agreements or negotiating contracts with or transferring products or services to new vendors.
  • Adjusting employee work locations, roles or responsibilities.
  • Evaluating investments from countries of concern or covered persons.
  • Implementing the CISA Security Requirements.
  3. “Good Faith” May Include Satisfying CISA Security Requirements
A good-faith effort to comply may be demonstrated, in part, by implementing the CISA Security Requirements, which were developed concurrently with the Final Rule pursuant to the EO. The security requirements are intended to address threats that arise when conducting restricted transactions, as detailed below. These security requirements are divided into two sections: i) organizational- and covered system-level requirements; and ii) data-level requirements.
  4. Before October 6, 2025, Determine if Your Company is Conducting Restricted Transactions
US entities engaged in restricted transactions under the Final Rule have affirmative data compliance program and audit obligations, among other obligations. In addition, the Final Rule provides that data brokerage transactions are prohibited with any foreign entity unless the US person contractually restricts the foreign entity from engaging in subsequent transactions of that data with a country of concern or covered person. US persons must also report any known or suspected violation of this requirement.
  5. An Iterative Review Plan May be Needed for Covered Transactions
With the Final Rule coming into effect and enforcement nearing, US companies that engage in certain data transactions or share information with third parties that may be covered persons or countries of concern should evaluate their transactions and data practices. After a thorough review of the types of information collected, who that information is shared with, and who is involved in the processing of that data, it may be helpful to adopt a compliance policy to ensure transactions are being handled appropriately in light of the Final Rule.
Texas sues Allstate, continuing Lone Star’s focus on vehicle data regulation

Update: On Jan. 29, 2025, it was reported that on Jan. 12, 2025, Texas sent Kia America, Inc., a notice of their alleged violations of the Texas Data Privacy and Security Act. Kia has 30 days to cure the alleged violations.

Everything is bigger in Texas, including data privacy enforcement. On January 13, 2025, Texas continued its recent regulatory focus on vehicular and geolocation data by initiating a lawsuit against Allstate and its subsidiary, Arity, alleging the companies violated numerous consumer protection and data privacy laws by unlawfully collecting, using, and selling personal, vehicular, and location data without consumers’ knowledge or consent.

What led to this lawsuit?

For more than half a year, Texas has been leading the regulatory enforcement of vehicular and geolocation data practices. On June 6, 2024, Texas Attorney General Ken Paxton announced that his office had opened an investigation into various car manufacturers “after widespread reporting” that those manufacturers had been secretly collecting mass amounts of data about drivers and selling that data to third parties. The “widespread reporting” cited by Paxton as the seed for the investigation was most likely a nod toward the Mozilla Foundation’s “Privacy Not Included” report published in September of 2023. The report expressly declared that modern vehicles are a “privacy nightmare” and that all 25 car brands researched for the report were labeled as having the worst privacy ever reviewed by the Foundation. The investigation initiated by Paxton in June of 2024 eventually led to a lawsuit against General Motors, filed on August 13, 2024, alleging the company engaged in false, deceptive, and misleading business practices related to its unlawful collection and sale of driving data to insurance companies without the consumers’ knowledge or consent.
Following this suit, Paxton’s office sent a notice in November of 2024 to Arity, LLC, a data analytics company founded in 2016 by Allstate, alleging that Arity was in violation of Texas’s recently enacted state privacy law, the Texas Data Privacy and Security Act (the “TDPSA”). The notice identified specific provisions of the TDPSA that Arity was allegedly violating and requested that Arity cure the violations within 30 days, in accordance with the TDPSA’s cure period. But according to Texas’s petition against Allstate and Arity filed on January 13, 2025, Arity failed to cure the alleged TDPSA violations within the 30-day cure period, thereby allowing Texas to include these alleged violations in the lawsuit.

What did Allstate and Arity allegedly do?

According to Texas’s petition, defendants Allstate and Arity developed and integrated software into third-party apps so that when consumers downloaded the third-party app, they also “unwittingly” downloaded the defendants’ software. The defendants presented the software as “providing a necessary function,” but Texas claims the software does little more than scrape data from the third-party app. Once downloaded, the defendants’ software, through the third-party apps, monitored the consumer’s location and movement “in real-time” and collected trillions of miles of consumer driving data, including geolocation data, accelerometer data, gyroscopic data, and more. The defendants then sold that data to third parties or used it for Allstate’s insurance underwriting. To encourage third parties to integrate the defendants’ software, the defendants paid app developers and offered an incentive program that provided “generous bonus incentives” if developers increased the size of their dataset. All the while, according to Texas, consumers did not consent to, nor were they made aware of, the full extent of defendants’ collection and sale of data.
Instead, defendants entered into agreements with the third-party app developers to mandate, to some degree, that certain privacy disclosures and consent language were presented by the third-party apps to consumers, but those third-party disclosures and consent, according to Texas, never mentioned the existence of the defendants, “let alone any of Defendants’ data collection or sales.” Nor did the defendants provide consumers with any of their own notices regarding their data collection practices, and even if consumers did happen to take the extra step to investigate defendants’ policies, those policies contained “untrue and contradictory statements that do not reflect Defendants’ practices.” For example, the policies expressly stated that the defendants do not sell personal data for monetary value, which Texas alleges is untrue, and the policies do not provide consumers with the ability to request that defendants stop selling their data. Taken together, Texas claims these alleged facts establish the basis for numerous legal violations, including violations of the TDPSA, the Texas Data Broker Law, and the Texas Insurance Code.

Key takeaways?
  1. Texas is – and will likely remain – focused on regulating vehicular data practices. As the saying goes, once is a coincidence, twice is a pattern, and thrice is a regulatory enforcement focus. Within the short span of half a year, Texas opened an investigation, submitted a notice to cure under the TDPSA, and initiated two lawsuits, all targeting vehicular data practices. Given the rapidity with which Texas is bringing these actions, Texas will likely continue making this an enforcement priority for the near future.
  2. Relying on third parties to provide notices and collect consent on your behalf may not be enough. The facts allege that the defendants had entered into agreements that, to some degree, obligated the third-party apps to provide notices and collect consumer consent for the collection and sharing of data with the defendants. Yet, according to Texas’s petition, these third-party disclosures and consent collection mechanisms failed to sufficiently inform consumers about the defendants’ data practices.
  3. SDKs remain an area of risk. In recent years, there has been a string of federal and state enforcement action over the use of software development kits (SDKs) to collect and share data. The Federal Trade Commission entered a settlement agreement with InMarket and others; California entered a stipulated judgment of $500,000 with Tilting Point Media; and now a core fact of Texas’s petition is that the defendants developed and integrated SDKs into third-party apps to scrape data.
  4. Carefully consider whether data is being “sold.” Under the TDPSA, a “sale” occurs when personal data is shared, disclosed, or transferred for monetary or other valuable consideration, and Texas alleges that Allstate and Arity “sold” personal data when they sold “data-based products and services for monetary value that linked a specific [consumer] to their alleged driving behavior.” Often, the language of “selling” something conjures to mind ideas of direct financial transactions – exchanging personal data expressly for money or other benefits – but regulators, including those in Texas and California, interpret “selling” personal data more broadly. Thus, companies should carefully review whether their data disclosure and access practices may constitute “selling” personal data, and if so, whether they satisfy the relevant obligations when data is being “sold.”
California Delete Act allows consumers to easily delete data from all data brokers in California

On October 10, 2023, California Governor Gavin Newsom announced that he had signed into law Senate Bill 362, which is otherwise known as the Delete Act.[1] The full text of the Delete Act can be found here. The Delete Act is a landmark law seeking to provide consumers with a one-stop-shop mechanism for deleting the consumer’s personal information from all data brokers covered by the law.[2] Under current provisions, consumers must submit individual deletion requests to each data broker, but the Delete Act intends to provide a universal opt-out mechanism that allows consumers to send a single deletion request to all data brokers. To do this, the law charges the California Privacy Protection Agency with developing the one-stop-shop mechanism by January 1, 2026. While the technical and operational specifics of the mechanism are unknown, the law provides broad guidelines for what the mechanism must achieve, which expressly includes allowing consumers to make a single request that “every data broker that maintains any personal information delete any personal information related to the consumer held by the data broker or associated service provider or contractor.”[3] In addition, the law shifts data broker registration in California from the California Department of Justice to the California Privacy Protection Agency – presumably to provide the Agency with a database for the purposes of facilitating the consumer’s deletion request.[4] Previously, failure to register as a data broker amounted to a $100 penalty for each day the data broker failed to register; however, the Delete Act doubles the fine to $200 per day. The law also imposes new disclosure obligations on covered data brokers, requiring them to disclose to consumers whether the data broker collects consumers’ precise geolocation, reproductive health care data, or information of minors. Starting in 2029, the data broker must disclose whether it has undergone an audit pursuant to the law.
At this time, it remains unclear how the Agency will satisfy the creation of a one-stop-shop deletion mechanism, but data brokers in California should be prepared to adapt to a new government-imposed deletion mechanism. We will continue monitoring the Agency’s progress as the deadline approaches.
[1] https://www.gov.ca.gov/2023/10/10/governor-newsom-signs-legislation-10-10-23/
[2] Sec. 1798.99.86(a).
[3] Sec. 1798.99.86(a)(2).
[4] Section 1798.99.82 of the Civil Code is amended to read: 1798.99.82. (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.