The California Privacy Protection Agency (CalPrivacy) Board issued two new decisions (and a fine) to two different data providers for failure to register as a data broker. To quickly recap, the CalPrivacy Board created a Data Broker Enforcement Strike Force to investigate privacy violations by the data broker industry. Additionally, the Delete Act was created to provide a single mechanism for Californians to request their data be deleted from multiple brokers’ databases. The Delete Act requires data brokers to register and pay an annual fee which helps fund the development of the Delete Request and Opt-Out Platform (Drop). Failure to register as required leads to investigations (and fines) by the Strike Force and that is exactly what happened here.
A Texas limited liability company Rickenbacher Data LLC d/b/a/ Datamasters was fined $45,000 for failing to register as a data broker in violation of the Delete Act. Datamasters bought and resold the names, addresses, phone numbers and other personal information of millions of people with Alzheimer’s disease, drug addiction and other health problems for targeted advertising. Additionally, as explained in the decision, Datamasters bought and resold lists of people based on age and race as evidenced by them offering “Senior Lists” and “Hispanic Lists,” as well as lists based on political views, grocery store purchases, health-related purchases and other identifiable means. This was all done while they failed to register with the California Data Broker Registry. The Agency found that while Datamasters tried to comply with California’s privacy laws at various points, those attempts were imperfect and “lacked sufficient written policies and procedures to ensure compliance with the Delete Act….”
For failing to register as required by the Delete Act and complying with applicable privacy laws, the Agency fined Datamasters $42,000.00. The Agency reasoned that not only was this fine warranted because of the failure to register but the head of enforcement at CalPrivacy said that “reselling list of people battling Alzheimer’s disease is a recipe for trouble…in the wrong hands, these lists could be used to target people for more than just advertising and the same risks apply to selling lists of seniors…people who identify as conservative or liberal….” Not only was the fine warranted for not registering as required but given that such personal and intimate information of the most vulnerable members of society was being sold, ensuring that there was accountability was paramount for the Agency.
The second decision required a New York based provider of data and technology known as S&P Global, Inc. to pay a $62,000.00 fine for failing to register as a data broker. From the decision, the Agency found that S&P Global failed to register because of an administrative error as evidenced in the decision that read in part “S&P Global intended to register the company as a data broker for its 2024 activities and S&P Global believed that the registration had been completed….” An investigation was opened as to why S&P Global was not registered and after the company learned that they were being investigated, they quickly acted to complete the registration. However, because they were unregistered for 313 days, the Agency found that the fine was warranted and issued new terms to the company to ensure such oversight does not happen again (to which S&P Global agreed to). Those terms were adopting written policies and procedures to ensure timely registration as a data broker in compliance with the Delete Act and reviewing its procedures for auditing data broker registration status and update those audit procedures as the company deems appropriate to identify missing or incomplete registration.
While the second circumstance seems to be a good faith error as opposed to the first decision, both orders underscore the importance of adhering to the requirements posed by the Delete Act. California has taken a much more active approach in how they oversee the handling of people’s personal information and will look to hold data brokers accountable for any missteps regardless of the reason. These preventative measures are enacted to ensure that the most intimate details of people’s lives stay private unless they consent to disclose such information. California seeks to empower consumers with greater control over their personal data and ensuring compliance of requirements set forth in the Delete Act by the data brokers is a crucial component in empowering the public. These orders serve as a reminder to the companies that acquire and sell data that it is up to them to ensure that they are diligent in adhering to all the requirements.
I will be sure to keep my eyes open for any new updates here. Talk to you soon CIPAWorld!
CIPAWorld 