CalPrivacy Charges Ahead on Data Broker Enforcement, Lawyers Say
Enforcements against Datamasters and S&P Global showed the California Privacy Protection Agency (CalPrivacy) applying penalties to small and large data brokers -- without leniency for inadvertent errors, lawyers said in interviews with Privacy Daily this week. The Datamasters action also highlighted the agency’s interest in protecting vulnerable groups' data, said Womble Bond’s Tyler Bridegan.
Meanwhile, the Electronic Frontier Foundation (EFF) and Electronic Privacy Information Center (EPIC) applauded the two CalPrivacy actions announced earlier this month (see 2601080027).
Many data brokers are “mom-and-pop” operations and often lack counsel, so they "just sort of wing it," according to attorney Ben Isaacson of In-House Privacy. It appears from the Datamasters enforcement that the small company tried to comply by avoiding business in California. But “what’s very clear is that it’s incredibly difficult to comply with a geo-fencing strategy for California when you’re a national provider of data services,” Isaacson added.
But it didn’t surprise him that a company as large as S&P Global could mistakenly fail to register as a data broker in the state. “It’s actually quite normal” for big companies to have gaps in basic compliance operations, with staff turnover a common reason for errors, he said.
In addition, “data privacy has been sort of a tangential part of the legal department” at many big companies, he said. Legal teams wouldn't forget to renew their Delaware corporate registration, but privacy issues “used to ... be a limited function"; now it's "part of the core business legal operations.”
Jordan Fischer, a privacy attorney for businesses, said the enforcement shows that even S&P, “a large company that presumably has a number of resources" tasked with complying with the California Consumer Privacy Act "can make mistakes.” CalPrivacy signaled that "every business needs to understand ... it will be held accountable for mistakes, regardless of intent." As such, they must have "double checks" for "compliance and registration requirements" to confirm they are "complying with the letter of the law.”
In addition, the S&P Global action shows that CalPrivacy won’t tolerate administrative errors, said Fischer. “Even if a company is doing, or trying to do, the right thing, [CalPrivacy] appears to be taking a hard line stance on fines, and a company will be fined regardless,” she said. “It will be important for businesses to recognize that there appears to be no leniency, even for inadvertent mistakes.”
Bridegan of Womble Bond agreed. “While the allegations and violation are relatively straightforward,” what’s more notable is that CalPrivacy "chose to hold S&P Global’s feet to the fire -- to the tune of $62,000 -- for a relatively mundane or potentially excusable violation,” he said. CalPrivacy sent a clear message that it “expects full compliance and anything short of that warrants enforcement,” added Bridegan, a former director of privacy and tech enforcement at the Texas attorney general’s office.
Isaacson agreed. CalPrivacy’s enforcement actions have followed “the same playbook” in that the regulator sticks to the statutory penalties without deviation, Isaacson said. That’s going to hurt much more when new Delete Act requirements take effect this fall, he added. Isaacson and others on a panel last month predicted that fines could rise from tens of thousands of dollars to tens of millions of dollars due to statutory fines associated with the new deletion requirements (see 2512100040).
Also, Bridegan said the Datamasters decision shows the privacy agency's "concern with the personal data of potentially vulnerable groups," in this case, individuals with Alzheimer’s. Datamasters “should also be a reminder to companies that, when attempting to comply with privacy laws ... consider the types of data they are collecting." A "de-contextualized approach" to compliance is "unlikely to pass regulatory scrutiny.”
In addition, Isaacson said the decision underscores how working with regulators “requires a layer of respect and decorum,” as well as “due diligence on the accuracy of your responses.” In the order, CalPrivacy described how regulators raised questions about information provided by the data broker. “If there's any potential that you are disingenuous about what your actual operations are, you could run into exacerbated damages.”
EFF, EPIC Cheer Taming of Brokers
EFF and EPIC lauded CalPrivacy’s latest actions against data brokers, saying the sector has been operating freely, gathering and selling the public's most sensitive data.
“For too long, companies like Datamasters and S&P Global have operated without any significant guardrails ... running roughshod over our privacy rights,” Bill Budington, EFF senior staff technologist, said in an email to us.
“An investigation last year by Privacy Rights Clearinghouse and EFF reported hundreds of data brokers failing to register as required in state law,” he added. “Unfortunately," only California, Oregon, Texas, and Vermont require registration, and "most Americans lack the basic protections that prevent the massive hoovering and sale of their most revealing information.”
Similarly, EPIC Senior Counsel Sara Geoghegan said, “It's very encouraging" to see CalPrivacy enforcing laws "to protect consumers.” Geoghegan said she hopes to see more.
The S&P Global fine is “important” given that “registering as a data broker is a relatively low threshold in California,” Geoghegan added. As such, companies should conduct “an internal assessment of their business practices” in addition to following the law.
Meanwhile, the Datamasters enforcement dove into substantive requirements of the Delete Act, as the company was brokering consumers’ "most sensitive health information,” including lists of elderly people who were likely to have Alzheimer’s, she said.
“There are obvious reasons why entities who buy those lists could harm consumers, and that's not new,” said Geoghegan, citing the DOJ investigation of a data broker a few years ago for selling lists of people who were considered “more vulnerable to scams.” But the fine was “a really big step forward to sort of kneecap some of the most harmful practices that data brokers engage in,” she said. “It's encouraging to see the agency use its authorities to take swings to protect Californians.”
“The law is clear that if you are engaging in the practices of brokering data in California, you must register,” the EPIC official continued. These enforcements show that “companies doing business as normal … no longer will fly, and they need to start following the law, or they will get fined.”
Budington agreed. “Even if these companies didn't themselves do anything with that data, collecting and storing peoples' private information creates a salient target for hackers and extortionists.”
Data breaches are no longer "a theoretical threat," Budington added. "The number of people affected ... is reaching staggering heights,” he said, citing an EFF report.
Still, Budington stressed that data brokers aren't sitting on data; they're selling it "to anyone willing to pony up the cash,” and “exposing us all to dangers including political manipulation, targeted harassment, or physical danger.” Accordingly, enforcement action "punishes some of the actors most out of compliance with laws which protect the public from these dangers.”
Data brokers' activities can cause harm because they work in "black boxes,” Geoghegan said. “One of the most nefarious parts about data brokers is just the opacity of the entire industry and how little we know about them, and how generally little regulation there is over these really invasive companies.” Brokers "have amassed so much information about us, including sensitive health information, and they're selling it to the highest bidder.”