The California Privacy Protection Agency (CPPA) today said that it’s doing a compliance sweep of data brokers, who under the state’s Delete Act must disclose certain types of data they collect, links to exercising privacy rights, and the number of requests received.
Per the law, a company is a data broker in the state of California if it “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”
There are technically around 500 data brokers operating in California. Those who don’t register as data brokers face fines of $200 per day.
Why Now?
The CPPA’s enforcement division is now built out, and enforcement is up 80% in 2023-24 compared to the previous fiscal year, said Michael Macko, the agency’s head of enforcement, over the summer. It’s received over 2,000 consumer complaints, some of which have resulted in official investigations. Over half of those complaints have been related to the right to delete personal data, according to the agency.
Over the summer, data brokers were obligated for the first time to publicly disclose the number of requests to delete, correct, access, limit and opt out of collected data. Among the things Consumer Watchdog found was that prior to the law, less than 1 percent of Californians exercised their rights in 2023 with major data brokers such as Acxiom, which collects data on almost 70 percent of the California population and makes millions in profit.
Read our report here.
The Delete Act also has been in effect for less than a year, so this could be the agency’s reminder that the law exists and that they want to see how companies are complying.
CPPA Executive Director Ashkan Soltani said in a statement that, “It’s crucial for data brokers to register with our agency, so the public can be informed and empowered to exercise their rights.”
Hopefully the number of Californians exercising their rights will increase with the Delete Act coming into force. The CPPA is currently working on a mechanism called DROP, or the Data Broker Requests and Opt-Out Platform, which will allow a consumer to direct all data brokers to delete their personal information in one request. In addition, data brokers will be required to continuously delete the consumer’s personal information every 45 days, according to the agency. In the meantime, consumers can access the data broker registry on CPPA’s website, and complaints can be sent to the agency about a data broker that isn’t complying.
Data brokers are less known but collect and sell a lot of information, including social security numbers and geolocation. Our report recently found they keep really detailed profiles spanning hundreds of pages, with inferences about finances, family, eating and exercise habits, down to how likely you are to get a vaccine or subscribe to a streaming service. And a lot of it is wrong. They make incorrect inferences about ethnicity, finances, and consumer preferences.
And we found that they share this data with tech, insurance and financial services companies, as well as government agencies. Major data brokers such as Experian and Acxiom also send data to Facebook. One data broker, LiveRamp, said it sends data to Amazon, Disney, Fox, Comcast, Google, and Uber. Experian said it sources geolocation data from apps on your phone, and discloses it to “law enforcement,” “financial services,” “insurance companies” and “regulatory authorities,” among others. That’s creepy.
Over a year ago, the agency announced a similar sweep of the car industry’s data practices under the California Consumer Privacy Act. In 2022, Consumer Watchdog authored a report outlining the data collection practices of cars, titled “Connected Cars and the Threat to Your Privacy.”
As of this summer, the agency’s investigation is still ongoing.
“That sweep is just one example of the types of investigations that we have ongoing,” said Macko.
