CalPrivacy Warns Data Brokers Not to 'Hide the Ball' When Registering
Data brokers must register quickly and comprehensively in California, the California Privacy Protection Agency said in an enforcement advisory Wednesday. CalPrivacy issued the advisory, which addresses data broker registration requirements related to trade names, websites and parent-subsidiary relationships, with about two weeks to go until the planned Jan. 1 launch of the Delete Request and Opt-Out Platform (DROP).
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Wednesday’s advisory is “a reminder for data brokers to register before they hear from us,” said CalPrivacy Executive Director Tom Kemp in a news release.
The California Delete Act requires businesses to register and pay an annual fee by Jan. 31 every year if they operated as a data broker in the prior year, with failure to register resulting in $200 daily administrative fines, plus registration fees and the agency’s expenses pursuing the case, CalPrivacy said.
“The rules of the road are clear, and we expect data brokers will register as required,” said Michael Macko, CalPrivacy’s enforcement head. “We will continue using all available tools to investigate potential violations and bring enforcement actions where appropriate.”
Last month, the privacy agency established a Data Broker Enforcement Strike Force (see 2511190041). Its most recent Delete Act action, brought through that strike force, was a $56,000 fine against marketing firm ROR Partners (see 2512050054). While that penalty might seem modest, Delete Act fines are expected to explode next fall when a requirement for data brokers to honor DROP deletion requests comes into effect (see 2512100040).
“Data brokers must register in a timely manner,” states the enforcement advisory. “Registration is not complete until all registration information and payment have been received.”
“Each data broker must register, including subsidiaries of parent companies,” it added. “Data brokers cannot rely on a parent or affiliated entity’s registration to ‘cover’ them.” In addition, brokers “must list all websites and trade names, or DBAs, as part of their DROP account and verify their accuracy as part of registration.”
Agency enforcers have “observed that certain data brokers ‘hide the ball’ from consumers by (1) doing business under multiple trade names, or DBAs, or operating multiple websites without listing those trade names and websites on their registration, or (2) pointing to a parent or affiliated entity’s registration instead of registering on their own,” according to the advisory. “Data brokers must register in accordance with the law, without hiding their activity or interfering with consumers’ ability to exercise their privacy rights.”
Registration doesn’t “pass automatically from parent companies to subsidiaries or between affiliates,” the agency stressed. “Instead, each distinct legal entity operating as a data broker and qualifying as a business must register and establish its own DROP account.”
CalPrivacy staff presented a walkthrough of its upcoming data deletion platform at its Nov. 7 meeting (see 2511100015). Recently adopted DROP rules take effect the same day the platform launches. Meanwhile, data brokers’ new obligations to honor consumer deletion requests begin Aug. 1, though the agency has said it will allow brokers to test the platform this spring, said Laird.
Taken together with the data broker strike force, Wednesday's enforcement advisory shows CalPrivacy is "watching and enforcing their requirements," Womble Bond attorney Taylor Ey posted on LinkedIn.