Data Brokers and Delete Acts

The modest fine of $56,000 that California Privacy Protection Agency’s (CalPrivacy) assessed against a company recently for failing to register as a data broker (see 2512030029) “may be the last penalty we see of this size,” said Dentons privacy attorney Dalton Cline, who sees several factors increasing monetary burdens on violators in the future.

Vermont Rep. Monique Priestley (D) will push again for comprehensive privacy legislation -- and probably one of two data broker bills -- when the legislature returns Jan. 8, she said in an interview last week with Privacy Daily. A series of town halls yielded much public excitement for privacy protections and potential new support from small businesses next year, said Priestley, who also will be running for state senator in 2026 (see 2510290024).

The California Privacy Protection Agency (CalPrivacy) fined Nevada-based marketing firm ROR Partners $56,000 for its failure to register as a data broker, in violation of the state's Delete Act. The agency's Data Broker Enforcement Strike Force brought the fine. Part of the Enforcement Division, the Strike Force was announced in November (see 2511190041).

New York must not give in to staunch industry efforts to stop a health data privacy bill, said state Sen. Liz Krueger and Assemblymember Linda Rosenthal in an emailed statement Wednesday. The Democratic sponsors of the bill (S-929/A-2141) responded to a Monday letter to Gov. Kathy Hochul (D) from many tech industry, advertising and other business groups calling for a veto.

Election year 2026 could drive more headline-grabbing state privacy enforcement, said Womble Bond privacy attorney Tyler Bridegan in an interview with Privacy Daily. In general, state privacy enforcement seems to be at the "very beginning of the bell curve,” said Bridegan, who was recently director of privacy and tech enforcement for Texas Attorney General Ken Paxton (R). Also, Bridegan praised Ryan Baasch, another alumnus of the Texas AG's office, who's expected to be nominated as an FTC commissioner by President Donald Trump.

In 2026, states and regulators will likely focus on many of the same areas they examined previously, including kids’ privacy and AI, said Cobun Zweifel-Keegan, managing director of IAPP, Washington, D.C., in an interview with Privacy Daily. On the federal level, a flood of privacy legislation is expected by year-end, he added.

Aiming to stop a surge of litigation under New Jersey’s Daniel’s Law, state Sen. Gordon Johnson (D) introduced a bill this week to amend the legislation to protect the privacy of judges and other public servants. Atlas Privacy, which has sued many times as an assignee under Daniel’s Law, condemned the proposal Friday. However, a privacy lawyer who defends businesses welcomed the bill.

The California Invasion of Privacy Act (CIPA) has included a private right of action since it was established in 1967, and weakening this and other protections under the wiretapping statute would lead to abuse, said privacy experts Don Marti of the vendor Aloodo and Robert Tauler, an attorney, in an AdExchange op-ed Thursday.

The California Privacy Protection Agency will roll out a Data Broker Enforcement Strike Force to review industry compliance with the California Consumer Privacy Act (CCPA) and the Delete Act’s registration requirements, CalPrivacy said Wednesday.

Vermont Rep. Monique Priestley (D) defended her continued push for a private right of action (PRA) in comprehensive privacy legislation while speaking on Marketecture's Monopoly Report podcast Wednesday. Also, Priestley said she aims to respect donors’ privacy as she makes a run for state Senate in 2026 (see 2510290024).