In the fifth in our series of California developments, we turn to data broker obligations. There are two of note. First, the California privacy agency is moving forward Delete Act regulations it proposed earlier this year. (Its board voted to move regulations addressing data broker requirements to the Office of Administrative Law for review and approval last month.) Second, it announced an investigative sweep of compliance with the Act.Continue Reading California’s Privacy Regulator Had a Busy November, Data Broker Edition: What Does It Mean for Businesses?

Much of the focus on US privacy has been US state laws, and the potential of a federal privacy law. This focus can lead one to forget, however, that US privacy and data security law follows a patchwork approach both at a state level and a federal level. “Comprehensive” privacy laws are thus only one piece of the puzzle. There are federal and state privacy and security laws that apply based on a company’s (1) industry (financial services, health care, telecommunications, gaming, etc.), (2) activity (making calls, sending emails, collecting information at point of purchase, etc.), and (3) the type of individual from whom information is being collected (children, students, employees, etc.). There have been developments this year in each of these areas.Continue Reading Mid-Year Recap: Think Beyond US State Laws!

The Biden Administration recently issued an Executive Order aimed at protecting American’s sensitive information and certain US Government data from threats posed by foreign actors. Of note is the Order’s focus on data brokers that may share data in bulk with foreign entities and/or individuals.Continue Reading New Program Under Biden Executive Order to Prevent Access to American’s Sensitive Personal Data by Foreign Actors

The FTC is beginning 2024 with a bang. Just a few short days after announcing a settlement with lead-generation company Response Tree, the FTC has announced another decision. In this latest announcement, the FTC has described this as its first settlement with data broker over the sale of sensitive information. According to the FTC, X-Mode Social, and its successor company Outlogic, LLC, tracked and sold to third parties precise location information, which information could identify if people visited “sensitive” locations like medical or reproductive clinics or domestic abuse shelters. This allegation is similar to that the agency made last year against Kochava, in a case that is still pending.Continue Reading FTC Continues Focus on Data Brokers and Sensitive Information

Continuing its focus on potential dark patterns, the FTC has reached a settlement with the lead generation company Response Tree LLC and its president over allegations that the company ran sites that tricked people into opting into receiving marketing calls. The FTC brought the case arguing that the company had violated both Section V of the FTC Act as well as the Telemarketing Sales Rule (or TSR, which implements TCFAPA).Continue Reading FTC Reaches $7 Million Settlement Over Response Tree’s “Consent Farm” Sites

Both Texas and Oregon recently adopted rules that will, among other things, implement a registry required by both states’ data broker laws. The Texas law went into effect September 1, 2023, and the Oregon law will go into effect January 1, 2024. Both are similar to laws in Vermont and California.Continue Reading Data Broker Rulemaking in Texas and Oregon

The FTC’s second attempt to pursue the data broker, Kochava, continues to move forward. The amended complaint, which was just unsealed and thus available for the public to review, gives insight into the agency’s perspective on the harm that results when companies create profiles with sensitive information, and use that information to target ads to individuals. The amended complaint provides more detail about Kochava’s alleged practices; allegations the company strongly disagreed with. (Thus, why it sought -unsuccessfully- to have it sealed.)Continue Reading Amended Kochava Complaint Gives Insight into FTC’s View of Harm from Data Profiles

California recently passed a groundbreaking new law aimed at further regulating the data broker industry. California is already one of only three states (along with Oregon and Vermont) that require data brokers—businesses that collect and sell personal information from consumers with whom the business does not have a direct relationship—to meet certain registration requirements.Continue Reading California’s “Delete Act” Significantly Expands Requirements for Data Brokers

Oregon recently joined Vermont and California as the third state requiring data broker registration before collecting, selling, or licensing “brokered personal data.” Several types of entities are exempt from the law. These include those collecting information from their customers, subscribers or users or those in a “similar” relationship or an entity acting as those companies’ agents. Also exempt are consumer reporting agencies, financial institutions, and affiliates or nonaffiliated third parties of financial institutions subject to GLBA. The new law takes effect on January 1, 2024.Continue Reading In 2024 Oregon Will Join Short List of States Requiring Data Broker Registration