In the fifth in our series of California developments, we turn to data broker obligations. There are two of note. First, the California privacy agency is moving forward Delete Act regulations it proposed earlier this year. (Its board voted to move regulations addressing data broker requirements to the Office of Administrative Law for review and approval last month.) Second, it announced an investigative sweep of compliance with the Act.Continue Reading California’s Privacy Regulator Had a Busy November, Data Broker Edition: What Does It Mean for Businesses?
data broker
Mid-Year Recap: Think Beyond US State Laws!
Much of the focus on US privacy has been US state laws, and the potential of a federal privacy law. This focus can lead one to forget, however, that US privacy and data security law follows a patchwork approach both at a state level and a federal level. “Comprehensive” privacy laws are thus only one piece of the puzzle. There are federal and state privacy and security laws that apply based on a company’s (1) industry (financial services, health care, telecommunications, gaming, etc.), (2) activity (making calls, sending emails, collecting information at point of purchase, etc.), and (3) the type of individual from whom information is being collected (children, students, employees, etc.). There have been developments this year in each of these areas.Continue Reading Mid-Year Recap: Think Beyond US State Laws!
FTC Continues Focus on Data Brokers and Sensitive Information
The FTC is beginning 2024 with a bang. Just a few short days after announcing a settlement with lead-generation company Response Tree, the FTC has announced another decision. In this latest announcement, the FTC has described this as its first settlement with data broker over the sale of sensitive information. According to the FTC, X-Mode Social, and its successor company Outlogic, LLC, tracked and sold to third parties precise location information, which information could identify if people visited “sensitive” locations like medical or reproductive clinics or domestic abuse shelters. This allegation is similar to that the agency made last year against Kochava, in a case that is still pending.Continue Reading FTC Continues Focus on Data Brokers and Sensitive Information
FTC Reaches $7 Million Settlement Over Response Tree’s “Consent Farm” Sites
Continuing its focus on potential dark patterns, the FTC has reached a settlement with the lead generation company Response Tree LLC and its president over allegations that the company ran sites that tricked people into opting into receiving marketing calls. The FTC brought the case arguing that the company had violated both Section V of the FTC Act as well as the Telemarketing Sales Rule (or TSR, which implements TCFAPA).Continue Reading FTC Reaches $7 Million Settlement Over Response Tree’s “Consent Farm” Sites
Data Broker Rulemaking in Texas and Oregon
Both Texas and Oregon recently adopted rules that will, among other things, implement a registry required by both states’ data broker laws. The Texas law went into effect September 1, 2023, and the Oregon law will go into effect January 1, 2024. Both are similar to laws in Vermont and California.Continue Reading Data Broker Rulemaking in Texas and Oregon
California’s “Delete Act” Significantly Expands Requirements for Data Brokers
California recently passed a groundbreaking new law aimed at further regulating the data broker industry. California is already one of only three states (along with Oregon and Vermont) that require data brokers—businesses that collect and sell personal information from consumers with whom the business does not have a direct relationship—to meet certain registration requirements.Continue Reading California’s “Delete Act” Significantly Expands Requirements for Data Brokers
In 2024 Oregon Will Join Short List of States Requiring Data Broker Registration
Oregon recently joined Vermont and California as the third state requiring data broker registration before collecting, selling, or licensing “brokered personal data.” Several types of entities are exempt from the law. These include those collecting information from their customers, subscribers or users or those in a “similar” relationship or an entity acting as those companies’ agents. Also exempt are consumer reporting agencies, financial institutions, and affiliates or nonaffiliated third parties of financial institutions subject to GLBA. The new law takes effect on January 1, 2024.Continue Reading In 2024 Oregon Will Join Short List of States Requiring Data Broker Registration
Vermont Is First Mover Regulating Data Brokers
Vermont recently enacted a data broker security law, one of the first of its kind. The law requires data brokers to develop and implement a comprehensive security program. The program needs to include administrative and technical safeguards to protect personal information. Data brokers are defined as businesses that collect and sell or license data about consumers with whom the business does not have a direct relationship.
Continue Reading Vermont Is First Mover Regulating Data Brokers