CPPA March 6th and 7th Meeting - A Warning to Registered and Unregistered Data Brokers
The agency’s recent regulatory session took place in March, and highlighted the CPPA's increasing spotlight on data brokers. Let's talk about what that means.

First off, a bit of housekeeping news from the California Privacy Protection Agency (CPPA) – starting this year, the agency extended their meetings to two days, in exchange for meeting a bit less often. The agency’s most recent session took place on March 6th and 7th (recordings here and here). This session showcased the ever-growing spotlight on (and regulation of) data brokers, both registered and unregistered. Data brokers are definitely having their time in the regulatory spotlight.
Day 1 Recap—Data Brokers Beware!
The first day of the March meeting was a closed session where the CPPA discussed two topics: (1) the appointment of a new Executive Director; and (2) ongoing litigation and settlement negotiations.
- Tom Kemp, Appointed CPPA Executive Director
Following Ashkan Soltani’s stepping down as Executive Director at the end of 2024, the agency announced that Tom Kemp will be the next executive director of the CPPA. Kemp has a long track record as an entrepreneur, author, and policy advisor, as well as a fierce critic of big tech and data brokers. He was heavily involved in leading the campaign marketing efforts in 2020 to pass California’s Proposition 24 (the California Privacy Rights Act, which amended the California Consumer Privacy Act (CCPA)), and in advising on and contributing to the drafting of California’s Delete Act and Texas’ Data Broker Registry law.
Lucid’s Ben Isaacson participated in a data broker-focused panel discussion with Kemp at the 2024 California Lawyers Association's Privacy Summit, where Kemp described many of his critiques of this industry, which you can watch here (paywalled). And for those who want to dive deeper, Ben also participated in this year’s Privacy Summit data broker session with CPPA Attorney Liz Allen, which is now online here. Given his focus, all registered data brokers, and companies that SHOULD register as data brokers (more on this below), should take note. Kemp will be sworn in and begin the role on April 1, 2025.
- More Enforcement Actions are Coming
The CPPA also met to confer with legal counsel about ongoing litigation. This isn’t a new topic: the CPPA has held multiple closed-door sessions on enforcement actions over the last year, resulting in seven enforcement actions against data brokers. For more details, please see our previous blog comparing enforcement actions against data brokers.
Day 2 Recap—Third Party Cookie Providers are Data Brokers; Delete Act Formal Rulemaking
On the second day of the March meeting, we learned that: (1) the CPPA considers third party cookie providers to be data brokers; and (2) that position is formalized in the Delete Act Draft Regulations which the CPPA voted to move to formal rulemaking.
- Third-Party Cookie-Based Service Providers Are Data Brokers
At 1:34, Liz Allen, an attorney with the CPPA, confirms the CPPA’s position that all third-party cookie-based services that collect/sell ‘inferences’ (and/or sell or share cookie IDs/IP addresses/other identifiers) are considered to be data brokers and subject to the Delete Act/Deletion Mechanism. From my vantage, that means that the majority of companies that create proprietary ‘addressable IDs’ or are in the ‘identity resolution’ business are currently unregistered and potentially at risk.
Moreover, the most recent Delete Act Draft Regulations clarify existing rules on the question of who has a 'direct relationship'. For context, a data broker is an entity that processes personal information about consumers with whom the data broker does not have a direct relationship. The Delete Act Draft Regulations state that “A business does not have a 'direct relationship' with a consumer simply because it collects personal information directly from the consumer; the consumer must intend to interact with the business.” In other words, companies such as ad networks that utilize opaque third-party cookies are likely to be deemed ‘data brokers’ under California law.
- Delete Act Draft Regulations Enter Formal Rulemaking
The CPPA voted to move the Delete Act Draft Regulations to the formal rulemaking process. We expect these draft regulations to be released in the next couple of weeks, which will open the 45-day comment period. A bit of advice for data brokers and would-be data brokers: we recommend that you review the draft regs and share your views (we're always happy to help!).
Other Enforcement News Suggesting That the Adtech Ecosystem is Part of the Data Broker Industry
In addition to the CPPA’s March meeting, on March 14, the California Attorney General, Rob Bonta, announced an investigative sweep of the “Location Data Industry” and its compliance with the CCPA. As part of this sweep, AG Bonta sent letters to advertising networks, mobile app providers, and data brokers who appear to be in violation of the law.
Conclusion
Data brokers need to revisit their compliance with data broker laws, including the California Delete Act, and consider submitting comments. Everyone else, especially companies in the adtech ecosystem and third-party cookie-based service providers, should think hard about whether they might be a data broker.
California is poised to continue the hunt for unregistered data brokers, and to fine them tens of thousands of dollars in the process. But California isn’t the only state to worry about anymore–Texas is actively enforcing its data broker registration law, and other states are following suit with their own data broker legislation.