Home Data Privacy Roundup ‘I Don’t Think I’m A Data Broker’ Is Not A Defense

‘I Don’t Think I’m A Data Broker’ Is Not A Defense

SHARE:
Comic: "Don't worry, it's simple."

Just because a company doesn’t see itself as a data broker when it looks in the mirror doesn’t mean regulators would agree.

“‘I’m not a data broker’ – that’s probably what a lot of you in this room think,” said Tony Ficarrotta, VP and general counsel of the Network Advertising Initiative, addressing a small group of in-house counsel and privacy attorneys at an event hosted by law firm Frankfurt Kurnit in New York City earlier this week.

“But you should really double check and make sure that’s true,” Ficarrotta said.

Because being wrong is about to get quite expensive.

Mic DROP

On August 1, California’s Delete Act deadline kicks in for data brokers, backed by DROP, the state’s new one-stop Delete Request and Opt-Out Platform.

Through the new platform, California residents can send a single request to all registered data brokers to delete their data, and the clock starts ticking on penalties if those requests aren’t honored. Data brokers will be required to check the DROP platform at least every 45 days and process deletion requests within 90 days.

Failure to comply carries fines of $200 per request per day – and man, that could really add up quickly.

In late March, Tom Kemp, executive director of CalPrivacy, California’s privacy protection agency, told another room of ad tech lawyers and vendors at the IAB’s Public Policy and Legal Summit in Washington, DC, that nearly 270,000 Californians had already signed up for DROP.

Nearly two months have gone by since then, so let’s say that number has ticked up a bit and is now perhaps closer to 300,000.

“Multiply that by 200,” Ficarrotta said, “and then multiply that by each day you fail to honor a consumer’s deletion request – those are very large fine amounts.”

With that math, there could theoretically be a $600 million fine for failing to honor the first large wave of deletion request for just 10 days.

“Do I think CalPrivacy will fine somebody $600 million? No. But there’s no ‘up to’ in the statute,” Ficarrotta said. “Maybe there’s some prosecutorial discretion they can use, but I think some heads will roll.”

And this should surprise no one. CalPrivacy has been signaling for a while that data brokers are in the crosshairs. “They’re telegraphing that this is their issue,” he said.

Michael Macko, who leads the agency’s enforcement division, has already brought a string of actions against unregistered data brokers. And, late last year, CalPrivacy published a separate enforcement advisory warning data brokers not to make it difficult for consumers to identify them by hiding behind trade names or subsidiary relationships.

“They’re going to go out there and try to make an example of some data brokers,” Ficarrotta said.

Be reasonable

Which brings us back to the basic question of which companies are classified as data broker under the law.

The core definition of a data broker is fairly consistent across statutes, as in, any business that knowingly collects and sells or licenses the personal information of people it doesn’t deal with directly. But there are nuances.

So get ready for some lawyerly minutiae!

Under California’s Delete Act, a data broker is a business that knowingly collects and sells personal information to third parties despite having no direct relationship with the consumer. Using that definition, Ficarrotta said, even a company with first‑party data could still end up in the data broker bucket if it buys third‑party data to enrich those records and then sells or shares the combined dataset downstream.

But then there’s Connecticut’s Senate Bill 4, which makes no mention of a “direct relationship” at all. (The bill, which would go into effect on October 1 if it’s signed by the governor, amends the Connecticut Data Privacy Act by, among other things, establishing a data broker registry and creating a centralized deletion mechanism.)

Under SB 4, a data broker is any business that sells or licenses “brokered personal data,” meaning, personal data obtained from a third party and organized for the purpose of selling or licensing to someone else.

On paper, that definition looks narrower than the terms used in California, where a company can potentially argue its way out of the data broker label by pointing to some kind of direct relationship with the consumer. Connecticut’s law doesn’t seem to allow for that argument. If you buy data from a third party and organize it for sale, you’re a data broker, full stop.

Yes, but, the Connecticut bill also enumerates a circumscribed list of specific identifiers that would be covered, including name, address, date of birth, Social Security Number and biometric data. Avoid that information, and you’re fine, right?

Well, there’s a catch-all in the language.

Brokered personal data is also defined as any “other information that alone, or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.”

Which is giving “it depends on what the meaning of the word ‘is’ is” vibes.

“I don’t know what Connecticut is going to consider reasonable and I don’t know what is considered reasonable in the market,” Ficarrotta said, “but that’s really where the rubber is going to meet the road.”

Well then, TBD.

¯\_(ツ)_/¯

🙏 Thanks for reading! As always, feel free to drop me a line at allison@adexchanger.com with any comments or feedback. And if you have time, may I recommend the video diaries of one Mr. Freddie Mercury, feline. He’s a British gent, but if he lived in California, I’m certain that he’d sign up for DROP.

Oh! And if you’ll be in Las Vegas for Programmatic AI next week, please find me and say “hi.”

Must Read

LinkNYC Kiosks Have Started Airing World Cup Games – TV Ads And All

The cinematic trope of people stopping to watch the news on a storefront TV display feels pretty out of date today. But sometimes, life can still imitate art.

How TIME’s CMS Transition Laid The Foundation For Its AI-Driven Content Overhaul

The CMS migration helped unify TIME’s fragmented content data after years of platform transitions under multiple owners. This enabled TIME to launch its own AI search product and convert archival content into AI-friendly “markdown” pages.

Adobe Advertising Just Launched Its Own Custom Algorithms Product

Last week, Adobe Advertising announced the general release of its own Custom Algorithms product, which is “a huge departure from the TubeMogul days,” Erwin Castellanos, GM of Adobe Advertising, tells AdExchanger.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

MFA Ad Spend Is Increasing. Is AI Slop To Blame?

This year, the percentage of ad spend going toward made-for-advertising (MFA) sites went up instead of down for the first time since 2023.

Kickbacks Takes An Outsider’s View While Bringing Ads To AI Agents

Andrew McCalip is a founding engineer at Varda Space Industries, where he oversees the manufacturing of things like hypersonic reentry vehicles and satellite buses.

CTV Buyers Are Getting The Show-Level Performance Optimization They’ve Always Wanted

A collaboration between InterMedia Advertising, Peer39 and Pontiac Intelligence provided show-level cost-per-acquisition data for 94% of CTV ad impressions.