‘I Don’t Think I’m A Data Broker’ Is Not A Defense

Just because a company doesn’t see itself as a data broker when it looks in the mirror doesn’t mean regulators would agree.

“‘I’m not a data broker’ – that’s probably what a lot of you in this room think,” said Tony Ficarrotta, VP and general counsel of the Network Advertising Initiative, addressing a small group of in-house counsel and privacy attorneys at an event hosted by law firm Frankfurt Kurnit in New York City earlier this week.

“But you should really double check and make sure that’s true,” Ficarrotta said.

Because being wrong is about to get quite expensive.

Mic DROP

On August 1, California’s Delete Act deadline kicks in for data brokers, backed by DROP, the state’s new one-stop Delete Request and Opt-Out Platform.

Through the new platform, California residents can send a single request to all registered data brokers to delete their data, and the clock starts ticking on penalties if those requests aren’t honored. Data brokers will be required to check the DROP platform at least every 45 days and process deletion requests within 90 days.

Failure to comply carries fines of $200 per request per day – and man, that could really add up quickly.

In late March, Tom Kemp, executive director of CalPrivacy, California’s privacy protection agency, told another room of ad tech lawyers and vendors at the IAB’s Public Policy and Legal Summit in Washington, DC, that nearly 270,000 Californians had already signed up for DROP.

Nearly two months have gone by since then, so let’s say that number has ticked up a bit and is now perhaps closer to 300,000.

“Multiply that by 200,” Ficarrotta said, “and then multiply that by each day you fail to honor a consumer’s deletion request – those are very large fine amounts.”

With that math, there could theoretically be a $600 million fine for failing to honor the first large wave of deletion requests for just 10 days.

“Do I think CalPrivacy will fine somebody $600 million? No. But there’s no ‘up to’ in the statute,” Ficarrotta said. “Maybe there’s some prosecutorial discretion they can use, but I think some heads will roll.”

And this should surprise no one. CalPrivacy has been signaling for a while that data brokers are in the crosshairs. “They’re telegraphing that this is their issue,” he said.

Michael Macko, who leads the agency’s enforcement division, has already brought a string of actions against unregistered data brokers. And, late last year, CalPrivacy published a separate enforcement advisory warning data brokers not to make it difficult for consumers to identify them by hiding behind trade names or subsidiary relationships.

“They’re going to go out there and try to make an example of some data brokers,” Ficarrotta said.

Be reasonable

Which brings us back to the basic question of which companies are classified as data brokers under the law.

The core definition of a data broker is fairly consistent across statutes, as in, any business that knowingly collects and sells or licenses the personal information of people it doesn’t deal with directly. But there are nuances.

So get ready for some lawyerly minutiae!

Under California’s Delete Act, a data broker is a business that knowingly collects and sells personal information to third parties despite having no direct relationship with the consumer. Using that definition, Ficarrotta said, even a company with first‑party data could still end up in the data broker bucket if it buys third‑party data to enrich those records and then sells or shares the combined dataset downstream.

But then there’s Connecticut’s Senate Bill 4, which makes no mention of a “direct relationship” at all. (The bill, which would go into effect on October 1 if it’s signed by the governor, amends the Connecticut Data Privacy Act by, among other things, establishing a data broker registry and creating a centralized deletion mechanism.)

Under SB 4, a data broker is any business that sells or licenses “brokered personal data,” meaning, personal data obtained from a third party and organized for the purpose of selling or licensing to someone else.

On paper, that definition looks narrower than the terms used in California, where a company can potentially argue its way out of the data broker label by pointing to some kind of direct relationship with the consumer. Connecticut’s law doesn’t seem to allow for that argument. If you buy data from a third party and organize it for sale, you’re a data broker, full stop.

Yes, but, the Connecticut bill also enumerates a circumscribed list of specific identifiers that would be covered, including name, address, date of birth, Social Security Number and biometric data. Avoid that information, and you’re fine, right?

Well, there’s a catch-all in the language.

Brokered personal data is also defined as any “other information that alone, or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.”

Which is giving “it depends on what the meaning of the word ‘is’ is” vibes.

“I don’t know what Connecticut is going to consider reasonable and I don’t know what is considered reasonable in the market,” Ficarrotta said, “but that’s really where the rubber is going to meet the road.”

Well then, TBD.

¯\_(ツ)_/¯

🙏 Thanks for reading! As always, feel free to drop me a line at allison@adexchanger.com with any comments or feedback. And if you have time, may I recommend the video diaries of one Mr. Freddie Mercury, feline. He’s a British gent, but if he lived in California, I’m certain that he’d sign up for DROP.

Oh! And if you’ll be in Las Vegas for Programmatic AI next week, please find me and say “hi.”
