Hello again – after a hiatus in June, we’re back again with our monthly update on happenings in the privacy space relevant to businesses.
In this edition, you’ll find our take on:
Regulatory Update: Significant data broker regulations like California’s ‘Delete Act’, and federal ‘Fourth Amendment Not For Sale Acts’ show real momentum
California’s ‘Delete Act’ has advanced quickly through the state Senate and relevant committees over the past months and could soon become state law. The regulatory template – which requires companies that collect and sell consumer data to register with the state AG’s office and to provide a one-stop-shop ‘opt-out’ mechanism for California citizens – was originally proposed in Congress last year (albeit with the FTC managing the registry and enforcement), and has been reintroduced in the current session. Passage in California would put pressure on the Feds to make the framework a national norm. It could give consumers significantly more control over how data brokers handle personal data.
The ‘Fourth Amendment Not For Sale Act’ was a 2021 congressional bill that proposed barring government agencies from buying commercial surveillance data on Americans, a practice that bypasses normal search warrant requirements. It was recently inserted into a Section 702 surveillance reform bill that has bipartisan support, which makes its prospects for passage much stronger than when it was originally introduced.
The Wild West days of the data broker industry may not be over, but we might be beginning the last act.
There have been no significant data broker regulations passed in decades, but pressure to introduce new ones has never been higher. Piecemeal laws that address key components of the sprawling industry have greater near-term prospects for success than omnibus national consumer privacy laws like the federal ADPPA, which try to do everything at once.
The Delete Act framework has been compared to the FTC’s “Do Not Call” list, which has historically been a toothless gesture by consumers trying to limit unwanted robocalls and spam, because there are no practical means of monitoring and enforcement. But companies like DeleteMe, which came into being because of consumer needs for data control, are in an excellent position to provide exactly that capability, and we see these laws as a positive development that gives us greater relevance in ensuring companies honor consumer privacy demands.
Cybersecurity Update: MOVEit may turn out to be the biggest data breach event in recent years
The compromise of the MOVEit file transfer system has hit more than 420 organizations over the past two months, of which nearly 300 are American businesses, universities, and government agencies. The amount of compromised employee and consumer information remains imperfectly accounted for, but it is certain to continue to grow.
Early in 2023, researchers were suggesting there was a downtrend in cybersecurity risk relative to 2022, but, as the recent events show, a successful attack on a single, widely used vendor can have massive impact. The most at-risk institutions continue to be public sector and healthcare service providers, who remain behind the curve in limiting their exposure to third-party vendor risk.
Enforcement updates: FTC expanding application of COPPA rules against Big Tech; CA AG interested in CCPA employee privacy compliance
Over the past months, both Amazon and Microsoft were charged with Children’s Online Privacy Protection Act (COPPA) Rule violations, and each paid $20M+ in fines. The FTC has recently taken an expansive and aggressive approach to interpreting COPPA as part of a growing federal interest in children’s privacy online. ‘Age verification’ requirements for online services remain a complex and problematic issue, and it’s unclear how companies can easily offer flexible services to users without potentially coming into conflict with the vague application of legacy children’s privacy laws.
California Attorney General Rob Bonta recently sent inquiry letters to many of California’s largest employers to learn how they’re approaching CCPA compliance with employee data privacy rules, which affect how companies treat information about their workforce and job applicants. California is one of the only states whose privacy law currently addresses workforce data, and it provides an early warning of the kind of frameworks that may emerge in other states in the future.
The biggest problem with many existing privacy laws is the lack of clarity about what compliance really means. Many companies take a ‘wait and see’ approach to learn what will be enforced, and rely on test cases to demonstrate where the limits are. ‘Kids’ privacy’ is a current danger zone for some businesses (specifically in social media, gaming, and other areas with a high youth presence); workforce privacy rules are a potential future area of risk given recent White House interest in the status quo of workforce surveillance.
DeleteMe in the News
- Check out our running log of DeleteMe in the news in 2023.