Export Compliance Daily is a service of Warren Communications News.
CalPrivacy: 'Law is the Law'

California Delete Act Fines Expected to Explode, Won't Be Negotiable

California Privacy Protection Agency (CalPrivacy) fines for Delete Act violations next fall could rise from tens of thousands of dollars to tens of millions of dollars -- at least -- with no room for negotiation on total penalties, panelists said on a webinar by consumer privacy vendor Reklaim on Wednesday. In addition, many more companies than now realize it may be considered data brokers covered by the law, they said.

CalPrivacy attorney Liz Allen noted that all the agency’s Delete Act penalties so far have been for failures to register as data brokers, a violation that carries relatively small fines. The agency’s most recent $56,000 action, against marketing firm ROR Partners, is an example of one such modest fine (see 2512050054). However, starting Aug. 1, when a requirement to honor deletion requests comes into effect, there will be an administrative fine of $200 for each deletion request for each day a data broker fails to delete the requested information, said Allen. The $200 penalty can’t be reduced at the agency’s discretion, she added.

Reklaim founder Neil Sweeney pointed out that, under that policy, fines could quickly add up to "tens or maybe even hundreds of millions of dollars," an amount that could easily put a company out of business.

Benjamin Isaacson, an attorney at In-House Privacy, emphasized that the enforcement action won’t be a negotiated consent decree where the final total fine could be reduced. There's no built-in appeal process to challenge the size of the fee, he said. "The statutory penalties are quite clear."

There's nothing comparable in the U.S., added Isaacson. "The FTC can't even really issue fines like this."

Sweeney asked Allen to confirm that entities will have no recourse if they challenge fines related to failure to honor consumers’ deletion requests.

“No,” said the CalPrivacy official. “I mean, the law is the law. The law is written the way it's written.”

Meanwhile, many entities that haven't registered as data brokers could be in the law’s scope, said Isaacson. The California regulations could cover "pretty much every web publisher today that is monetizing their audience," he said.

Many ad or marketing agencies may also be unaware they are covered, Isaacson said. However, Sweeney said, "If you're in advertising and there's any sort of enrichment that is happening on this data, it seems to me that you fall under this regulation."

The last company to receive a CalPrivacy penalty for failure to register was a marketing company, noted Allen, referring to ROR Partners. Also, she said, if someone is paying to come in and look at a company’s data, "that's a sale ... even if you're not giving them the data."

States like California have stepped in because most consumers lacked awareness of industry’s self-regulatory mechanisms, said Isaacson, who worked for the Direct Marketing Association before it was acquired by the Association of National Advertisers in 2018. Sweeney said, "The days of … industry self-regulation are over."

The California privacy agency blogged about its upcoming Delete Request and Opt-Out Platform on Wednesday. DROP launches for consumers on Jan. 1.