CPPA Crackdown on Data Broker Registration Continues With $55K Fine
The California Privacy Protection Agency (CPPA) announced a $55,400 fine Tuesday against Accurate Append for failing to register as a data broker and pay the annual fee required by the state’s Delete Act (see 2507290031). The CPPA's latest fine signals the agency's crackdown on data brokers, said Troutman Amin law clerk Tammana Malik in a blog post. However, a study last month on California data brokers argues they largely ignore regulation.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Accurate Append failed to register by the Jan. 31, 2024, deadline for its 2023 activities, as required by the California Delete Act, and only registered after the Enforcement Division contacted it, the CPPA said. The action follows a CPPA investigative sweep of data broker registration compliance announced in October 2024.
“This settlement shows, once again, the peril faced by data brokers who fail to register,” CPPA's head of enforcement, Michael Macko, said in a news release. “We are committed to bringing transparency to the data broker industry, and vigorous enforcement of California's registration requirement is one way to do that.”
In her blog, Malik said "the sixth enforcement action against an unregistered data broker in the past year ... is yet another indication that the CPPA is prepared to be aggressive in enforcing the Delete Act.” She noted that if “Accurate Append ceases operating as a data broker, it will need to inform the CPPA in writing before the deadline to register.”
Accurate Append did not respond to a request for comment.
The Accurate Append fine is one of several examples of the CCPA's aggressive enforcement. Clothing retailer Todd Snyder was fined more than $345,000 in May and agreed to change its business practices after violating the California Consumer Privacy Act (see 2505060043). Honda was required to pay one of the highest fines in the law’s history, the CPPA said, at $632,500, as well as amend privacy practices as part of a March settlement (see 2503120037).
But a June study by researchers at the University of California, Irvine, found that many data brokers ignore the registry and other compliance requirements. The researchers came to their conclusions after manually submitting data-access requests to the state's 543 officially registered data brokers. They said they found "rampant non-compliance and lack of standardization of the data access request process,” which “highlight[s] an urgent need for stronger enforcement, clearer guidelines, and standardized, periodic compliance checks to enhance consumers’ privacy protections and improve data broker accountability.”
In addition, their study said “a substantial portion of data brokers (43%) completely ignored” verifiable consumer requests, which “undermines CCPA’s efficacy and highlights significant enforcement gaps in current privacy regulation.”
There is also “a troubling paradox," in that "exercising privacy rights under CCPA introduces new privacy vulnerabilities,” since “consumers must provide personal information -- sometimes including sensitive [information] such as SSNs, government IDs, and biometric data -- to data brokers who may never respond.” This, the researchers said, creates “a privacy catch-22 where consumers must risk exposing additional personal data to potentially untrustworthy entities to learn what information these brokers already (do not) possess.”