CalPrivacy explores data broker enforcement uptick, EU adequacy prospects

The agency's 1 May board meeting unpacked CalPrivacy's data broker enforcement priorities, opposition to U.S. Congress' new privacy bill and the hurdles to EU-California adequacy.

Contributors:

Lexie White

Staff Writer

IAPP

The California Privacy Protection Agency's latest board meeting underscored the wide-ranging nature of its current focus and work program.

One steady priority atop CalPrivacy's list is enforcing data broker compliance with the Delete Act and Delete Request and Opt-Out Platform requirements. The agency said during the 1 May meeting that it intends to ramp up probes into data broker registrations, noting that while thousands of data brokers do business in the state, only 575 have registered so far.

CalPrivacy Deputy Director of Enforcement Michael Macko said the agency plans to "devote significant enforcement resources" leading up to the Delete Act's 1 Aug. deadline for organizations to comply with its registration obligations.

Alongside its enforcement efforts, CalPrivacy also considered the impacts of federal and global privacy developments. The agency addressed the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act and discussed what it would take for California to obtain an EU adequacy decision.

DROP updates

The data broker registration numbers are notable, but CalPrivacy is hanging its hat on the continued growth in DROP participation. CalPrivacy Executive Director Tom Kemp noted during the board meeting that more than 285,000 California residents have submitted DROP requests.

Kemp said the increase in data broker registration is "no doubt, a consequence of our bringing nearly a dozen enforcement actions against data brokers, along with our significant engagement with data brokers behind the scenes during ongoing investigations."

Non-registration fines will soon be compounded by DROP-related fines after 1 Aug., when registered brokers must begin performing data deletion sweeps every 45 days. Notably, the California Legislature is currently considering a bill to shorten the DROP deletion window to 30 days.

DROP participation is expected to keep rising, fueled by CalPrivacy's new awareness campaign. The statewide roadshow will make eight stops through June to inform state residents about their data subject access rights and how to exercise DROP rights in particular.

Kemp noted the agency's "grassroots component" of the outreach campaign "not only helps more people to sign up for DROP but also broadens public awareness of the agency."

As several states look to introduce "delete-style" frameworks like the Delete Act, the agency plans to continue its collaborative work. Minnesota and Vermont are among the states considering 2026 bills to mimic California's DROP system. Oregon, Texas and Vermont are states with data broker registration statutes already on the books.

Kemp said states considering DROP proposals should "reach out and connect directly," noting the agency and DROP developers "stand ready to share technical details and lessons learned so that the rest of the country does not have to start from scratch when it comes to implementing their own instances of this important tool."

SECURE Data Act

California has previously resisted U.S. Congress' attempts to establish a federal privacy framework that preempts the California Consumer Privacy Act with a less protective statute. Congress' latest pitch, the SECURE Data Act, falls short once again, according to the agency.

In a letter to relevant members of Congress, Kemp offered several points on how the SECURE Data Act "could remove important guardrails on businesses, make exercising privacy rights harder for consumers, and weaken available remedies, leaving Americans less protected."

"(The bill) would be a significant step backward in privacy protection at a time when individuals are increasingly concerned about their privacy and security online, and when challenges from data-intensive new technologies such as AI are developing quickly," he added.

During the board meeting, CalPrivacy Deputy Director of Policy and Legislation Maureen Mahoney highlighted the agency's opposition further, claiming the bill is "substantially weaker than the California Consumer Privacy Act, and would seek to eliminate many existing privacy rights and protections that Californians depend on."

CPPA Chairperson Jennifer Urban said the agency cannot "support any law that has a broad preemption provision in it, we believe that all Americans should have privacy rights."

EU adequacy discussions

The board revisited whether California could pursue adequacy between the CCPA and the EU General Data Protection Regulation. The designation would allow personal data to flow from the European Union to California without additional safeguards if the EU-U.S. Data Privacy Framework were to be invalidated like predecessor frameworks.

Despite the potential long-term appeal, the agency's staff noted a California-specific adequacy decision might not currently benefit the state. The DPF already enables trans-Atlantic data flows, including for California businesses, limiting the practical impact of a separate state-level determination.

CalPrivacy General Counsel Philip Laird noted that if the EU-U.S. adequacy decision is invalidated, "it would most likely be due to concerns about the federal government's collection and use of personal information. California would be unable to address some of those concerns, because ... the supremacy of the U.S. Constitution and federal law prevent California from limiting the federal government's processing of personal information for law enforcement or national security purposes."

Differences between California law and the GDPR could also pose challenges. CalPrivacy's scope, which primarily covers for-profit entities, does not extend to enforcement over government or nonprofit organizations, creating gaps when compared to the GDPR.

Laird said while an adequacy decision between California and the EU would be particularly valuable, "pursuing an adequacy decision for California will likely require significant time and resources, not just from agency staff, but close coordination and work amongst other state stakeholders, such as the governor and the legislature."

Agency staff recommended maintaining a monitoring posture.

Despite concerns over whether an adequacy decision is in reach for California, CalPrivacy Board member Alastair Mactaggart said, "It'll be a multi-year process to get this thing to work. If you want the tree to be 100 feet tall, you plant it tomorrow."

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
