California governor signs Delete Act into law

Julie Rubash, Chief Privacy Counsel
October 16, 2023

USA

California Governor Signs Delete Act Into Law

The Governor has signed the California Delete Act. The law will require data brokers to register with the California Privacy Protection Agency (CPPA), disclose to the CPPA and consumers certain information about their use of personal information, and, starting in 2026, listen for and respect deletion requests submitted by consumers to a central deletion mechanism maintained by the CPPA, among other requirements.

The law will go into effect January 31, 2024.

WHAT’S NEXT

A “data broker” under the law is a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. 

Data broker registration and reporting has been required under California law since 2019, and there are currently about 500 data brokers registered.

The Delete Act will add new requirements, though, and move the registry from the Attorney General’s Office to the CPPA.

It also provides for administrative fines of up to $200 for each day that a data broker fails to register (doubled from current fines) and up to $200 per day per deletion request that a data broker fails to respect.

Read more: The Delete Act: ‘A Fantastically Flawed Attempt At Solving A Critical Problem’ (AdExchanger)

Class Action Accuses Costco of sharing sensitive data with Meta

A lawsuit filed in the Western District of Washington (case No. 2:23-cv-1548) claims violations by Costco of the Electronic Communications Privacy Act, the Washington Privacy Act (Washington’s wiretapping law), the Washington Consumer Protection Act, and the Washington Uniform Health Care Information Act, among other common law and tort claims.

The lawsuit alleges that Costco shared protected patient and prospective patient information with Meta, without notice or consent, by deploying the Meta Pixel on its website. The pixel allegedly collected private communications and search results related to past and current prescription medications, treatments, immunizations, health insurance coverage and other sensitive information.

TAKEAWAY

Lawsuits claiming violations of state anti-wiretapping and other laws based on sharing of personal or sensitive information through use of third-party trackers have been prevalent in recent years.

The laws differ slightly from state to state, but most impose liability for reading the contents of a communication while it is in transit without the consent of all parties to the communication.

In the context of web trackers, complainants claim that third-party collection of consumer personal information through such trackers without consent constitutes the unauthorized reading of a communication between the user and the website.

Although the involvement of sensitive data is not an element of most anti-wiretapping laws, in cases such as this one that allegedly involve sensitive information, the plaintiffs use the sensitive nature of the information to demonstrate injury resulting from, as stated in this case, the “secret interception and disclosure of their private and sensitive health information”.

Read more:

FTC warns tax prep companies against using trackers without consent

[WEBINAR] The crackdown on tracking pixels in the US

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
