Connecticut Attorney General William Tong (D) sent more than a dozen violation notices under the state’s comprehensive consumer privacy law in the six months since it took effect July 1, 2023, the AG office reported Thursday. Businesses get 60 days to cure violations upon receiving a notice under the state law. “We have focused on key aspects of the law related to privacy policies, sensitive data and teens’ data,” said the report. “While many companies have taken prompt steps to address issues flagged in cure notices … all matters have resulted in additional follow-up.” The AG office issued 10 cure notices about privacy policy deficiencies, including missing, inadequate or confusing disclosures and missing, burdensome or broken opt-out mechanisms, it said. “Several companies updated privacy policies and/or consumer rights mechanisms quickly upon receiving cure notices.” But some didn’t fully alleviate the AG’s concerns, or their privacy disclosures raised new questions about compliance with other parts of the law, it said. “This process is an iterative one and only time will tell which companies fully satisfy our concerns and which matters will ultimately require more formal enforcement action.” The office received more than 30 consumer complaints, it said. “Many involved consumers’ attempts to exercise new data rights under the CTDPA, and primarily, the ‘right to delete.’” However, about one-third of the complaints involved data or entities exempted by the state privacy law, the AG office said. “A handful of others were exempt for other reasons, including under the CTDPA’s exemption for ‘publicly available information.’” The AG office recommended that legislators revise the law to scale back the number of entity-level exemptions, including one for nonprofits. It also recommended switching to a data-level rather than entity-level exemption for the federal Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act.
Among its other recommendations: Enact a “one-stop-shop” deletion mechanism like California’s 2023 Delete Act (see 2309150063); add a right to know specific third parties that receive data from covered businesses; expand biometric data to include data capable of being linked to a consumer, as in Oregon’s law; clarify whether the legislature intended to ban targeted advertising to teens regardless of consent; and review possibly erroneous language on publicly available information.
Director of National Intelligence Avril Haines should direct intelligence agencies to limit purchases of data about Americans when collection of the data meets FTC standards, Sen. Ron Wyden, D-Ore., wrote in a letter Thursday. Wyden released documents he said confirm that the NSA “buys Americans’ internet records, which can reveal which websites they visit and what apps they use.” He noted the FTC issued a recent order (see 2401090081) holding “that data brokers must obtain Americans’ informed consent before selling their data.” The federal government shouldn’t be “funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal,” Wyden wrote. “To that end, I request that you adopt a policy that, going forward, IC elements may only purchase data about Americans that meets the standard for legal data sales established by the FTC.” He urged the DNI to direct agencies to inventory purchased data, determine whether it meets FTC standards, and purge whatever doesn’t. DNI didn’t comment.
The FTC is examining Alphabet, Amazon and Microsoft to see if they are unfairly exerting undue control over AI markets, Chair Lina Khan announced Thursday.
Passing a data broker registration bill would help Washington state better understand the industry's scope, Rep. Shelley Kloba (D) said Friday as the state’s House Consumer Protection Committee heard testimony on Kloba’s HB-2277 during a livestreamed hearing. The bill would require data brokers to register with the state. Submitted information would appear on a public website. Brokers are selling data that people generate during daily activities online, through connected devices and while driving cars, said Kloba: It often happens without a person’s permission. The committee also mulled multiple AI bills, including HB-1934, which would establish an AI task force, and HB-1951, which attempts to prevent algorithmic discrimination. “Sometimes we have to put guardrails around things to protect people's civil liberties and to keep people safe,” said HB-1934 sponsor Rep. Travis Couture (R). Rep. Clyde Shavers (D) said his HB-1951 is an “incremental first step to make sure that the use of artificial intelligence helps, not harms us.”
The California Privacy Protection Agency, the nation's first dedicated privacy regulator, has “many investigations underway,” Executive Director Ashkan Soltani said at a partially virtual CPPA board meeting Friday. Soltani estimated that the agency has received about 100 complaints from consumers since forming in 2021. The CPPA’s data broker registry is up and running after a 2023 bill transferred it to the agency from the California DOJ, Soltani said. Many have since registered and CPPA plans to publish a list of registrants in March, he said. Staff is preparing a proposed rulemaking package, including cybersecurity risk assessments and automated decision-making technology, for the next board meeting, said Soltani: Staff is incorporating feedback from board members after the Dec. 8 meeting (see 2312080064). In addition, staff is writing draft language and speaking with possible legislative authors for a potential bill that would require browser vendors to let users exercise their California privacy rights through a global opt-out signal, said Maureen Mahoney, deputy director-policy and legislation. “We’re confident that we have adequate resources to effectively sponsor the bill.” CPPA's board voted at last month’s meeting to advance the legislative proposal. The board considered a draft 2024-27 strategic plan with the mission statement: “Protect consumers’ privacy, ensure that businesses and consumers are well-informed about their rights and obligations, and vigorously enforce the law against businesses that violate consumers’ privacy rights.”
Data brokers don’t have a “free license” to sell sensitive location data, FTC Chair Lina Khan said Tuesday, announcing the agency’s first ban on selling location data. The agency announced a nonmonetary settlement with Virginia-based X-Mode Social and Outlogic, its successor. Until May, the company lacked policies "to remove sensitive locations from the raw location data it sold,” the FTC said. X-Mode/Outlogic didn’t “implement reasonable or appropriate safeguards against downstream use of the precise location data it sells, putting consumers’ sensitive personal information at risk,” it added. The commission approved a consent order 3-0 with the company. X-Mode now faces fines of up to $50,120 per violation for future infractions. X-Mode must implement a program with continuous review of its data sets and prevent disclosure of sensitive location data. In addition, it must delete all location data it previously collected. Sen. Ron Wyden, D-Ore., applauded the agency for “taking tough action to hold this shady location data broker responsible.” He said that in 2020, he “discovered that the company had sold Americans' location data to U.S. military customers through defense contractors.” The FTC action is “encouraging,” but Congress needs to pass legislation allowing regulators to hold data brokers more accountable, Wyden said. An attorney for X-Mode didn’t comment Tuesday.