The new year has seen a variety of developments for companies that offer access to and analysis of personal data to their customers (data services) and others that work with them. The California Privacy Protection Agency (CalPrivacy) began 2026 by settling with two such companies for their alleged failures to register as data brokers. Meanwhile, the Federal Trade Commission (FTC) has addressed its enforcement of the Protecting Americans' Data from Foreign Adversaries Act of 2024 (PADFAA), and plaintiffs' lawyers are exploring new litigation theories tied to federal rules regarding foreign data transfers.
New California Delete Act and Delete Request and Opt-out Platform Mechanism Regulations
California continues to iterate on its data broker framework. Starting January 1, the state's centralized deletion mechanism or Delete Request and Opt-out Platform (DROP) was opened to consumers and businesses. Beginning August 1, businesses must begin deleting data pursuant to DROP requests. The regulations cover a broad definition of "data broker" (including by narrowly defining what constitutes a "direct relationship" between a business and consumers).
Accordingly, companies that might not otherwise think of themselves as data brokers may find themselves subject to the DROP and the need to register with California's data broker registry. Organizations should carefully review their operations, given CalPrivacy's active enforcement and the amended regulations' potential broad applicability.
FTC Enforcement of the Protecting Americans' Data from Foreign Adversaries Act (PADFAA)
On February 9, the FTC sent letters to 13 companies reminding them of their legal obligations under PADFAA and noting that FTC is "monitoring the marketplace" for potential violations. These letters reiterate PADFAA's restrictions on "data brokers" disclosing certain defined data elements about U.S. individuals to certain foreign entities and encourage compliance reviews.
The letters also specifically warn that the FTC identified instances where the letter recipients offered "solutions and insights involving the status of an individual as a member of the Armed Forces"--which is covered data under PADFAA and subject to the law's restrictions. The FTC's letters signal that the agency is actively monitoring industry for potential PADFAA violations.
DOJ Bulk Data Rule Provides New "Hook" for Plaintiff's Bar
Plaintiffs' lawyers also have attempted to leverage the Department of Justice's Final Rule, Preventing Access to U.S. Sensitive Personal Data and Government Related Data by Countries of Concern or Covered Persons (BDR) to advance claims under state and federal wiretap laws. A recent complaint in private litigation makes frequent reference to the BDR to claim that transfers of web browsing data about individuals were allegedly unlawful.. Although no claims are made under the BDR itself, which is not subject to private litigation, a purported violation of the BDR is relied on to support a claim of liability under federal and state wiretap laws.
What Companies and Data Services Providers Should Do Now
Companies of all types and sizes rely on the products and services offered by their data services company partners to prevent fraud, find new customers, and operate their day-to-day business. As all actors in the data-driven economy seek effective partnerships, companies should consider the following steps.
- Companies can mitigate their risk by reviewing how their partners (including vendors and suppliers) comply with applicable legal requirements related to foreign data transfers
- Companies that work with personal data (including large data sets regulated by the BDR) should review and refresh their assessments of what laws and compliance measures apply to their activity, to help create a more complete data governance program
If you have questions about these enforcement trends and related developments, please reach out to Venable's Privacy and Data Security Group for assistance.