• Privacy Picks
  • Posts
  • The Delete Act, Class Actions, The State of Opt-Out, Nonprofits, and More

The Delete Act, Class Actions, The State of Opt-Out, Nonprofits, and More

Plus: It took one company almost 5 years to respond to a data access request

Welcome to Privacy Picks! 

This week, I’m diving into a bunch of different topics across the data privacy spectrum.

Please subscribe below if you’d like to receive my updates by email for free. 

Let’s get started!

The Delete Act

On October 10, 2023, California Governor Gavin Newsom enacted the Delete Act (Senate Bill 362). The Act empowers Californians to direct data brokers to delete their personal data and prevent its sale or sharing through a single platform.

It’s now up to the CPPA to create the new platform by January 1, 2026. Then, starting August 1, 2026, data brokers will have 45 days to process each verified deletion request. 

Under the Act, a Data Broker is “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

Currently, there are over 500 data brokers listed in California’s data broker registry

Proponents of the Act are thrilled about the new level of control Californians will have over their data.

Some industry groups, on the other hand, claim the new law “undermines consumer fraud protections, hurts small businesses’ ability to compete, and solidifies the big platforms’ data dominance.”

Are State Privacy Laws Actually Worse than No Law at All?

Without a comprehensive federal privacy law on the books in the U.S., we’ve seen a flurry of recent state privacy legislation.

For example, new privacy laws are scheduled to take effect in the near future in several states, including Utah, Florida, Iowa, Indiana, Montana, Oregon, and Tennessee.

However, while these laws specify certain consumer rights and business obligations, none include a private right of action.

Most state laws (except for the CCPA, which provides a limited private right of action for certain personal data breaches) only allow for regulatory enforcement of privacy violations and data breaches, which, as this author points out, does little to compensate consumers whose personal data has been misused or stolen.

Without private enforcement options under general state privacy laws, consumers are often left to pursue common law actions or join a class action suit. 

Speaking of Class Actions . . .

I recently mentioned the wave of recent class actions alleging violations of the Video Privacy Protection Act (VPPA). In fact, along with HIPAA, the VPPA is one of the most frequently cited privacy statutes in class actions.

In the last year alone, over 80 class actions were filed alleging violations of the VPPA. 

As a reminder, VPPA cases often stem from when a business hosts videos on their website or platform and also uses tracking pixels. The tracking pixels transmit a visitor's viewing data to a larger platform, like Facebook, which might use that data to deliver ads. 

Just recently, Crunchyroll, an anime streaming service owned by Sony, reached a 16 million settlement under a class action alleging violations of the VPPA by disclosing the personal information of users, subscribers and viewers to third-party companies without their consent.

Bottom line: These claims are on the rise, so make sure you understand the code that’s placed on your site. Does it transmit user data? Are you getting their consent before doing so? Is your privacy policy consistent with this use? 

Don’t be like this company . . .

“Without undue delay and in any event within one month of receipt of the request.” 

That’s how long a controller has to provide information in response to a data subject access request under Article 12 of the GDPR.

The right to access is defined under Article 15 and grants data subjects the right to confirm the processing of their personal data from a controller and then obtain that data, along with the purpose of the processing, categories of personal data, and recipients or categories of recipients of their data.

Seems straightforward enough, right?

Well, it took DAZN, an online sports streaming platform, almost 5 years to provide the information to NOYB.

In fact, approximately 400 of NOYB’s cases have been pending for more than two years. 

The State of Opt-Out

Universal-Opt Out Mechanisms (UOOMs) are digital tools, typically browser extensions, that make it easier for consumers to opt out of the sale or sharing of personal information from multiple sites at once. 

Most tools use the General Privacy Control specification to transmit your opt-out preferences across the web, saving you from the hassle of visiting each site individually.

Currently, seven state privacy laws, including California, Colorado, Connecticut, Delaware, Montana, Oregon, and Texas, require businesses to honor opt-out preferences transmitted through UOOMs. 

However, among the eight UOOM tools endorsed by creators of the Global Privacy Control spec, there are significant differences in how these opt-out preferences are installed, configured, and executed to meet consumer expectations. 

As this article explains, it’s time to revisit the UOOM landscape to provide clarity and consistency for both businesses and consumers. 

Don’t just assume your nonprofit is exempt from state privacy laws.

Many nonprofits are unaware of the applicability of state privacy laws to their organizations or assume they are exempt from requirements that seem to target for-profit companies.

Many state privacy laws, including Oregon and Delaware, only exempt nonprofits with specific missions.

Other states, including Connecticut, Florida, and Virginia, exempt nonprofit corporations or organizations, but those entities may be defined differently depending on the state. 

And, the Colorado Privacy Act applies to nonprofits that conduct business or deliver commercial products or services targeted to residents of Colorado (and meet certain thresholds).

Bottom line: review the privacy laws where your organization operates and take steps to comply with any personal data collection, notice, use, and storage rules that may apply. 

Should Your Business Enroll in the New EU-U.S. Data Privacy Framework (DPF)?

Finally, effective July 10, 2023, the new DPF has already become a reliable mechanism for transferring personal data from the EU to the U.S. The same framework was adopted for UK-U.S. and Swiss-U.S. transfers. 

Now, U.S. companies no longer need to rely on burdensome Standard Contractual Clauses (SCCs) with transfer impact statements, complex and expensive Binding Corporate Rules (BCRs), or restrictive and narrow derogations under the GDPR to facilitate cross-border transfers.

So why don’t all companies simply enroll in the DPF?

As this article points out, while it likely makes sense for most companies, there are still valid reasons companies may be reluctant to enroll.