March 10, 2026

Data Brokers and Their Partners Navigate New Compliance Regimes | Insights

Nana-Kwabena Abrefah, Jennifer Daskal, Kelly DeMarchis Bastide, Rob Hartwell Venable LLP + Follow Contact LinkedIn Facebook X Send Embed

The new year has seen a variety of developments for companies that offer access to and analysis of personal data to their customers (data services) and others that work with them. The California Privacy Protection Agency (CalPrivacy) began 2026 by settling with two such companies for their alleged failures to register as data brokers. Meanwhile, the Federal Trade Commission (FTC) has addressed its enforcement of the Protecting Americans' Data from Foreign Adversaries Act of 2024 (PADFAA), and plaintiffs' lawyers are exploring new litigation theories tied to federal rules regarding foreign data transfers.

New California Delete Act and Delete Request and Opt-out Platform Mechanism Regulations

California continues to iterate on its data broker framework. Starting January 1, the state's centralized deletion mechanism or Delete Request and Opt-out Platform (DROP) was opened to consumers and businesses. Beginning August 1, businesses must begin deleting data pursuant to DROP requests. The regulations cover a broad definition of "data broker" (including by narrowly defining what constitutes a "direct relationship" between a business and consumers).

Accordingly, companies that might not otherwise think of themselves as data brokers may find themselves subject to the DROP and the need to register with California's data broker registry. Organizations should carefully review their operations, given CalPrivacy's active enforcement and the amended regulations' potential broad applicability.

FTC Enforcement of the Protecting Americans' Data from Foreign Adversaries Act (PADFAA)

On February 9, the FTC sent letters to 13 companies reminding them of their legal obligations under PADFAA and noting that FTC is "monitoring the marketplace" for potential violations. These letters reiterate PADFAA's restrictions on "data brokers" disclosing certain defined data elements about U.S. individuals to certain foreign entities and encourage compliance reviews.

The letters also specifically warn that the FTC identified instances where the letter recipients offered "solutions and insights involving the status of an individual as a member of the Armed Forces"--which is covered data under PADFAA and subject to the law's restrictions. The FTC's letters signal that the agency is actively monitoring industry for potential PADFAA violations.

DOJ Bulk Data Rule Provides New "Hook" for Plaintiff's Bar

Plaintiffs' lawyers also have attempted to leverage the Department of Justice's Final Rule, Preventing Access to U.S. Sensitive Personal Data and Government Related Data by Countries of Concern or Covered Persons (BDR) to advance claims under state and federal wiretap laws. A recent complaint in private litigation makes frequent reference to the BDR to claim that transfers of web browsing data about individuals were allegedly unlawful.. Although no claims are made under the BDR itself, which is not subject to private litigation, a purported violation of the BDR is relied on to support a claim of liability under federal and state wiretap laws.

What Companies and Data Services Providers Should Do Now

Companies of all types and sizes rely on the products and services offered by their data services company partners to prevent fraud, find new customers, and operate their day-to-day business. As all actors in the data-driven economy seek effective partnerships, companies should consider the following steps.

• Companies can mitigate their risk by reviewing how their partners (including vendors and suppliers) comply with applicable legal requirements related to foreign data transfers

• Companies that work with personal data (including large data sets regulated by the BDR) should review and refresh their assessments of what laws and compliance measures apply to their activity, to help create a more complete data governance program
  Send Print Report

  Related Posts

• CFPB Requests Information on Data Brokers and Business Practices

Latest Posts

• Data Brokers and Their Partners Navigate New Compliance Regimes | Insights
• Spotlight On: Enbrel® (etanercept) / Erelzi® (etanercept-szzs) / Eticovo® (etanercept-ykro) - March 2026
• Annual Stockholders Meeting: Preparation Guide - March 2026
• Spotlight On: Actemra® (tocilizumab) / Tofidence™ (tocilizumab-bavi) / Tyenne® (tocilizumab-aazg) / Avtozma® (tocilizumab-anoh) - March 2026 See more »

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
Attorney Advertising.

©
Venable LLP

Written by:

Venable LLP Contact + Follow Nana-Kwabena Abrefah + Follow Jennifer Daskal + Follow Kelly DeMarchis Bastide + Follow Rob Hartwell + Follow more less

What do you want from legal thought leadership?

Please take our short survey – your perspective helps to shape how firms create relevant, useful content that addresses your needs:

Take the survey now »

Published In:

California Privacy Protection Agency (CPPA) + Follow Data Brokers + Follow Data Privacy + Follow Department of Justice (DOJ) + Follow Enforcement Actions + Follow Federal Trade Commission (FTC) + Follow New Regulations + Follow Personal Data + Follow Protecting Americans Data from Foreign Adversaries Act (PADFA) + Follow Registration Requirement + Follow Risk Management + Follow State Privacy Laws + Follow Antitrust & Trade Regulation + Follow International Trade + Follow Privacy + Follow more less

Venable LLP on:

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra: Sign Up Log in ** By using the service, you signify your acceptance of JD Supra's Privacy Policy.* - hide - hide