
California’s New Do Not Email Law – Fines Are Company Ending

The California Privacy Protection Agency (CalPrivacy) is responsible for implementing the new law. It is the fallout from the data broker registration law.

DROP, the Delete Request and Opt-Out Platform, is taking the fines to a whole new level.

I watched a webinar on this today and the process is complex. If you are doing direct email marketing to people in California, this could get expensive.

The Data Broker Registration Law has been around since 2019. It requires data brokers who collect and sell data on California residents to register or face $200 a day fines. That is manageable.

The Delete Act was signed in 2023 but it is just going into effect this year. The state is running a portal and if you are a California resident and can prove it (there is a consumer registration process), you can enter your email address one time and any data broker who breaks the law faces very serious fines.

But here is the thing. Brokers are required to check the database every 45 days or face fines. Brokers have to download the data, which is actually only a hash, match it against their records, delete records that match and report their status back to DROP. Failing to do that dance is a violation and a fine.

In total it could be 90 days from when you make a request until when the broker has to complete the cycle. Every 45 days. Forever.

The definition of a broker is broad. Any business that collects and sells to third parties the personal information of consumers with whom the business does not have a DIRECT RELATIONSHIP. According to the regs, that means that the consumer intentionally interacts with the business.

Interestingly, California does their part – verifying that you are a resident – without maintaining a database of personal information that can be searched. Good for them. If you want to know how that works, go to the link.

Brokers who acquire new lists have to search that list against all past hashes to make sure none of the people on that newly acquired list are on the do not email list.

Now here is the business ending part of it.

The Delete Act imposes a $200 per day per consumer fine for failure to process delete requests.

There are already over 250,000 names on the list. Say you blow it for a month. 250,000 consumers x 30 days x $200 = $1.5 billion.

They have already gone after dozens of brokers for failing to register, so it is reasonable to assume they will continue that when this law goes into effect for brokers in August.

CalPrivacy says they are in talks with multiple states to turn this into a multi-state database.

Even though this goes into effect in August, CalPrivacy has not released the API specifications, a test environment or detailed examples. That will come soon. This is not something you can do by hand.

You might want to have a law firm on speed dial.

In 2028 brokers who are big enough will also have to conduct annual cybersecurity audits. And, conduct risk assessments.

I **THINK** if you do not collect outside of people who have a direct relationship and don’t sell that data, I think this law doesn’t apply, but if you buy data, you probably want to make sure whoever you are buying it from does comply. You don’t need the attention of CPPA. And you might want to consult a law firm just to make sure.

Credit: Perkins Coie (law firm) and Clark Hill (law firm)
