California Advances Data Privacy Whistleblower Protections and Deletion Rights
The California Privacy Protection Agency (CPPA) has approved three new draft bills aimed at strengthening data privacy protections in the state. The most notable proposal introduces anti-retaliation safeguards and financial incentives for whistleblowers who report companies violating California's privacy laws, with the goal of encouraging insiders to provide valuable information to regulators. The CPPA emphasized that such whistleblower contributions would enhance enforcement efforts, particularly in cases involving complex data processing and emerging technologies.
In addition to whistleblower protections, the draft legislation seeks to expand Californians' rights to have their personal data deleted. The proposed changes would allow residents to request the removal of personal information not only collected directly by businesses but also obtained from third parties. These measures follow recent legislative successes, including a law signed by Governor Gavin Newsom that simplifies consumer opt-outs from data sharing via web browsers, further strengthening privacy rights for California residents.
Related Stories

California Privacy Regulator Fines and Bans DataMasters for Unregistered Sale of Sensitive Personal Data
California’s **Privacy Protection Agency (CalPrivacy)** announced a settlement action against Texas-based **Rickenbacher Data (doing business as DataMasters)**, fining the company and **banning it from selling Californians’ personal information** as part of a broader enforcement crackdown on data brokers. The action was brought by the agency’s enforcement division and its **Data Broker Enforcement Strike Force**, following CalPrivacy’s stated intent to increase investigations into data broker privacy violations. Regulators said DataMasters traded in data tied to **sensitive health conditions**—including lists associated with **Alzheimer’s disease, drug addiction, and bladder incontinence**—and also bought and sold lists segmented by demographics and inferred attributes such as **“Seniors,” “Hispanic,” political affiliation, grocery purchases, banking activity, and health-related purchases** for targeted advertising. CalPrivacy stated the company conducted these activities in **2024 without registering with the California Data Broker Registry**, a requirement under California’s data broker rules.
2 months ago
Regulatory scrutiny of consumer data collection and opt-out compliance
A U.S. congressional investigation by the Joint Economic Committee’s Democratic minority estimated that identity theft tied to breaches at **four major data brokers** has cost American consumers roughly **$20 billion**, and highlighted how some brokers obscured legally required “opt-out” pages (including use of `no-index` tactics that made deletion/opt-out pages harder to find). The report, prompted by investigative reporting, said several large brokers subsequently engaged with congressional staff and changed practices to make it easier for consumers to control the collection and sale of their personal data. California regulators separately escalated enforcement of opt-out requirements under state privacy law, with the **California Privacy Protection Agency (CPPA)** fining **PlayOn Sports** **$1.1 million** over allegations that its *GoFan* ticketing platform used tracking technologies for targeted advertising without providing a compliant, easy-to-use opt-out mechanism. The CPPA said users—including large numbers of high school students—were effectively forced to “agree” to tracking to access paid tickets and services, and that directing users to industry opt-out programs (e.g., Network Advertising Initiative / Digital Advertising Alliance) did not satisfy California’s requirement that companies provide their **own** opt-out tool and clear disclosures.
1 week ago
Regulatory-Driven Consumer Privacy and Child Safety Controls in the EU and California
TikTok said it will roll out stronger **age-verification** capabilities across the EU in the coming weeks, following a year-long pilot that analyzes profile details, posted videos, and behavioral signals to estimate whether an account may belong to a user under 13. Flagged accounts are to be reviewed by specialist moderators rather than automatically removed; TikTok said a UK pilot resulted in the removal of thousands of accounts. The move reflects increasing regulatory and public pressure on major platforms to more reliably prevent underage access, particularly where services process significant personal data and use algorithmic recommendations. California launched a new consumer privacy mechanism—the **Delete Request and Opt-out Platform (DROP)**—that allows residents to request deletion of personal information held by more than 500 registered data brokers. The tool, available via `privacy.ca.gov/drop`, supports identity and residency verification either by entering personal details (e.g., name, date of birth, address) or by using a *login.gov* account (which may require uploading government ID). The platform operationalizes expanded state privacy rights by centralizing deletion requests, aiming to reduce the exposure and resale of personal data by the data broker ecosystem.
2 months ago