Mallory

Regulatory scrutiny of consumer data collection and opt-out compliance

opt-out compliance, consumer privacy, regulatory enforcement, privacy disclosures, california privacy law, data brokers, privacy fines, cookie consent, tracking technologies, digital advertising alliance, targeted advertising, congressional investigation, identity theft, delisting, network advertising initiative

Updated March 4, 2026 at 11:05 PM | 2 sources

A U.S. congressional investigation by the Joint Economic Committee’s Democratic minority estimated that identity theft tied to breaches at four major data brokers has cost American consumers roughly $20 billion, and highlighted how some brokers obscured legally required “opt-out” pages (including use of no-index tactics that made deletion/opt-out pages harder to find). The report, prompted by investigative reporting, said several large brokers subsequently engaged with congressional staff and changed practices to make it easier for consumers to control the collection and sale of their personal data.

California regulators separately escalated enforcement of opt-out requirements under state privacy law, with the California Privacy Protection Agency (CPPA) fining PlayOn Sports $1.1 million over allegations that its GoFan ticketing platform used tracking technologies for targeted advertising without providing a compliant, easy-to-use opt-out mechanism. The CPPA said users—including large numbers of high school students—were effectively forced to “agree” to tracking to access paid tickets and services, and that directing users to industry opt-out programs (e.g., Network Advertising Initiative / Digital Advertising Alliance) did not satisfy California’s requirement that companies provide their own opt-out tool and clear disclosures.

Related Stories

California Privacy Regulator Fines and Bans DataMasters for Unregistered Sale of Sensitive Personal Data

California’s **Privacy Protection Agency (CalPrivacy)** announced a settlement action against Texas-based **Rickenbacher Data (doing business as DataMasters)**, fining the company and **banning it from selling Californians’ personal information** as part of a broader enforcement crackdown on data brokers. The action was brought by the agency’s enforcement division and its **Data Broker Enforcement Strike Force**, following CalPrivacy’s stated intent to increase investigations into data broker privacy violations. Regulators said DataMasters traded in data tied to **sensitive health conditions**—including lists associated with **Alzheimer’s disease, drug addiction, and bladder incontinence**—and also bought and sold lists segmented by demographics and inferred attributes such as **“Seniors,” “Hispanic,” political affiliation, grocery purchases, banking activity, and health-related purchases** for targeted advertising. CalPrivacy stated the company conducted these activities in **2024 without registering with the California Data Broker Registry**, a requirement under California’s data broker rules.

2 months ago
Healthcare and consumer privacy litigation over alleged improper data access and collection

Multiple legal actions highlighted ongoing **privacy and data-protection risk** across healthcare and consumer platforms. Epic Systems sued health information exchange implementer **Health Gorilla** and several provider organizations, alleging improper access to roughly **300,000 patients’ records** and claiming some participants abused interoperability frameworks (including **Carequality** and **TEFCA**) to obtain and monetize sensitive health data without appropriate consent or authorization. Separately, pharmacy services provider **PharMerica** agreed to a **$5.2 million** class-action settlement tied to a **2023** hacking incident attributed to the **Money Message** ransomware group, which claimed exfiltration of **4.7 TB** and later leaked data affecting **5.8 million** people (including SSNs and medication/insurance details), alongside commitments to invest further in security. Outside healthcare, California’s Attorney General opened a probe into **xAI** after **Grok** was used to generate and post non-consensual sexualized deepfakes, while Google agreed to pay **$8.25 million** to settle claims that its **AdMob SDK** collected data from children’s devices in “Designed for Families” apps in alleged violation of **COPPA**; a separate YouTube children’s-data settlement was also noted. A HIPAA Privacy Rule update was also reported as moving closer to finalization following an HHS OCR tribal consultation notice, but it is a regulatory development rather than a specific incident.

1 month ago
Disney Settlement Over California Consumer Privacy Act Opt-Out Failures

Disney agreed to pay **$2.75 million** to settle allegations by the California Attorney General that it violated the **California Consumer Privacy Act (CCPA)** by making it difficult for consumers to opt out of the sale/sharing of their personal data. California alleged Disney’s opt-out mechanisms contained gaps that prevented users—including those logged into their accounts—from fully stopping data sharing across Disney’s services, devices, and platforms, and that data continued to be shared with **third-party ad-tech companies** whose code was embedded in Disney websites and apps. The settlement (pending court approval) requires Disney to implement a more comprehensive privacy program and provide California officials a **compliance update within 60 days** describing changes made to align with CCPA requirements. State officials characterized the penalty as the **largest fine to date under the CCPA**; Disney did not admit liability as part of the agreement and said it continues to invest in privacy protections across its streaming services.

1 month ago
