Aug. 27, 2025

Six Articles on Addressing Legal and Regulatory Scrutiny of Data Brokers

As regulators intensify efforts to curtail opaque data practices and bolster national security, consumer privacy and digital accountability, data brokers face growing legal risks. Among key developments that impact them is the DOJ’s Bulk Sensitive Data Rule, which introduced an expanded interpretation of “data broker,” broadening the universe of entities responsible for compliance. This curated selection of 2025 articles from the Cybersecurity Law Report presents a comprehensive overview of the shifting legal terrain across federal, state and international jurisdictions, with practical insights into enforcement trends and compliance imperatives.

DOJ Guidance on Bulk Sensitive Data Rules Series

The DOJ has issued guidance to facilitate compliance with its final rules, referred to as the Data Security Program (DSP), implementing former President Biden’s Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. Though much of the guidance material rearticulates language in the DSP, it also includes some notable new compliance information for organizations. This two-part article series highlights the key elements of the guidance, with commentary from Edward McNicholas, a partner at Ropes & Gray. The first installment covered the enforcement grace period, definitions of bulk data and covered persons, and prohibited transactions. Part two distilled guidance on DSP requirements around the data compliance program, recordkeeping, reporting, licenses and advisory opinions.

California’s Delete Act Enforcement Sweep Takeaways

Since the California Privacy Protection Agency (CPPA) announced an enforcement sweep in October 2024, it has settled numerous actions with data brokers for violating the Delete Act. The cases have focused on data brokers’ failures to register with the state and pay the required annual fee. This article, with input from Ben Isaacson, a principal at In‑House Privacy, Inc., and Julie Rubash, GC and CPO at Sourcepoint, assessed commonalities in the CPPA’s Delete Act settlements, identified takeaways for data brokers, and offered advice on preparing to comply with Data Broker Requests and Opt-Out Platform requirements.

Data Clean Rooms and De-Identified Data Are Among Concerns in Navigating State Privacy Laws

Organizations may incorrectly believe they can avoid compliance with state data privacy laws by de-identifying data or running it through so-called “data clean rooms” (DCRs), according to the speakers at a program dissecting the results of the Interactive Advertising Bureau (IAB) 2025 State Privacy Law Survey. In addition to DCRs and de-identification, the survey also assessed privacy professionals’ views on, and experiences with, inferring sensitive PI, private suits under wiretapping statutes, treatment of minors’ data, data minimization, issues involving consent and disclosures, and third-party due diligence. This article synthesized the associated survey findings and insights from industry experts at Frankfurt Kurnit Klein & Selz, IAB, Kelley Drye & Warren, and Ketch.

Navigating DOJ Rules for Data Brokerage and Vendor Agreements

As of July 8, 2025, DOJ expects full compliance with its Data Security Program (DSP), which implements former President Biden’s Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. To assist organizations in navigating the DSP, this article synthesized insights shared by Latham & Watkins partners Jennifer Archie and Michael Rubin during a firm program regarding the broad scope of the rules and the key provisions, with a focus on prohibited data brokerage arrangements and restricted vendor agreements.

How to Adjust to the FTC’s Crackdown on Sensitive Location Data

The FTC closed 2024 by creating protections around data that reveals people’s visits to sensitive locations. In December, it settled two cases and published blog posts advising companies to keep an updated list of sensitive locations to scrub from their personal data collections, and to avoid using precise geolocation data unless they verify that any data brokers, aggregators or apps supplying it obtained individuals’ explicit consent. This article delved into the takeaways from the December settlements and blog posts, including the key compliance steps that companies should consider taking, and discussed the points of dissent expressed in the cases to highlight possible enforcement priorities for the latest slate of FTC commissioners.

Deciphering the New CPPA Proposed Regulations for Data Brokers

As the California Privacy Protection Agency commenced closely watching data brokers, its Board voted to adopt proposed regulations (Proposed Regs) that expand upon and clarify key provisions of the Delete Act, broadening the definition of data broker. At the same time, it reached settlements with two data broker companies about a week after it had announced that it was beginning a public investigative compliance sweep. This article, with insights from experts at Frankfurt Kurnit, Troutman Pepper and WilmerHale, examined how the Proposed Regs expand upon some of the Delete Act’s central requirements and offered practical measures for data brokers on how to meet their compliance obligations.