Advertise Online? Don't Be an Accidental Data Broker Under California's Delete Act!

Key Takeaways

  • Entities engaged in commonplace adtech data enrichment practices involving the "sale" of personal information to third parties may be data brokers under the California Delete Act and related Delete Request and Opt-Out Platform (DROP) regulations.
  • Data brokers' obligations are considerable and will be onerous, especially for entities that—unlike many online advertisers—do not disclose personal information to third parties for advertising purposes as part of their core business.
  • Assess your status and obligations now—initial DROP requirements began January 1, 2026, and data brokers must honor consumer deletion requests beginning on August 1, 2026.
  • Data broker investigations are a high priority for CalPrivacy.

Many entities may be surprised to find themselves regulated as "data brokers" under California's 2023 Delete Act, which broadly defines a "data broker" to include entities engaging in many types of common data processing and enrichment used throughout the adtech ecosystem. Data brokers' obligations are considerable. They must register with CalPrivacy and participate in the new Delete Request and Opt-Out Platform (DROP), which enables consumers to direct all registered data brokers to delete their personal information in a single request. Many entities engaged in online advertising do not have DROP systems in place to manage these obligations and may not even be aware of them.

To help entities understand their regulatory status and obligations, we provide below a framework for determining whether an entity is a data broker under the Delete Act as well as an overview of DROP regulatory obligations. These duties include registering with CalPrivacy, creating a DROP platform account, processing deletion requests, and accessing deletion lists through DROP every 45 days. CalPrivacy required data brokers to register with the agency under rules adopted in 2024, but the recent DROP regulations were adopted on September 26, 2025, and are not fully in effect.

Online advertisers and any other businesses that "sell" personal information they did not collect directly from consumers should evaluate their potential regulatory exposure before possibly becoming a regulatory target. We do not yet know how far CalPrivacy will go in enforcing DROP obligations against entities that engage in data enrichment but do not otherwise sell personal data. CalPrivacy has made data broker enforcement a top priority, however, including the establishment of a "Data Broker Enforcement Strike Force" announced in November 2025 after reaching settlements with five data brokers.

Step One: Determine Whether You Are a Data Broker

The Delete Act defines a "data broker" as any "business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship," with some exceptions for entities subject to GLBA, FCRA, HIPAA, and California's Insurance Information and Privacy Protection Act. A direct relationship "means that a consumer has intentionally interacted with a business for the purpose of accessing, purchasing, using, requesting, or obtaining information about the business's products or services." Personal information that a business collects through a direct relationship is generally called "first-party data," and personal information that a business collects from third parties rather than directly from the consumer is "third-party data," although the Delete Act does not use those terms. A sale under the California Consumer Privacy Act (CCPA) is a transfer of personal information to a third party "for monetary or other valuable consideration." This includes providing personal information to third parties in exchange for other personal information—such as marketing lists—or for services without restricting the receiving party's use of the information. A business that discloses personal information but fails to enter into a data processing agreement that establishes the recipient as a service provider could convert the disclosure into a "sale."

Because of the nature of online advertising, the Delete Act may apply to a broad range of businesses that engage in typical consumer targeting strategies that could in some circumstances be a sale of personal information, including:

  • Buying lists of consumers' personal information (third-party data) and then sharing that list with adtech companies for targeting, without adequately restricting secondary uses of that data.
  • Engaging in data enrichment through a data "clean room" without adequately restricting secondary uses by other clean room participants and vendors or tracking the enriched data to prevent a "sale" of that information in the future, or by failing to include contractual provisions required by the CCPA.
  • Using internal customer databases without certainty regarding the origin of personal information and then sharing that data with adtech companies for online advertising purposes, without controlling or understanding fully what is happening with that personal information.

Whether a transaction is a "sale" is fact specific, so evaluating whether some advertisers are covered by the Delete Act can be challenging. It is difficult to manage and track personal information in the online advertising ecosystem, where many parties handle personal information, and it is hard to enforce limitations on secondary uses as that personal information passes through many hands. The result is that many companies may be uncertain whether they are covered, or even whether they are selling or sharing personal information under the CCPA, which is the threshold issue.

While the opacity of adtech data processing and sharing is a real challenge, CalPrivacy has not been sympathetic to entities that fail to adequately implement controls and contract provisions restricting the use of personal information in the advertising context. The 2025 enforcement action against Honda illustrates how CalPrivacy views the responsibilities of online advertisers and their service providers, including the expectation that their contracts contain the terms necessary to protect privacy.

Step Two: Register as a Data Broker, Create a DROP Account, and Understand Your Delete Act and DROP Regulation Obligations

The Delete Act and new DROP regulations impose extensive obligations that will be unusual for entities whose core business is not the sale of consumers' personal information to third parties, including the following:

  • Register and create a DROP account. While existing rules required data brokers to register with CalPrivacy, the new DROP regulations change that process slightly. Specifically, data brokers registering in 2026 must first create a DROP account before completing the registration form and paying the annual registration fee, currently set at $6,000.
  • Deletion list access. When registering a DROP account, the data broker must select all deletion lists that contain an identifier matching the personal information the data broker maintains about a consumer.
  • Access the DROP Platform every 45 days. Data brokers must download from the DROP Platform the file associated with the consumer deletion list for the types of data the data broker handles. This data is "hashed" rather than clear text.
  • Compare your records with the DROP records. The consumer identifier in each deletion list can then be matched against the identifiers in the data broker's own records.
  • Standardize your records. To perform the comparison, data brokers first must standardize their records with the DROP deletion list format. Do not underestimate the challenge of this task, and start early.
  • If there is a match, delete all personal information for that consumer for which the business is a data broker, and direct service providers and contractors to do so as well. This deletion obligation does not apply to personal information collected directly from the consumer. (The regulations also provide other exceptions.) Data brokers must report the status of deletion requests to CalPrivacy on request.
  • New brokers. Going forward, data brokers who begin operating after the initial registration period begins must (1) create a DROP account, (2) access the account within 45 days of commencing data broker operations, and (3) pay a fee, prorated over the year.
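The steps above (download the hashed deletion list, standardize your own records into the same format, compare, delete the matches, and leave first-party data alone) are illustrated below in an added example that is not part of the original article and is not CalPrivacy's or DROP's own code. The deletion list is constructed inline rather than downloaded, and the hash function (SHA-256) and the normalization rules (lower-cased, trimmed email addresses; digits-only phone numbers with a leading US country code removed) are assumptions for illustration; the actual DROP file format and hashing are specified by the DROP regulations, not by this page.

```python
import hashlib
import re


def normalize_email(value):
    """Lower-case and trim an email address (assumed normalization rule)."""
    return value.strip().lower()


def normalize_phone(value):
    """Keep digits only and drop a leading US country code (assumed rule)."""
    digits = re.sub(r"\D", "", value)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


# One normalizer per identifier type that appears in a deletion list.
NORMALIZERS = {"email": normalize_email, "phone": normalize_phone}


def hash_identifier(normalized):
    """SHA-256 hex digest of a normalized identifier (assumed hash function;
    the page only says the DROP list is hashed rather than clear text)."""
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def build_deletion_list(kind, raw_identifiers):
    """Stand-in for a deletion-list file downloaded from DROP; here it is
    constructed locally from clear-text identifiers for the example."""
    return {hash_identifier(NORMALIZERS[kind](v)) for v in raw_identifiers}


# Constructed deletion lists (hashed identifiers only, like the DROP files).
DELETION_LISTS = {
    "email": build_deletion_list("email", ["alice.smith@example.com", "bob@example.org"]),
    "phone": build_deletion_list("phone", ["415-555-0133"]),
}

# Constructed records held by a hypothetical data broker. "direct" marks
# information collected directly from the consumer, which the deletion
# obligation described above does not reach.
BROKER_RECORDS = [
    {"id": 1, "email": "Alice.Smith@Example.com ", "phone": "(415) 555-0100", "direct": False},
    {"id": 2, "email": "bob@example.org", "phone": "415-555-0111", "direct": True},
    {"id": 3, "email": "carol@example.net", "phone": None, "direct": False},
    {"id": 4, "email": "dave@example.com", "phone": "+1 415 555 0133", "direct": False},
]


def find_matches(records, deletion_lists):
    """Standardize each record's identifiers, hash them the same way as the
    deletion list, and report every (record id, identifier type) that matches."""
    matches = []
    for rec in records:
        for kind, hashed_set in deletion_lists.items():
            raw = rec.get(kind)
            if not raw:
                continue
            if hash_identifier(NORMALIZERS[kind](raw)) in hashed_set:
                matches.append((rec["id"], kind))
    return matches


def apply_deletions(records, deletion_lists):
    """Delete matched records unless they are first-party data.
    Returns (remaining records, deleted ids, matched-but-first-party ids)."""
    matched_ids = {rid for rid, _ in find_matches(records, deletion_lists)}
    remaining, deleted, skipped = [], [], []
    for rec in records:
        if rec["id"] in matched_ids and not rec["direct"]:
            deleted.append(rec["id"])
            continue
        if rec["id"] in matched_ids:
            skipped.append(rec["id"])
        remaining.append(rec)
    return remaining, deleted, skipped


if __name__ == "__main__":
    print("matches:", find_matches(BROKER_RECORDS, DELETION_LISTS))
    remaining, deleted, skipped = apply_deletions(BROKER_RECORDS, DELETION_LISTS)
    print("deleted:", deleted, "first-party kept:", skipped)
    print("remaining ids:", [r["id"] for r in remaining])
```

The point of the normalization step is that a hash only matches when both sides hashed exactly the same bytes: record 1 matches only because the trailing space and capitalization are stripped first, and record 4 matches only because the phone number is reduced to digits. Record 2 matches but is kept because it was collected directly from the consumer; a real implementation would also need to carry the deletion instruction to service providers and contractors, and to log the outcome so that status can be reported to CalPrivacy on request.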

Other DROP regulation obligations require data brokers to do the following:

  • Stop accessing the DROP Platform after the entity is no longer a data broker, and notify CalPrivacy about the change in status.
  • Use the deletion list only to process DROP requests.
  • Use "reasonable security" to protect personal information in the deletion files.
  • Refrain from contacting consumers for verification. Verification of consumers will be conducted through CalPrivacy.
  • Maintain records on deletion requests and upon request, submit reports to CalPrivacy about their handling of deletion requests.

The DROP Platform appears to be popular among consumers, as 200,000 of them signed up for DROP deletion during the first month it was available. Consumers can exercise their DROP rights through agents and can review the residency classification that CalPrivacy maintains about them.

What now for entities engaged in online advertising? If your advertising involves the disclosure to third parties of personal information collected from consumers with whom you do not have a direct relationship, evaluate your obligations under the Delete Act and DROP regulations before CalPrivacy does and register with CalPrivacy and DROP if you are in scope. And don't forget to consider data broker registration obligations in Vermont, Oregon, and Texas.



New York Legislature Considering Substantial Amendments to AI Governance Law

We previously analyzed New York's Responsible AI Safety and Education Act (RAISE Act), which Governor Kathy Hochul signed into law on December 19, 2025. Governor Hochul accompanied her signature with a memorandum stating that she had reached an agreement with the state legislature to substantially amend the law.

Amendments were introduced in the New York General Assembly on January 6, 2026. If passed and enacted, those amendments largely would align the RAISE Act with California's Transparency in Frontier Artificial Intelligence Act (TFAIA). Among other things, TFAIA requires "large frontier developers" to disclose on their website a "frontier AI framework" that describes the company's AI governance, safety and security practices. Large frontier developers also must report "critical safety incidents" within 15 days of discovery. All "frontier model developers" (not just "large" frontier model developers) must disclose on their website a "transparency report," which must include certain information about their frontier models, such as model release dates, supported languages, modalities of output, intended uses of the model and generally applicable restrictions or conditions on use of the model. We analyzed TFAIA in a prior blog post.



CISA Announces Virtual Town Halls to Solicit More Feedback on Cyber Reporting Rules

The Cybersecurity & Infrastructure Security Agency (CISA) announced a series of virtual town halls to be held in March and April 2026 to solicit more industry feedback on its forthcoming cybersecurity reporting rules. CISA announced the town halls in the Federal Register on February 13, 2026.

CISA's new rules will require certain entities operating in critical infrastructure sectors to report to CISA "covered cyber incidents" within 72 hours of discovery and "ransom payments" within 24 hours of making the payment. CISA previously delayed issuance of its final rules following significant pushback from industry and criticisms from lawmakers. We previously discussed some criticisms of the Proposed Rules and CISA's decision to delay finalizing its rules until at least May 2026.

CISA is now seeking additional input on how to reduce its rules' regulatory burdens while still giving the federal government crucial visibility into the cyber threat landscape for critical infrastructure. Among other topics, the town halls are intended to focus on the rules' broad definition of "covered entities," and particularly their use of size-based criteria for defining covered entities.

We discussed CISA's upcoming town halls in further detail in a recent client alert.



Federal Government Quietly Overhauls Cybersecurity Requirements for Federal Contractors

The Trump Administration recently made significant changes to cybersecurity requirements for federal contractors—all without any formal changes to the Federal Acquisition Regulation (FAR). In particular:

  • The Office of Management and Budget (OMB) issued Memorandum M-26-05, dated January 23, 2026, to rescind some Biden-era initiatives to improve the security of software used by federal agencies. OMB under the Biden Administration directed agencies to obtain secure software development attestations from their software vendors. Calling the Biden-era approach "unproven and burdensome," Memorandum M-26-05 lets each agency decide whether to require its vendors to provide secure software development attestations as part of the agency's ultimate responsibility to secure its hardware and software. Memorandum M-26-05 also clarifies that agencies may choose whether to require their software vendors to provide software bills of materials (SBOMs).
  • As part of the Trump Administration's "Revolutionary FAR Overhaul," the Department of Defense issued a "class deviation" overhaul of the Defense Federal Acquisition Regulation Supplement (DFARS). The changes include elimination of a provision allowing contractors to self-assess their compliance with NIST SP 800-171. Self-assessments have now been absorbed into DoD's Cybersecurity Maturity Model Certification Program (CMMC), which we discussed previously. Other sections relevant to cybersecurity were renumbered and reorganized.
  • The General Services Administration (GSA) issued Revision 1 of its IT Security Procedural Guide: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations. The GSA guide implements a framework for protecting CUI. Among other things, the GSA guide directs agencies to assess vendors' compliance with controls enumerated in NIST SP 800-171, NIST SP 800-172, and NIST SP 800-53. The guide prescribes a risk-based and flexible approach for agencies but also identifies certain "showstopper" controls that are mandatory for any system processing CUI. We discussed GSA's changes to its guide in more detail in a recent blog post.



Congress Extends Cybersecurity Intel Sharing Law Until September 2026

DWT has been following closely the saga of the Cybersecurity Information Sharing Act of 2015 (CISA 2015). The law, which provides significant legal protection to companies that share cybersecurity threat information, was enacted with a 10-year sunset provision. Although Congress was widely expected to renew the law, it failed to do so ahead of CISA 2015's expiration on September 30, 2025. Following the end of the prolonged government shutdown, Congress temporarily renewed the law, which again expired on January 30, 2026. On February 3, 2026, Congress temporarily renewed the law again until September 30, 2026.

The renewals certainly come as welcome news to companies that rely on CISA 2015 to share cybersecurity threat intel with the government and other entities. Even so, the recent string of short-term renewals and occasional lapses makes it difficult for companies to know whether they can rely on CISA 2015 and its extensive legal protections when sharing cybersecurity threat intel.



Plaintiffs Continue to Leverage DOJ Bulk Data Rule in ECPA Suits

Last year, the Department of Justice issued a rule prohibiting or restricting certain transfers of bulk personal data of U.S. persons to "countries of concern" and "covered persons." "Countries of concern" include China and "covered persons" include companies owned by the Chinese government, headquartered in China, or organized under Chinese law. Although the DOJ rule has no private right of action, creative plaintiffs have found a way to bring multiple class action lawsuits alleging illegal wiretapping under the Wiretap Act (that is part of the larger Electronic Communications Privacy Act of 1986 (ECPA)) based on alleged violations of the DOJ rule.

The Wiretap Act generally prohibits the intentional interception of any electronic communication. The law provides various exceptions, including what is called the "party exception," which allows a party to the communication to intercept that communication without violating ECPA. However, the "party exception" does not apply if a party intercepts the communication "for the purpose of committing any criminal or tortious act" in violation of federal or state law.

Class action plaintiffs have invoked the DOJ rule in multiple wiretap cases beginning around 2025 and into 2026. Plaintiffs assert that defendants' alleged unlawful interception of their web browsing activity is not protected by ECPA's "party exception" because the interception occurred for the purpose of violating the DOJ rule, which carries both civil and criminal penalties.

In one such case, Baker v. Index Exchange, Inc. (No. 1:25-cv-10517, N.D. Ill.), plaintiffs allege that Index Exchange, a supply-side digital advertising platform, violated ECPA through "cookie syncing" with Temu, a Chinese retailer. Plaintiffs allege that when they visited certain third-party websites, Index Exchange provided Temu with personal information such as advertising IDs, allowing Temu to build profiles on plaintiffs and track their activities across websites. The DOJ rule prohibits "U.S. persons" (including U.S. companies) from engaging with a country of concern or covered person in a transaction involving "data brokerage," defined broadly to include "the sale of data, licensing of access to data, or similar commercial transaction … where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data." Plaintiffs assert that Index Exchange engaged in a prohibited data brokerage transaction when it provided advertising IDs to Temu, and therefore that the alleged violations of ECPA were committed for the purposes of violating the DOJ rule. Plaintiffs brought suit against both Index Exchange Inc., a Canadian company, and its U.S. affiliate Index Exchange USA, LLC. Defendants have moved to dismiss, arguing among other things that crime-tort theory does not apply, one-party consent is sufficient, the Canadian company is not a "U.S. person," and plaintiffs improperly assert alter ego liability against the U.S. affiliate.



Health Privacy Law Outlook for 2026

On February 4, 2026, Adam Greene discussed this year's health privacy and security trends with George Washington University Law School professor Daniel Solove. Adam explained upcoming changes to the HIPAA Privacy and Security Rules, predicting that some of the less controversial changes to the Security Rule will be finalized but expressing skepticism that HHS' Office for Civil Rights will finalize all of the proposals. He discussed enforcement trends, noting that HIPAA enforcement remains consistent across the change in administrations, but he remarked that the FTC is becoming less aggressive in the health data space. Adam and Professor Solove also discussed state law regulation of health information privacy, including New York Governor Hochul's veto of the New York Health Information Privacy Act, why the bill was controversial, its potential future, and the likelihood of new state laws regulating reproductive health care information. You can watch this discussion here.



FTC Incentivizes Use of Age Verification Technologies Through COPPA Policy Statement

The Federal Trade Commission (FTC) issued a policy statement on February 25, 2026, that it will not bring enforcement actions under the Children's Online Privacy Protection Act Rule (COPPA Rule) against operators of websites and online services that collect, use, and disclose personal information for the sole purpose of verifying users' ages via age verification technologies. The FTC hopes that this policy statement will "encourage the use of robust age-verification mechanisms" so that operators can "apply their child-protection measures to the fullest extent, thereby protecting more children online."

The FTC made clear, however, that it would refrain from enforcement only if the operator:

  • Is otherwise in compliance with the COPPA Rule;
  • Does not use or disclose information collected for age verification purposes for any other unrelated purposes;
  • Discloses information collected for age verification purposes only to those third parties that the operator has taken reasonable steps to determine are capable of maintaining the confidentiality, security, and integrity of the information, including by obtaining written assurances;
  • Does not retain the information longer than necessary for age verification and deletes the information promptly thereafter;
  • Provides clear notice to parents and children through its privacy policy of the information collection for age verification;
  • Implements reasonable security safeguards to protect such information; and
  • Takes reasonable steps to determine that any product, service, method, or third party used for age verification purposes is likely to provide reasonably accurate results regarding the user's age.

The FTC also announced that it will review the COPPA Rule in the coming months to address age-verification mechanisms and may amend the COPPA Rule to address this issue.



Enforcement Update

The Connecticut Office of the Attorney General (OAG) recently issued its 2025 Enforcement Report (the Report), which, among other things, explains the OAG's compliance expectations and enforcement priorities under the Connecticut Data Privacy Act (CTDPA). The Report notes that the OAG received almost 70 complaints under the CTDPA since the last enforcement report. Many of these complaints related to consumers' inability to effectively exercise their privacy rights under the CTDPA, including the right to delete.

In addition to numerous data breach investigations and settlements, OAG noted the following enforcement priorities:

  • OAG regularly reviews privacy notices for compliance and checks the functionality of consumer rights mechanisms. The Report reminds businesses to ensure that privacy email inboxes and other request repositories are monitored regularly and that privacy notices are understandable to consumers. To that end, OAG noted that it settled an enforcement action against TicketNetwork, Inc. which allegedly failed to cure violations involving an "inordinately unreadable" privacy notice that did not explain key privacy rights or provide working rights mechanisms.
  • The Report suggests that OAG may try to turn the CTDPA's opt-out framework into an opt-in framework. Specifically, it announces that businesses "must do more than the bare minimum in terms of complying with the CTDPA," stating that "companies should configure consent management pop-ups so that the toggle for cookies that facilitate targeted advertising or data sales is off by default, as the most privacy protective option." The CTDPA does not provide any statutory basis for this position, however, making it difficult to see how OAG could successfully require an opt-in regime in an enforcement action.
  • The Report also indicates that opt-out links (e.g., links titled "Do Not Sell or Share My Personal Information") buried in the footer of a homepage may not meet the CTDPA's requirement that such links be "clear and conspicuous." Noting that the CTDPA does not define the term, the Report looks to Federal Trade Commission (FTC) guidance, which lists the following factors for determining when disclosures are "clear and conspicuous": whether the disclosure is prominent and "unavoidable," "difficult to miss," or whether the consumer must scroll to find it, and when using a hyperlink, whether it is "as close as possible to the relevant information it qualifies…" The Report concludes that opt-out links in the footer of webpages are "not 'obvious'" because "there are no visual clues that encourage consumers to scroll down to the footer to exercise their rights."
  • OAG is working with technologists to determine whether companies have implemented mechanisms to recognize universal opt-out preference signals. The Report reminds companies that such signals indicate requests to opt out across all "website-based activities," not just with respect to personal data collected via cookies or software development kits.
  • OAG considers it unlawful to process sensitive data—such as consumer health data—without "inform[ing] consumers about the heightened risk of harm inherent to such processing." The Report cites a statutory provision that does not support this statement, however. Instead, the provision cited requires companies to conduct data protection assessments (DPAs) before processing sensitive data.
  • Minors' privacy is a top priority for OAG. The CTDPA imposes obligations on companies that offer online services, products, or features to minors (i.e., consumers under 18 years of age), including, among other things, a requirement to conduct a DPA before processing minors' personal data and to obtain opt-in consent before selling or processing minors' personal data for targeted advertising. OAG has begun to issue inquiry letters to social media companies, messaging platform providers, gaming platforms, and companies providing chatbots to investigate compliance with these requirements and has been requesting these companies' DPAs as part of these investigations.



Recent and Upcoming Events and Key Deadlines

  • February 16: Deadline by which HIPAA covered entities and substance use disorder treatment providers were required to update their notices of privacy practices.
  • February 25: Michael T. Borgia and  hosted a webinar on the CCPA's cybersecurity audit regulations on February 25 in DWT's San Francisco office. The session also featured Andrew Belsick, Director, Cybersecurity & Data Privacy/Protection at BDO. This was DWT's third webinar in our series covering the recent CCPA regulations on risk assessments, automated decision-making technology (ADMT), and cybersecurity audits. Register and view our webinars below:
  • April 15: Entities subject to the New York Department of Financial Services' (NYDFS) cybersecurity regulations must file their annual attestations of compliance with NYDFS by April 15. This is the first year that covered entities will have to attest to their compliance with all the applicable amendments that NYDFS made to its cybersecurity regulations in November 2023. Those amendments have been coming into effect in phases since they were issued. Numerous requirements have become effective since last year's attestation deadline, including requirements related to vulnerability scanning, privileged access management, remote access, multifactor authentication, and other topics. We discussed the amendments in a prior blog post.
