We’re just 4 weeks away from California’s new DROP system going live, and while the sheer volume and breadth of the requests are occupying the minds of implementors I am thinking about the huge structural change this represents in terms of the enforcement mechanism for the CCPA. Up until now CPPA enforcement actions were effectively limited by human bandwidth, as they have all originated from either newsworthy data breaches, announced sweeps, or more rarely consumer complaints. For the last category, the CPPA has received over 12k consumer complaints but due to staffing limitations have only resulted in a handful of publicized enforcements.
All of that changes with DROP, as the regulator is now effectively inserting itself between California consumers and the 581 registered data brokers. It is no longer necessary for the CPPA to wait for a complaint, schedule specialized personnel to conduct a lengthy investigation, verify what data a company held, how they received and acted upon a particular request, and whether or not the rapidity and thoroughness of the resolution satisfied the CCPA. A missing response row in a DROP upload or a late response is sufficient to demonstrate a violation with no further investigation; by definition the deletion request has not been responded to in the manner prescribed by the Delete Act. With over 300,000 requests in the DROP system and the fine for failing to process a request set at $200 a day, a company that drops the ball and fails to upload a CSV responding to their first batch of DROP requests could incur up to $60,000,000 of fines. A day.
As an aside: unlike CCPA compliance fines which have a set ceiling per violation but the possibility of a lower value, the statutory fines for non-registration and non-operation with the DROP system aren’t flexible at all. The lack of a grey area in DROP registration status means the only legal question is whether or not a business is a data broker and subject to registration in the first place, a question that will be increasingly answered by the coming enforcement actions of the strike force.
The DROP system enables the CPPA to evolve from a reactive to a proactive participant. In parallel to the IRS and annual requirements to file tax returns, the lack of timely submitted compliance information or the submission of atypical compliance information will likely trigger additional scrutiny. Though I am not privy to any internal CPPA plans or thoughts on the matter, a fair estimation of the regulator’s intelligence would cause me to speculate that they will be learning what “typical” DROP response patterns look like and model future audit priorities based on that data. DROP will be a unique and new type of intermediary system, giving regulators a far more detailed picture of compliance workflows than the self reported statistics brokers submit every year.