The Monopoly Report – Episode 67

"Everything’s an ad network & everyone’s a data broker"

Host: Alan Chapell
Guest: Ben Isaacson (Privacy Attorney, In House Privacy)
Date: March 4, 2026

Episode Overview

This episode dives deep into the evolving regulatory landscape of data brokering and ad networks, focusing on California’s broadening definition of "data broker," impending enforcement deadlines under the Delete Act, and what these changes mean for the ad tech ecosystem at large. Ben Isaacson, veteran privacy attorney, joins Alan Chapell to break down the shifting legal terrain, practical compliance challenges, widespread misconceptions, and the significance of looming California enforcement deadlines. The discussion also highlights the growing pressure on companies—big and small—to adapt or face existential risks.

Key Discussion Points & Insights

1. Privacy Law Evolution & Enforcement in California

• CCPA, CPRA, and Delete Act:

  • The California Consumer Privacy Act (CCPA) gave way to the California Privacy Rights Act (CPRA). Both shifted significant regulatory power to California’s privacy board and AG office.
  • The Delete Act (SB362), heavily influenced by privacy advocate Tom Kemp, further expands authority, especially concerning data brokers ([05:42]–[08:01]).
  • Enforcement focus is split: while AG targets bigger brands (e.g., Disney, Sephora, Doordash), the CPPA increasingly focuses on data brokers and smaller non-compliant businesses.

• Regulatory Strength:

  • “They're much more stronger, in my opinion, as far as enforcement goes than the FTC or any other regulatory body in the United States.” – Ben ([07:25])

2. The Expansive “Data Broker” Definition

• Legal Widening:

  • California's definition is far broader than many realize, now applying to any business that "knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship" ([10:59]).
  • “Any business, especially in ad tech, can now be defined as a data broker. And it doesn't matter if your contract says you’re a service provider…” – Ben ([15:43]).

• Direct Relationship Exemption—A Trap:

  • Many assume that serving customers’ own users (like retailers, banks, publishers) automatically exempts them—this is a misconception if third-party data is involved ([14:14]).
  • “The business does not have a direct relationship from the consumer simply because it collects the information directly... that's really important in one big context, which is ad tech.” – Ben ([14:50])

3. Ad Tech Ecosystem: No Place to Hide

• Clean Rooms and Ad Tech Companies:

  • DSPs, DMPs, clean rooms: Most assumed their contracts made them safe, but California’s definition looks through contract terms to business practice, especially audience/identity data sharing ([15:13]–[17:10]).
  • Clean rooms themselves may be okay as service providers, but companies using them for cross-platform monetization likely aren’t.

• Retail Media & Walled Gardens:

  • Data use for on-platform targeting is generally safe. Data "leaving" for use elsewhere (e.g., via clean rooms to social) brings data broker risk ([21:36]).
  • “If you are enabling your... retail walled garden, you know, data to be used, you know, to target on another media platform, you are running into this potential issue...” – Ben ([21:44]).

• Big Tech, Smart TVs, and Auto:

  • No industry is truly exempt: “I don't see how there aren't intersections there here that some of those entities are going to be data brokers in this regard.” – Ben, discussing auto dealers and manufacturers ([23:15]).

4. Publicly Available Data Exemption – Common Pitfalls

• Misconceptions:
  • Many companies falsely rely on the “publicly available data” exemption, failing to recognize that inferences, appending data, or combining sources makes them data brokers ([20:11]–[21:04]).
  • “Anytime... a publicly available data aggregator creates inferences or maps additional data... they're going to be a data broker, even if the vast majority of their data may have been public record to begin with.” – Ben ([21:04])

5. The Coming Storm: Enforcement Timelines & Penalties

• What’s Next:

  • “If you are not registered really by August 1st of 2026, in September, they're going to start enforcing against their drop mechanism, which really has again, bankruptcy level enforcement, statutory penalties. This is not like what we've ever seen in the United States...” – Ben ([25:12])
  • Massive penalties are possible—even for large public companies—given the structure of statutory fines.

• Technical Deadlines:

  • API specs for the new DROP (deletion) mechanism expected March; testing in April; enforcement begins August 1, 2026 ([34:09]).

6. Authorized Agents & the End of an Era

• Broker Busters Example:

  • Alan accidentally signs up, illuminating a wave of automated requests many companies receive from “authorized agent” services ([26:29]).
  • The majority of requests relate to deletion; future relevance of these services is in doubt as the DROP mechanism automates much of the process ([29:03]–[29:52]).
  • “With the California drop mechanism coming into effect in August, I don't see any value to them. In California, at least later this year, consumers can just sign up and that is the same thing as an authorized agent.” – Ben ([29:38])

• Compliance All Over the Map:

  • Many companies are ill-prepared for flood of requests—some responses are nearly unintelligible ([32:10]–[33:10]).

7. The Future: Contraction, Federal Preemption, & Industry Advocacy

• Industry Shrinkage:

  • “We're going to see contraction in this industry… I don't think there's a way for the... long tail of small mom and pop businesses... to really survive.” – Ben ([35:49])

• No Strong Lobby:

  • Unlike 20 years ago, data brokers don’t have significant associations fighting for their interests—old associations like DMA have faded, ANA/IAB have not stepped in ([37:02]).

Notable Quotes & Memorable Moments

• On Contractual Illusions:

  • “Having a contract that designates you as a service provider does not protect you from being classified as a data broker under California law.” – Alan ([43:15] Recap)

• On Enforcement Muscle:

  • “Statutory penalties that you can't really challenge... really billions, potentially trillions of dollars of fines.” – Ben ([25:12])

• On “We Don’t Sell Data”:

  • “So many CEOs in particular of companies say we don't sell data. They're still saying it in 2026... there's this sort of notion that, you know, that there's an integrity with a business that they're not going to monetize user data.” – Ben ([38:37])

• On OpenAI’s Dilemma:

  • “We’re not talking about browsing history or purchase signals. We’re talking about the most intimate, unfiltered thoughts, things that people routinely share with an AI tool—health concerns, relationship problems, financial anxieties, career doubts.” – Alan ([43:15] Recap)

• On Privacy by Design as a Competitive Advantage:

  • “OpenAI has an opportunity here, I think, to really look at privacy in a new way in a contextual relationship with what people are using the tool for... it’s got to be based on this true one-to-one relationship... But it can't be based on anything we've ever seen in the ad tech ecosystem.” – Ben ([41:22])

Timestamps for Key Segments

• [03:36] – Ben’s privacy origin story
• [05:14] – How California regulators have shaped the policy landscape
• [10:59] – Why the new “data broker” definition is so sweeping
• [15:43] – How ad tech contracts can't shield companies from the new rules
• [17:52] – Big tech and traditional data brokers under new scrutiny
• [20:11] – Publicly available data exemption misunderstanding
• [25:12] – Upcoming DEADLINES and "bankruptcy level" penalties
• [29:38] – Authorized agents: future relevance and technical changes
• [34:09] – DROP mechanism: timeline for rollout
• [35:49] – Industry contraction and future of compliance
• [38:37] – Biggest CEO misconception: “We don’t sell data”
• [41:22] – OpenAI’s privacy-business challenge
• [43:15] – Host’s recap and main takeaways

Final Insights and Takeaways

• Contracts and self-identification as “service provider” offer no shield if business practices fit the data broker definition.
• Combining first and third-party data and monetizing that on any platform outside original context makes you a data broker.
• Technical deadlines for compliance are non-negotiable; penalties are existential.
• Automated deletion requests (authorized agents) will be eclipsed by state-run automated mechanisms.
• Most companies drastically underestimate their legal exposure, especially around “publicly available” data and misuse of opt-out language (“We don’t sell data”).
• OpenAI and platforms with unique 1:1 user relationships have both opportunity and peril as they scale ad businesses—the pressure to ignore privacy promises, once monetization is at stake, will be enormous.

Host’s Closing Challenge:
"Are you building something that you would be comfortable explaining to the person whose data you're using? If the answer is yes, you've got a shot at building trust and at avoiding regulatory fire." ([43:15] Recap)

Guest Contact:
Ben Isaacson – find him on LinkedIn or at inhouseprivacy.com

To learn more or subscribe:
monopolyreportpod.com