On October 30, 2024, the California Privacy Protection Agency added to the nationwide regulatory scrutiny on data brokers by announcing a public investigative sweep of data broker registration compliance under the Delete Act. In its second announced sweep, the CPPA’s Enforcement Division, led by Michael Macko, has put data brokers on notice. Any business collecting or selling information to third parties must assess its compliance with the Delete Act, the CPPA’s pending regulations, and the growing number of data broker laws across the country.
What does California require?
California’s data broker law defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The statute exempts entities subject to the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, Insurance Information and Privacy Protection Act, and Health Insurance Portability and Accountability Act.
Data brokers must:
- Register annually with the CPPA’s data broker registry.
- Disclose the number of consumer deletion requests and the average response time.
- Report if they are collecting certain sensitive personal information.
- Provide a CCPA notice on their website.
California is the only state with data broker registration regulations and is expected to strengthen its requirements as it develops its Data Broker Requests and Opt-Out Platform.
Learning from previous data broker sweeps
State privacy regulators communicate, coordinate, and take cues from one another. It should come as little surprise that the CPPA has followed the lead of the Texas Attorney General’s Office, which announced a similar investigatory sweep in June 2024.
For Texas enforcers, locating alleged violators was simple. Did a business register as a data broker with another state’s registry, but not with Texas’s? If so, that business likely received a notice of violation. The CPPA may follow a similar strategy in this sweep, so any business not registered in California, but registered elsewhere, may want to reconsider.
That said, where Texas’s sweep appeared primarily intended to get alleged violators to register, the CPPA may take a more punitive approach. Macko indicated his division may seek fines from unregistered data brokers of $200 per day, citing that not doing so would be “unfair to the data brokers who have complied with their obligations.” From the January 30, 2024 registration deadline through the October 30, 2024 announcement, fines could accrue to almost $55,000.
What should businesses do?
Register in California. With the most extensive data broker requirements in the nation and likely more to come, any entity that collects and sells personal data should prioritize registering with and monitoring developments in California.
Review the data broker laws. The four state laws diverge in their definitions, registration requirements, and enforcement mechanisms, resulting in inconsistent scopes, business obligations, and risk factors. As just one example of the many differences, Vermont and Oregon’s laws apply to any business that “knowingly collects and sells or licenses” brokered personal information to a third party, whereas Texas relies on a two-step analysis focusing on a business’s “principal source of revenue.”
Watch out for Vermont and Oregon. A data broker sweep is an easy first public action for new and maturing state privacy enforcers. Businesses should anticipate Vermont, Oregon, and other states conducting their own similar sweeps in the future and prioritize compliance accordingly.
Important dates for California
- By January 30, 2024, data brokers had to register with the California Privacy Protection Agency.
- By July 1, 2024, data brokers must collect and report information regarding consumer requests in their website’s privacy policy.
- Beginning August 2026, a data broker must check the accessible deletion mechanism (to be created by the CPPA) at least once every 45 days and process all requests.
- Beginning January 1, 2028, and every 3 years after, data brokers must undergo an independent third-party audit to determine compliance with the law and submit it to the CPPA.
- Beginning January 1, 2029, a data broker registering with the CPPA must disclose whether they have undergone the audit.
“Californians have a right to know who is trafficking in their personal information. That’s why California law requires data brokers to register,” said CPPA’s head of enforcement, Michael Macko. “For data brokers skirting the law, the fine increases with each passing day. Our Enforcement Division will seek to recover this fine because it’s unfair to the data brokers who have complied with their obligations.”