The California Privacy Protection Agency (CPPA) has recently proposed regulations (the “Proposed Regulations”) implementing California’s data broker registration statute, Cal Civ. Code § 1798.99.80 (the “Data Broker Registration Statute”). If adopted as drafted, the Proposed Regulations would expand the scope of entities that are considered to be “data brokers” under the statute to include a) businesses that maintain information about consumers who have not interacted with the business in more than three years, and b) businesses that have direct relationships with consumers but that also sell personal information about the consumer that was not collected directly from the consumer.
Data Broker Registration and the Delete Act
The 2020 Data Broker Registration Statute defines a Data Broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship,” excluding businesses covered by the FCRA, GLBA, or HIPAA. The statute requires a data broker to pay an annual fee to register with the state and include in its registration certain information about the entity’s data collection and disclosure practices. It also authorizes fines of up to $200 per day for any entity that meets the definition of “data broker” but fails to register. California maintains a public database of registered data brokers and their registration disclosures.
In October 2023, California enacted Senate Bill No. 362 (commonly known as the “Delete Act”), which imposed additional disclosure obligations on data brokers and mandated that the CPPA create a “deletion mechanism” through which consumers can make a single deletion request that is then disseminated to all data brokers. The statute also transferred data broker registration administration responsibilities, rulemaking, and enforcement authority from the Attorney General to the CPPA.
Changes Potentially Introduced by the Proposed Regulations
If enacted, the CPPA’s Proposed Regulations would define the term “direct relationship” used in the definition of “data broker” to mean “a consumer intentionally interacts with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business’s products or services within the past three years.” The new definition also includes a sentence providing that “a business is still a Data Broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer.”
This addition has the potential to significantly expand the scope of entities that qualify as “data brokers” under the Data Broker Registration Statute. Most significantly, a company that combines its first-party data with data purchased from traditional data brokers and then sells that data would be a data broker under the revised definition. For example, combining first- and third-party data to create audience segments and then selling those audience segments to an entity to build profiles could be considered a “data broker” activity under the Proposed Regulations. Certain reactivation campaigns could also pose challenges due to the new three-year limitation in the definition of “direct relationship.”
In addition to the new proposed definition of “direct relationship,” the Proposed Regulations would also:
- Require data brokers to pay the credit card processing fees associated with their annual registrations.
- Establish a broad definition of “reproductive health care data” that includes data relating to consumer searches for “goods or services associated with the human reproductive system” and information put in dating apps about sexually transmitted infection status and “desire to have children,” among other information. (Data brokers that collect “reproductive health care data” must disclose this fact in their annual registrations.)
- Limit the data broker registration period to January 1-31 of each calendar year.
- Prohibit a data broker from withdrawing a registration after January 31 unless the registration was fraudulently or erroneously submitted.
- Require that the employee or agent who registers the data broker be knowledgeable about the data broker’s practices such that they can provide accurate information, and require such employee or agent to certify under penalty of perjury that, to the best of their knowledge, the information they submit is true and correct.
Takeaways
The CPPA plans to hold virtual public hearings on August 20th regarding the Proposed Regulations and invites written comments on the proposal by that date.
Businesses should:
- determine if they want to comment on the Proposed Regulations and submit any comments prior to August 20th;
- evaluate their practices to determine if the Proposed Regulations as written would extend data broker obligations to current business operations;
- review existing privacy policies and “opt-out” practices to determine if modifications would be required; and
- determine how to operationally comply with the data broker registration and compliance requirements should the Proposed Regulations be finalized.