This post focuses on the new requirement in California that certain businesses that sell consumers' personal information, as defined under the California Consumer Privacy Act (CCPA), register as data brokers with the California Attorney General by January 31, 2020. For more information about the CCPA, please see our extensive coverage.
The California Data Broker Registration Requirement
To the surprise of many, last fall the California legislature passed, and the California Governor signed into law, Assembly Bill No. 1202 (A.B. 1202). A.B. 1202 added four new sections to the California Civil Code (Cal. Civ. Code 1798.99.80-88) requiring "data brokers" to register with the California Attorney General's Office. Given the wording of the law, it was initially expected that the data broker registration requirement would not go into effect until 2021. However, the California Attorney General's Office has created the registry and is taking the position that organizations that qualify as data brokers must register on or before January 31, 2020. Organizations that qualify as data brokers and fail to register will face penalties, including a civil penalty of US$100 for each day that the data broker fails to register. It is, therefore, important for organizations that do qualify as data brokers to take the necessary steps to register as soon as possible.
As discussed further below, the law is not entirely clear about which organizations qualify as data brokers. Indeed, organizations should carefully consider whether the law applies to them, since their registration as data brokers will be publicly available information and they may find themselves the target of many requests. Furthermore, with additional California consumer data privacy legislation on the horizon, it is possible that data brokers will be subject to additional requirements in the coming years.
Do I Need to Register?
Under the law, all data brokers must register. A data broker is defined as "a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." A.B. 1202 refers back to the CCPA for the definitions of "business," "sell," and "third party."
You must register as a data broker if you:
1. Qualify as a business under the CCPA
2. Collect and sell "personal information" of California residents
3. Do not have a "direct relationship" with the individuals whose information you collect and sell
Consumer reporting agencies, financial institutions and insurance companies do not have to register to the extent they are subject to regulation under the federal Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Insurance Information and Privacy Protection Act, respectively. Of note, most of the exceptions do not overlap perfectly with other exceptions to the law. For example, most entities that are subject to the Gramm-Leach-Bliley Act will also be subject to the California Financial Information Privacy Act, but there may be gaps that expose organizations to the new data broker registration requirement.
What Constitutes the "Sale" of Personal Information?
Under the CCPA, a "sale" is defined as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration." (emphasis added). This definition includes a broad range of transactions and may, therefore, apply to organizations that do not believe they sell personal information.
What Is a "Direct Relationship?"
A.B. 1202 does not define "direct relationship" but states that a direct relationship can be formed in a variety of ways, "such as by visiting a business' premises or internet website, or by affirmatively and intentionally interacting with a business' online advertisements." Presumably, what is or is not a direct relationship will be determined on a case-by-case basis and will not always be clear. For example, a defensible argument could be made that a direct relationship exists between a consumer and a business when the consumer interacts with that business's online advertisements placed on another party's website. The California Attorney General has not issued any clarifying guidance on this matter.
As we previously explained, absent guidance from the California Attorney General, it may be helpful to analyze the data broker registration requirements in Vermont, the only other US jurisdiction that currently requires such registration. Vermont enacted a data broker law (9 V.S.A. 2430, 2433, 2446 and 2447) that went into effect in early 2019 and also provided guidance on what entities qualified as data brokers.
What Is the Deadline to Register?
The new law requires data brokers to register with California's Attorney General on or before January 31, following each year in which a business meets the definition of a data broker. The California Attorney General's Office interprets the statutory language to mean registration is required on or before January 31, 2020.
What Information Do I Have to Provide at Registration?
Data brokers will have to provide their name and primary physical, email and internet website addresses. Additionally, the data broker can provide "any additional information or explanation the data broker chooses to provide concerning its data collection practices."
The data broker's information will then be publicly available on the data broker registration website.
Although A.B. 1202 does not require data brokers to provide information about how consumers may exercise their CCPA right to opt-out of the sale of their personal information, the proposed CCPA regulations do place certain requirements on data brokers before they can sell consumers' personal information, such as requiring data brokers to either: (1) contact consumers directly to provide notice that the data broker sells personal information about the consumer and provide the consumer with a notice of right to opt-out; or (2) confirm that the source of the personal information provided a notice at collection to the consumer AND obtain signed attestations from the source describing how the source gave the notice at collection and include an example of this notice. A data broker is also required to retain such attestation and the example of the notice given for a period of two years and provide them to a consumer upon request.
What Is the Registration Fee?
The registration fee will be "determined by the Attorney General" and in an amount "not to exceed the reasonable costs of establishing and maintaining a website."
What Are the Penalties?
Data brokers that fail to register are subject to injunction, civil penalties and costs related to actions brought by the California Attorney General's Office. As previously noted, penalties include a civil penalty of US$100 for each day that the data broker fails to register as required, and expenses incurred by the Attorney General in investigating and prosecuting an action brought under this law.