In September 2019, the California State Legislature passed Assembly Bill No. 1202 (“A.B. 1202”), amending the California Consumer Privacy Act (“CCPA”). The amendment requires qualified businesses to register as data brokers with the California Attorney General on or before January 31, 2020. A.B. 1202 defines “Data Broker” as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” (emphasis supplied). A.B. 1202 carves out exemptions from the data broker registration requirement for most entities subject to regulation under the federal Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Insurance Information and Privacy Protection Act, respectively.
Who is a Data Broker and what are the data broker registration requirements?
Breaking Down the Data Broker Definition
Before registering, businesses must first determine whether they meet the Data Broker definition. To reach this determination, entities must first ascertain whether they: 1) “sell” personal information to third parties; and 2) have a “direct relationship” with the subject consumers. The CCPA definition of “sale” is quite broad, including the “renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing or by electronic or others means” California consumer information for monetary or other “valuable consideration.” A.B. 1202 does not define what a “direct relationship” is, but the text of the bill explains that a direct relationship “could have formed in a variety of ways such as by visiting a business’ premises or internet website, or by affirmatively and intentionally interacting with a with a business’ online advertisements.” Although it is not entirely clear as to which entities meet the definition, in light of the foregoing, any business that may satisfy these two requirements should register as a data broker with the California Attorney General.
Data Broker Registration Process
Data broker registration is done on the California Attorney General’s website. A representative of the business is required to create an account before filing a registration form. To complete the data broker registration form, the business representative is required to submit the applicable data broker’s name, email address, URL, physical address, links to opt-out and data deletion request forms, and any additional information that she/he can provide related to the applicable business’s data collection practices. Registration forms will be evaluated by the Attorney General’s Office and, once accepted, invoices to pay the $360.00 filing fee will be sent to business representatives. Please note that the data broker’s registration information will be publicly available on the Attorney General’s website.
If a data broker fails to register with the California Attorney General by January 31, 2020, it is subject to injunction, civil penalties of up to $100.00 for each day that it fails to register, and costs related to any investigation and/or prosecution of actions brought by the Attorney General under the law.
As of now, California and Vermont are the only two states that have data broker registration requirements. It is recommended that companies operating in the data broker space retain qualified legal counsel to help navigate the existing and emerging issues presented by applicable state and federal privacy laws.