In the flurry of bills relating to the California Consumer Privacy Act (CCPA), the California Legislature also enacted a law requiring data brokers to register, following a similar (but not identical) law in Vermont (see, https://iapp.org/news/a/analysis-vermonts-data-broker-regulation/) and attention by Congress, the FTC and advocates to data brokers in prior years (https://iapp.org/news/a/ftc-calls-for-legislative-action-to-regulate-data-brokers/). California lawmakers placed the broker law right before CCPA in the California Civil Code and clarified in Cal. Civ. Code §1798.99.88 that “Nothing … shall be construed to supersede or interfere with the operation of the California Consumer Privacy Act.”
Under the new California law, data brokers have to register every year on or before January 31 with the California Attorney General. Some commentators have argued that the law might not take effect until January 2021, but the California Attorney General has opened the registration website and more than 50 companies are already registered today. You can access the full list here, and find some highly regarded brands as well as some (but, interestingly, not all) of the companies that have made headlines in the previous controversies around data broker regulation. One of the “big four” accounting and consulting firms is on the list. Newspaper publishers are not.
Media companies, healthcare providers and other organizations that enjoy some exemptions and deferrals regarding CCPA obligations will not find similar exceptions in the new California data broker registration law, which expressly exempts consumer reporting agencies that are subject to FCRA, financial institutions that are subject to GLBA, and certain organizations in the insurance sector that are subject to the California Insurance Information and Privacy Protection Act.
Who has to register as a data broker in California?
The new law borrows many of the counter-intuitive and overbroad definitions from the CCPA, including “business,” “consumer,” “personal information” and “sale.” Companies that exchange employee or business contact information with affiliates or other business partners for consideration (monetary or other) may qualify as a business that sells personal information under CCPA. Companies that do not sell personal information for CCPA purposes do not have to register as a data broker. But, the reverse is not necessarily true: Not every company that has to place the “do not sell my personal information” link on its website since January 1, 2020 has to also register as a data broker since January 31, 2020.
“Data broker means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” (Cal. Civ. Code §1798.99.80[d]). The term “direct relationship” is not defined in the CCPA or the data broker law. The term was also added to the CCPA in late 2019 in connection with an exception from the requirement to establish a toll-free number for any “business that operates exclusively online and has a direct relationship with a consumer.” (Cal. Civ. Code §1798.130.[a][A])
Personally, I am not sure that I know many businesses that “operate exclusively online.” In everyday language, online means connected to a computer or telecommunications system, such as the Internet (www.merriam-webster.com/dictionary/online) or a phone line. Offline means the opposite – not connected to computers or telecommunications. Offline operations traditionally rely on brick, mortar, in-person interactions and snail mail. Most of my clients have offices and employees even if they conduct some of their business via websites or mobile apps. Their employees, independent contractors and individual representatives of corporate vendors meet each other in person – “offline.” They receive and send paper mail to each other, to government authorities, and to business partners. And, most still call each other on the phone now and then, as well as vendors and business partners, too. Even after the various amendments, the CCPA still refers to employees and business representatives as “consumers.” How, then, can any business operate “exclusively online”?
Perhaps the California Legislature meant to exempt businesses that communicate with real consumers (as this term is understood in everyday language) only via websites and apps, and not normally via phone, but that remains unclear. Companies will have to take positions on what it means to “operate exclusively online” under CCPA.
The Vermont data broker law provides examples (for illustration, not enumerative) of what counts as a “direct relationship” back East for a business that sells personal information of consumers: “if the consumer is a past or present: (i) customer, client, subscriber, user, or registered user of the business’s goods or services; (ii) employee, contractor, or agent of the business; (iii) investor in the business; or (iv) donor to the business.” (Ch. 62. § 2430(4)(B). H.764, Act 171, https://legislature.vermont.gov/bill/status/2018/H.764). Of course, the definitions in the Vermont statute do not apply in California. Also, they appear in a different legislative context, as the Vermont law contains different definitions and substantive obligations.
With respect to California, every business has to form its own views on where to draw the line with respect to what counts as a “direct relationship” for purposes of complying with the new data broker registration law, as well as regarding the exception from toll-free numbers in the CCPA (Cal. Civ. Code §1798.130[A]) and the various new obligations on companies that collect personal information from sources other than “directly” from the consumer under the draft CCPA regulations. Every business is in a different position in this respect. Scenarios and nuances vary quite a bit depending on companies’ business models, contract flows and communication methods.
Companies that have had a “do not sell my personal information” link on their website since January 1, 2020 should accelerate their assessment of whether they also have to register as a data broker. According to Cal. Civ. Code §1798.99.82.(c)(1), a data broker that fails to register as required is subject to injunction and is liable for civil penalties, fees, and costs in an action brought in the name of the people of the State of California by the Attorney General, including a civil penalty of $100 for each day the data broker fails to register, fees that were due during the period it failed to register, and expenses incurred by the Attorney General in the investigation and prosecution. Any penalties, fees, and expenses recovered in an action shall be deposited in the Consumer Privacy Fund.