On September 13, 2019, the California State Legislature passed Assembly Bill No. 1202 (the “Bill”), amending the California Consumer Privacy Act (“CCPA”) to require certain businesses to register as data brokers with the State Attorney General’s Office. The Legislature believes that a California data broker registry will provide greater transparency on the issue of third parties that may have access to their personal information (companies that they do not have a first party relationship with the consumer) and allow consumers to prospectively opt out of the “sale” of this personal information. The CCPA defines “sale” in a very broad fashion, such that it includes the “selling, renting, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or third party for monetary or other valuable consideration.” In practice, this means that a disclosure of almost any kind (other than to pure service providers) falls within the definition. We can, therefore, assume that in the context of the CCPA, selling really means sharing and should be treated as such. The Bill has moved to Governor Gavin Newsom’s desk, who now has until October 13, 2019 to act on the legislation.
What is required of California Data Brokers?
California Data Broker Definition
The Bill defines a California data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Exempt from the definition are: 1) consumer reporting agencies that are covered by the federal Fair Credit Reporting Act; 2) financial institutions covered by the Gramm-Leach-Bliley Act; and 3) entities covered by the Insurance Information and Privacy Protection Act. A “direct relationship” is not defined in the Bill, but the Legislature has stated that direct relationships can form for various reasons, “such as by visiting a business’ premises or [I]nternet website, or by affirmatively and intentionally interacting with a business’ online advertisements.”
Registering as a California Data Broker
Businesses that meet the definition of California data broker must register annually with the Attorney General on or before January 31. Registration will require California data brokers to: 1) pay a fee that will be determined by the Attorney General; 2) provide their primary physical, email, and Internet website addresses; and 3) include any additional information that they choose to include with respect to their data collection practices. Failing to register as a California data broker may result in a civil penalty of $100 for each day that the California data broker fails to register its business, payment of the registration fee, and any expenses incurred by the Attorney General’s Office to investigate and prosecute any associated regulatory action.
As early as 2012, the Federal Trade Commission (“FTC”) had suggested that legislation should be initiated at the federal and state level to regulate the data broker industry. Currently, Vermont is the only other state of the Union that requires data broker registration. As more states look to follow the lead of California and Vermont in requiring consumer data broker registration, businesses should seek the advice of qualified legal counsel to help navigate the existing and emerging issues presented by applicable state laws.