Recently, multiple states have enacted and passed new data privacy laws and bills (Colorado, Virginia, Utah, California Privacy Rights Act, Connecticut, Indiana, and Ohio). Rightfully so, these laws and bills have garnered much of the media attention. However, in the midst of all the new state data privacy laws, new bills regulating “data brokers” have begun to emerge. To no surprise, California is leading the way with its Data Broker Registration Law, which was enacted in 2019.

Applicability

Clearly noted on the California Attorney General’s CCPA website (the “AG Website”) is that the California Consumer Privacy Act (the “CCPA”) applies to “many businesses, including data brokers.” This means that while the Data Broker Registration Law has specific requirements for a data broker, such as registering with the Attorney General, a data broker can also be subject to the CCPA’s requirements if it meets the thresholds of a “business” as defined under the CCPA.

The term “data broker” is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Essentially, data brokers collect information about consumers from many sources including websites, other businesses, and public records. The data broker then analyzes and packages the data for sale to other businesses. However, the following businesses are not considered data brokers under the Data Broker Registration Law:

  • A consumer reporting agency under the federal Fair Credit Reporting Act;
  • A financial institution under the Gramm-Leach-Bliley Act; and
  • An entity under the state’s Insurance Information and Privacy Protection Act.

Requirements

The requirements under the Data Broker Registration Law are fairly simple. On or before January 31st following each year that the business meets the definition of a data broker, the business must register with the California Attorney General. The website created by the California Attorney General for businesses to register as data brokers is located at: https://oag.ca.gov/data-broker/register. To register, the business must provide the following:

  • An annual registration fee of $400;
  • Name of the business and its physical, email, and internet website addresses;
  • Any additional information or explanation the business chooses to provide concerning its data collection practices; and
  • How a consumer can opt-out of the sale of their information or otherwise submit a data subject request under the CCPA.

The information listed above is to be made available to the public on the Attorney General’s website.

Enforcement and Penalties

If a business that meets the definition of a data broker fails to register as a data broker, that business may be subject to the following actions by the California Attorney General:

  • A civil penalty of $100 for each day the business fails to register;
  • An amount equal to the fees that were due during the period it failed to register; and
  • Expenses incurred by the Attorney General during its investigation and prosecution of the action.

Other State Data Broker Bills

A few other states have considered adopting similar laws as the Data Broker Registration Law in California.

  • Delaware HB 262. The bill would require a public data broker registry similar to the requirements in California, including an annual registration fee. The bill is currently awaiting consideration by the Banking, Business & Insurance Committee.
  • Massachusetts 50. The bill was originally referred to the Advanced Information Technology, the Internet and Cybersecurity Committee. The bill was then incorporated into S.2687 and is awaiting consideration by the Senate Ways and Means Committee.
  • Oregon and Washington. Both Oregon and Washington considered data broker registration bills in early 2022, HB 4017 and SB 5813 However, both lawmakers in Oregon and Washington closed out their legislative session without passing the bills.