Welcome to 2020. The California Consumer Privacy Act (“CCPA”) is now in effect, and your business has probably spent significant time and expense preparing for the law. With so much focus on CCPA preparations, it’s important to recall that the CCPA isn’t the only California privacy law to become effective this year. California will now also require any business that meets the definition of a data broker during a given year to register as a data broker with the California Attorney General’s Office on or before January 31st of the following year. Although the law is not clear whether it retroactively applies to business practices in 2019, the California Office of the Attorney General has issued a press statement on data broker registration and posted a registration page, which strongly indicates that the AG expects qualifying businesses to register by January 31, 2020.
Under California law, a “data broker” is a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. The definition does not include entities already regulated by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, or California’s Insurance Information and Privacy Protection Act.
California’s data broker registration requirement may look familiar because it is very similar to Vermont’s data broker registration requirement, which took effect in January 2019. For details on Vermont’s data broker registration requirement, please see our prior post. However, a major difference between the laws is that California’s definition of data broker is far more expansive due to the broad definitions of “sell” and “personal information” under the CCPA. Even if you believe your business does not sell personal information in the traditional sense, you should evaluate whether your business meets the definition under the CCPA.
California’s data broker registration process is currently as follows. A business representative must create an account with the California Office of the Attorney General. Once registered, the representative must then fill out a registration form, which asks for the data broker’s name, email address, website URL, and physical address. The form also includes optional fields regarding how a consumer may opt out of sale or submit requests under the CCPA, how victims of abuse or elected or appointed officials can demand deletion of their information posted online, and any additional information that the business wants to provide about its data practices. Upon completion of the process, the representative pays a fee and the data broker is added to the California registry, where the data broker’s information is publicly available and can be exported via an Excel file. As of the date of this posting, the registry is empty, although we expect that to change as we draw closer to January 31st.
Data brokers that fail to register with the California Office of the Attorney General may be subject to an injunction and liable for penalties of up to $100 for each day they failed to register, unpaid registration fees, and costs associated with an enforcement action brought by the AG.
We will continue to monitor and provide updates on the data broker registration requirement.