On October 11, 2019, California Governor Gavin Newsom signed into law a bill requiring “data brokers” to register with, and provide certain information to, the California Attorney General on or before January 31st following each year in which a business meets the definition of a data broker. A “data broker” means a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Cal. Civ. Code § 1798.99.80(d). The term excludes, however, any of the following:

(1) A consumer reporting agency to the extent that it is covered by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).

(2) A financial institution to the extent that it is covered by the Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.

(3) An entity to the extent that it is covered by the Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 1791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).

In registering with the Attorney General, a data broker is required to do all of the following:

(1) Pay a registration fee; and

(2) Provide the following information:

a. The name of the data broker and its primary physical, email, and internet website address.

b. Any additional information or explanation the data broker chooses to provide concerning its data collection practices.

See Cal. Civ. Code § 1798.99.82(c).

With respect to the registration process, below is an overview of how the process works:

(1) Create an account on the following website: https://oag.ca.gov/data-broker/register.

(2) Once a registrant clicks “create new account,” the registrant will receive an email from the Office of the Attorney General, which provides instructions on how to log into the registrant’s account. The instructions will indicate that the registrant must follow a specific link to change his or her password.

(3) After changing the password, click on the link titled, “Register a Data Broker.” Once you click that link, the registrant will be prompted to provide the following information:

a. Data broker name

b. Email address

c. Website URL

d. Physical Address

e. How a consumer may opt out of sale or submit requests under the CCPA

f. How a protected individual can demand deletion of information posted online under Gov. Code sections 6208.1(b) or 6254.21(c)(1)

g. Additional information about data collecting practices

(4) Once the information is entered, the registrant must click “Submit.” The registrant will likely be required to pay the registration fee to complete registration.

Click here to access the Public Data Broker Listing made available by the Attorney General. The listing allows visitors of the website to view data broker registrations submitted by businesses.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ronald I. Raether, Jr. Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.

Photo of Sadia Mirza Sadia Mirza

Sadia leads the firm’s Incidents + Investigations team, advising clients on all aspects of data security and privacy issues. She is the first point of contact when a security incident or data breach is suspected, and plays a central role in her clients’

Sadia leads the firm’s Incidents + Investigations team, advising clients on all aspects of data security and privacy issues. She is the first point of contact when a security incident or data breach is suspected, and plays a central role in her clients’ cybersecurity strategies.