On July 5, the California Privacy Protection Agency (CPPA) published a Notice of Proposed Rulemaking regarding Data Broker Registration pursuant to Senate Bill 362 (the Delete Act). The Delete Act requires the CPPA to establish an accessible deletion mechanism. This mechanism allows a consumer, through a single verifiable consumer request, to request that every data broker delete any personal information related to that consumer held by the data broker or associated service provider or contractor. The stated aim of the proposed rulemaking is to clarify and enhance the registration process for data brokers.

Subject to limited exceptions, the CPPA defines “data broker” broadly as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

The proposed rulemaking defines several other key terms:

  • “Direct relationship” means that “a consumer intentionally interacts with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business’s products or services within the preceding three years.” The rulemaking clarifies that a business is still a data broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer.
    • Civil Code § 1798.99.80 requires data brokers to register if they do not have a direct relationship with the consumers whose personal information they buy and sell.
  • “Minor” means “a consumer the data broker has actual knowledge is less than 16 years of age.” Further, a business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.
    • Data brokers are required to disclose whether they collect personal information of minors.
  • “Reproductive health care data” means “[i]nformation about a consumer searching for, accessing, procuring, using, or otherwise interacting with goods or services associated with the human reproductive system”; “information about the consumer’s sexual history and family planning,” including information input into a dating app; and inferences about the same.
    • Data brokers must disclose annually, when registering, whether they collect reproductive health care data.

The proposed regulations outline specific requirements for data brokers:

  • Each data broker business, regardless of its status as a subsidiary or parent company, is required to uniquely register.
  • Employees or agents for a data broker business must register on behalf of the data broker and have sufficient knowledge of the data broker’s practices to provide accurate information.
  • A data broker cannot amend or withdraw a completed registration after January 31, subject to exceptions.
  • The registration fee includes $400 plus any fees for processing electronic payments.
  • A standardized electronic payment method will be established for registration fees.

Registration process requirements include:

  • All website links and email addresses provided must be accurate and functioning.
  • Data brokers must provide the CPPA with a point of contact, including name, email, and phone number.
  • Where the data broker is regulated by other laws, data brokers must describe the types of personal information collected and sold subject to enumerated laws, specific products or services covered by enumerated laws, and the approximate proportion of data collected and sold subject to enumerated laws in comparison with their total annual data collection and sales.

Data brokers may also contact the CPPA electronically in writing to report changes in:

  • Name, email, or phone number of the point of contact.
  • The data broker’s public-facing contact information.
  • The data broker’s public-facing website addresses.

The CPPA is accepting public comments on the proposed regulations until August 20, 2024.

Laura Hamady

Laura serves as counsel in the firm’s Privacy + Cyber practice. She brings more than 15 years of experience in privacy and cybersecurity related matters. Laura is an industry-experienced privacy leader and has served in senior privacy leadership positions at a variety of large companies across various industry spaces, including Twitter, Visa, PayPal, Chronicle (a Google company), Groupon, Levi’s, Takeda Pharmaceuticals, and more.

James Koenig

Jim co-chairs the firm’s Privacy + Cyber Practice Group. For the past ten years, he has represented global clients in the financial services, energy, retail, pharmaceutical/health care, cable, telecommunications, car rental, airline, social media, technology, and manufacturing industries, including 35% of Fortune 100-listed companies.

Ethan G. Ostroff

Ethan Ostroff’s practice focuses on financial services litigation and consumer law compliance counseling. Ethan is part of the firm’s national practice representing consumer-facing companies of all types in defense of individual and class action claims and counseling them on compliance with federal and state laws.

Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.

Alan D. Wingfield

Alan Wingfield helps consumer-facing clients navigate compliance, litigation and regulatory risks posed by the complex web of state and federal consumer protection laws. He is a trusted advisor and tireless advocate, helping clients develop practical compliance and dispute-resolution strategies.

David N. Anthony

David Anthony handles litigation against consumer financial services businesses and other highly regulated companies across the United States. He is a strategic thinker who balances his extensive litigation experience with practical business advice to solve companies’ hardest problems.