On July 5, the California Privacy Protection Agency (CPPA) published a Notice of Proposed Rulemaking regarding Data Broker Registration pursuant to Senate Bill 362 (the Delete Act). The Delete Act requires the CPPA to establish an accessible deletion mechanism. This mechanism allows a consumer, through a single verifiable consumer request, to request that every data broker delete any personal information related to that consumer held by the data broker or associated service provider or contractor. The stated aim of the proposed rulemaking is to clarify and enhance the registration process for data brokers.
Subject to limited exceptions, the CPPA defines “data broker” broadly as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”
The proposed rulemaking defines several other key terms:
- “Direct relationship” means that “a consumer intentionally interacts with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business’s products or services within the preceding three years.” The rulemaking clarifies that a business is still a data broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer.
- Civil Code § 1798.99.80 requires data brokers to register if they do not have a direct relationship with the consumers whose personal information they buy and sell.
- “Minor” means “a consumer the data broker has actual knowledge is less than 16 years of age.” Further, a business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.
- Data brokers are required to disclose whether they collect personal information of minors.
- “Reproductive health care data” means “[i]nformation about a consumer searching for, accessing, procuring, using, or otherwise interacting with goods or services associated with the human reproductive system”; “information about the consumer’s sexual history and family planning,” including information input into a dating app; and inferences about the same.
- Data brokers must disclose annually, when registering, whether they collect reproductive health care data.
The proposed regulations outline specific requirements for data brokers:
- Each data broker business, regardless of its status as a subsidiary or parent company, is required to uniquely register.
- Employees or agents of a data broker business must register on behalf of the data broker and have sufficient knowledge of the data broker’s practices to provide accurate information.
- A data broker cannot amend or withdraw a completed registration after January 31, subject to exceptions.
- The registration fee includes $400 plus any fees for processing electronic payments.
- A standardized electronic payment method will be established for registration fees.
Registration process requirements include:
- All website links and email addresses provided must be accurate and functioning.
- Data brokers must provide the CPPA with a point of contact, including name, email, and phone number.
- Where the data broker is regulated by other laws, data brokers must describe the types of personal information collected and sold subject to enumerated laws, specific products or services covered by enumerated laws, and the approximate proportion of data collected and sold subject to enumerated laws in comparison with their total annual data collection and sales.
Data brokers may also contact the CPPA electronically in writing to report changes in:
- Name, email, or phone number of the point of contact.
- The data broker’s public-facing contact information.
- The data broker’s public-facing website addresses.
The CPPA is accepting public comments on the proposed regulations until August 20, 2024.