Alongside its flurry of CCPA amendments last term, the California legislature passed Assembly Bill 1202 (AB 1202), the nation’s second data broker registration law. AB 1202 requires “data brokers” to register with and pay an annual fee to the California Attorney General (AG). AB 1202 uses the CCPA’s definitions for key terms, so even businesses that are not traditional data brokers may need to register.
Data brokers in California must register here by January 31, 2020. This year’s registration fee is $360.
The key takeaway: if your business sells personal information under the CCPA, consider your obligations to register as a data broker in California.
Below we describe what activities qualify a business as a data broker in California, what information data brokers must provide to the AG, how AB 1202 is enforced, and whether qualifying as a data broker in California means registration is needed in Vermont or vice versa.
What is a data broker in California?
AB 1202 defines “data broker” to mean a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship,” with limited exceptions for entities subject to FCRA, GLBA, or California’s Insurance Information and Privacy Protection Act.
AB 1202 adopts the CCPA’s expansive definitions for key terms, including “business,” “sells,” “personal information,” “third party,” and “consumer.” Thus, if your business “sells” personal information in California, consider whether your business has direct relationships with those consumers. Of particular note, the CCPA definition of “consumer” extends to any California residents, so it can encompass business to business contact information.
What is a “direct relationship”?
AB 1202 does not provide much guidance on how to determine whether a business has a “direct relationship” with the consumer whose personal information the business sells.
The act does not define “direct relationship”; however, the act’s legislative findings provide some insight into the types of relationships that the California Legislature viewed as direct:
- Visiting a business’ premises or internet website
- Affirmatively and intentionally interacting with a business’ online advertisement
- Having some level of knowledge about and control over the business’s collection of personal information, including:
- the choice to use the business’ products or services,
- the ability to review and consider data collection policies,
- the ability to opt out of certain data collection practices,
- the ability to identify and contact customer representatives, and
- the knowledge necessary to complain to law enforcement.
A business that qualified as a data broker last year must register with the AG by January 31, 2020. Registrations can be submitted here. Data brokers that register will be listed on the AG’s public data broker registry.
AB 1202 requires data brokers to provide the following information to the AG:
- The name of the data broker and its primary physical, email, and internet website addresses
- Any additional information or explanation the data broker chooses to provide concerning its data collection practices.
We have heard suggestions that data brokers need not register until January 31, 2021, because AB 1202 did not come into effect until 2020. The California Attorney General seems to have taken a contrary position. In an emergency rulemaking allocating funds and setting the registration fee, the California AG took the position that AB 1202 “requires data brokers to pay a fee and register with the Attorney General by January 31, 2020, and by January 31 each year thereafter.”
A data broker that fails to register may be subject to:
- A civil penalty of $100 per day for each day the data broker failed to register;
- The fees due during the period it failed to register; and
- The AG’s expenses incurred investigating and prosecuting the violation
It is possible private litigants will attempt to file suits against data brokers who fail to register because AB 1202 does not expressly prohibit private rights of actions nor does the CCPA’s express prohibition on private rights of action apply to the data broker registration requirement (AB 1202 is codified under a separate title than the CCPA).
Relation to Vermont
Entities that qualify as a data broker under California may wish to consider whether they also need to register in Vermont or vice versa. The scope of Vermont’s Data Broker Regulation differs from AB 1202. For example, the Vermont law applies to data broker’s handling of “brokered personal information,” which is defined more narrowly than “personal information” under AB 1202 and the CCPA. Therefore, it remains possible that a company will need to register in one state but not the other.
Brittney Griffin, a paralegal in our Washington D.C. office, contributed to this entry.