Recently, multiple states have enacted and passed new data privacy laws and bills (Colorado, Virginia, Utah, California Privacy Rights Act, Connecticut, Indiana, and Ohio). Rightfully so, these laws and bills have garnered much of the media attention. However, in the midst of all the new state data privacy laws, new bills regulating “data brokers” have begun to emerge. To no surprise, California is leading the way with its Data Broker Registration Law, which was enacted in 2019.
Applicability
Clearly noted on the California Attorney General’s CCPA website (the “AG Website”) is that the California Consumer Privacy Act (the “CCPA”) applies to “many businesses, including data brokers.” This means that while the Data Broker Registration Law has specific requirements for a data broker, such as registering with the Attorney General, a data broker can also be subject to the CCPA’s requirements if it meets the thresholds of a “business” as defined under the CCPA.
The term “data broker” is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Essentially, data brokers collect information about consumers from many sources including websites, other businesses, and public records. The data broker then analyzes and packages the data for sale to other businesses. However, the following businesses are not considered data brokers under the Data Broker Registration Law:
- A consumer reporting agency under the federal Fair Credit Reporting Act;
- A financial institution under the Gramm-Leach-Bliley Act; and
- An entity under the state’s Insurance Information and Privacy Protection Act.
Requirements
The requirements under the Data Broker Registration Law are fairly simple. On or before January 31st following each year that the business meets the definition of a data broker, the business must register with the California Attorney General. The website created by the California Attorney General for businesses to register as data brokers is located at: https://oag.ca.gov/data-broker/register. To register, the business must provide the following:
- An annual registration fee of $400;
- Name of the business and its physical, email, and internet website addresses;
- Any additional information or explanation the business chooses to provide concerning its data collection practices; and
- How a consumer can opt-out of the sale of their information or otherwise submit a data subject request under the CCPA.
The information listed above is to be made available to the public on the Attorney General’s website.
Enforcement and Penalties
If a business that meets the definition of a data broker fails to register as a data broker, that business may be subject to the following actions by the California Attorney General:
- A civil penalty of $100 for each day the business fails to register;
- An amount equal to the fees that were due during the period it failed to register; and
- Expenses incurred by the Attorney General during its investigation and prosecution of the action.
Other State Data Broker Bills
A few other states have considered adopting similar laws as the Data Broker Registration Law in California.
- Delaware – HB 262. The bill would require a public data broker registry similar to the requirements in California, including an annual registration fee. The bill is currently awaiting consideration by the Banking, Business & Insurance Committee.
- Massachusetts – 50. The bill was originally referred to the Advanced Information Technology, the Internet and Cybersecurity Committee. The bill was then incorporated into S.2687 and is awaiting consideration by the Senate Ways and Means Committee.
- Oregon and Washington. Both Oregon and Washington considered data broker registration bills in early 2022, HB 4017 and SB 5813 However, both lawmakers in Oregon and Washington closed out their legislative session without passing the bills.
Taft will continue to monitor any changes to data broker bills and laws and keep you updated on such developments right here on Taft’s Privacy and Data Security Insights blog and you can also monitor using the Taft Privacy and Data Security Mobile Application. For more information on the Data Broker Registration Law and other data privacy questions, please contact Taft’s Privacy and Data Security Team.