The annual registration period for data brokers under California law closes this Friday, January 31, 2024. Any business that qualifies as a data broker in 2023 must register with the California Privacy Protection Agency (CPPA) by this deadline.
Does Your Business Need to Register?
Your business may be a data broker if it:
- Collects personal information about California consumers with whom it does not have a direct relationship, and
- Sells that information to third parties.
Late last year, the CPPA voted to adopt new regulations regarding data broker registration requirements and updated its definition of direct relationship. Notably, the regulations clarify that “a business is still a data broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer.”
Unpacking the direct relationship definition
In its final statement of reasons, the CPPA notes that some data brokers collect personal information directly from consumers as a third party during a consumer’s interaction with another first-party business. The proposed definition clarifies that a company can be a data broker even if it collects personal information directly from a consumer, because what makes a relationship “direct” is the consumer’s expectation or intention to interact with a business, not the mere collection of the consumer’s personal information by that business. A company that has a direct/intentional relationship with a consumer in one context but also collects personal information from the consumer as a third party on another platform may be a data broker if it sells the data it collects as a third party.
For example, if you have a consumer-facing website, the data you collect from the consumer’s interactions with the website is likely collected in the context of your direct relationship with the consumer. If you also collect data from a third party (either directly from a data broker or via a retargeting cookie or pixel run on another website), that data would not be collected as part of your direct relationship with the consumer. If you sell (as the CCPA defines sell) the data collected outside your direct relationship with the consumer, the CPPA will consider you a data broker. This only applies to data that meets the definition of personal information under the CCPA. Sharing data that has been de-identified or aggregated before it is shared will not qualify as a sale.
You are a Data Broker. Now What?
Key Registration Requirements
If your business qualifies as a data broker, you must:
1. Submit registration through the CPPA website (https://cppa.ca.gov/)
2. Pay the annual registration fee of $6,600 plus a 2.99% payment processing fee
3. Provide required information, including:
   - Business name and any DBAs
   - Primary physical, email, and web addresses
   - How consumers can opt out of data collection/sales
   - Description of data collection practices
   - Information about the collection of minors' data and reproductive health data
   - Details about compliance with specific privacy laws
Additional Details:
- Registration Period: January 1-31, 2024
- Registrations cannot be amended or withdrawn after January 31 except for limited circumstances
- All information must be certified under penalty of perjury by an authorized representative
Penalties
The Delete Act imposes fines of $200 per day for failing to register by the deadline.
On October 30, 2024, the Enforcement Division of the CPPA announced an investigative sweep of data broker registration compliance. Following that announcement, the CPPA announced settlements with four data brokers.
For example, Infillion, a New York-based data broker, agreed to pay $54,200 for failing to register between February 1 and November 4, 2024. The Data Group agreed to pay $46,600 for failing to register between February 1 and September 20, 2024.
The CPPA has said publicly that it plans to continue these sweeps, and we should expect additional fines to be announced in 2025 for companies that fail to register.
Resources
- Email databrokers@cppa.ca.gov to join the data broker mailing list
- Registration forms: https://cppa.ca.gov/data_brokers/2025_form.html
Important Future Deadlines
July 1, 2025: Data brokers must collect and report the following information in their privacy policy:
- The number of consumer requests that a data broker received, complied with in whole or in part, and denied during the previous calendar year (2024):
  - Requests to delete personal information
  - Requests to know or access what personal information the data broker was collecting
  - Requests to know what personal information the data broker was selling or sharing and to whom
  - Requests to opt out of sale or sharing of personal information
  - Requests to limit the data broker's use and disclosure of sensitive personal information.
- The median and the mean number of days within which a data broker substantively responded to the above requests in the previous calendar year.
August 1, 2026: The consumer deletion mechanism is expected to be live. Data brokers will be expected to access the deletion mechanism at least once every 45 days and process all deletion requests. The deletion mechanism will allow a consumer, through a single verifiable request, to request that every data broker that maintains any personal information about them delete their personal information (and to pass those requests to service providers and contractors).
January 1, 2028 (and every 3 years thereafter): Data brokers must undergo an audit by an independent third party to determine compliance with the data broker requirements and must submit the audit report to the CPPA upon request.
January 1, 2029: Data brokers will need to disclose whether they have undergone an audit and the most recent year in which they submitted an audit report to the CPPA.