What will this law do?
- Under this law, the California Privacy Protection Agency (CPPA) would set up a website where consumers can verify their identity and then make a single request to delete their personal data held by data brokers and to opt out of future tracking. Proponents call it a “do not track” signal similar to the “do not call” list for telemarketers maintained by the Federal Trade Commission.
- Every 45 days, data brokers are required to delete the personal information of a consumer who has submitted a request (i.e., because data sets are continually refreshed, brokers will be required to continually delete the consumer’s data so it doesn’t get reintroduced into their systems in the future).
- An authorized agent can make this request (although you can require consumer verification; if the identity can’t be verified, the request must be treated as an opt-out of sale).
Who’s a Data Broker?
- Under the California Data Broker Law, a “data broker” is a CCPA/CPRA-covered business that sells the personal information of a consumer with whom the business doesn’t have a direct relationship. This means you sell the info of people that you received from other businesses.
- The definition is codified at Cal. Civ. Code §§ 1798.99.80 et seq.
Who’s NOT a Data Broker?
The Data Broker Law sets out several exceptions to the definition of “data broker.” The following are not data brokers:
- Consumer reporting agencies covered by the Fair Credit Act
- Financial institutions regulated under the Gramm-Leach-Bliley Act
- Any entity covered by the Insurance Information and Privacy Protection Act
Companies covered by one or more of the above laws will not need to comply with the Data Broker Law, even if they would otherwise meet the definition of a “data broker.”
What are Data Brokers required to do?
Data brokers must:
- Register with the Data Broker Registry every year
- Pay an annual fee
- Provide details about their business
- Undergo independent compliance audits every three years (beginning in 2028)
Penalties for Not Registering
If you fail to register, you’ll be liable for the following:
- A civil penalty of $100 per day
- The fee for last year (if you were required to register and failed to do so)
- Any costs incurred by the Attorney General in investigating and prosecuting you
Data Broker Laws in Other States
- Vermont: Data brokers need to complete an annual registration with the Secretary of State’s office. Vermont also has certain minimum data security requirements.
- Nevada: Data brokers have to establish a designated request address through which a Nevada consumer can ask to opt out of the sale of their covered information. Certain consumers will have the right to make verified opt-out requests at any time and the broker will have 60 days to respond to verified requests, although they may be able to extend the response window by 30 days with adequate notice to the consumer.