Last month, the California legislature capped its 2019 legislative session by sending five amendments to the California Consumer Privacy Act to the California governor’s desk for signature.
In addition to those CCPA amendments, the Legislature also passed an additional, related data privacy bill — A.B.1202 — which requires certain businesses that sell the personal information of California consumers to register as data brokers with the California attorney general and pay an annual fee.
California’s data broker law is significant not just for those entities that sell the personal data of California residents, but for data brokers from coast to coast, as the law represents a noteworthy growing trend toward increased regulation over data brokers and similar entities that engage in the sale of consumer personal information.
Overview of A.B. 1202
A.B. 1202 applies to “data brokers,” which are defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Significantly, A.B. 1202 incorporates the CCPA’s definition of “business,” meaning that companies must satisfy the CCPA’s thresholds in order to fall under the scope of the state’s data broker law.
Similarly, AB 1202 incorporates the CCPA’s expansive definition of “sale,” which extends to encompass the sharing of data for nonmonetary consideration. Consequently, this means that entities not traditionally considered to be data brokers will now have to comply with California’s new data broker law. Excluded from the scope of A.B. 1202, however, are consumer reporting agencies regulated by the Fair Credit Reporting Act, financial institutions regulated by the Gramm-Leach-Bliley Act and entities regulated by the Insurance Information and Privacy Protection Act.
A.B. 1202 does not offer an explicit definition of “direct relationship” as the term is used in California’s data broker law. Rather, A.B. 1202 provides only that a direct relationship can be formed in a variety of different ways, such as by visiting a business’s premises or internet website or by affirmatively and intentionally interacting with a business’ online advertisements.
Without any concrete direction from A.B. 1202 on what constitutes a “direct relationship,” entities can look to the data broker law that was recently enacted by Vermont to provide guidance on the direct relationship issue. Like A.B. 1202, Vermont’s data broker law provides that a “data broker” is an entity that lacks a “direct relationship” with a consumer.
Significantly, the Vermont attorney general has issued guidance in connection with the state’s data broker law, which includes a detailed discussion of what constitutes a “direct relationship.” Specifically, the Vermont attorney general guidance provides that a “direct relationship” exists if a consumer is a: (1) customer, client, subscriber, user or registered user of the business’s goods or services; (2) employee, contractor or agent of the business; (3) investor in the business; or (4) donor to the business.
The Vermont guidance also offers examples of activities that fall outside the scope of the law due to an absence of a direct relationship, including relators that sell information about their clients, and corporations that sell information about their investors.
Registration Requirement
Entities that satisfy the definition of “data broker” must register with the California attorney general on or before Jan. 31 following each year in which the company satisfies the definition of data broker. In doing so, data brokers must disclose — at a minimum — their name, physical address, email address and website address. In addition, the law also permits data brokers to submit any additional information or explanation that it chooses to provide regarding its data collection practices. The California attorney general will maintain a statewide data broker registry website that makes this information available to the public.
Significantly, however, A.B. 1202 does not require that data brokers disclose any information regarding the entity’s practices as it relates to allowing consumers to opt-out of the broker’s sale of personal information. This aspect of California’s data broker law departs significantly from the Vermont data broker law, which requires data brokers that offer the ability to opt-out to disclose detailed information regarding their opt-out practices, including the process that is offered to consumers to opt out, as well as additional information regarding the scope of activities from which consumers are not able to opt-out, as part of their disclosure obligations.
Annual Fee Requirement
In addition, data brokers must also pay an annual registration fee as well. A.B. 1202, however, only provides that the fee will be “determined by the Attorney General.” At this time, the amount of the registration fee is still unknown.
No Data Security Program Requirements
One of the most significant aspects of Vermont’s data broker law pertains to its data security requirement, which provides that data brokers must develop, implement and maintain a comprehensive written security programs that contain administrative, technical and physical safeguards that are appropriate to the size, scope and type of business of the data broker; the amount of resources available to the data broker; the amount of stored data; and the need for security and confidentiality of personal identifiable information. The California data broker law, however, does not include any type of similar data security requirement.
Penalties and Enforcement
Data brokers that fail to satisfy the requirements of A.B. 1202 are subject to injunctive relief, civil penalties and costs, including a fine of $100 per day that the broker fails to register as required by A.B. 1202, additional monetary penalties equal to the amount of fees that were due during the period that it failed to register, and any expenses incurred in connection with investigations and enforcement actions brought by the California attorney general under the law.
Takeaways
Because California’s new data broker law will require data brokers to register with the California attorney general by Jan. 31, companies that engage in the sale of the personal data of California residents must act immediately to determine if they fall under the scope of the law and, if so, must ensure that they register and pay the annual fee before the end of January to avoid incurring penalties for noncompliance. Any entity that remains unsure as to whether it falls under the scope of the law should consult with experienced counsel to ascertain the full extent of its obligations (if any) under the law.
From a broader perspective, California’s new law represents a growing trend among state-level legislators of enacting legislation geared toward increasing regulation over companies that sell the personal information of consumers. Importantly, with heightened awareness and skepticism regarding the collection and sale of personal data following the recent Facebook Inc. and Cambridge Analytica Ltd. data scandals, as well as a growing interest in consumer privacy, the data broker laws that have been adopted by Vermont and California may influence other states to consider enacting similar legislation in connection with the activity of data brokers and similar types of entities.
In this respect, it is likely that legislatures in other states will follow suit and enact their own laws regulating the sale of consumer data and the data security practices of data brokers, leading to greater regulation of data brokers across the nation in the coming months and years. As such, due to the potential for additional data broker laws to be passed by other states in the immediate future, companies that engage in the sale of consumer data must stay up to date on all new developments in this rapidly growing area of law to ensure that they continue to satisfy any additional compliance obligations moving forward, while at the same time maintaining an understanding of their data flows so that they can be ready to respond quickly to the changing legal landscape.
Furthermore, although California’s data broker law does not include a data security requirement, this is likely due to the unique circumstances of California law and, more specifically, the significant data security requirements that are already placed on companies that utilize personal data in the course of their business operations under the CCPA.
Conversely, as indicated above, the Vermont law includes burdensome data security requirements, which mandate that data brokers implement stringent data security programs to safeguard the personal data that is collected, used, and sold by those entities. Moving forward, it is likely that other states that enact similar data broker laws in the future will follow Vermont’s lead and include a data security aspect to their laws as well.
As such, data brokers — regardless of where they do business — should consider taking proactive steps to review and update their data security practices as necessary and in doing so can use the Vermont law as guidance in order to ascertain the specific security controls that should be implemented to ensure compliance with today’s new wave of data broker laws.
“Calif. Data Broker Law May Be Part of Growing Trend,” by David J. Oberly and Jennifer J. Daniels was published in Law360 on October 22, 2019. Reprinted with permission.
