Last week, the California Privacy Protection Agency (CPPA) announced it will conduct a public investigative sweep of data broker registration compliance under the California Delete Act.
Pursuant to the Act, a “data broker” is “a business that knowingly collects and sells to third parties the personal information of a [California] consumer with whom the business does not have a direct relationship.” “Selling” is defined broadly and includes the transfer of personal information for any valuable or monetary consideration. There are exceptions to this definition of a data broker, such as businesses covered and regulated by the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act.
The Act requires data brokers to pay an annual registration fee along with its annual registration submission identifying itself as a data broker and provide the following information to the CPPA:
- Whether the business collects the personal information of minors, reproductive health care data, or precise geolocation data;
- The number of consumer rights requests the business received during the prior calendar year; and
- The median and mean number of days by which the business substantively responded to those requests.
Data brokers are also required to disclose this information in a link on its website.
Michael Macko, head of the CCPA enforcement division, said in a press release, “Californians have a right to know who is trafficking in their personal information. That’s why California law requires data brokers to register. For data brokers skirting the law, the fine increases with each passing day. Our Enforcement Division will seek to recover this fine because it’s unfair to the data brokers who have complied with their obligations .”
The press release further stated: “The immense volume of personal information sold by data brokers can pose a significant threat to Californians’ privacy. It’s crucial for data brokers to register with our Agency, so the public can be informed and empowered to exercise their rights. And starting in 2026, these rights will be even stronger with the new deletion mechanism.” Note that all businesses that are data brokers under the Act must register by January 31, 2025, or face a penalty of $200 per day.
[View source.]
