To print this article, all you need is to be registered or login on Mondaq.com.
Recently, multiple states have enacted and passed new data
privacy laws and bills (Colorado, Virginia, Utah, California Privacy Rights Act, Connecticut, Indiana, and Ohio). Rightfully so, these laws
and bills have garnered much of the media attention. However, in
the midst of all the new state data privacy laws, new bills
regulating “data brokers” have begun to emerge. To no
surprise, California is leading the way with its Data Broker Registration Law, which was
enacted in 2019.
Clearly noted on the California
Attorney General’s CCPA website (the “AG
Website”) is that the California Consumer Privacy Act (the
“CCPA”) applies to “many businesses, including data
brokers.” This means that while the Data Broker Registration
Law has specific requirements for a data broker, such as
registering with the Attorney General, a data broker can also be
subject to the CCPA’s requirements if it meets the thresholds
of a “business” as defined under the CCPA.
The term “data broker” is defined as “a business
that knowingly collects and sells to third parties the personal
information of a consumer with whom the business does not have a
direct relationship.” Essentially, data brokers collect
information about consumers from many sources including websites,
other businesses, and public records. The data broker then analyzes
and packages the data for sale to other businesses. However, the
following businesses are not considered data brokers under the Data
Broker Registration Law:
- A consumer reporting agency under the federal Fair Credit
- A financial institution under the Gramm-Leach-Bliley Act;
- An entity under the state’s Insurance Information and
Privacy Protection Act.
The requirements under the Data Broker Registration Law are
fairly simple. On or before January 31st following
each year that the business meets the definition of a data broker,
the business must register with the California Attorney General.
The website created by the California Attorney General for
businesses to register as data brokers is located at: https://oag.ca.gov/data-broker/register. To
register, the business must provide the following:
- An annual registration fee of $400;
- Name of the business and its physical, email, and internet
- Any additional information or explanation the business chooses
to provide concerning its data collection practices; and
- How a consumer can opt-out of the sale of their information or
otherwise submit a data subject request under the CCPA.
The information listed above is to be made available to the
public on the Attorney General’s website.
Enforcement and Penalties
If a business that meets the definition of a data broker
fails to register as a data broker, that business may be subject to
the following actions by the California Attorney General:
- A civil penalty of $100 for each day the business fails to
- An amount equal to the fees that were due during the period it
failed to register; and
- Expenses incurred by the Attorney General during its
investigation and prosecution of the action.
Other State Data Broker Bills
A few other states have considered adopting similar laws as the
Data Broker Registration Law in California.
- Delaware – HB 262. The bill would require a public data
broker registry similar to the requirements in California,
including an annual registration fee. The bill is currently
awaiting consideration by the Banking, Business & Insurance
- Massachusetts – 50. The bill was originally referred to the
Advanced Information Technology, the Internet and Cybersecurity
Committee. The bill was then incorporated into S.2687 and is awaiting consideration by
the Senate Ways and Means Committee.
- Oregon and Washington.
Both Oregon and Washington considered data broker registration
bills in early 2022, HB 4017 and SB 5813 However, both lawmakers in Oregon
and Washington closed out their legislative session without passing
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Privacy from United States