Am I A Data Broker?: A Quick Primer On State Laws Regulating A Growing Industry – Privacy Protection

To print this article, all you need is to be registered or login on

Recently, multiple states have enacted and passed new data
privacy laws and bills (ColoradoVirginiaUtahCalifornia Privacy Rights ActConnecticutIndiana, and Ohio). Rightfully so, these laws
and bills have garnered much of the media attention. However, in
the midst of all the new state data privacy laws, new bills
regulating “data brokers” have begun to emerge. To no
surprise, California is leading the way with its Data Broker Registration Law, which was
enacted in 2019.


Clearly noted on the California
Attorney General’s CCPA website
 (the “AG
Website”) is that the California Consumer Privacy Act (the
“CCPA”) applies to “many businesses, including data
brokers.” This means that while the Data Broker Registration
Law has specific requirements for a data broker, such as
registering with the Attorney General, a data broker can also be
subject to the CCPA’s requirements if it meets the thresholds
of a “business” as defined under the CCPA.

The term “data broker” is defined as “a business
that knowingly collects and sells to third parties the personal
information of a consumer with whom the business does not have a
direct relationship.” Essentially, data brokers collect
information about consumers from many sources including websites,
other businesses, and public records. The data broker then analyzes
and packages the data for sale to other businesses. However, the
following businesses are not considered data brokers under the Data
Broker Registration Law:

  • A consumer reporting agency under the federal Fair Credit
    Reporting Act;

  • A financial institution under the Gramm-Leach-Bliley Act;

  • An entity under the state’s Insurance Information and
    Privacy Protection Act.


The requirements under the Data Broker Registration Law are
fairly simple. On or before January 31st following
each year that the business meets the definition of a data broker,
the business must register with the California Attorney General.
The website created by the California Attorney General for
businesses to register as data brokers is located at: To
register, the business must provide the following:

  • An annual registration fee of $400;

  • Name of the business and its physical, email, and internet
    website addresses;

  • Any additional information or explanation the business chooses
    to provide concerning its data collection practices; and

  • How a consumer can opt-out of the sale of their information or
    otherwise submit a data subject request under the CCPA.

The information listed above is to be made available to the
public on the Attorney General’s website.

Enforcement and Penalties

 If a business that meets the definition of a data broker
fails to register as a data broker, that business may be subject to
the following actions by the California Attorney General:

  • A civil penalty of $100 for each day the business fails to

  • An amount equal to the fees that were due during the period it
    failed to register; and

  • Expenses incurred by the Attorney General during its
    investigation and prosecution of the action.

Other State Data Broker Bills

A few other states have considered adopting similar laws as the
Data Broker Registration Law in California.

  • Delaware  – HB 262. The bill would require a public data
    broker registry similar to the requirements in California,
    including an annual registration fee. The bill is currently
    awaiting consideration by the Banking, Business & Insurance

  • Massachusetts  – 50. The bill was originally referred to the
    Advanced Information Technology, the Internet and Cybersecurity
    Committee. The bill was then incorporated into S.2687 and is awaiting consideration by
    the Senate Ways and Means Committee.

  • Oregon and Washington.
    Both Oregon and Washington considered data broker registration
    bills in early 2022, HB 4017 and SB 5813 However, both lawmakers in Oregon
    and Washington closed out their legislative session without passing
    the bills.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Privacy from United States

Facial Recognition: A New Trend In State Regulation

Womble Bond Dickinson

Ten years ago, the average person did not know what facial recognition was. Now, especially after its use in locating persons involved in the January 6, 2021, riots at the US Capitol…

California Privacy Update, Part III


In our third California Privacy Update, we continue to closely follow potential privacy law updates in California. You can read our most recent update here.

Source link

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button

Get our latest downloads and information first. Complete the form below to subscribe to our weekly newsletter.