Compliance alert: California poised to enact data broker registration law
- Written by Guest Contributor on
Awin's external legal counsel Gary Kibel provides an update on California's developing consumer privacy and data regulations.
Share this

Awin's external legal counsel Gary Kibel provides an update on California's developing consumer privacy and data regulations.
While Vermont enacted the nation’s first data broker regulation law in 2018, the California legislature has recently passed a data broker bill of its own. If signed by the governor, it may prove even more restrictive and burdensome than the law in Vermont.
The goal, according to the California legislature, is to provide greater transparency to consumers with respect to who is selling their personal information.
The Vermont Law
The Vermont law defines a “data broker” as a business that knowingly collects and sells or licenses to third-parties “brokered personal information” of a consumer with whom the business does not have a direct relationship.
The law requires that data brokers:
The California Bill
Similar to the Vermont law, under the California bill a “data broker” is a business that knowingly collects and sells to third parties the personal information (as defined in the California Consumer Privacy Act, or CCPA) of a consumer with whom the business does not have a “direct relationship.”
What constitutes a “direct relationship” is not yet defined with certainty. However, the state legislature has indicated that this can form in various ways, such as by visiting a business’s website, or by affirmatively and intentionally interacting with online advertisements.
The California Bill, AB 1202, also requires data brokers to:
In addition, when registering in California a data broker may choose to provide any additional information or explanation concerning its data collection practices.
Certain types of businesses are exempt from the registration requirement, including:
A data broker that fails to register may be sued by the Attorney General in an action in which it could be forced to pay civil penalties of up to $100 for each day it fails to register. Penalties may also include the Attorney General’s investigation and prosecution expenses.
Industry groups (including the Association of National Advertisers) and businesses operating in California and deriving revenue from the data ecosystem are concerned that this bill, if signed into law by Governor Newsom, could have a chilling effect on innovation and business development because of how broadly it may be interpreted (i.e., not just to traditional “data brokers.”)
The California Bill requires that the California Attorney General create a publicly available registry of data brokers on its website to put California consumers on notice of the businesses that sell their personal information (PI) and who to contact in order to opt out from such sale, as permitted by the CCPA.
Although many of the bill’s terms are defined by reference to the CCPA, the bill itself is rather bare bones and has similarities to Vermont.
Significantly, the California bill also does not reduce or override obligations data brokers must meet under the CCPA when that law takes effect on January 1, 2020. In this regard, the California bill specifically states that it does not “supersede or interfere with” the CCPA.
A final word
The largest state in the nation has now passed the country’s second law specifically regulating “data brokers.” Any company that processes personal information of consumers with whom it does not have a direct relationship should test their business practices against the California law to determine if registration is required.
This article was brought to you by Gary Kibel, attorney and partner in the Digital Media, Technology & Privacy Practice Group of Davis & Gilbert LLP. He also serves as general counsel to the Performance Marketing Association. Gary advises interactive companies, advertising agencies, media providers and other commercial entities regarding transactions for interactive media, behavioral advertising, social media, programmatic media buying, mobile marketing, affiliate marketing, data collection and usage, and other emerging products and services. He is a Certified Information Privacy Professional (CIPP) and advises clients in many industries regarding privacy and data security issues, including, internal information security policies, contractual obligations, security breaches, privacy law compliance and other matters in connection with an organization’s collection, storage and use of data in all aspects of its business.
© 2022, AWIN Inc. All rights reserved. AWIN Inc. is part of Axel Springer Group. No part of this publication may be reproduced, translated, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the copyright owner.
We blend international reach with local expertise.