Compliance alert: California poised to enact data broker registration law

While Vermont enacted the nation’s first data broker regulation law in 2018, the California legislature has recently passed a data broker bill of its own. If signed by the governor, it may prove even more restrictive and burdensome than the law in Vermont.

The goal, according to the California legislature, is to provide greater transparency to consumers with respect to who is selling their personal information.

The Vermont Law
The Vermont law defines a “data broker” as a business that knowingly collects and sells or licenses to third-parties “brokered personal information” of a consumer with whom the business does not have a direct relationship.

The law requires that data brokers:

• Register with the Vermont Secretary of State by January 31 of every year
• Provide specified information to the state when they register (including the name of a contact person and their own physical, email, and internet addresses)
• Meet certain minimum data security standards, including implement computer system requirements that have secure user authentication protocols;secure access control measures; firewalls and operating system patches; and up-to-date malware, patching, and virus definitions.

The California Bill

Similar to the Vermont law, under the California bill a “data broker” is a business that knowingly collects and sells to third parties the personal information (as defined in the California Consumer Privacy Act, or CCPA) of a consumer with whom the business does not have a “direct relationship.”

What constitutes a “direct relationship” is not yet defined with certainty. However, the state legislature has indicated that this can form in various ways, such as by visiting a business’s website, or by affirmatively and intentionally interacting with online advertisements.

The California Bill, AB 1202, also requires data brokers to:

• Register with the California Attorney General on or before January 31 of every year
• To pay a registration fee in an amount to be determined by the Attorney General
• To provide their name and primary physical, email and internet website addresses

In addition, when registering in California a data broker may choose to provide any additional information or explanation concerning its data collection practices.

Certain types of businesses are exempt from the registration requirement, including:

• Consumer reporting agencies which are subject to the federal Fair Credit Reporting Act
• Financial institutions which are subject to the Gramm-Leach-Bliley Act
• Companies subject to the state’s Insurance Information and Privacy Protection Act

A data broker that fails to register may be sued by the Attorney General in an action in which it could be forced to pay civil penalties of up to $100 for each day it fails to register. Penalties may also include the Attorney General’s investigation and prosecution expenses.

Industry groups (including the Association of National Advertisers) and businesses operating in California and deriving revenue from the data ecosystem are concerned that this bill, if signed into law by Governor Newsom, could have a chilling effect on innovation and business development because of how broadly it may be interpreted (i.e., not just to traditional “data brokers.”)

The California Bill requires that the California Attorney General create a publicly available registry of data brokers on its website to put California consumers on notice of the businesses that sell their personal information (PI) and who to contact in order to opt out from such sale, as permitted by the CCPA.

Although many of the bill’s terms are defined by reference to the CCPA, the bill itself is rather bare bones and has similarities to Vermont.

Significantly, the California bill also does not reduce or override obligations data brokers must meet under the CCPA when that law takes effect on January 1, 2020. In this regard, the California bill specifically states that it does not “supersede or interfere with” the CCPA.

A final word

The largest state in the nation has now passed the country’s second law specifically regulating “data brokers.” Any company that processes personal information of consumers with whom it does not have a direct relationship should test their business practices against the California law to determine if registration is required.

This article was brought to you by Gary Kibel, attorney and partner in the Digital Media, Technology & Privacy Practice Group of Davis & Gilbert LLP. He also serves as general counsel to the Performance Marketing Association. Gary advises interactive companies, advertising agencies, media providers and other commercial entities regarding transactions for interactive media, behavioral advertising, social media, programmatic media buying, mobile marketing, affiliate marketing, data collection and usage, and other emerging products and services. He is a Certified Information Privacy Professional (CIPP) and advises clients in many industries regarding privacy and data security issues, including, internal information security policies, contractual obligations, security breaches, privacy law compliance and other matters in connection with an organization’s collection, storage and use of data in all aspects of its business.