Given Broad Definitions, the Law Could Apply to Businesses That Do Not Consider Themselves Data Brokers

While amending the California Consumer Privacy Act of 2018 (CCPA) last term, the California legislature also passed a CCPA-related privacy bill that applies to “data brokers.” Assembly Bill 1202 (AB 1202) requires businesses that qualify as data brokers to register, pay a fee, and provide certain information to the California attorney general. Because AB 1202 relies on the CCPA’s broad definitions of “sell” and “personal information,” many businesses that might not otherwise consider themselves to be data brokers may fall within the data broker definition.

As a result, all businesses that “sell” “personal information” of California residents should promptly evaluate whether they are subject to the law’s new registration requirements. As discussed below, the California data broker registry website is now live and data brokers must register with the California attorney general on or before January 31, 2020 or face potential penalties.

What Is a Data Broker?

As defined in AB 1202, a data broker is a business that knowingly collects and sells to third parties the personal information of a California resident with whom the business does not have a direct relationship. While AB 1202 does not define the term “direct relationship,” its findings include examples of ways in which a direct relationship can be created, including a California resident’s visit to a business’s premises or website or a California resident’s affirmative and intentional interactions with the business’s online advertisements. The law’s definition of data broker excludes consumer reporting agencies covered by the Fair Credit Reporting Act, financial institutions covered by the Gramm-Leach-Bliley Act, and certain regulated insurance entities.

AB 1202 refers to the CCPA for several pertinent definitions, including the definitions of “business,” “sells,” “personal information,” and “third party.”

A business is defined as a for-profit entity that meets one of the following thresholds or is controlled by and shares common branding with a for-profit entity that meets one of the following thresholds:

  • has annual gross revenues in excess of 25 million dollars ($25,000,000);
  • annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more California residents, households, or devices; or
  • derives 50 percent or more of its annual revenues from selling California residents’ personal information.

AB 1202 uses the CCPA’s broad definition of sale, which is relevantly defined as disclosing, making available, or otherwise communicating orally, in writing, or by electronic or other means, a California resident’s personal information by the business to another third party for monetary or other valuable consideration. Personal information is also broadly defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.

A third party is defined in the negative, as a person that is neither the collector of personal information nor a service provider-type entity to whom the business discloses a California resident’s personal information for a business purpose pursuant to a written contract with specific limitations on the retention, use, and disclosure of the personal information.

What Is Required of Data Brokers?

There are no threshold requirements for qualifying as a data broker. Accordingly, all businesses that qualify as a “business” under the CCPA and “sell” the “personal information” of at least one California resident with whom they do not have a direct relationship are required to register with the state by creating an account on the California attorney general’s website on or before January 31, 2020, as well as each following year that the business satisfies the definition of data broker.

In registering, data brokers must pay a registration fee in an amount to be determined by the California attorney general, not to exceed the reasonable costs of establishing and maintaining a website, and provide the California attorney general with their name, physical address, email address and website address, as well as any additional information or explanation that the data broker chooses to provide concerning its data collection practices. The current registration form also requests, although does not require a data broker provide, information regarding how a California resident may opt out of sales or submit requests under the CCPA and how a protected individual can demand deletion of information posted online pursuant to state laws protecting the confidentiality of home addresses and telephone numbers of elected or appointed officials and victims of domestic violence, sexual assault, and stalking.

The information provided to the California attorney general will be publicly available on the California data broker registry website.

What Are the Penalties of Non-Compliance?

Data brokers that fail to satisfy the requirements of AB 1202 can be subject to injunctive relief and civil penalties of $100 for each day the data broker fails to register, as well as additional monetary penalties equal to the amount of fees that were due during the period that the data broker failed to register and any investigation and prosecution costs incurred by the California attorney general.

For questions regarding registering as a data broker, the CCPA, or any other privacy laws or regulations, please contact Lydia ParnesEddie HolmanMegan Kayo, or another member of the firm’s privacy and cybersecurity practice.