You May Be a Data Broker and California Is Watching

The California Delete Act (CDA), enacted to enhance consumer privacy rights, imposes specific obligations on data brokers operating within the state. Recent enforcement actions by the California Privacy Protection Agency (CPPA) underscore the importance of compliance with these regulations. With data collection and sharing becoming potentially big business in a variety of industries thanks to the value of referral relationships, businesses should prioritize determining whether or not they are required to register under the CDA as a Data Broker, and what operational steps they must take to ensure compliance following such registration.

‍

‍

Defining “Data Broker” Under the CDA

The CDA defines a “data broker” as “a business that knowingly collects and sells to third parties the personal information of consumers with whom the business does not have a direct relationship.” This definition aligns with the one established under the California Consumer Privacy Act (CCPA) and excludes entities covered by specific federal laws, such as the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA). Although currently there is no set definition as to what constitutes a “direct relationship” under the CDA, proposed regulations from the CPPA would define the term “direct relationship” in the CDA as one in which “a consumer intentionally interacts with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business’s products or services within the preceding three years.” Further, even where a business did have a direct relationship with a consumer, CPPA proposed regulations would still define that business as a “data broker” where it sold personal information about such consumer that the business did not collect directly from such consumer.” While these proposed regulations are not yet final, they do appear to provide some guidance as to how the CPPA defines “direct relationship” under the CDA even now, and therefore represent good points of reference in crafting responsive compliance policies.

‍

‍

Responsibilities of Data Brokers Under the CDA

Data brokers operating in California are subject to several obligations designed to protect consumer privacy:

1. Annual Registration: Data brokers must register annually with the CPPA and pay a registration fee (currently $6,600.00). This registration is published by the CPPA and available to consumers online. Failure to register can result in administrative fines of $200 per day, and potentially more serious penalties as discussed below.
   
   
2. Consumer Deletion Requests: By January 1, 2026, the CPPA is mandated to establish an accessible deletion mechanism by which consumers can submit a single verifiable request to delete their personal information across all registered data brokers.  Data brokers will be required to comply with this mechanism, and the CPPA will be permitted to charge data brokers a fee for access and use of this deletion mechanism.
   
   
3. Transparency in Data Practices: Data brokers must disclose specific information about their data collection and sales practices, including the categories of personal information collected and sold, and whether they process sensitive data such as reproductive health care information. This information must be included in their privacy policies and updated annually.
   
   
4. Triennial Audits: Starting January 1, 2028, data brokers are required to undergo independent audits every three years to verify compliance with the CDA. These audits aim to ensure that data brokers adhere to the law’s provisions and maintain robust data protection practices.

‍

‍

CPPA’s Enforcement Actions

The CPPA has actively enforced the CDA to ensure data brokers comply with their obligations:

• Background Alert, Inc.: In a recent enforcement action, the CPPA settled with Background Alert, Inc., a California-based data broker, for failing to register as required by the CDA. The settlement resulted in the company agreeing to cease its operations for three years, with the threat of a $50,000 fine if they failed to do so.

• National Public Data (NPD): The CPPA initiated an administrative action against NPD, a Florida-based data broker, for failing to register by the January 31, 2024, deadline. NPD registered only after a data breach exposed 2.9 billion records, leading the CPPA to seek a $46,000 fine for the delayed registration. The Company has since filed for Chapter 11 bankruptcy.

• Growbots, Inc. and UpLead LLC: These data brokers faced fines of $35,400 and $34,400, respectively, for failing to register on time. Both companies settled with the CPPA and agreed to comply with the CDA’s requirements moving forward.

‍

‍

Implications for Data Brokers

The CPPA’s proactive enforcement actions highlight the critical importance of compliance with the CDA. Data brokers must:

• Timely Register: Ensure annual registration with the CPPA by the stipulated deadlines to avoid daily fines.​

• Maintain Transparency: Clearly disclose data collection, processing, and selling practices in privacy policies.​

• Honor Deletion Requests: Implement mechanisms to process consumer deletion requests promptly and effectively, and ensure compliance with the soon to be developed CPPA deletion mechanism.

• Prepare for Audits: Establish internal controls and documentation to facilitate compliance with the triennial audit requirements starting in 2028.​

Non-compliance not only results in financial penalties but also risks reputational harm. Data brokers should assess their current practices, ensure adherence to the CDA, and stay informed about regulatory developments to mitigate potential risks.

‍

‍

Conclusion

The California Delete Act represents a significant advancement in consumer privacy protection, placing stringent obligations on data brokers. The CPPA’s recent enforcement actions serve as a clear message that compliance is mandatory, and that failure to comply can cause irreparable harm to covered businesses. Data brokers must work with information privacy professionals to proactively align their operations with the CDA’s requirements to uphold consumer trust and avoid regulatory penalties.