[co-authors: James O'Reilly and Sharilyn Clark*]
In the fifth in our series on California developments, we turn to data broker obligations. There are two of note. First, the California privacy agency is moving forward with the Delete Act regulations it proposed earlier this year. (Its board voted last month to send the regulations addressing data broker requirements to the Office of Administrative Law for review and approval.) Second, it announced an investigative sweep of compliance with the Act.
Delete Act Regulations
Under the Delete Act, a data broker is a business that “knowingly collects and sells” personal information about consumers with whom it does not have a direct relationship. The law, as many are aware, requires annual registration with the state (similar to laws in Texas, Oregon, and Vermont). There are exceptions, including for businesses governed by GLBA and for entities whose processing of information falls under HIPAA.
The Delete Act regulations, if approved, will become effective January 1, 2025. The rules set the annual data broker registration fee at $400. The rules also clarify that the obligation to register falls on any business that meets the data broker definition, “regardless of its status as a parent company or subsidiary of another business.” As outlined in the rules, data brokers will not be removed from the registry but can provide updated contact information.
Agency Sweep
In advance of the next annual data broker registration deadline (January 31, 2025), the CPPA announced it will take “appropriate actions” against those who do not register. Appropriate actions could include a penalty of $200 per day plus administrative costs. In its announcement, the CPPA also reminded data brokers that they must do the following:
- Report if their collection of data includes personal information of children under 16, precise geolocation data, or reproductive healthcare data. Reproductive healthcare data is defined in the proposed rules as including information about searching for, buying, or otherwise “interacting” with goods like contraception or fertility vitamins.
- Provide a link on the company’s website that informs consumers of their rights under the California Consumer Privacy Act.
- Disclose the number of data deletion requests they receive and the average response time.
What’s Next?
California is planning to launch a Data Broker Requests and Opt-Out Platform (“DROP”). It will let consumers direct all data brokers to delete their personal information in a single request. Data brokers must then also delete the requestor’s personal information every 45 days. DROP is supposed to be available in 2026. Beginning in 2028, the CPPA will require covered businesses to undergo an independent audit every three years to verify compliance.
*James O’Reilly and Sharilyn Clark are Cybersecurity and Privacy Fellows in the firm’s Chicago office.
Putting it into Practice: The draft rules provide a baseline for what to expect from the CPPA in these areas. The board expressed its intention to make significant changes to the draft rules during the formal rulemaking process. Companies should keep an eye out for these changes and submit any relevant comments to the CPPA for consideration.