Joining Vermont, California will now require data brokers to register with the California Attorney General. The law was signed October 11, 2019. It applies to companies that “knowingly” collect and sell personal information about consumers with whom they do not have a “direct relationship.” They must register with the AG by January 31, 2020.
For purposes of the law, a sale is defined as it is under CCPA. Namely, giving personal information to third parties either for money or for “other valuable consideration.” The authors of the law compare data brokers and more typical ecommerce businesses. With the former, the consumer does not know about the company’s use of her information or how to control that use.
To register, data brokers will need to provide information and pay a fee to the AG. Information the AG will collect is brokers’ contact information and according to the law, can provide information about information about its data collection practices. The AG will keep a public list on its website of registered data brokers. There are some exceptions to the registration requirement. This includes companies regulated by GLB and FCRA. Companies who do not register as required face potential civil penalties of $100 for each day it fails to register.
Putting it into practice: Companies considered “data brokers” will need to address this new registration requirement, in addition to that which exists in Vermont, as we have written about before.