In October 2023, California Governor Gavin Newsom signed Senate Bill (S.B.) 362 into law, amending California’s data broker registration law. By January 31, 2024, qualifying data brokers must register with the California Privacy Protection Agency (“Agency”), and report certain additional information by July 1. Failure to comply may result in administrative fines or other costs. The following alert summarizes notable reporting and registration changes, and what action items qualifying organizations should take.
When do the amendments apply?
The amended law has been effective since January 1, 2024.
To whom do the amendments apply?
The previous law, as amended, applies to a “data broker,” which is a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”[1] Notably, the amended law removed the definition of “business,” and now expressly incorporates the definitions from the California Consumer Privacy Act (CCPA).[2] Consequently, the CCPA’s “selling” definition applies, which is broadly defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating... a consumer’s personal information... to a third party for monetary or other valuable consideration.”[3] So, businesses that meet the CCPA threshold and which do not have a direct relationship with a consumer, but knowingly collect and sell that consumer’s personal information to third parties, are subject to the California data broker registration law. For instance, these businesses may include companies that scrape together data and license it to political lobbying groups or companies that analyze marketing data on behalf of a third party and sell those results back to the third party or others.
However, the definition of a “data broker” does not include “an entity” to the extent it is covered by the federal Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, or the Insurance Information and Privacy Protection Act, or an entity to the extent it is processing personal information that is exempt under Cal. Civ. Code Section 1798.146, such as protected health information under HIPAA or medical information under California’s Confidentiality of Medical Information Act.[4]
What does a data broker have to do now?
Registration and reporting. In-scope data brokers must register with the Agency by January 31, 2024, and continue registering with the Agency by January 31 of every year that the business qualifies as a “data broker.”[5] The original law required the data broker to pay a registration fee and provide the data broker’s internet website address. The amended law now requires the data broker to provide additional information, including, among other things, a link to the data broker’s privacy notice (or a page that details how consumers may exercise their privacy rights) and information on whether the data broker collects personal information of a minor, reproductive health care data, or consumers’ precise geolocation.[6] Data brokers may visit the Data Broker Registry site to fulfill their reporting requirements.
As a new reporting requirement, data brokers must disclose to the Agency the broker’s metrics on its responses to consumer deletion requests by July 1 of each year and post these metrics on the data broker’s website.[7] These metrics include the number of deletion requests the data broker received, complied with, and denied, and the average number of days it took for a data broker to respond to the requests. Importantly, these metrics are based on a data broker’s responses from the previous calendar year.[8] For 2024, a data broker must compile its metrics from the 2023 calendar year and report to the Agency by July 1, 2024.
What does a data broker have to do in the future?
Deletion Mechanism. By January 1, 2026, the Agency will create a new deletion mechanism that allows California consumers to submit a single deletion request.[9] This deletion request is then communicated to all data brokers that maintain that consumer’s personal information.[10]
By August 1, 2026, data brokers will need to access this mechanism at least once every 45 days and process deletion requests and delete the consumer’s personal information, unless the request could not be verified or if an exception applies.[11] Data brokers must also direct their service providers to delete the consumer’s personal information. Also, by August 1, 2026, data brokers must continue to delete the consumer’s personal information at least once every 45 days following the first deletion request and cannot sell or share that personal information, unless in either case the customer requests otherwise or an exception applies.[12]
Audits. By January 1, 2028 (and for every three years thereafter), data brokers must engage an independent third party to conduct an audit to determine the data brokers’ compliance with the amended law.[13] Data brokers must submit the audit results upon the Agency’s request.
What are the consequences of noncompliance?
The amended law imposes an administrative fine of $200 for every day the data broker fails to register or respond to a valid deletion request.[14] Data brokers may also be required to cover the costs the Agency incurs in investigating and administering this law.
Takeaways (as applicable)
- Consider and evaluate whether your organization, in whole or in part, acts as a data broker (and whether any exemptions may apply).
- Register with the Agency as a data broker no later than January 31, 2024, and establish procedures to provide this information on a yearly basis.
- Compile deletion request metrics in preparation for the July 1, 2024 deadline and establish procedures to collect and provide this information on a yearly basis.
- Update the privacy notice on your website (or if none, use this opportunity to post one) summarizing your data collection practices, the consumer’s privacy rights, and, after July 1, 2024, your organization’s deletion request metrics.
[1] Cal. Civ. Code § 1798.99.80(c).
[2] See Cal. Civ. Code § 1798.99.80(a); Cal. Civ. Code § 1798.140(d). The amended law also incorporates by reference the CCPA’s definitions of “personal information.”
[3] Cal. Civ. Code § 1798.140(ad)(1).
[4] Cal. Civ. Code § 1798.99.80(c)(1)-(4). The law as revised removed references to a “consumer reporting agency” or “financial institution.”
[5] Cal. Civ. Code § 1798.99.82(a).
[6] Cal. Civ. Code § 1798.99.82(b). The Agency will publicize the registration information via a publicly available website.
[7] Cal. Civ. Code § 1798.99.85(a).
[8] Cal. Civ. Code § 1798.99.85(a)(1)-(2).
[9] Cal. Civ. Code § 1798.99.86(a).
[10] Cal. Civ. Code § 1798.99.86(b)-(c).
[11] Cal. Civ. Code § 1798.99.86(c)(1)(B); Cal. Civ. Code § 1798.99.86(c)(2), respectively.
[12] Cal. Civ. Code § 1798.99.86(d).
[13] Cal. Civ. Code § 1798.99.86(e).
[14] Cal. Civ. Code § 1798.99.82(c)-(d).