The California legislature made several amendments to the California Consumer Privacy Act (“CCPA”) last Friday, September 13, 2019. This post focuses on the enactment of Assembly Bill No. 1202, which requires certain businesses that sell consumers’ personal information, as defined under the CCPA, to register as data brokers with the California Attorney General. For more information about the CCPA, see our prior alerts on applicability and conducting gap assessments, and remember to Register for our October 17, 2019 webinar covering the final requirements under the law.
Assembly Bill No. 1202
In a surprise move, the California legislature passed Assembly Bill No. 1202 (“A.B. 1202”) on September 13, 2019, and will now head to the governor’s desk for a final signature. This new law requires “data brokers” to register with the California Attorney General’s Office on an annual basis.
What are “data brokers?”
Under A.B. 1202, a “data broker” is “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”
Consumer reporting agencies covered by the federal Fair Credit Reporting Act, financial institutions covered by the Gramm-Leach-Bliley Act, and entities covered by the Insurance Information and Privacy Protection Act are all exempted from the data broker registration requirement.[1]
What is a “direct relationship?”
A.B. 1202 does not define “direct relationship” but states that a direct relationship can be formed in a variety of ways, “such as by visiting a business’ premises or internet website, or by affirmatively and intentionally interacting with a business’ online advertisements.” Presumably, what is or is not a direct relationship will be determined on case-by-case basis.
Absent guidance from the California Attorney General, it can be helpful to analyze the data broker registration requirements in Vermont, the only other U.S. jurisdiction that currently requires such registration. Vermont enacted a data broker law (9 V.S.A. §§ 2430, 2433, 2446 and 2447) that is somewhat similar to A.B. 1202 and went into effect earlier this year. Just like the new California law, Vermont’s law defines a data broker as a business that does not have a “direct relationship” with the consumer. The Vermont Attorney General has provided guidance that includes examples of what constitutes a “direct relationship.” Under Vermont law, a direct relationship exists if the consumer is a: (i) customer, client, subscriber, user, or registered user of the business’s goods or services; (ii) employee, contractor, or agent of the business; (iii) investor in the business; or (iv) donor to the business. Furthermore, the Vermont Attorney General has provided examples of businesses who are not data brokers, such as retailers that sell information about their customers and businesses that sell information about their employees.
What are the registration requirements?
A.B. 1202 requires data brokers to register with California’s Attorney General on or before January 31 following each year in which a business meets the definition of a data broker and pay a registration fee. The registration fee will be “determined by the Attorney General.” Data brokers will have to provide their name and primary physical, email, and internet website addresses. Additionally, the data broker can provide “any additional information or explanation the data broker chooses to provide concerning its data collection practices.” The California Attorney General will create an internet website where this information will be made publicly available.
A.B. 1202 does not require data brokers to provide information about how consumers may exercise their CCPA right to opt-out of the sale of their personal information. On the other hand, Vermont’s law does not require data brokers to allow consumers to opt-out, but if a process to opt-out is available, data brokers must disclose that process in their registration together with information about the data collection, databases, or sales activities from which consumers may not opt out.
Data brokers who fail to register are subject to injunction, civil penalties, and costs related to actions brought by the California Attorney General’s Office. Penalties include a civil penalty of $100 for each day that the data broker fails to register as required, and expenses incurred by the Attorney General in investigating and prosecuting an action brought under this law.
[1] Cal. Civ. Code. § 1798.99.80(d).