As you may or may not know, California requires data brokers to register with the state. The bill that expanded the requirements and transferred authority to the California Privacy Protection Agency (CPPA) was signed into law in October 2023, and compliance with the registration requirement went into effect on January 31, 2024. The Agency Board met last week and voted to adopt newly drafted regulations to amend the current requirements.
If you are wondering whether you are a data broker, see the definition below.
(c) “Data broker” means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. “Data broker” does not include any of the following:
(1) An entity to the extent that it is covered by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(2) An entity to the extent that it is covered by the Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.
(3) An entity to the extent that it is covered by the Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).
(4) An entity, or a business associate of a covered entity, to the extent their processing of personal information is exempt under Section 1798.146. For purposes of this paragraph, “business associate” and “covered entity” have the same meanings as defined in Section 1798.146.
If the Office of Administrative Law approves the proposed regulation, the effective date will be for the January 2025 registration period. What are the proposed changes?
- Requires data brokers to pay the registration fee by credit card, subject to certain exceptions, and to cover any transaction fees associated with the electronic payment.
The kicker is that the fee for 2024 was $400; moving forward, the proposed fee will be adjusted to $6,600. Yep, you read that correctly: a 1550% increase to the fee. They state that the astronomical increase in the fee is to help fund the deletion mechanism DROP (Delete Request and Opt-Out Platform) that will be implemented in 2026. The registration fee will not be prorated or refundable.
- Clarifies that data broker businesses are required to uniquely register regardless of status as a parent company or subsidiary.
- Requires data brokers to provide a point of contact which can be used by the Agency, but that will not be posted on the public registry.
- Clarifies reporting requirements for data brokers covered by FCRA, GLBA, IIPPA, CMIA, and HIPAA (see Civ. Code § 1798.99.82(b)(2)(H)).
- Requires data brokers to sign registrations under penalty of perjury to affirm that the information submitted on the registration form is true and correct.
- Clarifies that the registration period is January 1-31.
- Adds a few definitions, including one that will assist in determining if a business falls into the data broker category:
(a) “Direct relationship” means that a consumer intentionally interacts with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business’s products or services within the preceding three years. A consumer does not have a “direct relationship” with a business if the purpose of their engagement is to exercise any right described under Title 1.81.5 of Part 4 of Division 3 of the Civil Code, or for the business to verify the consumer’s identity. A business is still a data broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer.
It’s important to note that failing to register could incur fines of up to $200 per day, plus expenses incurred by the CPPA for investigation and administration of the action. You can check out the press release here.