California’s Delete Act imposes landmark obligations on companies deemed to be “data brokers,” and the new regulations recently approved by the California Privacy Protection Agency (CPPA) will significantly expand the range of companies that may be “data brokers.” Companies have limited time to work through the potential impact of these regulations, which, if approved by the Office of Administrative Law, will be effective January 1, 2025.
Expanded Scope of “Data Broker” Status
The Delete Act defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”[1] (Cal. Civ. Code § 1798.99.80). The new regulations narrow the meaning of “direct relationship” in new and unexpected ways, which may subject consumer-facing businesses to the Delete Act when they previously may have assumed they were excluded.
- A “direct relationship” expires 3 years after the consumer’s last interaction with the business
A “direct relationship” involves the consumer intentionally interacting with a business to obtain information about, access, purchase, use, or request products or services. Under the new regulations, a business only has a “direct relationship” with a consumer who has engaged with the business within the last 3 years. (Cal. Code Regs. tit. 11, § 7601(a)). Thus, if a business sells personal information of a consumer who has not interacted with the business within the past 3 years, this may cause the business to become a data broker under the Delete Act.
This change is significant because it will require a company to track consumer interactions with the company and invest in expanded data minimization compliance obligations, if it wishes to sell personal information about that consumer without becoming a data broker.[2]
In practice, however, this three-year timeframe may still give companies a reasonable period to engage in “sales” of a consumer’s personal information without registering as a data broker. For example, information collected and disclosed for targeted advertising may become outdated well before the end of this 3-year period, and “sales” may focus on newer data. Effectively, the new regulations suggest that businesses can sell personal information collected directly from consumers for up to three years after the consumer’s last interaction with them, without being required to register as a data broker.
- Even where the business has a direct relationship with the consumer, the business may still be a data broker if it sells personal information that it did not collect directly from that consumer
Under the new regulations, even if a company collects information directly from consumers, the company may still be considered a data broker, and thus subject to the Delete Act, for personal information that the company collected from other sources and sold to third parties. (Cal. Code Regs. tit. 11, § 7601(a))
The source of the data, rather than the relationship with the consumer, is a key consideration when assessing data broker status. Companies that may have assumed they were not data brokers because of their direct relationships with consumers will now need to consider whether they sell personal information that they did not collect directly from those consumers—again, keeping in mind the expansive definition of “sale” under the CCPA. The regulations do not provide further guidance, such as to what extent this may include inferences drawn from data collected from the consumer.
New Data Broker Registration Details
The regulations also include a number of procedural requirements to strengthen the data broker registration process, detailing parties that must register, limits on altering entries, expanded obligations for data subject to laws exempt from the CCPA, and certification standards (Cal. Code Regs. tit. 11, §§ 7602, 7603, 7604):
- A business that meets the definition of a data broker must register regardless of whether a parent company or associated subsidiary has registered as a data broker.
- If a data broker is regulated by certain laws that provide exemptions from CCPA obligations (e.g., GLBA or HIPAA), the data broker must provide certain additional information in its registration, such as the types of personal information the data broker collects and sells that are subject to those laws and the approximate proportion of data collected and sold that is subject to those laws in comparison with their total annual data collection and sales.
- The data broker registration must be signed under penalty of perjury by an employee or agent of the data broker who is authorized to register the data broker and has sufficient knowledge of the data broker’s practices to provide accurate information.
Takeaways
The new regulations significantly expand the Delete Act’s applicability, including to consumer-facing businesses that previously may have believed that they would be excluded due to their direct relationships with consumers. These regulations highlight the CPPA’s continued interest and focus on data broker issues, which also is demonstrated by the CPPA’s investigative sweep of data broker registration compliance and recent settlements with data brokers for failure to register as required by the Delete Act.
[1] Most of the key terms in the Delete Act have the meanings set forth in the CCPA: for example, “sale” refers disclosure of personal information “for monetary or other valuable consideration,” and thus a business may be a “data broker” based on its disclosure of personal information to business partners or other third parties, even if it receives no payment or other financial benefit.
[2] The regulations note that a consumer does not create a “direct relationship” with a business when communicating with the business to exercise CCPA rights. (Cal. Code Regs. tit. 11, § 7601(a)). For example, if a consumer last interacted with a business for commercial purposes over 3 years ago, but recently contacted the company to make a CCPA request, this new contact would not reestablish a “direct relationship” with that consumer—and the business’ sale of personal information about that consumer may still cause the business to become a data broker.
/Passle/5832ca6d3d94760e8057a1b6/MediaLibrary/Images/2024-11-22-14-03-26-931-67408f2e942763af68945f83.png)