The California Privacy Protection Agency is going after data brokers.

The CPPA board voted earlier this month to adopt new regulations regarding data broker registration requirements. If approved, the regulations will become effective by Jan. 1, 2025.

Key issues that we are discussing with clients that buy and sell data:

  • A business is still a data broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer.
  • A “minor” means a consumer the data broker has actual knowledge is less than 16 years of age. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. (There is no definition of “willfully disregard,” so this will be subject to interpretation. However, there is a definition in the Florida privacy law that may provide insight into what regulators look for here).
  • When reporting, a data broker must provide more granular detail like:
    • The types of personal information the data broker collects and sells that are subject to the enumerated laws
    • The specific product(s) or services covered by the enumerated state or federal laws
    • The approximate proportion of data collected and sold that is subject to the enumerated laws in comparison with their total annual data collection and sales (i.e., percentage of their general data broker activities).
  • The CPPA board also moved the data protection assessment and automated decision-making regs to formal rulemaking.