26 February 2021
Two major laws have passed in California since 2019 that affect many companies: the California Data Broker Law and the California Consumer Privacy Act (CCPA).
Both laws have a significant impact on businesses that sell California consumers' personal information. The Data Broker Law has particularly big implications for businesses that sell the personal information of consumers with whom they don't have a direct relationship.
This article will help you understand whether your business qualifies as a "data broker," and, if so, what steps you need to take.
California's definition of a "data broker" is set out at Section 1798.99.80. (d) of California's Data Broker Law (available here):
This definition covers any business that:
The individual components of this definition derive from another law: the CCPA. Let's look at what the CCPA says, to help you understand whether you meet the definition of a "data broker."
Here's the CCPA's main definition of a "business," at Section 1798.140. (c):
A business is any legal entity that:
Fulfills one or more of the following characteristics:
A business can also be an entity that controls or is controlled by a business, as long as it shares common branding with the business.
A data broker is any entity that meets the CCPA's definition of a "business" and the Data Broker Law's definition of a "data broker." This includes any CCPA-covered business that sells the information of one or more consumer with whom it does not have a direct relationship.
You can build your CCPA Opt-Out code by following the steps below:
The Data Broker Law also takes its definition of "collects" from the CCPA, at Section 1798.140. (c) (e):
This broad definition of "collect" is not confined to obtaining personal information directly from a consumer and includes receiving personal information from a third party. This is crucial to the definition of data brokers, who do not have a direct relationship with consumers.
"Personal information" is defined at Section 1798.140 (o) of the CCPA. Here's the main part of the definition:
Each of the following examples can be personal information, as long as it "identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household":
Personal information as defined in the California Customer Records Statute
Characteristics of protected classifications under California or federal law
Internet or other electronic network activity information
Professional or employment-related information
Education information as defined in the Family Educational Rights and Privacy Act (FERPA, available here)
Inferences drawn from personal information to create a profile about a consumer
Remember that if you qualify as a business, and you sell even one of the above types of data about a California consumer with whom you do not have a direct relationship, you are a "data broker."
"Consumer" is defined under Section 1798.140 (g) of the CCPA, which, in turn, refers to the definition of "resident" in Section 17014 of California's Revenue and Taxation Code (available here):
A "consumer" is any California resident: someone who is living in California on a non-temporary basis, even if they are temporarily outside of California.
The Data Broker Law cites the CCPA's definition of "sale." Here's the core definition, at Section 1798.140 (t) (1)
There are three key elements to this definition:
"Valuable consideration" means any benefit, monetary or otherwise, to which your company is not legally entitled.
This very broad definition of "sale" means many companies unexpectedly find themselves within the CCPA's (and thus the Data Broker Law's) remit. However, there are also some important exceptions to the definition.
We looked in detail at this topic in our article CCPA: What Constitutes a "Sale" of Personal Information?
Finally, here's the definition of "third party," at Section 1798.140 (w) of the CCPA:
A "third party" is anyone other than your own business, OR a person operating under a contract meeting the specifications set out at Section 1798.140 (w) (2) (A).
We discussed the nature of this type of "person" in our article: CCPA: What Constitutes a "Sale" of Personal Information?
The Data Broker Law sets out several exceptions to the definition of "data broker." The following are not data brokers:
Companies covered by one or more of the above laws will not need to comply with the Data Broker Law, even if they would otherwise meet the definition of a "data broker."
Now let's take a look at the requirements for businesses covered by the Data Broker Law.
If you've determined that you meet California's definition of a "data broker," you'll need to register with the California Data Broker Registry.
Consumers can visit the registry and see the list of registered data brokers:
You need to register once per year, before January 31, if you met the definition of a "data broker" in the preceding year. So, if you're a data broker in 2021, your registration deadline is January 31, 2020.
When registering with the Data Broker Registry, you must:
Provide the following information:
Your contact details, including:
If you fail to register, you'll be liable for the following:
The fines and fees will be paid into the California Consumer Privacy Fund.
Remember that these Data Broker Law requirements are in addition to your obligations as a business under the CCPA.
There are extensive rules under the CCPA, particularly for businesses that sell personal information. The CCPA's requirements include:
Under the California Data Broker Law, a "data broker" is a CCPA-covered business that sells the personal information of a consumer with whom the business doesn't have a direct relationship.
Data brokers must:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.