Data Brokers and California Law

Two major laws have passed in California since 2019 that affect many companies: the California Data Broker Law and the California Consumer Privacy Act (CCPA), as amended by the CPRA.

Both laws have a significant impact on businesses that sell California consumers' personal information. The Data Broker Law has particularly big implications for businesses that sell the personal information of consumers with whom they don't have a direct relationship.

This article will help you understand whether your business qualifies as a "data broker," and, if so, what steps you need to take.

What is a "Data Broker?"

California's definition of a "data broker" is set out at Section 1798.99.80. (d) of California's Data Broker Law (available here):

This definition covers any business that:

• Knowingly collects the personal information of a consumer
• Does not have a direct relationship with that consumer, and
• Sells the consumers' personal information to third parties

The individual components of this definition derive from another law: the CCPA (CPRA). Let's look at what the CCPA (CPRA) says, to help you understand whether you meet the definition of a "data broker."

What is a "Business?"

Here's the CCPA/CPRA's main definition of a "business," at Section 1798.140. (c):

A business is any legal entity that:

• Operates for profit in California (it doesn't need to have any physical presence in the state)
• Determines the purposes and means of the processing of personal information (decides how and why to process personal information)

• Fulfills one or more of the following characteristics:

  • It has annual gross revenues of more than $25 million
  • It annually buys, receives for commercial purposes, sells, and/or shares for commercial purposes, the personal information of at least 100,000 consumers, devices, and/or households, or
  • It derives more than 50 percent of its annual gross revenues from selling or sharing consumers' personal information

A business can also be an entity that controls or is controlled by a business, as long as it shares common branding with the business.

A data broker is any entity that meets the CCPA/CPRA's definition of a "business" and the Data Broker Law's definition of a "data broker." This includes any CCPA/CPRA-covered business that sells the information of one or more consumer with whom it does not have a direct relationship.

Definition of "Collects"

The Data Broker Law also takes its definition of "collects" from the CCPA, at Section 1798.140. (c) (e):

This broad definition of "collect" is not confined to obtaining personal information directly from a consumer and includes receiving personal information from a third party. This is crucial to the definition of data brokers, who do not have a direct relationship with consumers.

What is "Personal Information?"

"Personal information" is defined at Section 1798.140 (o) of the CCPA. Here's the main part of the definition:

Each of the following examples can be personal information, as long as it "identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household":

• Identifiers

  • Name, social security number, email address, postal address, alias.

• Personal information as defined in the California Customer Records Statute

  • These examples are available here, and include "[...] employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information."

• Characteristics of protected classifications under California or federal law

  • Sexual orientation, gender identity and gender expression, race, color, ancestry. national origin, religion, sex, health conditions, AIDS/HIV status, disability: physical or mental, age (if 40 and older), genetic information, marital status, military service or veteran status, political affiliations, status as a victim of domestic violence, assault, or stalking.

• Commercial information

  • Records of personal property, purchase or spending habits.

• Biometric information

  • Iris, retina, fingerprint, face, hand, palm images vein patterns. Voice recordings, keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data.

• Internet or other electronic network activity information

  • Browsing history, search history website, application, or advertisement (e.g. analytics information).

• Geolocation data

  • Information gathered from GPS or other location-tracking techniques.
• Audio, electronic, visual, thermal, olfactory, or similar information

• Professional or employment-related information

  • Employment history, professional qualifications of accreditations.

• Education information as defined in the Family Educational Rights and Privacy Act (FERPA, available here)

  • A student's name, address, telephone number, date and place of birth, honors and awards, dates of attendance.

• Inferences drawn from personal information to create a profile about a consumer

  • This could be a profile based on cookie data or buying habits on an ecommerce website.

Remember that if you qualify as a business, and you sell even one of the above types of data about a California consumer with whom you do not have a direct relationship, you are a "data broker."

Definition of a "Consumer"

"Consumer" is defined under Section 1798.140 (g) of the CCPA, which, in turn, refers to the definition of "resident" in Section 17014 of California's Revenue and Taxation Code (available here):

A "consumer" is any California resident: someone who is living in California on a non-temporary basis, even if they are temporarily outside of California.

What Counts as "Selling?"

The Data Broker Law cites the CCPA/CPRA's definition of "sale." Here's the core definition, at Section 1798.140 (t) (1)

There are three key elements to this definition:

• Communicating a consumer's personal information
• To a third party
• For valuable consideration

"Valuable consideration" means any benefit, monetary or otherwise, to which your company is not legally entitled.

This very broad definition of "sale" means many companies unexpectedly find themselves within the CCPA/CPRA's (and thus the Data Broker Law's) remit. However, there are also some important exceptions to the definition.

We looked in detail at this topic in our article CCPA: What Constitutes a "Sale" of Personal Information?

Definition of a "Third Party"

Finally, here's the definition of "third party," at Section 1798.140 (w) of the CCPA:

A "third party" is anyone other than your own business, OR a person operating under a contract meeting the specifications set out at Section 1798.140 (w) (2) (A).

We discussed the nature of this type of "person" in our article: CCPA: What Constitutes a "Sale" of Personal Information?

Data Broker Exceptions

The Data Broker Law sets out several exceptions to the definition of "data broker." The following are not data brokers:

• Consumer reporting agencies covered by the Fair Credit Act (available here)
• Financial institutions regulated under the Gramm-Leach-Bliley Act (available here)
• Any entity covered by the Insurance Information and Privacy Protection Act (available here)

Companies covered by one or more of the above laws will not need to comply with the Data Broker Law, even if they would otherwise meet the definition of a "data broker."

Data Broker Requirements

Now let's take a look at the requirements for businesses covered by the Data Broker Law.

Register with the California Data Broker Registry

If you've determined that you meet California's definition of a "data broker," you'll need to register with the California Data Broker Registry.

Consumers can visit the registry and see the list of registered data brokers:

You need to register once per year, before January 31, if you met the definition of a "data broker" in the preceding year. So, if you're a data broker in 2021, your registration deadline is January 31, 2020.

When registering with the Data Broker Registry, you must:

• Pay a registration fee. At the time of writing, this is $400.

• Provide the following information:

  • Your contact details, including:

    • Name
    • Primary physical address
    • Primary email address
    • Website addresses
  • Any additional information or explanation you choose to provide concerning your data collection practices

Penalties for Not Registering

If you fail to register, you'll be liable for the following:

• A civil penalty of $100 per day
• The fee for last year (if you were required to register and failed to do so)
• Any costs incurred by the Attorney General in investigating and prosecuting you

The fines and fees will be paid into the California Consumer Privacy Fund.

Other CCPA (CPRA) Obligations

Remember that these Data Broker Law requirements are in addition to your obligations as a business under the CCPA (CPRA).

There are extensive rules under the CCPA, particularly for businesses that sell personal information. The CCPA/CPRA's requirements include:

• Creating a Privacy Policy
• Providing notice at collection
• Setting up a "Do Not Sell My Personal Information" page
• Facilitating CCPA/CPRA consumer rights requests
• Setting up service provider agreements
• Protecting personal information in your control

Summary

Under the California Data Broker Law, a "data broker" is a CCPA/CPRA-covered business that sells the personal information of a consumer with whom the business doesn't have a direct relationship.

Data brokers must:

• Register with the Data Broker Registry
• Pay an annual fee
• Provide details about their business