August 11, 2020

Volume X, Number 224


August 10, 2020


California Follows Vermont, Requires Data Broker Registration

Joining Vermont, California will now require data brokers to register with the California Attorney General. The law was signed October 11, 2019. It applies to companies that “knowingly” collect and sell personal information about consumers with whom they do not have a “direct relationship.” They must register with the AG by January 31, 2020.

For purposes of the law, a sale is defined as it is under CCPA: namely, giving personal information to third parties either for money or for “other valuable consideration.” The authors of the law compare data brokers and more typical ecommerce businesses. With the former, the consumer does not know about the company’s use of her information or how to control that use.

To register, data brokers will need to provide information and pay a fee to the AG. The AG will collect brokers’ contact information and, according to the law, brokers can also provide information about their data collection practices. The AG will keep a public list on its website of registered data brokers. There are some exceptions to the registration requirement. These include companies regulated by GLB and FCRA. Companies that do not register as required face potential civil penalties of $100 for each day they fail to register.

Putting it into practice: Companies considered “data brokers” will need to address this new registration requirement, in addition to that which exists in Vermont, as we have written about before.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume IX, Number 287


About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...


Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional services agreements, and other commercial agreements involving technology. Julia advises on strategic and operational decisions involved with conducting internal investigations in response to government investigations or for purposes of corporate compliance.