October 23, 2019

October 23, 2019

Subscribe to Latest Legal News and Analysis

October 22, 2019

Subscribe to Latest Legal News and Analysis

October 21, 2019

Subscribe to Latest Legal News and Analysis

CCPA and California’s New Registration Requirement

The California legislature made several amendments to the California Consumer Privacy Act (“CCPA”) last Friday, September 13, 2019.  This post focuses on the enactment of Assembly Bill No. 1202, which requires certain businesses that sell consumers’ personal information, as defined under the CCPA, to register as data brokers with the California Attorney General.  For more information about the CCPA, see our prior alerts on applicability and conducting gap assessments, and remember to Register for our October 17, 2019 webinar covering the final requirements under the law.

Assembly Bill No. 1202

In a surprise move, the California legislature passed Assembly Bill No. 1202 (“A.B. 1202”) on September 13, 2019, and will now head to the governor’s desk for a final signature.  This new law requires “data brokers” to register with the California Attorney General’s Office on an annual basis.

What are “data brokers?”

Under A.B. 1202, a “data broker” is “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

Consumer reporting agencies covered by the federal Fair Credit Reporting Act, financial institutions covered by the Gramm-Leach-Bliley Act, and entities covered by the Insurance Information and Privacy Protection Act are all exempted from the data broker registration requirement.[1]

What is a “direct relationship?”

A.B. 1202 does not define “direct relationship” but states that a direct relationship can be formed in a variety of ways, such as by visiting a business’ premises or internet website, or by affirmatively and intentionally interacting with a business’ online advertisements.”  Presumably, what is or is not a direct relationship will be determined on case-by-case basis.

Absent guidance from the California Attorney General, it can be helpful to analyze the data broker registration requirements in Vermont, the only other U.S. jurisdiction that currently requires such registration.  Vermont enacted a data broker law (9 V.S.A. §§ 2430, 2433, 2446 and 2447) that is somewhat similar to A.B. 1202 and went into effect earlier this year.  Just like the new California law, Vermont’s law defines a data broker as a business that does not have a “direct relationship” with the consumer.  The Vermont Attorney General has provided guidance that includes examples of what constitutes a “direct relationship.”  Under Vermont law, a direct relationship exists if the consumer is a: (i) customer, client, subscriber, user, or registered user of the business’s goods or services; (ii) employee, contractor, or agent of the business; (iii) investor in the business; or (iv) donor to the business.  Furthermore, the Vermont Attorney General has provided examples of businesses who are not data brokers, such as retailers that sell information about their customers and businesses that sell information about their employees.

What are the registration requirements?

A.B. 1202 requires data brokers to register with California’s Attorney General on or before January 31 following each year in which a business meets the definition of a data broker and pay a registration fee. The registration fee will be “determined by the Attorney General.”  Data brokers will have to provide their name and primary physical, email, and internet website addresses.  Additionally, the data broker can provide “any additional information or explanation the data broker chooses to provide concerning its data collection practices.”  The California Attorney General will create an internet website where this information will be made publicly available.

A.B. 1202 does not require data brokers to provide information about how consumers may exercise their CCPA right to opt-out of the sale of their personal information. On the other hand, Vermont’s law does not require data brokers to allow consumers to opt-out, but if a process to opt-out is available, data brokers must disclose that process in their registration together with information about the data collection, databases, or sales activities from which consumers may not opt out.

Data brokers who fail to register are subject to injunction, civil penalties, and costs related to actions brought by the California Attorney General’s Office.  Penalties include a civil penalty of $100 for each day that the data broker fails to register as required, and expenses incurred by the Attorney General in investigating and prosecuting an action brought under this law.


[1] Cal. Civ. Code. § 1798.99.80(d).

© Copyright 2019 Squire Patton Boggs (US) LLP

TRENDING LEGAL ANALYSIS


About this Author

Shalin Sood, Squire Patton Boggs Law Firm, Washington DC, Cybersecurity Law Attorney
Associate

Shalin “Shawn” Sood is an associate in the Data Privacy & Cybersecurity Practice. Shawn advises clients on a variety of issues, including cybersecurity best practices and risk assessments, incident response programs and cybersecurity compliance. He also assists clients on compliance with the EU General Data Protection Regulation (GDPR) and establishing robust and thorough data privacy programs. He also has experience in representing international businesses in compliance and investigations from federal and state governments.

202-457-6183
Lydia de la Torre Privacy Lawyer Squire Patton Boggs
Of Counsel

Lydia de la Torre provides strategic privacy compliance advice related to US and EU privacy, including data protection and cybersecurity law, General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), other state’s privacy and cyber laws, US financial privacy laws, and marketing and advertising compliance, as well as information security. She also represents clients in investigations with an eye toward helping them avoid litigation.

Lydia’s work in-house and with organizations has run the gamut, from pre-IPO start-ups to mature Fortune 500 companies, in a multitude of industries, including e-commerce, fintech and computer hardware. This experience has provided her with a direct understanding of client concerns.

Before joining the firm, Lydia served as co-director of the Santa Clara Law School Data Privacy Certificate Program, where she continues to teach privacy law.

Lydia is a frequently invited speaker on privacy-related topics, such as the freedom of speech implications of privacy laws, ethics and privacy, the application of privacy laws to blockchain technology, financial privacy laws and the CCPA. She is also a prolific writer and has been published in a variety of outlets, from mainstream media to privacy and legal publications. She is the editor of Golden Data, a Medium publication focused on data laws.

Lydia is a member of the California Lawyers Association’s Antitrust and Privacy Section and an adjunct professor at Santa Clara Law School.

650 843 3227
Elliot Golding Privacy and Cybersecurity Attorney Squire Patton Boggs
Partner

Elliot Golding is a member of Squire Patton Boggs' Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He was selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, which recognizes those who “represent the best and the brightest of the data law bar around the world.”

Elliot partners with clients to proactively...

202-457-6407