February 7, 2023

Volume XIII, Number 38


February 06, 2023


CCPA and California’s New Registration Requirement

The California legislature made several amendments to the California Consumer Privacy Act (“CCPA”) last Friday, September 13, 2019.  This post focuses on the enactment of Assembly Bill No. 1202, which requires certain businesses that sell consumers’ personal information, as defined under the CCPA, to register as data brokers with the California Attorney General.  For more information about the CCPA, see our prior alerts on applicability and conducting gap assessments, and remember to register for our October 17, 2019 webinar covering the final requirements under the law.

Assembly Bill No. 1202

In a surprise move, the California legislature passed Assembly Bill No. 1202 (“A.B. 1202”) on September 13, 2019, and the bill will now head to the governor’s desk for a final signature.  This new law requires “data brokers” to register with the California Attorney General’s Office on an annual basis.

What are “data brokers?”

Under A.B. 1202, a “data broker” is “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

Consumer reporting agencies covered by the federal Fair Credit Reporting Act, financial institutions covered by the Gramm-Leach-Bliley Act, and entities covered by the Insurance Information and Privacy Protection Act are all exempted from the data broker registration requirement.[1]

What is a “direct relationship?”

A.B. 1202 does not define “direct relationship” but states that a direct relationship can be formed in a variety of ways, such as by visiting a business’ premises or internet website, or by affirmatively and intentionally interacting with a business’ online advertisements.  Presumably, what is or is not a direct relationship will be determined on a case-by-case basis.

Absent guidance from the California Attorney General, it can be helpful to analyze the data broker registration requirements in Vermont, the only other U.S. jurisdiction that currently requires such registration.  Vermont enacted a data broker law (9 V.S.A. §§ 2430, 2433, 2446 and 2447) that is somewhat similar to A.B. 1202 and went into effect earlier this year.  Just like the new California law, Vermont’s law defines a data broker as a business that does not have a “direct relationship” with the consumer.  The Vermont Attorney General has provided guidance that includes examples of what constitutes a “direct relationship.”  Under Vermont law, a direct relationship exists if the consumer is a: (i) customer, client, subscriber, user, or registered user of the business’s goods or services; (ii) employee, contractor, or agent of the business; (iii) investor in the business; or (iv) donor to the business.  Furthermore, the Vermont Attorney General has provided examples of businesses that are not data brokers, such as retailers that sell information about their customers and businesses that sell information about their employees.

What are the registration requirements?

A.B. 1202 requires data brokers to register with California’s Attorney General, and to pay a registration fee, on or before January 31 following each year in which a business meets the definition of a data broker. The registration fee will be “determined by the Attorney General.”  Data brokers will have to provide their name and primary physical, email, and internet website addresses.  Additionally, the data broker can provide “any additional information or explanation the data broker chooses to provide concerning its data collection practices.”  The California Attorney General will create an internet website where this information will be made publicly available.

A.B. 1202 does not require data brokers to provide information about how consumers may exercise their CCPA right to opt-out of the sale of their personal information. On the other hand, Vermont’s law does not require data brokers to allow consumers to opt-out, but if a process to opt-out is available, data brokers must disclose that process in their registration together with information about the data collection, databases, or sales activities from which consumers may not opt out.

Data brokers who fail to register are subject to injunction, civil penalties, and costs related to actions brought by the California Attorney General’s Office.  Penalties include a civil penalty of $100 for each day that the data broker fails to register as required, and expenses incurred by the Attorney General in investigating and prosecuting an action brought under this law.

[1] Cal. Civ. Code. § 1798.99.80(d).

© Copyright 2023 Squire Patton Boggs (US) LLP

National Law Review, Volume IX, Number 259

About this Author

Shalin Sood, Squire Patton Boggs Law Firm, Washington DC, Cybersecurity Law Attorney

Shalin “Shawn” Sood is an associate in the Data Privacy & Cybersecurity Practice. Shawn advises clients on a variety of issues, including cybersecurity best practices and risk assessments, incident response programs and cybersecurity compliance. He also assists clients on compliance with the EU General Data Protection Regulation (GDPR) and establishing robust and thorough data privacy programs. He also has experience in representing international businesses in compliance and investigations from federal and state governments.

Lydia de la Torre Data Privacy & Cybersecurity Attorney Squire Patton Boggs Palo Alto, CA
Of Counsel

Lydia de la Torre provides strategic privacy compliance advice related to US and EU privacy, including data protection and cybersecurity law, General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), other state’s privacy and cyber laws, US financial privacy laws, and marketing and advertising compliance, as well as information security. She also represents clients in investigations with an eye toward helping them avoid litigation.

Lydia’s work in-house and with organizations has run the gamut, from pre-IPO start-ups to mature Fortune 500 companies, in a...

Elliot Golding Privacy and Cybersecurity Attorney Squire Patton Boggs

Elliot Golding (CIPP/US) is a member of our Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He has been selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, representing the best of the data law bar around the world.

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs,...