Attention, data brokers: If you operated in California last year, you need to register with the California Privacy Protection Agency (CPPA) by the end of this month.
Otherwise, you might get a nastygram from the CPPA and possibly be hit with a $200 fine for each day you fail to register, as per California’s Delete Act, which went into effect on Jan. 1, 2024.
Going forward, data brokers are required to reregister annually on or before January 31.
(The law also gives California consumers the right to delete all of their personal data from a broker’s database with a single request, but that’s a subject for a future newsletter.)
If you’re thinking, “That sounds intense, but I’m all good, since I’m not a data broker” – well, I’d take a beat. Because you may well be one, according to the CPPA.
Recognize yourself?
The term “data broker” is usually associated with credit-reporting agencies (e.g., Experian, TransUnion and Equifax) and data providers (e.g., Acxiom or Dun & Bradstreet) that aggregate and sell consumer data.
But the Delete Act “casts a much wider net,” says Daniel Goldberg, a partner at Frankfurt Kurnit Klein & Selz and chair of the firm’s data strategy, privacy and security group.
The law defines a data broker as any company that collects and sells personal data about consumers without having a direct relationship with them.
And the CPPA goes even further in its regulations, Goldberg says, by broadly interpreting the word “sell” to include activities such as using data for targeted advertising. According to the CPPA, a “direct relationship” only applies to first-party data.
This means companies using third-party data for targeted advertising may qualify as data brokers under California law, Goldberg says, “even if they do not view themselves in that light.”
And California isn’t the only state with a comprehensive data broker law. Texas and Oregon each have their own – both went into effect on Jan. 1, 2024 – and Vermont has had a data broker law since 2019.
Meanwhile, numerous other states have passed state privacy laws that include obligations for data brokers. And just because a company doesn’t self-identify as a data broker doesn’t mean a regulator will see it that way.
“Buying and selling personal data in any capacity could bring companies into the scope of data broker registry requirements,” says Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals.
Expect more enforcement
Problem is, Zweifel-Keegan says, “many companies are not paying enough attention to this,” despite scrutiny of data brokers being “one of the biggest recent policy trends in privacy.”
Which is no bueno, because regulators are paying attention.
The CPPA already announced financial settlements with four companies at the end of last year for failing to register as data brokers: sales tech startup Growbots, B2B lead gen platform UpLead, ad tech company Infillion and data solutions provider The Data Group.
Meanwhile, the Texas attorney general’s office has sent more than 100 notices of violations to alleged unregistered data brokers, and Goldberg says he’s also aware of warning letters sent by regulators in other jurisdictions, as well as ongoing nonpublic investigations.
“Expect more enforcement in 2025,” he says.
So why aren’t businesses rushing to register? It’s not like they aren’t aware regulators are cracking down.
The issue is, many simply still “don’t realize they may fall under the definition,” Goldberg says.
Spirit vs. letter
And “we didn’t realize” isn’t a defense.
The smart move is to consult a privacy attorney, of course, and review your obligations. But it’s also worth acknowledging the spirit of the law and not just the letter.
“The point of this regulation is transparency,” said Dimitri Sirota, CEO and co-founder of privacy tech company BigID.
Beyond registering as a data broker, the Delete Act also requires that covered companies make disclosures to the CPPA about the types of personal data they collect, how they use it and who they share it with. Data brokers also must inform consumers about why they want to collect data and which third parties are involved.
“By enhancing transparency,” Sirota said, “the Delete Act aims to build trust between consumers and organizations while ensuring that data practices are fair and accountable.”
🙏 Thanks for reading! And am I crazy (don’t answer that) or does this incredible sea creature kinda look like a cat?? Anyway, as always, feel free to drop me a line at allison@adexchanger.com with any comments or feedback.