United States: California's New Data Broker Requirements

Last year, we discussed the growing focus and increased regulation on data brokers nationwide, including bills in California, Delaware, Massachusetts, Oregon, and Washington. Now, California has a new bill (S.B. 362) that would revamp its requirements on data brokers and provide California residents new rights over their personal information. The bill is now on California Governor Gavin Newsom's desk for signature. The purpose of this bill is to address differences between existing data broker requirements and the California Consumer Privacy Act (CCPA).

California, as required by its Data Broker Registration Law, has previously required that data brokers register with the California Attorney General each year and pay an annual registration fee. A "data broker" was defined as "a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." The new bill keeps the same definition of a "data broker" but requires data brokers to register with the California Privacy Protection Agency instead.

The bill's new requirements include, but are not limited to:

• Registration Information Requirements. When registering, a data broker will need to provide the following information:
  • The name of the data broker and its primary physical, email, and internet website addresses.
  • The number of consumer requests (under the CCPA) received, compiled, or denied in the previous calendar year.
  • The median and mean number of days in which the data broker substantively responded to such CCPA consumer requests in the previous calendar year.
  • Whether the data broker collects the personal information of minors.
  • Whether the data broker collects consumers' precise geolocation.
  • Whether the data broker collects consumers' reproductive health care data.
  • A link to the data broker's website.

A data broker must also disclose the metrics compiled pursuant to (2) and (3) above within the data broker's privacy policy posted on its internet website.

• Website/Privacy Policy. In addition to disclosing the metrics compiled pursuant to (2) and (3) above, the data broker's website must include details on how a consumer can exercise their rights under the CCPA, including but not limited to, the right to delete, correct, opt-out of the sale or sharing of personal information, and limit the use of sensitive personal information.

• Third-Party Audit. Beginning January 1, 2028, and every three years thereafter, a data broker shall undergo an audit by an independent third party to determine the data broker's compliance with the new bill's requirements. These audits must be maintained for at least six years.

To note, a "data broker" does not include an entity that is regulated by the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, the Insurance Information and Privacy Protection Act, or the Health Insurance Portability and Accountability Act (to the extent they are exempt under the CCPA).

Taft will continue to monitor developments in this area and will provide updates here and on all our Taft platforms. As always, seek qualified legal counsel whenever making determinations about your company's legal or compliance obligations. Taft's Privacy and Data Security Practice (PDS) stands ready to assist you with a risk-based, common-sense approach to your data governance needs. Stay tuned to Privacy and Data Security Insights and don't forget to download our free mobile app, to give you quick, real-time access to Taft PDS content and updates like this one.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.