Software companies in the business of brokering data are on notice: the state of California intends to keep you on a tight leash.
In anticipation of the January 1, 2020 effective date of the California Consumer Privacy Act (“CCPA”), California took yet another bold step toward protecting the personal information of Californians when it passed a new data broker law on October 11, 2019. The law, AB-1202, applies to anyone in the business of collecting and selling the personal information of consumers and establishes a new compliance framework for data brokers.
Under the new law, data brokers will be required to register with the Attorney General, pay a registration fee, and provide their name, physical address, email, and website address, which will be publicly displayed online. Any data broker who fails to register will be (a) subject to injunction and liable for civil penalties, fees, and costs at a rate of $100 for each day that the data broker fails to register; (b) liable for an amount equal to the fees due during the period it failed to register; and (c) liable for the expenses incurred by the Attorney General in the investigation and prosecution of the action.
What businesses are defined as “data brokers” under the law? The law defines “data broker” to mean a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The law specifically excludes three categories of businesses from the definition of “data broker”: (i) consumer reporting agencies to the extent they are covered by the Fair Reporting Act; (ii) financial institutions to the extent they are covered by the Gramm-Leach-Bliley Act; and (iii) entities covered by the Insurance Information and Privacy Protection Act. “Personal information” is defined to have the meaning provided in subdivision (o) of Section 1798.140, so publicly available information may be excluded to the extent the data is used for a purpose that is compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.
So, if your company is in the business of selling data in any capacity, not only do you need to prepare for the January 1, 2020 launch of the CCPA, you also need to prepare to register with the state of California as a data broker. Businesses will be required to register on or before January 31st following each year in which they meet the definition of a “data broker.”