Last week, the California Privacy Protection Agency (CPPA) announced it will conduct a public investigative sweep of data broker registration compliance under the California Delete Act.

Pursuant to the Act, a “data broker” is “a business that knowingly collects and sells to third parties the personal information of a [California] consumer with whom the business does not have a direct relationship.” “Selling” is defined broadly and includes the transfer of personal information for any valuable or monetary consideration. There are exceptions to this definition of a data broker, such as businesses covered and regulated by the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act.

The Act requires each data broker to pay an annual registration fee along with its annual registration submission identifying itself as a data broker, and to provide the following information to the CPPA:

  1. Whether the business collects the personal information of minors, reproductive health care data, or precise geolocation data;
  2. The number of consumer rights requests the business received during the prior calendar year; and
  3. The median and mean number of days by which the business substantively responded to those requests.

Each data broker is also required to disclose this information via a link on its website.

Michael Macko, head of the CCPA enforcement division, said in a press release, “Californians have a right to know who is trafficking in their personal information. That’s why California law requires data brokers to register. For data brokers skirting the law, the fine increases with each passing day. Our Enforcement Division will seek to recover this fine because it’s unfair to the data brokers who have complied with their obligations.”

The press release further stated: “The immense volume of personal information sold by data brokers can pose a significant threat to Californians’ privacy. It’s crucial for data brokers to register with our Agency, so the public can be informed and empowered to exercise their rights. And starting in 2026, these rights will be even stronger with the new deletion mechanism.” Note that all businesses that are data brokers under the Act must register by January 31, 2025, or face a penalty of $200 per day.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.