Below is a proposal to enhance the California Data Broker Registry Law and better align it with the California Privacy Rights Act. I first provide background on why the Data Broker Registry Law should change and what should be done, and then provide the proposed edits to the law itself.
In October of 2019 California passed AB 1202, which requires “data brokers to register with, and provide certain information to, the Attorney General”; in turn, the Cal AG office would provide a website that lists all the registered data brokers. There is a nominal penalty of $100 per day for failure to register. The intent of the law is “to further Californians’ right to privacy by giving consumers an additional tool to help control the collection and sale of their personal information by requiring data brokers to register annually with the Attorney General and provide information about how consumers may opt out of the sale of their personal information.” It went into effect on January 1, 2020.
Given that the passage of Proposition 24 (the California Privacy Rights Act of 2020, aka CPRA) has transferred enforcement of California’s privacy law from the Cal AG to the California Privacy Protection Agency (CalPPA), and that AB 1202 is about furthering Californians’ right to privacy vis-à-vis the usage of personal data, it makes sense to move the registration of data brokers from the Cal AG to the CalPPA. Even the Cal AG sees administering California’s current privacy law (the California Consumer Privacy Act or CCPA) and the Data Broker Registry law as going hand in hand, as evidenced by this press release in January 2020.
Furthermore, it appears this law needs more teeth to get more data brokers to register. The Cal AG determined per this document that the number of data brokers worldwide was 4,000 and projected that 1,000 would register with California. Yet nearly a year into the law only 414 data brokers have registered with the State per the Cal AG data broker registry website, or 41% of projected and 10% of the actual number of worldwide brokers, so maybe further carrots and sticks are needed to get more registrations.
Even more significant, while the Cal AG requires each data broker to provide answers on how a consumer may opt out of the sale of their personal information and how the consumer can demand deletion of their personal information (i.e. two of the key data subject rights under the CCPA), many data brokers give vague and/or unhelpful answers (“through a link on our website”) or even ignore the questions. In fact, Consumer Reports asked volunteers to exercise their CCPA data subject rights with a variety of data brokers, and many consumers found it to be a “scavenger hunt”, including the fact that there is no consistency amongst data brokers on how a consumer would go about exercising their data subject rights. The reality is that it takes dozens of hours to have one’s personal information deleted from just a handful of data brokers’ databases, and it may take weeks or months for the deletion to finally occur.
In addition, the only other state that has a data broker law is Vermont, and it asks important questions of data brokers that California does not, such as whether the data broker has been breached and whether the broker collects data of minors — information that would be of significant interest to California consumers.
Therefore, placing the management of data brokers under CalPPA, and adding the corresponding regulation, would (a) result in higher levels of registration by data brokers; (b) provide a more consistent, streamlined and easier way for consumers to exercise their data subject rights, including the new rights under CPRA such as the right to correct and the right to limit use of sensitive personal information such as precise geolocation; and (c) provide additional insight for consumers regarding what data the data brokers are collecting and whether they have been breached.
Proposed Changes to California Civil Code section 1798.99.80
Proposed changes in bold and/or strikeout.
TITLE 1.81.48. Data Broker Registration [1798.99.80 – 1798.99.88]
For purposes of this title:
(a) “Business” has the meaning provided in subdivision
(c) (d) of Section 1798.140.
(b) “Collects” and “collected” have the meaning provided in subdivision
(e) (f) of Section 1798.140.
(c) “Consumer” has the meaning provided in subdivision
(g) (i) of Section 1798.140.
(d) “Data broker” means a business that knowingly collects and either sells or shares to third parties the personal information of a consumer with whom the business does not have a direct relationship. “Data broker” does not include any of the following:
(1) A consumer reporting agency to the extent that it is covered by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(2) A financial institution to the extent that it is covered by the Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.
(3) An entity to the extent that it is covered by the Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 1791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).
(e) “Personal information” has the meaning provided in subdivision
(o) (v) of Section 1798.140.
(f) “Sale” or “sold” have the meaning provided in subdivision
(t) (ad) of Section 1798.140.
(g) “Sensitive personal information” has the meaning provided in subdivision (ae) of Section 1798.140.
(h) “Shares” or “shared” have the meaning provided in subdivision (ah) of Section 1798.140.
(g) (i) “Third party” has the meaning provided in subdivision (ai) of Section 1798.140.
A fund to be known as the “Data Brokers’ Registry Fund” is hereby created within the State Treasury. All registration fees received pursuant to paragraph (1) of subdivision (b) of Section 1798.99.82 shall be deposited into the Data Brokers’ Registry Fund, to be available for expenditure by the
Department of Justice California Privacy Protection Agency, upon appropriation by the Legislature, to offset costs of establishing and maintaining the informational internet website described in Section 1798.99.84.
(a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the
Attorney General California Privacy Protection Agency pursuant to the requirements of this section.
(b) In registering with the
Attorney General California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:
(1) Pay a registration fee in an amount determined by the
Attorney General California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84. Registration fees shall be deposited in the Data Brokers’ Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.
(2) Provide the following information:
(A) The name of the data broker and its primary physical, email, and internet website addresses.
(B) Has the data broker been breached and if so, provide additional details of the breach.
(C) Does the data broker collect data of minors.
(D) Instructions on how Consumers can exercise their rights to
(i) delete personal information as described in Section 1798.105
(ii) correct inaccurate personal information as described in Section 1798.106
(iii) know what personal information is being collected and be able to access that personal information as described in Section 1798.110,
(iv) know what personal information is being sold and shared, and to whom, as described in Section 1798.115
(v) opt-out of the sale and sharing of personal information as described in Section 1798.120
(vi) limit the use and disclosure of sensitive personal information as described in Section 1798.121
(B) (E) Any additional information or explanation the data broker chooses to provide concerning its data collection practices.
(c) A data broker that fails to register as required by this section is subject to injunction and is liable for civil penalties, fees, and costs in an action brought in the name of the people of the State of California by the
Attorney General California Privacy Protection Agency as follows:
(1) A civil penalty of one hundred dollars ($
1200) for each day the data broker fails to register as required by this section.
(2) An amount equal to the fees that were due during the period it failed to register.
(3) Expenses incurred by the
Attorney General California Privacy Protection Agency in the investigation and prosecution of the action as the court deems appropriate.
(d) Any penalties, fees, and expenses recovered in an action prosecuted under subdivision (c) shall be deposited in the Consumer Privacy Fund, created within the General Fund pursuant to subdivision (a) of Section 1798.160, with the intent that they be used to fully offset costs incurred by the state courts and the
Attorney General California Privacy Protection Agency in connection with this title.
Attorney General California Privacy Protection Agency shall create a page on its internet website where the information provided by data brokers under this title shall be accessible to the public.
On or before July 1, 2020, the California Privacy Protection Agency shall solicit broad public participation and adopt regulations to further the purposes of this title.
Nothing in this title shall be construed to supersede or interfere with the operation of the
California Consumer Privacy Act of 2018 California Consumer Privacy Rights Act of 2020 (Title 1.81.5 (commencing with Section 1798.100)).