The California Privacy Protection Agency (Agency) recently opened the formal public comment period on its proposed regulations for data broker registration authorized by Senate Bill (SB) 362, also known as the “Delete Act.”
The Delete Act
In 2023, the California Legislature passed—and Governor Newsom signed—the Delete Act, which, among other things, transferred the administration and enforcement of the Data Broker Registry (Registry) to the Agency as of January 1, 2024. The Agency now maintains the Registry and posts publicly the required information disclosed by data brokers. Under the Delete Act, the Agency was authorized to adopt regulations to implement and enforce the statute.
Data Broker Registration Requirement
As we previously reported in a client advisory, the Delete Act, among other things, required data brokers to annually register with the Agency and pay a registration fee.
The Agency administered the data broker registration process for the first time in January of this year. As a result, the Agency encountered a variety of common questions and occasional obstacles that indicated a need for clarification of the Delete Act’s registration requirements. The Agency notes that data brokers expressed confusion due to a lack of clarity in the statute around undefined terms. In addition, the Agency found that multiple registration statements failed to provide information that promotes the statute’s goals of consumer protection through transparency and informed decision-making around exercising California Consumer Privacy Act (CCPA) rights.
Proposed Regulations
Through its proposed regulations, the Agency aims to address common questions and obstacles that surfaced for data brokers in the most recent registration period. To that end, the proposed regulations:
- detail what is included in, and how to pay the registration fee;
- define terms included in the Delete Act; and
- clarify requirements for registration, updates to the registry, and website disclosures.
Among other things, the proposed rules:
- Establish a rule stating that registration fees will not be prorated or refunded.
- Define the term “direct relationship” between a business and a consumer to clarify what businesses are data brokers. For example, under the proposed rules, a consumer would not have a “direct relationship” with a business if the purpose of their engagement is to exercise their privacy rights, make a payment, or verify their identity. Not having a direct relationship with the consumer is one of the signs of a data broker under the Delete Act.
- Define a “minor” as a person who the data broker knows is younger than 16 years of age and state that willfully disregarding the consumer’s age would be construed as knowing the consumer’s age.
- Clarify that each data broker business, regardless of its status as a subsidiary or parent company to another business, is required to register separately.
- Establish a rule preventing data brokers from removing themselves from the registry absent erroneous registration.
Public Hearing and Comment Timelines
The Agency will hold a virtual public hearing to provide all interested persons an opportunity to present oral or written statements or arguments with respect to the proposed regulations on August 20 at 1:00 – 5:00 p.m. Pacific Time. The written comment period closes on August 20, at 5:00 p.m. Pacific Time.
NEED HELP WITH PRIVACY POLICY ADVOCACY OR COMPLIANCE?
The CommLaw Group Can Help!
If your company has questions about its data privacy obligations under California privacy laws, would like our help preparing and submitting its comments to the proposed regulations, or would like to reassess its data collection and processing practices in compliance with state regulation, please contact us:
Linda McReynolds – Tel: 703-714-1318 / E-mail: lgm@commlawgroup.com
Diana James – Tel: 703-663-6757 / E-mail: daj@commlawgroup.com