California Expands Requirements for Data Brokers

On November 8, the California Privacy Protection Agency (CPPA), the agency tasked with implementing and enforcing the California Consumer Privacy Act (as amended by the California Privacy Rights Act), unanimously voted to approve new regulations to implement the Delete Act of 2023.  The Delete Act, in part, requires data brokers to annually register with the CPPA, pay a fee, and provide information about their data processing activities.  Essentially, the new regulations expand the statutory definition of “data broker,” broadening the scope of businesses that would be considered data brokers under the Delete Act.  For example, the regulations clarify that a “direct relationship” with consumers may not protect a business from the application of the Delete Act – specifically, if a business with a direct relationship with a consumer sells information that it did not collect directly from the consumer, it may still be classified as a data broker.

The regulations further clarify the registration requirements and procedures, including what information must be submitted and how to submit or change a data broker registration.  The annual data broker fee was also increased to cover the costs to develop and maintain the new “Delete Request and Opt-out Platform”.

If approved, the regulations will become effective on January 1, 2025, adding to the growing complexity and scope of California’s privacy framework.  For further information about the Delete Act or privacy laws in general, please contact John Landolfi, Chris Ingram, Chris LaRocco, Gretchen Rutz Leist, Nikkia Knudsen, or your Vorys attorney.