In the flurry of bills relating to the California Consumer Privacy Act, the California Legislature also enacted a law requiring data brokers to register, following a similar, but not identical, law in Vermont and attention paid to data brokers by Congress, the U.S. Federal Trade Commission and advocates in prior years. California lawmakers placed the broker law right before the CCPA in the California Civil Code and clarified in California Civil Code §1798.99.88 that "Nothing … shall be construed to supersede or interfere with the operation of the California Consumer Privacy Act."
Under the new California law, data brokers have to register every year on or before Jan. 31 with the Office of the Attorney General of California. Some commentators have argued that the law might not take effect until January 2021, but the California attorney general has opened the registration website and more than 50 companies have already registered. You can access the full list and find some highly regarded brands, as well as some (but, interestingly, not all) of the companies that have made headlines in the previous controversies around data broker regulation. One of the "big four" accounting and consulting firms is on the list. Newspaper publishers are not.
Read more about the CCPA in "California Privacy Law, Third Edition," by Baker McKenzie Partner Lothar Determann
Media companies, health care providers and other organizations that enjoy some exemptions and deferrals regarding CCPA obligations will not find similar exceptions in the new California data broker registration law, which expressly exempts consumer reporting agencies that are subject to the Fair Credit Reporting Act, financial institutions that are subject to the Gramm-Leach-Bliley Act, and certain organizations in the insurance sector that are subject to the California Insurance Information and Privacy Protection Act.
Who needs to register as a data broker in California?
The new law borrows many of the counterintuitive and overbroad definitions from the CCPA, including "business," "consumer," "personal information" and "sale." Companies that exchange employee or business contact information with affiliates or other business partners for consideration (monetary or other) may qualify as a business that sells personal information under the CCPA. Companies that do not sell personal information for CCPA purposes do not have to register as a data broker. But the reverse is not necessarily true: Not all companies that have to include the "do not sell my personal information" link on their website, as of Jan. 1, need to register as a data broker.
"Data broker means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship," according to California Civil Code §1798.99.80[d]. The term "direct relationship" is not defined in the CCPA or the data broker law. That term was added to the CCPA in late 2019 in connection with an exception from the requirement to establish a toll-free number for any "business that operates exclusively online and has a direct relationship with a consumer."
Personally, I am not sure I know many businesses that "operate exclusively online." In everyday language, "online" means connected to a computer or telecommunications system, such as the internet or a phone line. "Offline" means the opposite — not connected to computers or telecommunications. Offline operations traditionally rely on brick, mortar, in-person interactions and snail mail. Most of my clients have offices and employees even if they conduct some of their business via websites or mobile apps. Their employees, independent contractors and individual representatives of corporate vendors meet each other in person — "offline." They receive and send paper mail to each other, to government authorities and to business partners. And, most still call each other on the phone now and then, as well as vendors and business partners, too. Even after the various amendments, the CCPA still refers to employees and business representatives as "consumers." How, then, can any business operate "exclusively online"?
Perhaps the California Legislature meant to exempt businesses that communicate with real consumers (as this term is understood in everyday language) only via websites and apps and not normally via phone, but that remains unclear. Companies will have to take positions on what it means to "operate exclusively online" under the CCPA.
Companies will also have to take positions on what it means to have a "direct relationship" with a person. A relatively easy case is that of people who have executed sales, purchase, services or employment contracts with a business; such people have a direct contractual relationship with the business. People who purchased the business's products or services from retailers or other third parties may also have a direct contractual relationship with the business itself because the product may come with a warranty card or software shrink-wrap license agreement. Also, a person who uses a business's products or services may form a direct communication or legal relationship regardless of contract flows. People who work for a company that has a relationship with the business may directly interact and thus have a direct relationship with the business. People who visit a business's website are deemed to accept website terms of use and licenses and thus form a direct contractual relationship. People who click on or perhaps just view a business's advertisements may be said to form a direct relationship of mutual interest. Direct relationships may also follow from deliveries of privacy notices, which the CCPA regulations require. Moreover, pre- and post-contractual relationships come with particular legal obligations and qualify as "direct."
The Vermont data broker law provides examples (for illustration, not enumerative) of what counts as a "direct relationship" back East for a business that sells personal information of consumers: "if the consumer is a past or present: (i) customer, client, subscriber, user or registered user of the business’s goods or services; (ii) employee, contractor or agent of the business; (iii) investor in the business; or (iv) donor to the business." Of course, the definitions in the Vermont statute do not apply in California. Also, they appear in a different legislative context, as the Vermont law contains different definitions and substantive obligations.
With respect to California, every business has to form its own views on where to draw the line with respect to what counts as a "direct relationship" for purposes of complying with the new data broker registration law, as well as regarding the exception from toll-free numbers in the CCPA (California Civil Code §1798.130[1][A]) and the various new obligations on companies that collect personal information from sources other than "directly" from the consumer under the draft CCPA regulations. Every business is in a different position in this respect. Scenarios and nuances vary quite a bit depending on companies' business models, contract flows and communication methods.
Companies that have had a "do not sell my personal information" link on their website since Jan. 1 should accelerate their assessment of whether they also have to register as a data broker. According to California Civil Code §1798.99.82.(c)(1), a data broker that fails to register as required is subject to injunction and is liable for civil penalties, fees and costs in an action brought in the name of the people of the state of California by the attorney general, including a civil penalty of $100 for each day the data broker fails to register, fees that were due during the period it failed to register, and expenses incurred by the attorney general in the investigation and prosecution. Any penalties, fees and expenses recovered in an action shall be deposited in the Consumer Privacy Fund.