The California Privacy Protection Agency Board unanimously approved new regulations for data brokers during its 8 Nov. open meeting. The regulations aim to bring more clarity to provisions of the Delete Act, which requires data broker registration with the State of California and further transparency requirements.
The Delete Act bestowed responsibility of California's data broker registry on the CPPA in January 2024. More than 500 data brokers are registered with the state to date.
The law also allows consumers to request that their personal data collected by businesses and data brokers to be deleted. Data brokers that have received consumer data deletion requests are now required to delete any new data collected about the consumer every 45 days.
The broker regulations adopted by the CPPA Board will also add to Delete Act terms. The regulations define data broker relationships and add concepts to advance the bill while simplifying the terms for both consumers and organizations.
In a statement, CPPA Executive Director Ashkan Soltani said the board's approval is an "important next step in the Agency’s mission" to advance consumer privacy rights.
Broker regulations and registration requirements
Most notable within the regulations is the expanded scope of what businesses are considered to be data brokers.
The Delete Act recognizes data brokers as businesses that collect or sell the data of consumers with whom it does not have a "direct relationship." CPPA General Counsel Phillip Laird said when consumers intentionally interact with organizations to obtain information about "accessing, purchasing, using or requesting the business's products or services within the preceding three years," the business is considered to have a direct relationship with the consumer.
The regulations also make clear that businesses with direct consumer relations can still be considered a broker if it "also sells personal information about the consumer that the business did not collect directly from the consumer."
The broker regulations faced public consultation and received 18 comments from consumers, data brokers and various organizations. Although many organizations provided feedback, the CPPA did not make additional changes before approving the originally proposed requirements.
CPPA Attorney Liz Allen, CIPP/US, said, while the agency acknowledges the suggestions, the original regulations provide enough clarity. Allen claimed the regulations also "memorialize certain procedural elements that will streamline the registration process."
Additionally, the board approved agency staff's proposal to increase the data broker registration fee to USD6,600. That increase will allow the cost of Delete Act implementation, which is estimated at approximately USD3.5 million, to be split between registered brokers.
DROP Process
The board discussed the agency's plans to advance the Delete Request and Opt-out Platform requirements that aim to build a data deletion system that makes it easier for consumers to request the deletion of their data through a single request.
The DROP provides additional data protections for consumers by requiring businesses to opt consumers' personal data out of sale and sharing when requested. Data brokers must still uphold these requirements even if the consumers request cannot be verified.
The opt-out system will be free to California consumers to make data deletion and opt-out requests through a secure system. Under the Delete Act, the DROP will be made available for broker installation by 1 Jan. 2026. Starting 1 Aug. 2026, brokers are required to honor opt-out requests and begin their 45-day deletion sweeps.
While some organizations have warned that certain opt-out systems could incidentally clash with privacy-preserving technology, the DROP system will aim to proactively address consumers' data deletion concerns to ensure it is privacy-protective. The DROP could "set an industry standard or a government standard" for other states that aim to implement similar platforms, General Counsel Laird said.
The agency said it is committed to building an interoperable system that could set the standard for opt-out platforms and expand the use of easy-to-use privacy systems for consumers.
Enforcement has begun
Under current broker registration rules still being enforced, defined brokers must register with the CPPA by 31 Jan. annually. Organizations that fail to register with the CPPA will be fined USD200 daily for noncompliance and unpaid registry fee. Data brokers are also obligated to provide information about data collection and deletion practices to ensure consumers’ information is safeguarded and businesses remain compliant with the California Consumer Privacy Act.
The agency recently announced an enforcement sweep regarding 2024 broker registration and results of those investigations are beginning to roll out.
During the closed session of the 8 Nov. board meeting, agency staff indicated the CPPA reached settlements with data brokers Growbots and UpLead after alleged registration noncompliance. Growbots and UpLead will pay USD35,400 and USD34,400, respectively, to resolve claims that each company went unregistered into July.
"Data brokers come in all shapes and sizes, but they have one thing in common: they present extraordinary risk to our privacy by buying and selling our personal information," CPPA Deputy Director of Enforcement Michael Macko said in a statement. "California law doesn’t allow these businesses to operate in the shadows. Our team will continue to enforce the law vigorously."
State Sen. Josh Becker, D-Calif., author of the Delete Act, added the agency's actions send a "clear message" regarding the respect of individuals' rights around their personal information.
"This is a critical step in enforcing the Delete Act and protecting individuals from unwanted tracking and data exploitation," he said.
Lexie White is a staff writer for the IAPP.
