The California Privacy Protection Agency is delving further into its enforcement agenda, announcing plans for an enforcement sweep around data broker registration.
The agency assumed responsibility of California's broker registry 1 Jan. 2024 under provisions of the Delete Act, signed into law October 2023 with the aim of cracking down on the increasingly complex broker landscape. The full provisions of the new law don't take effect until 2026, however, the CPPA is able to enforce prior data broker registration rules overseen by the California attorney general's office
"The immense volume of personal information sold by data brokers can pose a significant threat to Californians' privacy," CPPA Executive Director Ashkan Soltani said in a statement. "It's crucial for data brokers to register with our Agency, so the public can be informed and empowered to exercise their rights. And starting in 2026, these rights will be even stronger with the new deletion mechanism."
The CPPA recalled the updated statute's definition of data brokers as "a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." With this sweep, the agency will look at companies that did not register with the state by 31 Jan. 2024 after meeting the broker criteria in 2023.
Registration noncompliance comes with a USD200 per day penalty, meaning unregistered brokers face a USD54,600 fine as of 30 Oct.
"We're concerned about compliance with the registration requirement and take it seriously. Data brokers should take it seriously too. Although hundreds of data brokers are properly registered, we’re investigating whether the registry is complete." CPPA Deputy Director of Enforcement Michael Macko told the IAPP.
What's driving enforcement?
California has no shortage of registrants on its broker list, however, the agency's sweep suggests the list is not as complete as it could be.
"This is a multi-billion-dollar industry," Macko said. "Consumers depend on the registry to give them visibility into it. Without the registry, consumers wouldn’t know who might be trafficking in their personal information. It's important for them to have this transparency, that's the spirit and purpose behind the registry in the first place."
A June 2024 report from market research and consulting firm Knowledge Sourcing Intelligence explored the forecast for global data brokerage from 2024 to 2029, highlighting expectations for rapid growth trends. The firm estimated annual broker market growth at 7.58% annually and for the market as a whole to reach a USD561.538 billion valuation by 2029. The current estimated value of global brokerage is USD389.765 billion.
The expected value derives from the depth of brokers' data collection. The consumer profiles being built and sold contain data from a range of online activities, including social media and online gaming accounts, loyalty schemes, medical records, public records, website registrations and geolocation.
The broker registration in California is the starting point for curbing the harms stemming from efforts to growing the industry. Reasons behind companies' noncompliance could vary, according to Macko.
"The registration requirement has been on the books for four, nearly five years now, and we know that data brokers pose unique risks to consumer privacy," he said. With the CPPA's accessible deletion mechanism coming online for consumers in 2026, the registration requirement is more important now than ever."
Exact motivations behind knowingly avoiding registration are unknown and likely vary. One particular area is the business consequences of the transparency that comes with registering.
"Registration is straightforward, but some people tell me that certain data brokers cling to the idea they don’t fall within the definition. So they don't register," Macko said. "In many cases that’s wishful thinking."
Registration is just the cusp of potential broker enforcement as the CPPA is likely to go further once the Delete Act takes effect 1 Jan. 2026. That initial date marks when brokers are required to add a CPPA-generated data deletion mechanism to their website that allows consumers to request their data be removed from broker activities across the registered entities. The deletion mechanism is still in development, according to the CPPA.
Additionally, brokers will be required to honor deletion requests on a rolling basis every 45 days beginning 1 Aug. 2026.
California is not the only state moving against data brokers. The Texas attorney general's office sent more than 100 compliance letters to companies in June citing a lack of registration under its Data Broker Law. Oregon and Vermont also have effective broker registration statutes.
A new FCC partnership
The CPPA's enforcement strategy is growing beyond increased casework, as the agency is incorporating more cooperation with domestic and international regulators. This includes a newly signed partnership with the U.S. Federal Communications Commission agreed to 29 Oct.
In a statement, the FCC characterized the new collaboration as a commitment to "share close and common legal interests in working cooperatively to investigate and, where appropriate, prosecute or otherwise take enforcement action in relation to privacy, data protection, or cybersecurity issues." The CPPA will join 10 state attorneys general in working with the FCC's Privacy and Data Protection Task Force.
"The FCC's enforcement team is doing cutting edge work, and I’m a big fan," Macko said. "It's useful for regulators to work together, especially when it comes to new technologies, and telecom is a great example. We need to tackle privacy harms in a holistic, complete way to make sure we’re solving the problems."
The CPPA currently works in coordination with the California attorney general's office on California Consumer Privacy Act matters while engaging with other state attorneys general through formal and informal channels. Internationally, the agency has a memorandum of understanding with France's data protection authority, the Commission nationale de l'informatique et des libertés, while also reaching an adequacy agreement with the Dubai International Financial Centre in August 2023.
Joe Duball is the news editor for the IAPP.
