In the flurry of bills relating to the California Consumer Privacy Act (CCPA),[1] the California Legislature also enacted a new law effective January 1, 2020, according to which data brokers must register with the California attorney general by January 31, 2020. With the new law, California follows a similar (but not identical) law in Vermont[2] and attention to data brokers by Congress, the Federal Trade Commission (FTC) and advocates in prior years.[3] California lawmakers placed the broker law right before CCPA in the California Civil Code, adopted definitions from the CCPA and clarified that “[n]othing … shall be construed to supersede or interfere with the operation of the California Consumer Privacy Act.”[4]

In recitals to the new law, the California Legislature declares that “data brokers … create risks … associated with the widespread aggregation and sale of data about consumers (…). There are important differences between data brokers and businesses with whom consumers have a direct relationship. Consumers who have a direct relationship with traditional and e-commerce businesses (…) have some level of knowledge about and control over the collection of data by those businesses (…). By contrast, consumers are generally not aware that data brokers possess their personal information. (…) Therefore, it is the intent of the Legislature to further Californians’ right to privacy by giving consumers an additional tool to help control the collection and sale of their personal information by requiring data brokers to register annually with the Attorney General and provide information about how consumers may opt out of the sale of their personal information.”[5]

2.3.1 Who and What Data Is Protected?

California residents are protected with respect to any personal information, which is defined under the CCPA as any information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular [California resident] or household.”[6]

2.3.2 Who Must Comply?

Any business established in or outside of California is required to register as a data broker if it (1) meets one of the threshold requirements established by the CCPA; (2) knowingly collects and sells to third parties personal information of consumers, as the terms “personal information,” “selling,” “consumer” and “third party” are defined under the CCPA; (3) does not have a direct relationship with all the consumers whose information it sells; and (4) cannot claim a statutory exemption. The California Legislature notes that “[d]ata brokers may provide information that can be beneficial to services that are offered in the modern economy, including credit reporting, background checks, government services, risk mitigation and fraud detection, banking, insurance, and ancestry research, as well as helping to make determinations about whether to provide these services.”[7] Anyone can view the list of registered businesses online.[8]

2.3.2.1 Business

Many companies around the world qualify as a business under the CCPA, given the relatively low revenue threshold ($25 million annually) and the broad definition of “doing business in California.”[9]

2.3.2.2 Personal Information Selling

Companies that have succeeded at eliminating any “selling” of “personal information” as these terms are counterintuitively defined under the CCPA[10] do not have to register as data brokers.

2.3.2.3 Direct Relationship

A business that sells personal information of a California resident must place a “do not sell my personal information” link on its web and mobile sites under the CCPA and also register as a data broker, unless it has a direct relationship with all consumers whose information it shares with third parties under terms that qualify as “selling” under the CCPA.

The term “direct relationship” is not defined in the CCPA or the data broker law. The term “direct relationship” was added to the CCPA in late 2019 in connection with an exception from the requirement to establish a toll-free number for any “business that operates exclusively online and has a direct relationship with a consumer;”[11] in the CCPA, the “direct relationship” element narrows an exemption[12] whereas in the data broker law, businesses that have direct relationships are excluded from the definition of data broker.

Literally, the term “direct relationship” means a connection that is not interrupted or facilitated by intermediaries. “Direct” means “straight,” “free from extraneous influence” and “immediately, not through representatives.”[13] “Direct” means there is no one in between. “Relationship” means a connection or association, including “the way in which two people or two groups feel about each other and behave toward each other.”[14] Relationships can be good or bad, direct or indirect, and may not require the parties to be aware of one another.

In the context of the legislative findings of the data broker law, businesses can claim “direct relationships” whenever the consumer whose information they sell is contracting, communicating or otherwise interacting with the business without intermediaries shielding the business or preventing the consumer from knowing about the business or its data processing practices. A business can claim a direct relationship where a consumer: (1) visits the business online or in person; (2) affirmatively and intentionally interacts with a business’s online advertisements; and (3) has knowledge or options regarding the collection of data by the business, including the choice to use the business’s products or services, the ability to review and consider data collection policies, the ability to opt out of certain data collection practices, the ability to identify and contact customer representatives or the knowledge necessary to complain to law enforcement.[15] Therefore, a business can establish a direct relationship with a consumer if it makes the consumer aware of the fact that the business collects the consumer’s data, affords the consumer an opportunity to exercise choice regarding the business’s data processing or enables the consumer to view the business’s terms or privacy notices.

Businesses that execute sales, purchase, services or employment contracts with a person have a direct (contractual) relationship. People who purchase a business’s products or services from retailers or other third parties may also have a direct contractual relationship with the business itself if the product comes with a warranty card, software shrink-wrap license terms or a privacy notice informing the consumer about data the consumer shares with the business by installing or using the business’s product. People who use a business’s products or services may form a direct communication or legal relationship regardless of contract flows; for example, people who work for a company that has a relationship with the business may directly interact and thus have a direct relationship with the business.

People who visit a business’s website are deemed to accept website terms of use and licenses and thus form a direct contractual relationship. People who click on or perhaps just hover over or view a business’s advertisements may be said to form a direct relationship of mutual interest if they note the business’s brand. Businesses can also establish direct relationships by delivering a privacy notice to a consumer, by mail, email, website pop-up or banner notice. Moreover, pre- and post-contractual relationships come with particular legal obligations and qualify as “direct” in the absence of a middleman.

The Vermont data broker law provides examples (for illustration, not exhaustive) of what counts as a “direct relationship” for a business that sells personal information of consumers: “if the consumer is a past or present: (i) customer, client, subscriber, user, or registered user of the business’s goods or services; (ii) employee, contractor, or agent of the business; (iii) investor in the business; or (iv) donor to the business.”[16]

In practice, businesses have a number of options to establish direct relationships with consumers to avoid being classified as a data broker and being subject to the associated registration obligations.

2.3.2.4 Exemptions

California lawmakers explicitly excluded the following three groups from being classified as “data brokers” under the data broker registration law: (1) consumer reporting agencies covered by the federal Fair Credit Reporting Act; (2) financial institutions covered by the Gramm-Leach-Bliley Act (GLBA); and (3) organizations in the insurance sector covered by the Insurance Information and Privacy Protection Act.[17] Some organizations, such as media companies and health care providers, which enjoy exceptions under the CCPA,[18] are not similarly privileged under the data broker registration law.

2.3.3 How to Comply?

Data brokers must register on or before January 31 each year with the California attorney general and pay a fee.[19] They must provide their name, primary address, email and website, and may provide additional information concerning their data collection practices.[20] The complete California data broker registry can be found on the attorney general’s website.[21]

2.3.4 Sanctions and Remedies

If a data broker fails to register, it is subject to an injunction and “civil penalties, fees, and costs in an action brought” by the California attorney general, including a civil penalty of one hundred dollars ($100) for each day the data broker fails to register and expenses incurred by the California attorney general in the investigation and prosecution of the action.[22] Any penalties the California attorney general recovers will be deposited in the Consumer Privacy Fund to offset the costs of enforcing the statute.[23]

[1]       See Chapter 2.4 of this book.

[2]       Vt. Stat. Ann. tit. 9, § 2447; Hawah Ahmad, Analysis: Vermont’s data broker regulation, IAPP Privacy Tracker (July 11, 2018), https://iapp.org/news/a/analysis-vermonts-data-broker-regulation/.

[3]       See Sam Pfeifle, FTC Calls for Legislative Action to Regulate Data Brokers, IAPP The Privacy Advisor (May 27, 2014), https://iapp.org/news/a/ftc-calls-for-legislative-action-to-regulate-data-brokers/.

[4]       Cal. Civ. Code § 1798.99.88.

[5]       Section 1. Title 1.81.48, Part 4 of Division 3 of the Cal. Civil Code.

[6]       Cal. Civ. Code § 1798.99.80 (c) and (e); § 1798.140 (g) and (o)(1).

[7]       Section 1. Title 1.81.48, Part 4 of Division 3 of the Cal. Civil Code.

[8]       See Data Broker Registry, State of California Department of Justice Office of the Attorney General, https://oag.ca.gov/data-brokers.

[9]       See Chapter 2.4.2 of this book.

[10]     See Chapter 2.4.3 of this book.

[11]     Cal. Civ. Code § 1798.130(a)(1)(A).

[12]     Not all companies “operating exclusively online” are exempt from the requirement to establish a toll-free number under Cal. Civ. Code § 1798.130(a)(1)(A), only those that have a “direct relationship.”

[13]     Black's Law Dictionary (11th ed. 2019), direct.

[14]     Black's Law Dictionary (11th ed. 2019), relationship.

[15]     See Cal. AB. 1202, Chapter 753 (2019), http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB1202.

[16]     Vt. Stat. Ann. tit. 9, Vermont Ch. 62. § 2430(4)(B). H.764, Act 171, https://legislature.vermont.gov/bill/status/2018/H.764. Of course, the definitions in the Vermont statute do not apply in California. Also, they appear in a different legislative context, as the Vermont law contains different definitions and substantive obligations.

[17]     See Cal. Civ. Code § 1798.99.80(d)(1)-(3).

[18]     See Cal. Civ. Code § 1798.145 and Chapter 2.4.3 of this book.

[19]     See Cal. Civ. Code § 1798.99.82(a)(1).

[20]     See Cal. Civ. Code § 1798.99.82(b).

[21]     Data Broker Registry, State of California Department of Justice Office of the Attorney General, https://oag.ca.gov/data-brokers.

[22]     See Cal. Civ. Code § 1798.99.82(c)(1)(C).

[23]     See Cal. Civ. Code § 1798.99.82(c)(2).
