January 31, 2020
California Data Broker List Comes Online
As 2019 has become 2020, many businesses - including financial institutions - are rightly focused on setting up their CCPA compliance structures. But those businesses also should consider a separate yet related law passed by the California Legislature last year, one requiring that all data brokers register with the state.
Cal. Civ. Code § 1798.99.80 et seq., requires all data brokers to, "on or before January 31 following each year in which a business meets the definition of 'data broker'" register with the California Attorney General, paying a registration fee of $360 and providing specified information about the business and its data collection practices.
The California Attorney General has taken the position that businesses that qualified as data brokers as of the effective date of the California Consumer Privacy Act ("CCPA") - January 1, 2020 - must register by January 31, 2020. The law provides that a business failing to register as required may face a civil penalty of $100 per day.
The new law defines a data broker as a "business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship."
This definition is almost exactly the same as the one in the Vermont data broker registration law, which took effect January 1, 2019 and with which businesses dealing in data should be familiar. However, businesses should not be distracted by the similarities with Vermont law and should consider the potential application of the California statute separately. There are several important differences businesses should note.
The main difference is that while the Vermont law relates only to limited pieces of personally identifiable information that is "categorized or organized for dissemination for third parties," the California data broker law uses the extraordinarily broad definition used by the CCPA, effectively capturing any information that is identified with or reasonably identifiable to an individual.
Secondly, it is important to note that while Vermont's law could apply to any for-profit business collecting and selling the personal information of a Vermont resident, whatever its size or connections with the state, the California data broker law applies to "businesses" as defined by the CCPA. The CCPA applies to for-profit entities that do business in California, determine the purposes and means for collecting personal information on California residents (in other words, not a service provider), and surpass one of three size thresholds set out in the statute.
A third difference is that while the Vermont law does not include an affirmative definition for "sell or license," the California law uses the CCPA's broad concept of "sale," which captures any transfer of personal information "for monetary or other valuable consideration." Because California includes this definition, there could be a greater risk that the transfer of personal information not specifically for monetary consideration could be considered to be data brokering.
Finally, the two laws handle exemptions in vastly different ways. While Vermont provides specific exceptions around the scope of terms such as "direct relationship" and "sell or license," Vermont also makes it clear that financial institutions might be data brokers. Vermont notes that customer, employee, or investor information generally is collected within a direct relationship, so dissemination of any of that information would likely not amount to data brokering. Vermont also expressly exempts certain activities, including those incidental to developing or maintaining third-party e-commerce or application platforms or providing publicly available information related to a consumer's business or profession, but the law states that a financial institution may be a data broker. And Vermont provides that the transfer of personal information that is "merely incidental" to the business is not data brokering.
California does not provide any guidance around the terms "direct relationship" or "sell" in the context of data brokering, but it does explicitly exempt financial institutions "to the extent" they are covered by the Gramm-Leach-Bliley Act. California also provides an express exemption for consumer reporting agencies regulated by the Fair Credit Reporting Act.
But with both of these laws, there is a striking lack of clarity around the contours of what makes a business a "data broker." Neither state has offered much in the form of helpful guidance around what kinds of activities amount to data brokering.
Therefore, while these two laws are similar, they may capture different sets of businesses as "data brokers," so any business that knowingly collects and provides to third parties any sort of non-customer personal information should consider whether there is a risk that it might trip into the concept of data brokering under both or either of these laws. Both states publish the registrant lists online, so reviewing those lists might provide insight into how other businesses are interpreting the laws.
We expect more of these registration requirements to pop up in other states, so businesses should monitor developments with these and other states.