On November 9, 2024, the five-person board of the California Privacy Protection Agency (CPPA) voted unanimously to adopt the proposed Data Broker Registration regulations without modifications. The new regulations seek to clarify key provisions of the California Delete Act, which requires data brokers to register with the state of California and requires the CPPA to establish a universal data deletion mechanism by January 1, 2026.

The board also voted to increase the data broker registration fee from the current $400 to $6,600 for the next registration cycle, starting January 1, 2025. The board meeting agenda is available on the CPPA’s website.

Clarifying key terms and registration procedures

The new regulations adopted by the CPPA expand the scope of businesses considered to be data brokers under the Delete Act, which defines data brokers as businesses that collect or sell the data of consumers with whom the business does not have a “direct relationship.” However, the regulations now clarify that a business with a direct consumer relationship can still be considered a data broker if it “sells personal information about the consumer that the business did not collect directly from the consumer.”

Under the Delete Act, data brokers must disclose specific information about their data collection practices, including whether they collect consumers’ reproductive healthcare data or the personal information of minors (as such terms are now defined under the regulations).

Procedurally, the new regulations largely memorialize the agency’s existing practices related to the data broker registry. Companies are required to register every year on or before January 31 if they have acted as a data broker in the prior year. The Delete Act imposes fines of $200 per day for each day the data broker has failed to register, plus any expenses incurred by the agency in the investigation, and $200 for each deletion request for each day the data broker failed to delete personal information as required by the Delete Act.

The CPPA still needs to file the final rulemaking package with the Office of Administrative Law to complete the formal rulemaking process. While it is not guaranteed, it seems likely that the regulations will become effective before the next registration cycle on January 1, 2025.

Delete Act enforcement

Days after the meeting, the CPPA announced its first enforcement actions under the Delete Act, which resulted in $35,400 and $34,400 settlements for two companies’ failure to timely register with the CPPA. These settlements came shortly after the CPPA’s announcement that it was conducting a “public investigative sweep” of data broker registration compliance.

The agency appears to be signaling an aggressive enforcement posture for the foreseeable future, despite the resignation of its executive director, Ashkan Soltani, which was also announced at the board meeting.

Authors

Lei Shen

Richard Koch

Posted by Patrick Johnson