Keeping the season spooky for data brokers, the enforcement division of the California Privacy Protection Agency announced on October 30, 2024, that it is conducting a public investigative sweep of data broker registration compliance under California’s Delete Act.
What Is a Data Broker?
A data broker is defined as “a business that knowingly collects and sells to third parties the personal information of a [California] consumer with whom the business does not have a direct relationship.” “Selling” includes transfers of personal information for any valuable or monetary consideration.
There are several exclusions to the definition of a data broker. For example, the Delete Act does not apply to entities covered by the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA), among others.
What Do Data Brokers Need to Do?
Signed into law in October 2023, the Delete Act requires data brokers to annually register, pay a fee, and provide the following information to the California Privacy Protection Agency:
- Whether the company collects the personal information of minors, reproductive health care data, or precise geolocation data;
- The number of consumer rights requests the broker received during the prior calendar year; and
- The median and mean number of days by which the data broker substantively responded to those requests.
These statistics and information regarding consumers’ rights under the California Consumer Privacy Act must also be disclosed in a link on the data broker’s website.
Covered businesses that operated as a data broker during the 2024 calendar year have until January 31, 2025, to register or face a penalty of $200 per day.
