CPPA Launches Investigation into Data Broker Compliance- What Businesses Need to Know
The California Privacy Protection Agency (“CPPA”) announced last week that it is conducting a public investigative sweep to ensure data brokers are complying with the Delete Act, a law that requires businesses to register with the CPPA and pay an annual fee. This marks a significant effort by the CPPA to enforce transparency and accountability in the growing data brokerage industry. Data brokers, which by definition are businesses that collect and sell personal information of consumers they don’t have a direct relationship with, must now adhere to strict registration rules.
This investigation comes after the California Attorney General’s office, which previously oversaw the data broker registry, handed over this responsibility to the CPPA at the start of 2024. The Delete Act stipulates that businesses acting as data brokers must register annually with the CPPA by January 31, providing transparency about the data they collect and sell. Those who miss the deadline face fines of $200 per day, which can quickly add up, making it crucial for businesses to comply on time.
In addition to registration, data brokers must meet several other requirements under the Delete Act. They must disclose the number of consumer deletion requests they receive and report the average time it takes to respond to these requests. Businesses are also required to provide detailed information about their data collection practices, including whether they gather data on minors, reproductive healthcare information, or precise geolocation. Furthermore, data brokers must make consumers aware of their rights under the California Consumer Privacy Act (“CCPA”) by providing a clear link on their websites.
The CPPA is making it clear that businesses who fail to comply with these obligations will face consequences. The agency’s enforcement division is prepared to take action, and fines will increase the longer a company remains out of compliance. As Michael Macko, head of the CPPA’s enforcement division, stated, “For data brokers skirting the law, the fine increases with each passing day.”
Looking ahead, the Delete Act also funds the development of a new, first-of-its-kind mechanism known as the Data Broker Requests and Opt-Out Platform (“DROP”), which is expected to launch in 2026. Once operational, this platform will allow consumers to make a single request that directs all data brokers to delete their personal information. This will further strengthen consumer rights and create more pressure on businesses to comply with data privacy regulations.
Compliance Recommendation.
If your business operates as a data broker, it is critical to understand your obligations under California’s Delete Act. Make sure you’re registered with the CPPA and that you’re providing the necessary disclosures about your data collection and deletion practices. Missing the deadline can result in substantial fines, so it’s important to stay on top of registration requirements. Additionally, keep an eye on the development of DROP and prepare for the changes it will bring in 2026. By staying proactive, you can ensure your business is fully compliant and avoid costly penalties.
Explore our comprehensive CLIClaw Data Broker Compliance Library for essential resources and step-by-step guidance to ensure your business is fully compliant.
(Image Credit: iStock Photo)
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.