CPPA Proposes New Regulations for Data Broker Registration under the Delete Act
In a move to clarify and streamline the data broker registration process, the California Privacy Protection Agency (“CPPA”) recently issued a Notice of Proposed Rulemaking (“NPRM”) for new regulations aimed at enforcing the Delete Act (SB 362). These proposed regulations are designed to address challenges faced by businesses that qualify as data brokers, offering greater clarity on registration requirements and supporting the agency’s goal of consumer protection and transparency.
The Delete Act, signed into law in 2023, transferred the administration of the Data Broker Registry from the California Attorney General’s Office to the CPPA starting January 1, 2024. This law requires businesses that meet the definition of a “data broker” to register with the CPPA, pay an annual fee, and submit relevant registration information. While the initial registration process revealed several ambiguities, the new regulations aim to resolve these issues and ensure that businesses comply with the statute.
Key to the proposed regulations are clearer guidelines on the registration process. For example, the CPPA has specified that data brokers must pay a $400 fee for registration, with additional fees for electronic payment processing. There are also provisions for businesses that cannot pay by credit card, allowing payments via debit card, check, or wire transfer. The regulations also clarify that registration fees are non-prorated and non-refundable, helping businesses better understand their financial obligations.
Additionally, the CPPA has provided definitions for key terms that were previously unclear, such as “direct relationship” and “minor.” These terms are crucial for determining which businesses are required to register as data brokers. The proposed regulations also make it clear that every individual data broker, whether a parent company or subsidiary, must register separately. This ensures that there is no confusion about whether a company’s status as part of a larger corporate group impacts its registration obligations.
Another significant provision is the requirement for data brokers to designate an employee or agent to complete the registration on their behalf. This person must have sufficient knowledge of the company’s practices to ensure the accuracy of the registration information, under penalty of perjury. Furthermore, the regulations prohibit businesses from amending or withdrawing registration information after the registration period has ended, except in cases of error.
These proposed changes are essential for the CPPA to meet its objectives of increased transparency and consumer protection. By creating a more efficient and consistent registration process, the CPPA aims to provide consumers with better access to information about the data brokers who collect and sell their personal data. This, in turn, will empower consumers to make more informed decisions regarding their privacy rights, including the ability to delete personal information or opt out of data sales.
In a broader context, the proposed regulations help businesses comply with the California Consumer Privacy Act (“CCPA”) by ensuring that data brokers follow clear, consistent guidelines for registration. These guidelines will ultimately support the CPPA’s mission to make the data broker industry more transparent, allowing consumers to make decisions about their data with greater ease.
As the CPPA moves forward with these proposed regulations, businesses involved in data brokering must stay informed about these updates. The deadline for public comments on the proposed regulations is August 20, 2024, and a virtual public hearing will be held on the same date. Companies must carefully review these developments to ensure compliance and avoid potential penalties.
The proposed regulations not only enhance clarity but also reinforce California’s leadership in data privacy. As other states continue to refine their own data privacy laws, California’s approach to regulating data brokers sets a significant precedent that could influence future legislation across the country. Businesses should take this opportunity to review their practices and make any necessary adjustments to comply with the evolving landscape of data privacy laws.
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.