California Just Passed SB 362: Whatever You Think About the Merits of the Law, It’s a Big Deal
As we’ve discussed here, data brokers have been in the hot seat lately, with the enactment of new state data broker registry laws, aggressive enforcement by the FTC, a looming rulemaking by the CFPB to extend the FCRA’s reach to a broader class of data brokers, multiple federal bills to restrict data broker sales, and a recent meeting at the White House to discuss “harmful data broker practices” and provide further impetus for regulation.
Among the most significant of these developments is California’s SB 362 – a data broker bill that goes well beyond the registration requirements contained in California’s existing data broker law. Proposed earlier this year, SB 362 met with various twists and turns all summer, including strenuous opposition from industry members. However, yesterday (on the last day of the legislative session), the California Senate gave the bill final approval, concurring in the version passed by the California Assembly.
Now the law is on its way to Governor Newsom for signature, and there have been no signs that he’ll veto it. Indeed, the bill’s chief sponsor, state Senator Josh Becker, has said that, while he hasn’t reached out to the governor, he expects the governor to sign. Others have surmised that Newsom will sign in light of the prominence of privacy in the Golden State, as well as concerns about data brokers’ collection and sale of reproductive health care data (an issue referenced in Section 3 of the bill).
What Does SB 362 Require?
Although the bill was amended throughout the legislative process, the core requirements remain largely the same. In brief, SB 362 expands California’s current data broker law by providing a centralized place where consumers can delete their data and limit the further sale or sharing of it, and requiring data brokers to undertake new disclosure, recordkeeping, and audit requirements. Some provisions will take effect in 2024 but most will be delayed until 2026 or even 2028. Specifically, SB 362:
- Requires data brokers to register with the California Privacy Protection Agency (CPPA) (instead of the California AG’s office, as required by the current law), pay a fee, submit detailed information, provide detailed disclosure to consumers, and comply with new recordkeeping requirements (expanded requirements phased in during 2024);
- Requires the CPPA to create an “accessible deletion mechanism” where consumers can at no cost direct some or all data brokers to delete all of their information, subject to the same deletion and other exceptions available under CCPA (beginning in 2026);
- Requires data brokers to continue to delete any new information received about the consumer every 45 days (2026);
- Requires any data broker that receives a deletion request not to sell or share any new personal information about the consumer unless the consumer requests it (2026);
- Requires any data broker that receives a request to direct their service providers and contractors to delete the information (2026);
- Requires a data broker that denies a request to delete because the request cannot be verified to process the request as an opt-out of sale/sharing and to direct its service providers and contractors to do the same (2026);
- Allows “authorized agents” to assist consumers in making deletion requests (2026);
- Requires data brokers to undergo independent compliance audits every three years (beginning in 2028);
- Authorizes penalties and administrative costs for noncompliance, including $200 for each day a data broker fails to register and $200 “for each deletion request for each day the data broker fails to delete information” as required (these sanctions kick in as each of the above requirements becomes effective); and
- Gives the CPPA discretionary rulemaking authority to implement the new law.
Of significance, the term “data broker” is defined broadly as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship” (though it excludes entities covered by the Fair Credit Reporting Act (FCRA), the Gramm Leach Bliley Act, the Health Insurance Portability and Accountability Act and similar California laws, and a California insurance law). As a result of this broad definition, the bill extends not just to data brokers as they are commonly understood, but also to many members of the advertising industry that collect and sell data but do not have a consumer-facing relationship.
What Did Opponents Argue?
In a website created for the purposes of opposing SB 362, industry members pointed to the many beneficial support services they provide – such as stopping fraud targeting companies and the government; verifying identities for the administration of unemployment and nutrition programs; identifying potential donors for political and charitable campaigns; and allowing small businesses to compete and reach a larger customer base. They also stated that the California Consumer Privacy Act already covers data brokers and provides a full set of transparency and deletion rights to consumers as to these entities. These arguments didn’t carry the day, although the bill garnered a chunk of “no” votes in the California Assembly.
Why Is This Significant?
As discussed in our prior posts on this subject, policymakers at the federal and state levels have debated for years whether to impose new statutory and/or regulatory requirements on data brokers, citing the sensitive nature of the information and profiles that they sell, the use of this data in making consequential decisions about consumers, and the invisibility of most data brokers to the public. However, to date, data broker-specific legislation has largely been limited to the FCRA and to the state data registry requirements now in effect in four states (though data brokers fall within many privacy laws of general applicability, of course).
The new requirements in SB 362 raise the potential that large numbers of consumers might opt out of the collection and sale by data brokers (broadly defined), whether on their own or through “authorized agents.” Thus, while the law confers significant new privacy rights on consumers, it also could substantially impact the data broker and advertising industries and the many businesses and services that rely on them. In addition, because California typically leads the states on privacy issues, it’s possible that other states will follow suit, amplifying these effects considerably.
Stay tuned as we continue to monitor this important topic.