California Privacy Protection Agency expands the definition of “data broker”
On November 8, the California Privacy Protection Agency (CPPA) voted 5-0 to approve new regulations to implement the DELETE Act of 2023. The most noteworthy development was the agency’s adoption of a new definition of “direct relationship,” a core term within the statutory definition of a “data broker.” The new definition could require a host of new businesses to register as data brokers if they collect personal data about their customers from other sources and sell that data to third parties, including in an ad tech context.
The new regulations also provide direction to data brokers on the registration process, including the information to submit with a data broker registration and the process for submitting and changing a data broker registration.
Finally, the CPPA raised the annual data broker registration fee to $6,600 from $400, a 1550% increase. The agency explained that the price hike will help fund a new “Delete Request and Opt-out Platform” or “DROP,” a one-stop deletion and opt-out mechanism the agency must create under the DELETE Act.
The new regulations were filed on November 12 with the Office of Administrative Law, which now has up to 30 working days to review the regulations before filing them with the California Secretary of State. If the regulations are filed with the Secretary on or before November 30, they will become effective on January 1, 2025. If filed between December 1 and February 29, they will become effective on April 1, 2025.
The rest of this post takes a closer look at the expanded definition of “data broker” and its implications for businesses.
How did the CPPA expand the definition of a data broker?
California law defines a data broker as a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” This definition has widely been interpreted to apply to businesses that sell consumer data but have no consumer-facing relationship.
The new CPPA regulation could be interpreted to mean that a broader array of businesses are data brokers. Specifically, the CPPA defines “direct relationship” to mean that “a consumer intentionally interacts with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business’s products or services within the preceding three years.”
There are three main consequences of this definition:
- Direct Consumer Relationships Are Not All-or-Nothing: Under the CPPA’s definition, a business can be a data broker even if it has a direct relationship with a consumer. If the business “sells personal information about the consumer that the business did not collect directly from the consumer,” the CPPA considers the business to be a data broker. As an example, the CPPA discusses a hypothetical business that offers a video game service and also buys and sells data about a consumer that is completely unrelated to that consumer’s game purchases or use. The business would not be considered a data broker with respect to the personal information collected directly from the consumer for the video game, but it would be considered a data broker for the personal information it independently bought and sold to third parties.
- Direct Relationships Can Expire: The interaction with the business must occur within the preceding three years. If a consumer purchased a product or service from a business in the distant past, the business may no longer be considered to have a direct relationship with the consumer.
- Privacy Rights Requests Do Not Create a “Direct Relationship”: A direct relationship is not created when a consumer submits a privacy rights request or the business verifies the consumer’s identity for purposes of fulfilling the request.
What is the CPPA trying to accomplish?
To explain the shift in the definition of a data broker, the agency said it is concerned that industry has been interpreting the concept of a “direct relationship” too broadly. Here are some concerns the CPPA raised in its final statement of reasons responding to comments submitted during the rulemaking process:
- To close a “loophole”: In its Final Statement of Reasons (FSOR), the CPPA argues that companies are using any interaction with the consumer to create a “loophole” that allows the company to avoid registering as a data broker entirely. Here’s how the CPPA stated its position that a business can simultaneously have a first-party and third-party relationship with a consumer: “To interpret the law otherwise would allow businesses to leverage any single interaction (even if such interaction is superficial or misleading) the consumer has with any component of their business—no matter how fleeting or passive—as a means to forever broker their personal information without necessarily having to register as a data broker.”
- To enable deletion of third-party data: The CPPA asserts in the FSOR that this regulation provides the only way to enable consumers to exercise deletion rights over third-party data held by consumer-facing businesses: “Under the CCPA, consumers are not able to delete ‘incidental’ data that originate from someone other than the consumer. Consumers may only request to delete personal information they have provided directly to the business. If consumers are not allowed to take advantage of the protections afforded under SB 362, they will have no way to delete this ‘incidental’ data and will have less control over their personal information than other consumers.”
- To promote transparency: The CPPA explains that “the proposed definition … increases transparency by clarifying that businesses who collect and sell personal information about consumers outside of a direct relationship with the consumer are still required to comply with the law’s registration and reporting requirements.”
What steps can companies take to determine if they must register as a data broker?
Businesses can take a couple of steps to determine whether and how the CPPA’s data broker regulations affect them. One step is to take a fresh look at data flows involving data purchased, licensed, or otherwise accessed from third-party sources, with the aim of understanding whether that data is sold onward to third parties. This inquiry may involve augmenting existing maps describing how a business collects, uses, and may disclose third-party data.
Second, businesses that sell personal information should consider whether they have a “direct relationship” with the consumer, as newly defined by the CPPA. This analysis may include reviewing the length of the consumer relationship and the source(s) of the personal information that is sold.