California AG Issues Advisory on CCPA and Data Broker Law

California’s Attorney General has issued a brief advisory providing consumers with an overview of their rights under the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020, as well as additional information relating to California’s new data broker law. Although the advisory offers no new guidance on CCPA requirements, it demonstrates the Attorney General’s desire to ensure that California consumers are informed of their rights under the CCPA. The advisory also serves as an important reminder of the new California data broker law, including the new requirement for companies acting as “data brokers” to file an online registration.

The advisory briefly describes consumers’ rights to know, delete, and prevent sales of their personal information, and explains that businesses may not discriminate against consumers who exercise their CCPA rights. The advisory also summarizes the thresholds an entity must meet in order to be considered a “business” subject to the CCPA, and explains that the CCPA affords consumers a private right of action if their personal information is subject to certain types of data breach.

In addition to its CCPA overview, the advisory also contains important information related to California’s new data broker law. As described in our prior client alert, this data broker law was enacted in October 2019, but received limited attention at the time given the near-simultaneous enactment of five other bills amending the CCPA. However, the law is significant and requires action on the part of those businesses that may be classified as “data brokers.”   

The data broker law – codified at Cal. Civ. Code §§ 1798.99.80 et seq. – applies to “data brokers,” which it defines as businesses that knowingly collect and sell to third parties the personal information of consumers with whom the businesses do not have direct relationships. (“Business” has the same meaning that it has under the CCPA.) 

Under the law, a data broker must register with the California Attorney General on or before January 31 following each year when it meets the requirements of the “data broker” definition. The law requires the Attorney General to make a registration website available to the public, and the Attorney General’s advisory provides a link to that registration website for data brokers. The data broker law also requires the Attorney General to create a page on its website where information provided through data broker registrations will be accessible to the public, and the Attorney General has set up this page at https://www.oag.ca.gov/data-brokers. In order to complete registration, data brokers must provide their names and contact information (including their primary physical, email, and website addresses), as well as any additional information they wish to provide regarding their data collection practices. Data brokers must also pay an annual registration fee. Any data broker that fails to register may be subject to a civil penalty of $100 for each day it remains unregistered, along with other penalties, fees, and costs.  

Although California’s new data broker law is separate from the CCPA, it is also related to the CCPA because both of these laws seek to give consumers greater visibility concerning the companies that process their personal information.

For additional thought leadership and compliance tools on these topics, please visit MoFo’s CCPA Resource Center.