Data Broker Registration and the California Privacy Rights and Enforcement Act of 2020

There is one certainty about the California Consumer Privacy Act of 2018 (CCPA): Today’s CCPA is not going to be next year’s CCPA. The volume and velocity of changes to the CCPA and the lack of substantial guidance regarding it promise to make for an interesting 2020 as companies begin their implementation of privacy compliance for this new regulation.

First, under a requirement recently introduced into the CCPA, “Data Brokers” must register with the California Attorney General. This new requirement is similar to Nevada’s new data privacy law (SB220), which applies to parties that sell personal data as part of their business model. And while many of the Assembly Bill amendments to the CCPA signed in October by the California governor reduce certain CCPA obligations for a period of time, the Data Broker obligation is new.

Under California Assembly Bill 1202, if “a business knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship,” the business has to register as a data broker with the California Attorney General. The registration consists of providing the business name, primary physical address, internet website and email. Consumer reporting agencies and financial institutions are excluded from the regulation. The Attorney General will make the data broker information publicly available online to consumers.

What defines a “direct relationship”?

AB 1202 does not define what “direct relationship” means but does give various scenarios of how a direct relationship can be formed. One way is through the consumer’s direct visit to, or patronage of, the business’s premises or website. A direct relationship can also occur if the consumer “affirmatively and intentionally” interacts with the organization’s online advertisements.

What, if any, is the potential impact of the registry?

It is estimated that, with the increased visibility provided by the registry, data brokers are likely to face a higher volume of consumer rights requests under the CCPA. Arguments in favor of AB 1202 were sent via letter to the California Senate Appropriations Committee. The letter asserted the bill would allow consumers to quickly “identify and contact these companies” and “make it easier for consumers to exercise their new privacy rights” under the CCPA.

The registry reflects the heightened visibility and awareness, among consumers and businesses alike, surrounding the handling of consumer data. The registry will also likely increase the focus of the media and regulators on these organizations.

Should businesses be concerned about the California Privacy Rights and Enforcement Act of 2020 (CPREA)?

Alastair Mactaggart proposed, via ballot initiative, a set of additional considerations and recommendations for CCPA version 2, the CPREA:

  1. Increased transparency over how consumer data is used in ads and marketing
  2. Expanded consent and opt-out rights, many similar to the GDPR
  3. Required security assessments and privacy audits
  4. Introduction of a new privacy protection agency with regulatory enforcement, among other things.

Organizations should take notice of this ballot initiative for a few reasons. First, Mactaggart has stated the CCPA is insufficient since companies are actively seeking to weaken the CCPA. Second, the initiative will need around 623,312 valid signatures of California registered voters by the summer of 2020. The initial CCPA ballot initiative collected enough signatures to appear on the 2018 ballot until initiative backers agreed to a compromise. With the continued awareness surrounding consumer privacy issues, coupled with Mactaggart’s demonstrated ability to obtain the signatures required for the privacy initiative back in 2017, it seems highly probable that the required signatures will be obtained. Third, at a recent privacy conference, Mactaggart indicated that the initiative is “polling in the 90s.”

Conclusion

The privacy landscape is changing at a rapid pace. Protiviti encourages businesses to adopt comprehensive privacy compliance efforts that are not specific to privacy regulations. This type of proactive adoption allows for an objective-based approach to a rapidly evolving and ever-changing privacy landscape.

We will continue to monitor developments relating to the CPREA of 2020, along with other privacy-related laws and proposed regulations.

Ron Naulls

Senior Manager
Technology Consulting – Security and Privacy