CPPA Releases Data Broker Regulations for Public Comment
On July 5, 2024, the California Privacy Protection Agency (CPPA) released a notice of proposed rulemaking and proposed regulations to implement the DELETE Act, which requires "data brokers" to register with the CPPA and to disclose certain information to the CPPA and in their website privacy policies (for more details on the DELETE Act, see our previous advisory).
The CPPA stated that it initiated this rulemaking primarily to address "common questions and occasional obstacles that indicated a need for clarification of [the DELETE Act's] registration requirements." The proposed regulations in large part address administrative issues (e.g., clarifying how fees may be paid and whether they can be prorated or refunded). However, the proposed rules also clarify key definitions, including the meaning of "direct relationship" (i.e., between businesses and consumers, to make clear which businesses will be deemed "data brokers"), "minor," and "reproductive health care data." The proposed rules also make clear that each data broker business, regardless of whether it is a subsidiary of another business, is required to register separately.
Notably, the proposed rules do not address the CPPA's obligation under the DELETE Act to establish by January 1, 2026, an "accessible deletion mechanism" for consumers "through a single verifiable consumer request" to request that all registered data brokers delete their personal information.
Below, we have summarized the most significant proposed regulations in more detail:
- New Definition of Direct Relationship. The DELETE Act defines "data brokers" as businesses that knowingly collect and sell to third parties personal information of consumers with whom the business does not have a "direct relationship." The proposed regulations define "direct relationship" to mean where "a consumer intentionally interacts with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business's products or services within the preceding three years." The proposed regulations also clarify that "a business is still a data broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer." This clarification should help businesses determine whether, when, and for how long they are covered by the Act.
- New Definition of Minor. The DELETE Act requires data brokers to disclose whether they collect the personal information of minors, which the proposed regulations clarify to mean "a consumer the data broker has actual knowledge is less than 16 years of age."
- New Definition of Reproductive Health Care Data. The DELETE Act requires data brokers to disclose whether they collect reproductive health care data, which the proposed regulations define as any of the following:
  - Information about a consumer searching for, accessing, procuring, using, or otherwise interacting with goods or services associated with the human reproductive system. This includes goods such as contraception (e.g., condoms, birth control pills), prenatal and fertility vitamins and supplements, menstrual-tracking apps, and hormone-replacement therapy. It also includes, but is not limited to, services such as sperm- and egg-freezing, in vitro fertilization, abortion care, vasectomies, and sexual health counseling; treatment or counseling for sexually transmitted infections, erectile dysfunction, and reproductive tract infections; and precise geolocation information about such treatments.
  - Information about the consumer's sexual history and family planning, which includes information a consumer inputs into a dating app about their history of sexually transmitted infections or desire to have children.
  - Inferences about the consumer with respect to any of the above information.
- Parent and Subsidiary Registration Requirement. Finally, the proposed regulations require any business that independently meets the definition of "data broker" to register, but the rules also appear to require that a business register "regardless of whether it is a subsidiary or parent of another business" that is a data broker. This suggests that even if a registered data broker has a parent or subsidiary that is not a data broker, each would still have to register with the CPPA. On the other hand, the rule may be simply "clarifying" that if a registered data broker has a parent or subsidiary that is also a data broker, then each cannot avoid registration because a parent or subsidiary entity is registered.
The CPPA is accepting written comments on the proposed regulations until August 20, 2024, which can be submitted to regulations@cppa.ca.gov.