In the flurry of bills relating to the California Consumer Privacy Act (CCPA), the California Legislature also enacted a law requiring data brokers to register, following a similar (but not identical) law in Vermont (see, https://iapp.org/news/a/analysis-vermonts-data-broker-regulation/) and attention by Congress, the FTC and advocates to data brokers in prior years (https://iapp.org/news/a/ftc-calls-for-legislative-action-to-regulate-data-brokers/). California lawmakers placed the broker law right before CCPA in the California Civil Code and clarified in Cal. Civ. Code §1798.99.88 that “Nothing … shall be construed to supersede or interfere with the operation of the California Consumer Privacy Act.”

Under the new California law, data brokers have to register every year on or before January 31 with the California Attorney General. Some commentators have argued that the law might not take effect until January 2021, but the California Attorney General has opened the registration website and more than 50 companies are already registered today. You can access the full list here, and find some highly regarded brands as well as some (but, interestingly, not all) of the companies that have made headlines in the previous controversies around data broker regulation. One of the “big four” accounting and consulting firms is on the list. Newspaper publishers are not.

Media companies, healthcare providers and other organizations that enjoy some exemptions and deferrals regarding CCPA obligations will not find similar exceptions in the new California data broker registration law, which expressly exempts consumer reporting agencies that are subject to FCRA, financial institutions that are subject to GLBA, and certain organizations in the insurance sector that are subject to the California Insurance Information and Privacy Protection Act.

Who has to register as a data broker in California?

The new law borrows many of the counter-intuitive and overbroad definitions from the CCPA, including “business,” “consumer,” “personal information” and “sale.” Companies that exchange employee or business contact information with affiliates or other business partners for consideration (monetary or other) may qualify as a business that sells personal information under CCPA. Companies that do not sell personal information for CCPA purposes do not have to register as a data broker. But the reverse is not necessarily true: Not every company that has had to place the “do not sell my personal information” link on its website since January 1, 2020 has also had to register as a data broker since January 31, 2020.

“Data broker means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” (Cal. Civ. Code §1798.99.80[d]). The term “direct relationship” is not defined in the CCPA or the data broker law. The term was also added to the CCPA in late 2019 in connection with an exception from the requirement to establish a toll-free number for any “business that operates exclusively online and has a direct relationship with a consumer” (Cal. Civ. Code §1798.130.[a][1][A]).

Personally, I am not sure that I know many businesses that “operate exclusively online.” In everyday language, online means connected to a computer or telecommunications system, such as the Internet (www.merriam-webster.com/dictionary/online) or a phone line. Offline means the opposite – not connected to computers or telecommunications. Offline operations traditionally rely on brick, mortar, in-person interactions and snail mail. Most of my clients have offices and employees even if they conduct some of their business via websites or mobile apps. Their employees, independent contractors and individual representatives of corporate vendors meet each other in person – “offline.” They receive and send paper mail to each other, to government authorities, and to business partners. And, most still call each other on the phone now and then, as well as vendors and business partners, too. Even after the various amendments, the CCPA still refers to employees and business representatives as “consumers.” How, then, can any business operate “exclusively online”?

Perhaps the California Legislature meant to exempt businesses that communicate with real consumers (as this term is understood in everyday language) only via websites and apps, and not normally via phone, but that remains unclear. Companies will have to take positions on what it means to “operate exclusively online” under CCPA.

Companies will also have to take positions on what it means to have a “direct relationship” with a person. A relatively easy case is that of persons who have executed sales, purchase, services or employment contracts with a business; such persons have a direct contractual relationship with the business. Persons who purchased the business’s products or services from retailers or other third parties may also have a direct contractual relationship with the business itself, because the product may come with a warranty card or software shrink-wrap license agreement. Also, a person who uses a business’s products or services may form a direct communication or legal relationship regardless of contract flows. Persons who work for a company that has a relationship with the business may directly interact and thus have a direct relationship with the business. Persons who visit a business’s website are deemed to accept website terms of use and licenses and thus form a direct contractual relationship. Persons who click on or perhaps just view a business’s advertisements may be said to form a direct relationship of mutual interest. Direct relationships may also follow from deliveries of privacy notices, which the CCPA regulations require. Moreover, pre- and post-contractual relationships come with particular legal obligations and qualify as ‘direct.’

The Vermont data broker law provides examples (for illustration, not enumerative) of what counts as a “direct relationship” back East for a business that sells personal information of consumers: “if the consumer is a past or present: (i) customer, client, subscriber, user, or registered user of the business’s goods or services; (ii) employee, contractor, or agent of the business; (iii) investor in the business; or (iv) donor to the business.” (Ch. 62. § 2430(4)(B). H.764, Act 171, https://legislature.vermont.gov/bill/status/2018/H.764). Of course, the definitions in the Vermont statute do not apply in California. Also, they appear in a different legislative context, as the Vermont law contains different definitions and substantive obligations.

With respect to California, every business has to form its own views on where to draw the line with respect to what counts as a “direct relationship” for purposes of complying with the new data broker registration law, as well as regarding the exception from toll-free numbers in the CCPA (Cal. Civ. Code §1798.130[1][A]) and the various new obligations on companies that collect personal information from sources other than “directly” from the consumer under the draft CCPA regulations. Every business is in a different position in this respect. Scenarios and nuances vary quite a bit depending on companies’ business models, contract flows and communication methods.

Companies that have had a “do not sell my personal information” link on their website since January 1, 2020 should accelerate their assessment of whether they also have to register as a data broker. According to Cal. Civ. Code §1798.99.82.(c)(1), a data broker that fails to register as required is subject to injunction and is liable for civil penalties, fees, and costs in an action brought in the name of the people of the State of California by the Attorney General, including a civil penalty of $100 for each day the data broker fails to register, fees that were due during the period it failed to register, and expenses incurred by the Attorney General in the investigation and prosecution. Any penalties, fees, and expenses recovered in an action shall be deposited in the Consumer Privacy Fund.

Author

Lothar has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto.