The CPPA’s Hunt for Unregistered Data Brokers
The California Privacy Protection Agency (“CPPA”) has ramped up enforcement efforts under the California Delete Act. In the span of a month, the agency announced an investigative sweep, proposed updates to the law’s implementing regulations, and reached settlements with two unregistered data brokers.
This post explores the CPPA’s recent actions, clarifies what the California Delete Act requires of data brokers, and outlines what your organization should know about changes to the data broker registration rules and the CPPA’s enforcement priorities.
The CPPA Takes Over Supervision of Data Brokers Under the Delete Act
The California Delete Act amended California’s existing data broker registration statute to shift enforcement responsibility to the CPPA and to impose various new requirements on data brokers. Under that statute, a data broker is any entity that qualifies as a “Business” under the California Consumer Privacy Act that knowingly collects and sells personal information about consumers with whom it does not have a “direct relationship.”
Under the Delete Act, data brokers must register with the CPPA by January 31 of the year following any year in which the business operates as a “data broker” as defined in the statute. Data brokers must also pay an annual registration fee (which will increase from $400 in 2024 to $6,600 in 2025).[1] Data brokers that fail to register face fines of $200 per day.
When registering with the CPPA, data brokers are required to submit a form providing detailed information about their operations, including:
- Contact information (name; physical, email, and website addresses).
- Metrics regarding the number of consumer rights requests and deletion requests that they received, complied with (in whole or in part), and denied (in whole or in part and the basis for denial) during the prior calendar year, as well as the average number of days it took to respond.
- Whether they collect minors’ personal information, precise geolocation, or reproductive healthcare information.
- A link to a webpage on the data broker’s website that explains how consumers may exercise their consumer privacy rights.
- Whether and to what extent they are regulated by the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), the Health Insurance Portability and Accountability Act (“HIPAA”), California’s Insurance Information and Privacy Protection Act, or California’s Confidentiality of Medical Information Act.
The CPPA publishes the data broker’s registration information on the California Data Broker Registry, which specifically calls attention to data brokers that collect reproductive healthcare information, precise geolocation, and/or minors’ personal information.
Beginning in 2026, the Delete Act will also require all registered data brokers to comply with deletion requests from the CPPA’s new deletion mechanism, the Data Broker Requests and Opt-Out Platform (“DROP”). DROP will allow a consumer to direct all data brokers to delete their personal information in a single request. The CPPA is expected to release DROP on its website beginning January 1, 2026.
New Regulations Are Coming
Having taken over the oversight of data brokers under the Delete Act, the CPPA recently announced new proposed data broker regulations. If approved, these new regulations will take effect on January 1, 2025.
Key features of the proposed regulations include:
- A problematic definition of the term “direct relationship.” The new regulations introduce a definition of the term “direct relationship,” as used in the definition of the term “data broker.” That definition problematically states that a business that has a direct relationship with a consumer who intentionally interacts with the business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business’s products or services may still qualify as a data broker if it also sells information collected about that consumer that the business did not collect directly from the consumer. That definition could drastically expand the universe of “data brokers” required to register under the Delete Act.
- A broad definition of “reproductive health care information.” The new regulations broadly define “reproductive healthcare information” to include information or inferences about a consumer “searching for, accessing, procuring, using or otherwise interacting” with both goods and services related to reproduction (e.g., condoms, birth control pills, pre-natal vitamins, menstrual-tracking apps, treatment or counseling for sexually transmitted infections). The definition also includes information or inferences about the consumer’s sexual history and family planning. The definition specifically calls out information a consumer inputs into a dating app about “their history of sexually transmitted infections or desire to have children.” This broad definition could ratchet up the number of data brokers required to report that they collect “reproductive health care information” on the California Data Broker Registry.
- Additional disclosures. The new regulations will require data brokers to provide additional disclosures about data that is governed by federal laws such as the FCRA, GLBA, and HIPAA.
- Separate Registrations. The new regulations will require parent companies and subsidiaries to register separately.
Enforcement is Already Underway
The Delete Act empowers the CPPA to enforce data broker registration requirements and compliance with other aspects of the Delete Act. And the agency is actively using that power.
On October 30, 2024, the CPPA’s Enforcement Division announced a public investigation of data broker compliance with the California Delete Act. Not long thereafter, the agency announced its first two settlements with businesses for failing to register with the agency: Growbots and UpLead.
Growbots, an outbound sales platform, must pay the CPPA Enforcement Division $35,400 for allegedly failing to register between February 1 and July 26, 2024. UpLead, a B2B lead generator, must pay $34,400 for allegedly failing to register between February 1 and July 21, 2024.
Both companies also agreed to injunctive terms and to pay all attorneys’ fees and costs resulting from any Delete Act non-compliance.
Those settlements, combined with the CPPA’s announcement of its investigative sweep of data broker compliance with the Delete Act, signal that the CPPA has unregistered data brokers in its crosshairs and that enforcement of the Delete Act is a priority.
*****
The CPPA’s recent activity underscores the importance of evaluating whether the Delete Act applies to your organization. With the 2025 registration period approaching, organizations should take proactive steps to determine their status under the California Delete Act, register with the CPPA when necessary, and implement appropriate processes to comply with the law’s requirements.
If you would like assistance determining whether the California Delete Act applies to your organization, or want to discuss strategies for complying with its requirements, please contact any member of the Wyrick Privacy and Data Security team.
[1] The CPPA claims that steep increase is to account for costs associated with implementing the Delete Act and developing the Delete Request and Opt-out Platform requirements (“DROP”).