California recently passed a groundbreaking new law aimed at further regulating the data broker industry. California is already one of only three states (along with Oregon and Vermont) that require data brokers—businesses that collect and sell personal information from consumers with whom the business does not have a direct relationship—to meet certain registration requirements.
Under the new law, the regulation of data brokers—including the registration requirements—falls within the purview of the California Privacy Protection Agency (CPPA) and requires data brokers to comply with expanded disclosure and record keeping requirements. Notably, the law also requires the CPPA to make an “accessible deletion mechanism” available to consumers at no cost by January 1, 2026. The tool is intended to act as a single “delete button,” allowing consumers to request the deletion of all of their personal information held by registered data brokers within the state.
Putting it into practice: Businesses considered “data brokers” should carefully review the new and expanded requirements and develop a compliance plan, as certain aspects of the law (e.g., the enhanced registry requirements) go into effect as soon as January 31, 2024.