As we've discussed here, data brokers have been in the hot seat lately, with the enactment of new state data broker registry laws, aggressive enforcement by the FTC, a looming rulemaking by the CFPB to extend the FCRA's reach to a broader class of data brokers, multiple federal bills to restrict data broker sales, and a recent meeting at the White House to discuss “harmful data broker practices” and provide further impetus for regulation.
Among the most significant of these developments is California's SB 362 – a data broker bill that goes well beyond the registration requirements contained in California's existing data broker law. Proposed earlier this year, SB 362 met with various twists and turns all summer, including strenuous opposition from industry members. However, yesterday (on the last day of the legislative session), the California Senate gave the bill final approval, concurring in the version passed by the California Assembly.
Now the law is on its way to the Governor Newsom for signature, and there have been no signs that he'll veto it. Indeed, the bill's chief sponsor, state Senator Josh Becker, has said that, while he hasn't reached out to the governor, he expects the governor to sign. Others have surmised that Newsom will sign in light of the prominence of privacy in the Golden State, as well as concerns about data brokers' collection and sale of reproductive health care data (an issue referenced in Section 3 of the bill).
What's Does SB 362 Require?
Although the bill was amended throughout the legislative process, the core requirements remain largely the same. In brief, SB 362 expands California's current data broker law by allowing consumers to delete their data and limit the further sale or sharing of it, and requiring data brokers to undertake new disclosure, recordkeeping, and audit requirements. Some provisions will take effect in 2024 but most will be delayed until 2026. Specifically, SB 362:
- Requires data brokers to register with the California Privacy Protection Agency (CPPA), pay a fee, submit detailed information, provide detailed disclosure to consumers, and comply with new recordkeeping requirements (expanded requirements phased in during 2024):
- Requires the CPPA to create an “accessible deletion mechanism” where consumers can at no cost direct some or all data brokers to delete all of their information (beginning in 2026);
- Requires data brokers to continue to delete any new information received about the consumer every 45 days (2026);
- Requires any data broker that receives a deletion request not to sell or share any new personal information about the consumer unless the consumer requests it (2026);
- Allows “authorized agents” to assist consumers in making deletion requests (also 2026);
- Requires data brokers to undergo independent compliance audits every three years (beginning in 2028); and
- Authorizes penalties and administrative costs for noncompliance, including $200 for each day a data broker fails to register and $200 “for each deletion request for each day the data broker fails to delete information” as required. (These sanctions kick in as each of the above requirements become effective.)
Of significance, the term “data broker” is defined broadly as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship” (though it excludes entities covered by the Fair Credit Reporting Act (FCRA), the Gramm Leach Bliley Act, the Health Insurance Portability and Accountability Act, and a California insurance law). As result of this broad definition, the bill extends not just to data brokers as they are commonly understood, but to many members of the advertising industry as well.
What Did Opponents Argue?
In a website created for the purposes of opposing SB 362, industry members pointed to the many beneficial support services they provide – such as stopping fraud targeting companies and the government; verifying identities for the administration of unemployment and nutrition programs; identifying potential donors for political and charitable campaigns; and allowing small businesses to compete and reach a larger customer base. They also stated that the California Consumer Privacy Act already covers data brokers and provides a full set of transparency and deletion rights to consumers as to these entities. These arguments didn't carry the day, although the bill garnered a chunk of “no” votes in the California Assembly.
Why is this Significant?
As discussed in our prior posts on this subject, policymakers at the federal and state levels have debated for years whether to impose new statutory and/or regulatory requirements on data brokers, citing the sensitive nature of the information and profiles that they sell, the use of this data in making consequential decisions about consumers, and the invisibility of most data brokers to the public. However, to date, data broker-specific legislation has largely been limited to the FCRA and to the state data registry requirements now in effect in four states (though data brokers fall within many privacy laws of general applicability, of course).
The new requirements in SB 362 raise the potential that large numbers of consumers might opt out of the collection and sale by data brokers (broadly defined), whether on their own or through “authorized agents.” Thus, while the law confers significant new privacy rights on consumers, it also could substantially impact the data broker and advertising industries and the many businesses and services that rely on them. In addition, because California typically leads the states on privacy issues, it's possible that other states will follow suit, amplifying these effects considerably.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.