On July 5, 2024, the California Privacy Protection Agency (CPPA) requested public comments on a Notice of Proposed Rulemaking regarding Data Broker Registration pursuant to Senate Bill 362 (the Delete Act).

The Delete Act, signed into law on October 10, 2023, entered into force on January 1, 2024. The Delete Act requires the CPPA to establish an accessible deletion mechanism that, among other things, allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.

The Proposed Regulations provide:

• that the registration fee includes $400 plus any fees for processing electronic payments; and
• for the establishment of a standardized electronic payment method for registration fees.

Definitions

In addition, the Proposed Regulations define 'direct relationship' as one where 'a consumer intentionally interacts with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business's products or services within the preceding three years.' Further, the Proposed Regulations provide that 'a business is still a data broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer.'

Notably, the Proposed Regulations consider 'reproductive health care data' as:

• information about a consumer searching for, accessing, procuring, using, or otherwise interacting with goods or services associated with the human reproductive system;
• information about the consumer's sexual history and family planning, which includes information a consumer inputs into a dating app; or
• inferences about the consumer with respect to the two above provisions.

Registration requirements

Regarding the registration requirements of data brokers, the Proposed Regulations provide that:

• each data broker business, regardless of status as a subsidiary or parent company to another business, is required to uniquely register;
• employees or agents for a data broker business register on behalf of the data broker and have sufficient knowledge of their practices to provide accurate information; and
• a data broker cannot amend or withdraw a completed registration after January 31, subject to exceptions.

On registration itself:

• all website links and email addresses must be accurate and functioning;
• data brokers must provide the CPPA with a point of contact, including name, email, and phone number; and
• where the data broker is regulated by other laws, data brokers must describe the:
  • types of personal information collected and sold subject to enumerated laws;
  • specific products or services covered by enumerated laws; and
  • approximate proportion of data collected and sold subject to enumerated laws in comparison with their total annual data collection and sales.

Data brokers may also contact the CPPA electronically in writing to update their current registration to reflect a change in:

• name, email, or phone number of the point of contact;
• the data broker's public-facing contact information; or
• the data broker's public-facing website addresses.

Public comments may be sent to [email protected] until August 20, 2024.

You can read the press release here, the Notice of Proposed Rulemaking here, and the Proposed Regulations here.