In 2019, the nation’s first registry of data brokers went online after Vermont’s data broker registry went into effect. In October, California followed suit when Governor Newsom signed AB 1202 – the Data Broker Registration Act.
In enacting the bill, the legislature explained:
Companies regularly and systematically collect, analyze, share, and sell the personal information of consumers. While this data collection provides consumers various benefits, public fears about the widespread, unregulated amassing of personal information have only grown since privacy was made a part of California’s Constitution. One particularly troubling area of this systematic data collection is the emergence of data brokers that collect this data without having any direct relationship with the consumers whose information they amass.
In order to bring this industry into the light and more fully inform consumers about who is collecting their personal information and how, this bill establishes a data broker registry.
The law defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The law exempts federally regulated entities like financial institutions, credit reporting agencies, and insurers.
Data brokers must register by January 31st of each year and pay a fee “in an amount determined by the Attorney General, not to exceed the reasonable costs of establishing and maintaining” a link containing the registry on the Attorney General’s webpage.
Failure to register will result in the data broker being assessed:
- a civil penalty of $100 per day;
- fees that were due during the period it failed to register; and
- expenses incurred by the Attorney General in the investigation and prosecution of the action as the court deems appropriate.