TCPAWorld has talked about the CPPA before, but it appears the agency is not going to rest on its laurels.
The California Privacy Protection Agency (“CPPA”) published their Notice of Proposed Rulemaking (“NPRM”) on July 5th. The NPRM is focused on the CPPA’s work around “data brokers” and the requirements that data brokers register with the CPPA under what is being referred to as the “Delete Act” (“Act”).
In January 2024, the CPPA administered California’s first data broker registration process. During the registration process, the CPPA noticed some common question around the registration process. The NPRM is being proposed to answer some of those common questions.
As a reminder, with some exceptions, “data broker” is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” This definition is fairly broad.
The proposed regulations, among other things:
- Add the ability for the CPPA to charge data brokers “associated third party fees for processing electronic payments” in addition to the $400 annual fee to register.
- Added the following definitions:
- “Direct relationship” means that a consumer intentionally interacts with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business’s products or services within the preceding three years. A consumer does not have a “direct relationship” with a business if the purpose of their engagement is to exercise any right described under Title 1.81.5 of Part 4 of Division 3 of the Civil Code, or for the business to verify the consumer’s identity. A business is still a data broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer.
- “Minor” means a consumer the data broker has actual knowledge is less than 16 years of age. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.
- “Register” means when a data broker or its agent submits all the information required by section 7603 and pays the annual registration fee required by section 7600.
- “Registration period” means January 1–31 of each calendar year.
- “Reproductive health care data” means any of the following:
- Information about a consumer searching for, accessing, procuring, using, or otherwise interacting with goods or services associated with the human reproductive system, which includes goods such as contraception (e.g., condoms, birth-control pills), pre-natal and fertility vitamins and supplements, menstrual-tracking apps, and hormone-replacement therapy. It also includes, but is not limited to, services such as sperm- and egg-freezing, In Vitro Fertilization, abortion care, vasectomies, sexual health counseling; treatment or counseling for sexually transmitted infections, erectile dysfunction, and reproductive tract infections; and precise geolocation information about such treatments.
- Information about the consumer’s sexual history and family planning, which includes information a consumer inputs into a dating app about their history of sexually transmitted infections or desire to have children is considered sexual history and family planning information.
- Inferences about the consumer with respect to (1) or (2).
- Clarifies that any business that independently meets the definition of “data broker” for any period of time during the previous calendar year is required to register. That registration must be completed by an employee or agent of the data broker who has sufficient knowledge to provide accurate information.
- Require that information provided during registration must be true and accurate with working website links and email addresses.
- Clarifies how and when a data broker can be removed from the registry or have their information updated by the CPPA.
- Requirements for website disclosures.
The CPPA states that these proposed regulations increase the level of transparency around data brokers and “result in efficiencies and consistency in the data broker registration process and the information made available to the public.”
The CPPA’s website has more information on the proposed regulations. And, as always, TCPAWorld will be staying on top of it.