In the past month, the California Privacy Protection Agency (CPPA) announced that it was beginning a public investigative sweep of data broker regulatory compliance and reached settlements with two data broker companies just a couple weeks after. The CPPA Board also voted to adopt new data broker registration rules that would go into effect on January 1, 2025 (pending approval by the Office of Administrative Law).

The CPPA first announced the two data broker settlements in a November 14 press release published on its website. As previewed in the investigative sweep announcement just two weeks prior, the Agency alleged that Growbots, Inc. and UpLead LLC failed to register and pay the annual fee and imposed the $200 per day fine for failing to register for the deadline. This enforcement resulted in a $35,400 fine for Growbots for 177 days of noncompliance (February 1–July 26, 2024) and a $34,400 fine for UpLead for 172 days (February 1–July 21, 2024).

In this post, we summarize key takeaways from the CPPA’s most recent public investigative sweep and regulations regarding data brokers. To continue tracking the latest developments in California privacy law, please be sure to subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.

Key Takeaways

1. Data brokers must register annually or face progressive fines. The California Attorney General maintained the state’s Data Broker Registry before the Delete Act officially transferred the responsibility to the CPPA at the beginning of 2024. The CPPA now maintains the Data Broker Registry and requires that a business that operated as a data broker in the previous calendar year—that is, it acted as “a business that knowingly collect[ed] and s[old] to third parties the personal information of a consumer with whom the business d[id] not have a direct relationship” — register by January 31. The annual fee to register as a data broker is $400. For businesses that fail to register by the deadline, the CPPA can impose a progressive penalty of a $200 fine for every day of noncompliance after the deadline. As demonstrated in the Growbots and UpLead actions, fines can begin to accumulate starting on February 1.
2. The Data Broker Registry highlights specific data activities, such as a business’s collection and use of: minors’ data, reproductive healthcare data, and precise geolocation data. Just a scroll through the CPPA’s Data Broker Registry illustrates its attention on specific types of sensitive data, which were also a focus in its most recent rulemaking effort for data broker registration regulations. These regulations, if approved, are set to become effective by January 1, 2025. Among other things, they define a minor as “a consumer the data broker has actual knowledge is less than 16 years of age” and establish a broad definition for “reproductive health care data” that includes information about contraception; fertility vitamins and supplements; precise geolocation information for treatments related to reproductive health; and “[i]nformation about the consumer’s sexual history and family planning, which includes information a consumer inputs into a dating app about their history of sexually transmitted infections or desire to have children [and related inferences].” A business must specifically disclose this detail in their registration if they collect and sell this sensitive data to any to third parties. These data practices are called out in the public-facing registry. 
3. New obligations are coming down the pike for data brokers. Not only will businesses have to comply with the new regulations (e.g. additional disclosures regarding data that is governed by federal laws like the Fair Credit Reporting Act and the Confidentiality of Medical Information Act, requirements for parent and subsidiary companies to submit separate data broker registrations, etc.), they will also have to track the rollout of the CPPA’s Data Broker Requests and Opt-Out Platform (DROP). DROP is considered to be a universal deletion mechanism that will allow consumers to submit a single request that would direct all data brokers to delete their personal information and require continuous deletion every 45 days. The CPPA is currently developing DROP and is expected to release it by January 1, 2026. This initiative is funded, at least partially, by the Data Broker Registry registration fees, according to its latest press release about the actions against Growbots and UpLead.