By: Linda L. Goodman
On July 5, 2024, the California Privacy Protection Agency (“Agency”) announced a notice of proposed rulemaking and draft regulations aimed at implementing the DELETE Act. This act mandates that “data brokers”—entities that collect and sell personal information—must register with the CPPA and disclose specific details on their websites and to the agency itself.
The Agency announced its rulemaking process seeks to clarify common questions and resolve obstacles related to the DELETE Act’s registration requirements. The proposed regulations largely address administrative matters, such as the procedures for fee payments, prorations, and refunds. However, they also offer important clarifications on key definitions and registration requirements. The proposed regulations do not yet tackle the Agency’s mandate to establish a single, accessible mechanism by January 1, 2026, which will allow consumers to request the deletion of their personal information from all registered data brokers.
The DELETE Act defines “data brokers” as businesses that collect and sell personal information about consumers with whom they do not have a “direct relationship.” The proposed regulations expands this definition to mean a situation where a consumer interacts with a business to obtain, access, purchase, or request the business’s products or services within the past three years. Importantly, the Agency has expanded businesses are still considered data brokers if they have a direct relationship with a consumer but sell information that was not directly collected from that consumer. This clarification will help businesses understand their obligations under the Act.
Under the DELETE Act, data brokers must disclose if they collect personal information from minors. The proposed regulations specify that a minor is a consumer who is known to be under 16 years of age.
The DELETE Act requires data brokers to disclose the collection of reproductive health care data. The proposed regulations update the definition of reproductive health care data as:
- Information about consumer interactions with goods or services related to reproductive health, such as contraception, fertility treatments, and sexual health services. This also includes precise geolocation data related to such treatments.
- Information on sexual history and family planning, including data shared on dating apps about sexually transmitted infections or family planning desires.
- Inferences about the consumer based on the above information.
The proposed regulations mandate that any business meeting the definition of a “data broker” must register individually, regardless of its parent or subsidiary status. This means that both parent companies and their subsidiaries that qualify as data brokers must register separately with the CPPA, even if a parent or subsidiary entity is already registered. Alternatively, this rule might clarify that if a registered data broker has a related entity also classified as a data broker, each entity must fulfill its own registration requirements.
The CPPA is currently soliciting public feedback on these proposed regulations. Comments can be submitted until August 20, 2024, via email at regulations@cppa.ca.gov.
______________________________________________________________________
This article is a publication of The Goodman Law Firm and is intended to provide information on recent legal developments and it is not intended to be and should not be relied on as legal advice for any particular matter. This article does not create an attorney-client relationship, nor should it be construed as legal advice or an opinion on specific situations. This may constitute “Attorney Advertising” under the Rules of Professional Conduct and under the law of other jurisdictions.
Linda L. Goodman is the founder of The Goodman Law Firm, concentrating its practice in internet business and law. Her firm’s clients include Advertisers, Affiliates, Affiliate Networks, and ISP’s.
© 2024 TGLF, A.P.C.