California Privacy Law Plan May Ease Compliance for Data Brokers

Feb. 20, 2020, 11:00 AM

Companies that sweep up data about consumers and sell it to other firms would be getting a break under proposed rules for enforcing California’s new privacy law, attorneys said.

The companies, known as data brokers, wouldn’t need to notify consumers that they collect and sell their information, according to modified draft rules by Attorney General Xavier Becerra.

The proposal would make it easier for data brokers to comply with the California Consumer Privacy Act, which Becerra said he’ll enforce starting July 1, attorneys said.

The change “solves one big problem that data brokers have, which is the difficulty of providing a notice at the time of collection,” said Odia Kagan, a partner at Fox Rothschild LLP who advises companies on compliance with data protection issues.

The companies collect data about consumers, with whom they don’t have a direct relationship, from public records, social media, or commercial sources. They then sell the information to other firms, including advertisers, lenders and people finders.

A data broker would not have to provide a “notice at collection” to consumers as long as it submits a state registration that includes a link to its privacy policy, under revisions to Becerra’s proposal released earlier this month. The privacy policy must tell consumers how they can opt out of the sale of their data, according to the revisions.

Becerra’s office is taking comments on the proposed rules through Feb. 25.

Data brokers already are required to register with Becerra’s office under a separate California law. More than 140 companies have registered with the office.

The proposed revisions “doubled down on the fact that data brokers really need to register” with the attorney general’s office, said Gary Kibel, a partner at Davis & Gilbert LLP, who counsels companies on privacy, data security, and advertising matters.

Prior Version

Under the proposed regulations initially released in October, businesses that indirectly collect consumers’ personal data could contact consumers directly to give notice that the business sells personal information about them.

The business would have to provide the individual with a notice of the right to opt out of the sale. That option would be nearly impossible for most data brokers, which by definition don’t have a direct relationship with consumers, attorneys said.

The second option for brokers, under the older version, was to get in touch with the source of the personal information to confirm that the entity had provided a collection notice to the consumer. The data broker would have to get “signed attestations” from the source with details on how that company gave the notice, as well as an example of the notice. The data broker would have to retain the attestations for at least two years.

Some businesses would be able to comply with that requirement, but it would be difficult for many to implement because there can be many data streams going to and from a broker, attorneys said.

The previous requirements “created a loose way for the broker ecosystem to police itself,” said Thomas Codevilla, a partner at SK&S Law Group where he focuses, among other things, on data privacy and security. “The regulations ease those burdens.”

To contact the reporter on this story: Sara Merken in Washington at smerken@bloomberglaw.com

To contact the editor responsible for this story: John Hughes at jhughes@bloomberglaw.com; Keith Perine at kperine@bloomberglaw.com
