CCPA Alert: Thousands of companies have missed this important CCPA deadline; Has yours?

Written By KEN SCHWARTZ

You’ve probably heard of California’s new privacy law, the California Consumer Privacy Act of 2018, but you may not know that an important deadline in its implementation has already passed.  Friday, January 31st was the deadline for data brokers to register with California’s Data Broker Registry without threat of penalty.  

A review of California’s publicly available registry shows that, as of February 4th, only 57 companies have registered. That is much less than the 243 businesses registered in Vermont, and it is nowhere near the estimated number of existing data brokers that may be required to register.  Vermont is the only other state to require data broker registration.  Vermont’s registry came into existence in 2018 and its registration and renewal periods are January 1st to 31st each year.

While these two states’ efforts to corral the largely unregulated “data broker” industry are impressive, the low numbers of companies actually registering suggest that enforcement of these privacy regulations is going to take a lot more resources. How low are the registry numbers?

The states’ respective statutes define “data broker” broadly.

The California statute defines data brokers as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. “Data broker” does not include [entities covered by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act or the Insurance Information and Privacy Protection Act]. . .” Cal. Civ. Code § 1798.99.82.

The Vermont statute defines data brokers as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” 9 V.S.A. § 2430(4).

These data broker definitions broadly encompass everything from single-employee email marketing outfits to multinational corporations. With the statutes encompassing such a broad swath of companies, the question remains why so few companies have bothered to register.

According to industry estimates, there are 3,000 – 4,000 data brokers in existence.  Data brokers are only required to register in California or Vermont if they do business in or possess the data of consumers resident in those states, but such low registration numbers could mean the compliance rate is as low as 5%.

Registration is not time consuming.  Companies need only answer a few questions about their data opt out procedures and, in Vermont only, their data security.  Registration is also not expensive. Registration costs $100 per Vermont registration and $360 per California registration.

And data brokers should note that failure to register is not without threat of penalty. In California, the penalty is $100 per day and the Attorney General’s cost of enforcement. In Vermont, the penalty is $50 per day up to $10,000 annually.

Are you familiar with the California and Vermont data broker registry or is your company one of the thousands that has failed to register?

KEN SCHWARTZ
Previous

What Companies Should Know About Illinois’ Biometric Information Privacy Act (BIPA)
Next

Updated: Why should video game companies register copyrights in their video games?