Alert January 17, 2020

California AG Issues Advisory on CCPA Rights and Data Broker Registration Requirements

California Attorney General (AG) Xavier Becerra has issued a brief advisory that (i) highlights consumers’ basic rights under the CCPA; (ii) reminds companies of the CCPA’s threshold triggers for “businesses”; and, importantly, (iii) describes the new registration requirement for businesses that qualify as “data brokers.” The advisory does not, however, provide insight into the status of the proposed regulations, nor does it offer additional guidance on how businesses can comply with the CCPA. The advisory is intended in part to make California residents aware of their rights, but businesses may find it to be a useful reminder of the statute’s core obligations and scope.

Specifically, the advisory highlights consumers’ right to know, delete, and opt out of sales of their personal information, as well as their right to sue for damages for data breaches. The advisory also notes that not all companies doing business in California are subject to the CCPA; rather, only those meeting certain statutory thresholds are considered a “business” with direct legal obligations. (See our previous alerts here and here for more detailed information.)

The advisory also provides that businesses handling personal information of more than four million California residents will have additional record-keeping obligations. The AG’s inclusion of this requirement in the advisory, which is not found in the statute but was introduced in the proposed regulations, indicates the AG’s commitment to record-keeping and that a record-keeping requirement may be retained in the final regulations that will ultimately be promulgated.

Although technically not a feature of the CCPA, the advisory also addresses a new requirement, established in A.B. 1202, that data brokers register with the AG. A.B. 1202 broadly defines a “data broker” as a business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The law does not define what it means to have a “direct relationship,” but the AG could construe the term to include any business that collects personal information from sources other than consumers themselves for purposes of commercializing the information.

Data brokers must pay a fee and register with the AG, which will publish the registry on its website, and provide their name and primary physical, email, and internet website addresses, as well as “[a]ny additional information or explanation the data broker chooses to provide concerning its data collection practices.”

In addition to the foregoing statutory requirements, the AG’s registration form requires data brokers to provide information about how a consumer may opt out of sale or submit other CCPA rights requests, as well as how a “protected individual” can demand deletion of certain information posted online regarding elected officials or domestic violence survivors. Together, the required responses seem intended to help effectuate the CCPA’s goal of providing consumers with actionable transparency regarding downstream uses of their data. While the additional required responses in the data broker registration form may facilitate data brokers’ compliance with their obligation to offer consumers an opt out of the sale of their personal information, the additional responses again demonstrate the AG’s apparent willingness to go beyond the statute to achieve policy objectives through available tools.

Companies who may be subject to the CCPA should monitor developments, including being on the look out for additional advisories by the AG.

The CCPA took effect January 1, 2020.

To learn more about how Goodwin can help your company address privacy and cybersecurity, contact Brenda R. Sharton, partner and Chair of the Privacy & Cybersecurity practice, or Karen L. Neuman, partner and privacy lead in Washington, DC.

Goodwin's Chambers and Legal 500 ranked Privacy & Cybersecurity practice offers a fully integrated, multi-disciplinary approach to clients' data protection needs. One of the longest-standing of any Am Law 50 firm, our global team is uniquely positioned to provide the most innovative solutions to guide clients through the collection, use, processing and protection of their most sensitive information. Our senior lawyers include a former Chief Privacy Officer of the U.S. Department of Homeland Security, a Legal 500 “Leading Lawyer” and a “Next Generation Lawyer” in Cyber Law and Data Breach Response, as well as four other Legal 500 Cyber Law ranked partners, several former federal prosecutors, and multiple GDPR, CCPA, HIPAA, and COPPA experts. We have handled hundreds of data breaches, including high-profile, global incidents involving everything from ransomware to nation-state attacks; have advised on over 700 public and private transactions in the last year alone; and have designed strategic privacy, information security and compliance programs for startups, global enterprises, and everything in between. We have litigated landmark privacy cases and defended against class action and government enforcement actions brought by the FTC, OCR/HHS, state attorneys general and regulators across the globe.