CPPA’s Enforcement Division to Review Data Broker Compliance with the Delete Act

News:

SACRAMENTO – The Enforcement Division of the California Privacy Protection Agency (CPPA) is conducting a public investigative sweep of data broker registration compliance under the Delete Act. This law requires data brokers to register with the CPPA and pay a fee annually. CPPA’s Enforcement Division will take appropriate actions against data brokers that have failed to comply.

A data broker, by law, is “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” From 2020 through 2023, the California Attorney General maintained the data broker registry; the Delete Act shifted this responsibility to the CPPA effective January 1, 2024. Covered businesses must register by January 31 if they operated as a data broker during the previous year. The penalty for failing to register by the deadline is $200 per day.

“Californians have a right to know who is trafficking in their personal information. That’s why California law requires data brokers to register,” said CPPA’s head of enforcement, Michael Macko. “For data brokers skirting the law, the fine increases with each passing day. Our Enforcement Division will seek to recover this fine because it’s unfair to the data brokers who have complied with their obligations.”

In addition to the annual registration requirement, data brokers must:

  • Disclose the number of consumer deletion requests and the average response time to the requests
  • Report if they collect the personal information of minors, reproductive healthcare data, and precise geolocation data
  • Provide a link on their website informing consumers of their rights under the California Consumer Privacy Act

“The immense volume of personal information sold by data brokers can pose a significant threat to Californians’ privacy,” said CPPA Executive Director Ashkan Soltani. “It’s crucial for data brokers to register with our Agency, so the public can be informed and empowered to exercise their rights. And starting in 2026, these rights will be even stronger with the new deletion mechanism.”

The Delete Act also requires data brokers to pay an annual fee which funds the registry and the development of a first-of-its-kind deletion mechanism. The mechanism, currently in development, is called the Data Broker Requests and Opt-Out Platform (DROP). Once established, the DROP will allow a consumer to, in a single request, direct all data brokers to delete their personal information. In addition, they will be required to continuously delete the consumer’s personal information every 45 days. DROP will be available to consumers in 2026. Consumers can access the data broker registry on CPPA’s website, and you can submit a complaint to the Agency if you know about a data broker who has failed to register.

About Us

The California Privacy Protection Agency (CPPA) is committed to promoting the education and awareness of consumers' privacy rights and businesses' responsibilities under the California Consumer Privacy Act.

Individuals can visit privacy.ca.gov to access helpful and up–to–date information on how to exercise their rights and protect their personal information. In addition, the Agency's website provides important information about CPPA board meetings, announcements, and the rulemaking process.