Information for Data Brokers

The Data Broker Registration statute requires a data broker, as defined in California Civil Code § 1798.99.80, to register with the California Privacy Protection Agency ("Agency") following each year in which a business meets the definition of a data broker. To register, a data broker must complete the registration form and pay the annual registration fee.

A data broker that failed to register by January 31 may be liable for administrative fines and costs in an administrative action or investigation brought by the Agency (Civ. Code § 1798.99.82(d)).

To register as a data broker in 2025, you must be on the Agency's mailing list. Please email databrokers@cppa.ca.gov to be added to that list.

Instructions on how to register in 2025

Data brokers must complete the registration form and remit the annual fee of $6,600 plus a 2.99% associated third party fee for processing electronic payments. The form will be available starting January 1, 2025. If you need a link to the form, please email databrokers@cppa.ca.gov.

Once you have access to the form, follow these steps:

  1. Complete the registration form.
  2. Once you've completed the form, navigate to the payment link. This will appear on the confirmation page after you have successfully submitted the form.
  3. Pay the fee and an invoice will be emailed to you for your records.

2024, 2025 Data Broker Registry

Find the list of registered Data Brokers on the Data Broker Registry page.

2021, 2022, 2023 Data Broker Registry

The previous data broker registries can be accessed at the Office of the Attorney General's Data Broker webpage.

Important Future Deadlines

By July 1, 2025, data brokers must collect and report the following information on their website's privacy policy and include a link to this information in the privacy policy:

  • The number of consumer requests described below that a data broker received, complied with in whole or in part, and denied during the previous calendar year (2024):
    • Requests to delete personal information;
    • Requests to know or access what personal information the data broker was collecting;
    • Requests to know what personal information the data broker was selling or sharing and to whom;
    • Requests to opt out of sale or sharing of personal information; and
    • Requests to limit the data broker's use and disclosure of sensitive personal information.
  • The median and the mean number of days within which a data broker substantively responded to the above requests in the previous calendar year.

Please note that data brokers will need to report these metrics to the Agency when they register in January 2026.

Beginning August 1, 2026, a data broker must access the accessible deletion mechanism at least once every 45 days and process all deletion requests, subject to limited exceptions. The accessible deletion mechanism allows a consumer, through a single verifiable request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.

Beginning January 1, 2028, and every 3 years thereafter, data brokers must undergo an audit by an independent third party to determine compliance with the requirements under the law and must submit the audit report to the Agency upon the Agency's written request. Beginning January 1, 2029, a data broker registering with the Agency must also disclose whether they have undergone the abovementioned audit and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the Agency.

Contact Us

Email databrokers@cppa.ca.gov to join the data broker mailing list or to reach us with questions. We will respond in a timely manner.

Please note: the Agency cannot make changes to current or past registrations, nor can the Agency confirm receipt of a registration check.