Information for Data Brokers
Recent amendments to the Data Broker Registration statute require a data broker, as that term is defined in California Civil Code § 1798.99.80, to register with the California Privacy Protection Agency (“Agency”) on its website by January 31, following each year in which a business meets the definition of a data broker and pays the registration fee.
Data brokers were required to register by January 31, 2024. If you are a data broker and have not yet registered, you must register as soon as possible. A data broker that fails to register by January 31 may be liable for administrative fines and costs in an administrative action or investigation brought by the Agency (Civ. Code §1798.99.82(d)).
To register as a data broker, you must be on the Agency's mailing list. Please email databrokers@cppa.ca.gov to be added to that list.
Instructions on how to register
Data brokers must complete the registration form and remit the $400 fee with the invoice. If you need a link to the form, please email databrokers@cppa.ca.gov.
Once you have access to the form, follow these steps:
- Complete the registration form.
- Once you've completed the form, click on the invoice link. This will appear on the confirmation page after you have successfully submitted the form.
- Download and complete the linked invoice.
- Print invoice and keep a copy for your records.
- Mail the printed invoice and a check or money order for $400 made out to "2024 California Privacy Protection Agency - SB 362" via physical mail to:
California Privacy Protection Agency
Attn: Data Broker Registry Unit
2101 Arena Blvd,
Sacramento, CA 95834
Registration is complete on the date the check or money order ($400) and invoice are postmarked to the Agency, contingent on funds being successfully deposited. A data broker that has not registered by the January 31 statutory deadline may be liable for civil penalties for each day the data broker fails to register.
If you have any questions, please email: databrokers@cppa.ca.gov.
Accessible Delete Mechanism
The Agency will engage the public to gather feedback on the new deletion system:
- April: Industry questionnaire
- May: Solicitation for preliminary written comments from the public
- June: Public online stakeholder session and end of written comment period.
The Agency will update its website to provide more information about these engagement efforts. If you would like to receive updates, email databrokers@cppa.ca.gov to be added to the mailing list.
2024 Data Broker Registry
Find the list of 2024 registered Data Brokers on the Data Broker Registry page.
2023 Data Broker Registry
The previous data broker registries can be accessed at the Office of the Attorney General's Data Broker webpage.
Important Future Deadlines
By July 1, 2024, data brokers must collect and report the following information on their website’s privacy policy and include a link to this information in the privacy policy:
- The number of consumer requests described below that a data broker received, complied with in whole or in part, and denied during the previous calendar year:
- Requests to delete personal information;
- Requests to know or access what personal information the data broker was collecting;
- Requests to know what personal information the data broker was selling or sharing and to whom;
- Requests to opt out of sale or sharing of personal information; and
- Requests to limit the data broker’s use and disclosure of sensitive personal information.
- The median and the mean number of days within which a data broker substantively responded to the above requests in the previous calendar year.
Please note that data brokers will need to report these metrics to the Agency when they register in January 2025.
Beginning August 1, 2026, a data broker must access the accessible deletion mechanism at least once every 45 days and process all deletion requests, subject to limited exceptions. The accessible deletion mechanism allows a consumer, through a single verifiable request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.
Beginning January 1, 2028, and every 3 years thereafter, data brokers must undergo an audit by an independent third party to determine compliance with the requirements under the law and must submit the audit report to the Agency upon the Agency’s written request. Beginning January 1, 2029, a data broker registering with the Agency must also disclose whether they have undergone the abovementioned audit and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the Agency.
Contact Us
Email databrokers@cppa.ca.gov to join the data broker mailing list or to reach us with questions. We will respond in a timely manner.
Please note: the Agency cannot make changes to current or past registrations, nor can the Agency confirm receipt of a registration check.