California to Require Data Brokers to Register with Attorney General in 2020

Government Regulations

Written By ESR News Blog Editor Thomas Ahearn

On October 11, 2019, California Governor Gavin Newsom signed a measure relating to privacy – Assembly Bill 1202 (A.B. 1202) – that will require “data brokers” that collect and sell personal information about consumers with whom they have no direct relationship to register with California’s Attorney General starting on January 1, 2020.

A.B. 1202 – which amends the California Consumer Privacy Act (CCPA) of 2018 that takes effect January 1, 2020 – defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” ‘Data broker’ does not include:

The CCPA grants a consumer the right to request a business to disclose the pieces of personal information that it collects about that consumer, the sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

A.B. 1202 would require data brokers to register with the Attorney General “on or before January 31 following each year in which a business meets the definition of data broker,” and the information provided by data brokers would be accessible to the public on a page on the Attorney General’s website. In registering, a data broker shall:

  • Pay a registration fee in an amount determined by the Attorney General, not to exceed the reasonable costs of establishing and maintaining the informational internet website.
  • Provide the following information: the name of the data broker and its primary physical, email, and internet website addresses; and any additional information or explanation the data broker chooses to provide concerning its data collection practices.

Data brokers collect information about consumers – with whom they do not have a direct relationship – from multiple sources that may include internet browsing history, online purchases, public records, location data, loyalty programs, and subscription information, then analyze and package the data for sale to a third party.

Data brokers that fail to register as specified under A.B. 1202 would be subject to civil penalties, fees, and costs in an action brought by the Attorney General, with any recovery to be deposited in the Consumer Privacy Fund to offset costs incurred in connection with the law. The penalties, fees, and expenses include:

  • A civil penalty of one hundred dollars for each day the data broker fails to register as required by this section.
  • An amount equal to the fees that were due during the period it failed to register.
  • Expenses incurred by the Attorney General in the investigation and prosecution of the action as the court deems appropriate.

Once the information about data brokers is publicly available through the registry on the Attorney General’s website, consumers could exercise their rights under the CCPA to ask data brokers what information they have about them, ask them to delete it, and opt out of having their data shared.

On June 28, 2018, Governor Jerry Brown signed the CCPA into law to give Californians the ability to better control the personal information that is collected and sold about them. The law was passed in response to several well-publicized data breaches that affected millions of consumers in recent years.

California is not the first state to require data broker registration. On January 1, 2019, the Vermont Data Broker Regulation took effect, requiring that data brokers register with the Vermont Secretary of State in order to protect the personally identifiable information (PII) of Vermont residents.

The Federal Trade Commission (FTC) – which protects American consumers from deceptive and unfair business practices – regulates data brokers in the United States. In April of 2012, the FTC issued a report about data brokers that recommended that Congress consider enacting data broker legislation.

In June of 2012, the FTC fined a data broker $800,000 in the first FTC case to address the sale of Internet and social media data in the employment screening context. The FTC found the data broker operated as a consumer reporting agency (CRA) and did not take certain steps to protect consumers as required under the Fair Credit Reporting Act (FCRA).

In April of 2014, two data brokers agreed to settle FTC charges that they violated the FCRA by providing reports about consumers to users such as prospective employers without taking reasonable steps to make sure that they were accurate or that their users had a permissible reason to have those reports.

In May of 2014, the FTC issued a report examining data brokers that claimed data brokers operated with a fundamental lack of transparency and recommended Congress consider enacting legislation to make data broker practices more transparent and accountable to American consumers.

Consumers should not confuse data brokers with professional background screening firms that do not reuse or resell data but provide background checks for employment solely with explicit authorization, disclosure, and permissible purpose under the FCRA that are used only once for an employer with a job applicant’s consent.

Employment Screening Resources® (ESR) – a leading global background check provider – is accredited by the Professional Background Screening Association (PBSA) and undergoes annual SSAE 18 SOC 2® Type II audits to protect consumer information used for background checks. To learn more about ESR, visit www.esrcheck.com.
