Formal Comments To The California Privacy Protection Agency Re: Data Broker Rulemaking and Registry Fee Increase
These comments complement oral comments delivered today at the California Privacy Protection Agency (CPPA) Board Meeting. These comments are my own and are not being made on behalf of any specific companies.
I have two specific requests I am making today for the CPPA Board to consider. The first is a request to delay and/or modify the implementation of the Data Broker Registry fee increase, and the second is a request for clarification regarding the SB 362 regulations related to the expanded definition of what constitutes a ‘data broker’.
Fee Increase Modification Request
Summary of Key Items From November 8 CPPA Board Meeting
The Board approved an increase in the Data Broker Registry fee from $400 to $6600.
The CPPA staff published a ‘Cover Memo’ and presented its proposed budget for the creation of the ‘Deletion Mechanism’ with a request that the board allocate a total budget of $4.4mm for the Deletion Mechanism, with $3.5mm to be funded from the current list of 527 registered data brokers as of the date of the meeting. The Board did not clarify the source of the other $900,000 to be allocated from the overall budget.
In the ‘Cover Memo’ and testimony, the staff presented information that they received as part of a ‘Request for Ideas’ that indicated a range of potential costs for the deletion mechanism from $800,000 to $12,000,000. There were no specific companies identified who submitted these ‘ideas’, nor any technical, operational, or itemized expenditures that explained the variances between these proposals, nor the rationale for why the CPPA staff chose $2.7mm as the budget needed to implement the Deletion Mechanism, plus an additional $384k allocated for the California Department of Technology to manage the project.
In the Cover memo and testimony, the staff presented the need to allocate $1.3mm from the data broker registry fund for three full time staff positions, including positions for an attorney and analyst that appear to be unrelated to implementation of the Deletion Mechanism.
The Staff did not present any budget allocations for new registrants or enforcement actions, and did not indicate whether the approximate $70k received as a result of an enforcement action against 2 data brokers that was approved by the CPPA on November 8th and disclosed on November 14th is included in the $4.4mm total registry fund.
There was a question and answer exchange that inquired about the outcome of any potential surplus funds following implementation of the Deletion Mechanism, yet the CPPA staff's answer vaguely stated “We anticipate being back before the Board this time next year to make an appropriate adjustment based on the revenues we still have”.
In the Cover Memo and testimony, the CPPA staff indicated that they received estimates of between a thousand (1000) and five thousand (5000) potential data brokers that could be registered in 2025, and that potentially eight hundred (800) are currently registered in other states (which exceeds California by more than 250 companies).
Further, in the ‘DROP Proposal’ meeting materials, dated October 4th, the materials indicate that the Procurement Release for the Deletion Mechanism will take place between February - May 2025 and the contract will be approved in early September 2025 with approximately 3 months allocated for ‘Execution of the System’ before the January 1, 2026 implementation date.
With respect to the Data Broker fee increase from $400 to $6600, SB362 Section 1798.99.81(c) requires the CPPA to establish the Data Brokers Registry Fund to offset the “reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86.”
The $6200 registry fee increase approved by the CPPA Board on November 8th is a sudden, surprising, and significant financial burden on many data brokers, and the materials presented to justify this significant increase were vague ‘guestimates’ with additional unnecessary expenditures that call into question the ‘reasonableness’ of the approved $4.4mm budget.
Specifically, the Board should re-evaluate the budget allocation based on the following facts:
The Board did not publicly share any details related to the ‘Request for Ideas’, notably why the range of proposals was from $800k-$12mm. There was no reference to the names or nature of the businesses they solicited and their capabilities to undertake the proposed engagement, the feasibility of their proposals, the technologies utilized, or the operational budget requirements. As a result, there is no way for potential vendors or interested parties to evaluate the feasibility of the proposed budget or to prepare to bid on the ‘Request for Proposals’ as part of the future Procurement process.
The $1.3mm allocated for the ‘Deletion Mechanism’ staff includes two non-technical positions, including a full time attorney, without specific justification for why such positions are necessary to ‘establish, maintain or provide access’ to the Deletion Mechanism.
The Board should publicly state whether the final vendor award will be based on a ‘lowest responsible’, ‘lowest qualified responsible’, or ‘highest scored responsible’ bidder as defined by CA standards. If the CPPA receives a proposal by a credible vendor that meets all of the criteria specified, then the CPPA should be required to accept a ‘lowest responsible’ proposal.
The CPPA has not publicly specified how a budget surplus associated with either an increase in the number of data broker registrations in January 2025, or if a less expensive vendor is selected to create the Deletion Mechanism, will be allocated. The lack of specificity in the CPPA staff response to this question on November 8th was insufficient to substantiate the ‘reasonableness’ of the allocated budget and the question of the use of surplus funds and must be specified. Any budget surplus based on collected registration fees should be returned pro-rata to the registered data brokers who are funding the creation of the Deletion Mechanism rather than carried over as a ‘subsidy award’ to 2026 data broker registrants.
Further, the CPPA provided no indication what would occur in the event that fewer than 527 data brokers complete their registration by January 31st and there is a budget deficit.
Based on this information, I am requesting that the CPPA Board schedule a meeting before January 1st and vote on the following courses of action:
Maintain the existing $400 data broker registration renewal, and issue a special assessment of the registered data brokers following completion of the Procurement Release based on a ‘lowest responsible’ acceptance criteria for selection of the Deletion Mechanism vendor.
Alternatively, the Board could place all registration fees and enforcement revenue into an escrow account to be used for necessary Deletion Mechanism expenditures, and return any budget surplus funds pro rata to data brokers before establishing a new fee structure for the 2026 calendar year.
Finally, the Board should open a request for comments about 2026 alternative registry fee structures and Deletion Mechanism revenue options that would alleviate the ‘unreasonable’ burden on small businesses, such as tiered fee levels based on annual revenue or California data sales revenue, as well as consideration for additional revenue streams such as the creation of a real-time application programming interface (API) or other custom integrations that could incur additional fees by interested parties.
Data Broker Definition Clarification
The text of SB 362 approved by the California legislature defines a Data Broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” In the CPPA’s approved SB 362 regulations Section 7602, the term “direct relationship” has been defined as “a consumer intentionally interacts with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business’s products or services within the preceding three years. A consumer does not have a ‘direct relationship’ with a business if the purpose of their engagement is to exercise any right described under Title 1.81.5 of Part 4 of Division 3 of the Civil Code, or for the business to verify the consumer’s identity. A business is still a data broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer.”
There are two aspects of this new definition that require clarity, and the CPPA should issue a revised set of regulations that explains whether the following circumstances apply to this expanded definition of ‘direct relationship’.
With respect to the “three year” expiration period attached to a ‘direct relationship’, is a business that is expected to comply with this regulation required to have ‘express knowledge’ of any such interaction history? There are many scenarios where collection or association of any such ‘express knowledge’ may be impracticable or impossible to collect and store alongside data ‘sales’ activities, such as website visitations, email engagement activities, advertising engagement activities, mobile app notifications engagement or app use, or SMS or phone interactions. The CPPA should clarify that any such expiration date on a ‘direct relationship’ is predicated on the express knowledge that the individual has not interacted in the prior three year period, and the lack of any express knowledge of a ‘last interaction’ date is not grounds for enforcement.
With respect to the following reference “but also sells personal information about the consumer that the business did not collect directly from the consumer”, the CPPA should clarify that this statement excludes the use of third party information that is directly associated with first party information that it has previously collected. In other words, if a business ‘appends’ information from a third party to information that it collects itself, then this ‘appended’ information does not trigger the new regulation where it would require that entity to register as a data broker. There are many common scenarios for such activities with broad implications. A common scenario is where a business seeks to better understand its customers by appending third party information such as gender, and then enables other businesses to use that information for mutually beneficial advertising campaigns. For example, many of the largest online publishers (including social media platforms) collaborate with or enable third parties to create demographic or behavioral categories, or even ‘custom match’ audiences for advertisers to use with specific ad targeting campaigns. Under a broad interpretation of this new regulation, every online publication that enables any third party data to be matched with their own first party data would be required to register as a California data broker, which would include the world’s largest media brands. This broad definitional application is highly unlikely to have been the intent of the Legislature when they passed SB 362 and expressly exempted ‘direct’ business relationships in their definition of what constituted a data broker. The CPPA is strongly encouraged to publish revised rules that clarify and exempt any such scenario where first party data is used in conjunction with third party data to avoid such a confusing and conflicting outcome.
Based on this information, I am requesting that the CPPA draft a ‘statement of reasons’ or new regulations that clarify the definition of “direct relationship” and expressly exclude the combination of first party and third party data.
Update:
On December 23, 2024, the CPPA announced a settlement with two additional data brokers, PayDae, Inc. (“Infillion”) and The Data Group, LLC, for failing to register and pay an annual fee in compliance with the Delete Act.
Shouldn’t this announcement mean that $100,800 will be added to the Data Broker Registry Fund and the 2025 Data Broker Registry fee can now be reduced by $191 per company (based on the 527 registered brokers)? 🤔