Wake Now, Discover That You Are a Data Broker
This post was originally published January 2025 by the Privacy Law Section of the California Lawyers Association at https://calawyers.org/privacy-law/wake-now-discover-that-you-are-a-data-broker/. It has been adapted for publication by In-House Privacy, Inc.
California’s SB 362 ‘Delete Act’ is now just one of numerous U.S. laws specifically regulating data brokers, in addition to recent FTC consent decrees with companies engaged in various aspects of data licensing. This article explores the many ways in which companies may unknowingly qualify as a data broker, as well as other state and federal data broker compliance requirements or FTC guidance.
U.S. STATE LAWS UPDATE
States: There are now five (5) states with laws specifically regulating data brokers. While they are quite similar, there are nuances with definitions, exemptions, and enforcement. To quickly summarize, they are (in order of enactment):
Vermont:[1] Requires data brokers to register with the state, implement specific data protection and security standards, and incur penalties of up to $50/day for non-registration. Its most unique aspect is that a data broker security breach may be deemed an ‘unfair or deceptive practice’ under its Consumer Protection Act and lead to specific damages.
California:[2] Requires data brokers to register with the state, report annual data subject rights metrics, undergo a future third-party audit, and incur penalties of up to $200/day for non-registration. Its most unique aspect is the introduction of a ‘Deletion Mechanism’ to be created by the California Privacy Protection Agency by August of 2026 to effectuate consumers’ state-wide requests to delete (and/or be opted-out) of data broker activities. See the California Regulatory Update below for more information.
Nevada:[3] No data broker registration is required. The scope of the law is limited to businesses whose ‘primary’ activity is licensing third-party data, and only requires the designation of an address to collect and honor ‘Do Not Sell’ requests. Its most unique aspect is that it grants data brokers a reprieve for their ‘first failure’ to honor any such requests.
Texas:[4] Similar to NV, it is limited to businesses whose ‘principal source of revenue’ is licensing third-party data. It requires data brokers to register with the state, implement specific data protection and security standards, and incur penalties up to $100/day for non-registration. Its most unique aspect is its requirement that a data broker post a ‘conspicuous notice’ on its websites stating that it is a data broker as specified by the TX secretary of state.
Oregon:[5] Requires data brokers to register with the state and incur penalties of up to $500 per day for non-registration. It exempts businesses licensing data associated with ‘publicly available business professionals.’ Its most unique aspect is its intersection with the Oregon Consumer Data Protection Act[6] which includes a stipulation as part of data subject access requests for data sellers to provide a ‘list of specific third-parties’ who received the data subject’s personal data.[7]
FEDERAL LAWS & FTC UPDATE
FCRA: It is a misconception that data brokers have historically been unregulated under federal law, as the Fair Credit Reporting Act (FCRA) has effectively regulated the collection and licensing of data used for broadly defined ‘consumer reports’ for more than fifty years.
PADFA: In addition to the FCRA, there is now another federal law specifically governing data broker activities which is entitled the ‘Protecting Americans’ Data From Foreign Adversaries Act of 2024’ (PADFA).[8] The law prohibits data brokers from licensing ‘personally identifiable sensitive data’ to ‘foreign adversaries’ and includes the following key definitions:
A ‘foreign adversary’ is any entity ‘controlled’ by a foreign adversary country or a business with a controlling interest from residents of foreign adversary countries as per ECFR § 791.4[9] (e.g., Iran, China, Russia, North Korea, others).
A ‘data broker’ is “an entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider.”
The list of ‘personally identifiable sensitive data’ attributes is quite broad, and includes health-related conditions or treatments, race, ethnicity, religion, online behavioral activities, and precise geolocation information.
PADFA does not specify a ‘knowing’ requirement, so every data broker must complete ‘beneficial ownership’ due diligence on every one of their data licensees to ensure compliance. PADFA includes a broad exemption for intermediaries acting as ‘service providers’ on behalf of data brokers, and is exclusively enforced by the FTC.
Federal Trade Commission (FTC): While FTC consent decrees are not considered law or regulation, the FTC recently settled cases with entities engaged in data licensing that are quite novel in many ways, with some serious restrictions on these entities’ use of data, including:
FTC vs X-Mode Social/Outlogic:[10] The FTC asserted that X-Mode sold ‘raw precise geolocation data’ without receiving any ‘informed consent’, and did not filter out any ‘sensitive’ locations such as medical facilities. The FTC’s assertion of a lack of consent was irrespective of X-Mode’s contractual terms with their licensors requiring them to obtain such consent on X-Mode’s behalf, as well as the fact that mobile operating systems require user consent prior to an app collecting GPS information. As part of the agreement, X-Mode was forced to delete all precise location data previously collected without ‘informed consent’; the agreement further requires X-Mode to provide consumers upon request with ‘the identity of any individuals and businesses to whom their personal data has been sold or shared.’
FTC vs InMarket Media:[11] Similar to X-Mode, this settlement was due to the FTC’s assertion that InMarket licensed precise location data with a lack of ‘informed consent’ from end users. The agreement prohibits InMarket from “selling, licensing, transferring, or sharing any product or service that categorizes or targets consumers based on sensitive location data.” A unique aspect of this case beyond the FTC’s novel classification of InMarket’s ‘places’ location data as ‘sensitive’ is the fact that some of InMarket’s data was collected through their own mobile apps with their own proprietary rights to license this data, in addition to these apps seemingly complying with mobile operating systems app store requirements for acquiring consent in order to collect precise location information.
DIFFERING DATA BROKER DEFINITIONS
As noted, U.S. state and federal laws have slightly different definitions of ‘data brokers’ with these notable differences:
Indirect relationship. All data broker laws include the terms ‘with whom the business [or person] does not have a direct relationship’ or ‘did not collect directly from the individual’. However, as noted above in the case of FTC vs InMarket, this consistent applicability to ‘third-party data’ did not stop the FTC from asserting claims against InMarket, which licensed data it collected directly from individuals through its own apps. As a result, even though data broker laws may exempt ‘first-party’ data licensors that collect directly, other laws or regulations may still be applicable to companies licensing data they collect directly from end users.
Knowledge. California and Vermont hedge their data broker definitions such that a data broker must ‘knowingly’ collect and sell consumer data, while the other states and federal laws do not include any such ‘knowledge’ requirement.
Primary purpose. Nevada and Texas both narrow the scope of their laws to entities (and in Nevada’s case ‘or individuals’) whose revenue is predominantly made through third-party data licensing. California also has a threshold to meet the definition of data brokers, requiring that they must be ‘businesses’ as defined under the California Consumer Privacy Act (namely, a data broker must: ‘derive 50 percent or more of its annual revenues from selling or sharing consumers’ personal information’ or sell or share the personal information of 100,000 or more (California) consumers or households). The other states (VT, OR) and federal laws have no such ‘threshold’, so all data brokers are in scope regardless of their revenue allocation or quantity of state-specific data sold.
Corporate and affiliate alignment. California’s definition of ‘business’ allows for affiliates or subsidiaries to be deemed data brokers without implicating a parent company, affiliate or subsidiary. In addition, both Oregon and Vermont include the terms ‘business or units of a business’ which narrows the scope of data broker applicability to be a line of business, divisions or affiliates under the same corporate umbrella. Companies with a ‘data broker product’ may wish to spin the entity into its own business entity in order to avoid running afoul of these state requirements.
Households not included. California is the only state that includes the term ‘household’ in its prescriptive requirements under the CCPA, but it chose not to extend any such specificity in its data broker definition. No other U.S. states extend their definition of personal information or data broker registration requirements exclusively to household-level data (even if few data brokers operate exclusively with this data).
CLASSIFYING DEFINITIONAL CATEGORIES
In the Federal Trade Commission 2012 report ‘Protecting Consumer Privacy in an Era of Rapid Change’ data brokers are defined as “companies that collect information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to their customers for various purposes, including verifying an individual’s identity, differentiating records, marketing products, and preventing financial fraud.”[12] This is a great starting point to classify the categories of data brokers, as there are numerous use cases in each category that could result in businesses inadvertently being categorized as data brokers.
Differentiating Records. In marketing parlance, this can be referred to as ‘data appending.’ Any business that sources third-party data for the purpose of appending it to a first party’s personal data may be in scope as a data broker. These licensing activities typically involve appending demographic, psychographic, or behavioral data to augment a business’s existing customer identifiers for direct marketing, programmatic, or addressable advertising, customer communications, personalization, measurement, and market research.
Verifying an individual’s Identity. While most identity-related data broker activities, such as credit reporting, background check services, or ‘people-search’ websites are regulated under the FCRA and exempt from certain data broker laws, there are many other identity-related services that are outside the scope of the FCRA. Specifically, companies that may be in scope include:
• ‘Identity resolution’ businesses who attempt to validate the accuracy or deliverability of a first party’s data through the use of third-party data sources. The intermediaries providing these services typically source the third-party data themselves, and are not ‘instructed by’ the first parties to specifically license this data on their behalf. The intermediaries also combine disparate data sources in order to provide potentially new information directly to the first party, which is akin to brokering a third-party list for the first party’s use.
The following categories of companies may inadvertently now be defined as data brokers:
• Advertising or marketing agencies where they license third-party data for all of their clients, rather than being instructed by a client to specifically license data on their behalf. The contractual terms of these ‘written instructions’ to direct agencies to procure third-party data must be transparent, and ideally reference the specific data licensor(s).
• Advertising services that embed third-party data into their applications, notably those that include ‘interest-based’ categories from ‘across websites or apps.’ By selling interest-based attributes, these businesses are prohibited from being considered ‘service providers’ under the CCPA for those data services. Further, if these businesses enable the interest-based or licensed demographic data to be available for use by any other business (and not just the first party who enabled the ‘retargeting’ activity), then the business will be classified as a data broker.
Financial and health-related services. California and other state laws exempt entities regulated under the Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA). However, there are situations where data collected for, or in association with, a GLBA or HIPAA regulated company will still be subject to state or federal data broker requirements, namely where a covered entity works with an intermediary to engage in ‘lead generation’ activities such as sponsoring sweepstakes or events in conjunction with a partner who then licenses the data to third parties. Just because the ‘covered entity’ financial or health services brand is associated with the collection of the information does not mean that the ‘lead generation’ intermediary collecting and licensing the information is exempt from compliance with data broker requirements.
Marketing services. The term ‘marketing’ can incorporate any third-party data use activities that extend beyond ‘targeting.’ Companies serving as intermediaries between marketers and data providers can easily become data brokers if they are not ‘following specific instructions’ with procurement of third-party data. Some of the categories that may be in scope include:
• Market research providers who may license ‘panels’ of survey respondents and/or their responses for use by businesses or other market research providers where they did not collect the original survey respondent information.
• Measurement providers who license and combine third-party data in order to measure a business’s brand, advertising or marketing performance where the first-party data owner did not provide them with specific instructions, similar to the ‘agency’ reference above.
• ‘Personalization’ applications such as where a SaaS platform or other service combines specific behaviors or data insights (with or without third-party data) in order to provide the results to unrelated third parties. For example, an email service provider (ESP) may collect the days and time that specific recipients click on links in email ads, and then optimize any of their clients’ email campaigns to automatically target those same recipients at the optimal day/time. In this example, the ESP is licensing email-specific behaviors from across multiple businesses to unrelated third parties for their own use.
A Mixed Category: Business-to-Business Services. Each state treats ‘business professional’ information differently. California specifically requires companies licensing business professional data to comply with its data broker law, while Vermont’s and Oregon’s laws as well as PADFA specifically exempt ‘publicly available’ business professional data. As a result, determining data broker compliance for business professional data requires careful diligence on the source of any such data, and whether a ‘publicly available’ exemption may apply.
CALIFORNIA-SPECIFIC REGULATORY UPDATE
In a board meeting on Friday, November 8, the California Privacy Protection Agency (CPPA) voted[13] to adopt regulations[14] under the California ‘Delete Act’. These regulations update the data broker registration process, and various applications of the law to distinct types of data brokers.
REGISTRATION UPDATES
While most of the registration process and form will be unchanged from 2024, the regulations include the following additional requirements and clarifications. To summarize, data brokers must:
• Pay the annual registration fee with a credit card (with some exceptions).
• Uniquely register each business that operates as a data broker regardless of status as a parent company or subsidiary (i.e. a parent company of a registered data broker does not need to register as well as the subsidiary unless they, too, operate as a data broker).
• Provide the CPPA with a point of contact – this will not be posted on the public registry.
• Sign registrations under penalty of perjury to affirm that the information submitted on the registration form is true and correct.
EXPANDING THE SCOPE OF THE LAW TO ANY ‘INDIRECT’ DATA SALES
Three-year ‘statute of limitations’ on a ‘direct relationship’. The definition of ‘direct relationship’ embedded in SB 362’s definition of ‘data broker’ now includes where “a consumer intentionally interacts with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business’s products or services within the preceding three years.” In other words, any first party that ‘sells’ or licenses data will need to register as a data broker for data that is licensed more than three years after the initial collection date. This could potentially be mitigated with ‘any’ record of an interaction or other relationship activity, including a website visit or email click-through. However, theoretically this could mean that a first party that licenses its data will be required to ‘audit’ its own databases to ensure that it has engaged with these individuals within the prior three-year period, or else be forced either to suppress those old identifiers or to register as a data broker.
The CPPA also added the following statement to its modified definition of ‘data broker’: “A business is still a data broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer.” This language can be interpreted quite broadly, and could include the following potential scenarios:
• A business licenses third-party data (or collaborates with a joint marketing partner), such as appending demographic or behavioral information to its first-party data, and then enables that appended first-party data to be used for third-party data licensing or addressable advertising. This is a common historical practice with catalog mailer ‘co-ops’, where they share postal lists of their customers with other cataloguers but append demographics as part of the advertiser’s list selection. Even though the cataloguer may only be licensing its own first-party customer data, it may be deemed a ‘data broker’ if third-party data is also available for list selection.
• A business uses a third-party ‘identity resolution’ service to enable addressable or targeted advertising on its own media, or in conjunction with third-party media buying. Identity resolution commonly matches additional third-party identifiers with a first-party identifier to expand the scope of matching with advertiser information or to reach an individual across multiple devices. If the media provider ‘sells’ the capability to reach these indirectly collected identifiers, then the business may be deemed to be a ‘data broker.’
• Could this definition even apply to the entire ‘interest based’ or ‘cross contextual behavioral’ advertising industry? Most website publishers do not ‘directly’ collect the attributes associated with website behaviors, but rather rely on third parties. While the website may ‘authorize’ the collection and use of this information for their own media sales, the fact is that another ‘third party business’ will be the entity actually collecting, managing, and selling that behavioral information. As a result, it is conceivable that when a website publisher also ‘sells’ access to behavioral information for ad targeting on their own website that they, themselves, did not collect, then they could be deemed to be a ‘data broker’.
As for next steps, the regulations are sent to the Office of Administrative Law for final approval. If approved, the regulations will go into effect by the start of the January 2025 registration period.
HOW TO REGISTER IN 2025
The registration period begins January 1, 2025 and is expected to be completed by January 31 for existing data brokers that reach the ‘business’ threshold. Once the registration form is submitted on the CPPA website, data brokers will be provided a link to a portal where they can pay the registration fee via credit card and complete their registration. Data brokers will also be required during the 2025 registration period to submit their 2023 consumer privacy rights requests metrics – these are the same metrics that were required to be published in data broker privacy policies in July 2024.
If data brokers have not registered by January 31, 2025, they may be liable for administrative fines for each day the data broker was unregistered. (More below on recent enforcement actions.)
Very Important Update: On November 8th, the Agency Unanimously Approved A Measure To Increase The Annual Data Broker Registration Fee To $6,600
In addition to the regulations, the CPPA voted and approved a measure to increase the annual data broker registration fee from $400 to $6,600 (plus associated third-party fees for processing electronic payment). The steep increase is due to the fact that the Delete Act statutorily requires the annual data broker registration fees to pay for the Delete Act’s one-stop mechanism enabling consumers to submit a single opt-out or deletion request to all registered data brokers. The CPPA has titled this mechanism the Delete Request and Opt-Out Platform (DROP). The Agency must have DROP ready and operable by January 1, 2026, and starting on August 1, 2026, data brokers must access DROP at least every 45 days (see timeline provided by the Agency below).
Prior to the November meeting, the CPPA put out a Request for Information (RFI) seeking preliminary information from potential vendors to create and operate DROP. The Agency received bids with a significant range of costs from $800,000 to $12,000,000. From these informal initial responses, and before ever putting out an official Request for Proposal (RFP) for more concrete costs, the Agency concluded that the budget should be $4,400,000 for 2025 and voted unanimously to approve the $6,200 registration fee rate increase to account for the $3,500,000 necessary to supplement their existing budget. They now expect that the 527 registered data brokers will each pay the significantly increased fee beginning January 1, 2025 in order to collect the necessary funds to use towards creating the DROP. In addition, the Agency has confirmed the following key details:
• Regardless of the final operating expenses associated with the DROP, the current fee will not increase within the 2025 calendar year, nor will data brokers receive a pro rata refund if the DROP costs less than the anticipated budget. This is also seemingly regardless of whether there is a dramatic increase or decrease in 2025 registrations.
• The CPPA orally noted that they expect to adjust the registration fee again for 2026 once DROP is created, but did not indicate whether any budget overages would carry into the 2026 registration fee, nor how they would determine a ‘maintenance budget’.
• As noted below, on Nov 14, 2024, the CPPA announced it had reached settlements with two data brokers who had failed to register, and that it received approximately $69,800 in revenue that, theoretically, should be applied to funding the DROP.[15]
IN A TARGETED ENFORCEMENT SWEEP, THE CPPA FINED TWO UNREGISTERED DATA BROKERS
On October 30, 2024, the CPPA’s enforcement division announced an investigative sweep of unregistered data brokers. In the November 8th Agency board meeting, the Agency voted unanimously to approve settlements with two data brokers, Growbots, Inc. and UpLead LLC, for failing to register and pay the annual registration fee. The companies will pay their registration fees as well as fines of $200 per day for failing to register by the deadline. Growbots will pay $35,400 for allegedly failing to register between February 1 and July 26, 2024; UpLead will pay $34,400 for allegedly failing to register between February 1 and July 21, 2024. In addition to the fee and fines, both companies agreed to injunctive terms, including agreeing to pay the CPPA’s attorney fees and costs.
CONCLUSION
With disparate state laws, a new federal law, new California regulations and recent relevant FTC consent decrees, it is increasingly difficult for companies engaged in sourcing and licensing third-party data to avoid being defined as data brokers. While the compliance complexities vary, the common thread is that data brokers are being forced to be more transparent about their existence, process significantly more privacy rights requests, and be subject to new regulators with specific statutory penalties for non-compliance. More importantly, many businesses that have regularly licensed third-party data and thought they were ‘service providers’ on behalf of their clients now have the eyes of the world upon them and may need to modify their business practices.
ENDNOTES
* Ben Isaacson is a Principal at In-House Privacy, Inc. Ben has been a privacy practitioner since 1996, a CIPP since 2005, and currently serves as a fractional privacy officer, privacy counsel and consultant to a diverse set of clients ranging from early-stage tech startups to public companies with a strong emphasis on adtech/martech and data licensing. www.InHousePrivacy.com
1. Vt. Stat. Ann. tit. 9, ch. 062 (2024). https://legislature.vermont.gov/statutes/chapter/09/062.
2. S.B. 362, 2023-2024 Leg., Reg. Sess. (Cal. 2024). https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB362.
3. Nev. Rev. Stat. ch. 603A (2024). https://www.leg.state.nv.us/nrs/nrs-603a.html.
4. Tex. Bus. & Com. Code § 509 (2024). https://statutes.capitol.texas.gov/Docs/BC/htm/BC.509.htm.
5. H.B. 2052, 2023 Leg., Reg. Sess. (Or. 2024). https://olis.oregonlegislature.gov/liz/2023R1/Downloads/MeasureDocument/HB2052/Enrolled.
6. S.B. 619, 2023 Leg., Reg. Sess. (Or. 2024). Section 3(1)(a)(B) https://olis.oregonlegislature.gov/liz/2023R1/Downloads/MeasureDocument/SB619/Enrolled.
7. Id. Section 3(3). This requirement is ‘at the controller’s option’ and does not require the disclosure of ‘trade secrets.’
8. H.R. 815, 118th Cong. (2024). https://www.congress.gov/118/bills/hr815/BILLS-118hr815enr.pdf.
9. 15 C.F.R. § 791.4 (2024). https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-E/part-791/subpart-A/section-791.4.
10. FTC Order Prohibits Data Broker X-Mode Social/Outlogic from Selling Sensitive Location Data, Fed. Trade Comm’n (Jan. 2024). https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-order-prohibits-data-broker-x-mode-social-outlogic-selling-sensitive-location-data.
11. FTC Order Will Ban InMarket from Selling Precise Consumer Location Data, Fed. Trade Comm’n (Jan. 2024). https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-order-will-ban-inmarket-selling-precise-consumer-location-data.
12. Fed. Trade Comm’n, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (Mar. 2012). https://www.ftc.gov/reports/protecting-consumer-privacy-era-rapid-change-recommendations-businesses-policymakers.
13. https://cppa.ca.gov/announcements/2024/20241108_2.html
14. https://cppa.ca.gov/regulations/pdf/data_broker_reg_prop_text.pdf
15. https://cppa.ca.gov/announcements/2024/20241114.html