California’s Data Broker Registry

March 6, 2024
Ash Costello


View profile

California’s data regulator, the California Privacy Protection Agency (CPPA), has launched its Data Broker Registry.  This broker registry is now live, and available here.

Data Brokers are businesses which purchase and sell information about consumers from other businesses, but don’t interact directly with those consumers (‘brokers’).

Information for Data Brokers

The Data Broker Registration Statute was recently updated to require brokers to register with the CPPAs before January 31st following any year in which the broker met the definition of ‘data broker’.  Registration is required annually, and is subject to a registration fee.

Brokers who fail to register by the due date risk attracting fines and costs via administrative  or investigative actions pursued by the CPPA. 

To be eligible to register as a data broker, businesses must have already been included on the CPPA’s mailing list.  

The requirements for brokers will increase over the coming years, as set out in the table below.

July 1, 2024Data brokers’ website privacy policies must disclose statistics about the following consumer requests received during the previous calendar year: 

Requests to delete personal information; Requests to know what personal information the data broker was collecting; Requests to access the personal information the data broker was collecting; Requests to know what personal information the data broker was selling or sharing and to whom; Requests to opt out of sale or sharing of personal information; and Requests to limit the data broker’s use and disclosure of sensitive personal information.

They must also disclose the median and mean number of days taken to respond to such requests, the numbers of requests received, complied with (wholly or partly) or denied.
January 31, 2025The above statistics must be provided to the CPPA.
August 1, 2026From this date onwards, the “accessible deletion mechanism” must be  accessed at least every 45 days. Consumers can use this mechanism to send a verifiable request for the deletion of personal information about that consumer held by the data broker or a related vendor. All deletion requests must be processed (with limited exclusions).
January 1, 2028From this date onwards, and every 3 years afterwards, independent third parties will audit brokers’ compliance with the law and submit the audit report to the CPPA if so requested.   
January 1, 2029From this date onwards, brokers must confirm during their annual CPPA broker registration process whether they have undergone this audit and when (if at all) the audit report was submitted to the CPPA.

Information for Consumers

The brokers registered with the CPPA are visible via the online broker registry.  

Consumers can contact the brokers directly to exercise their rights under the California Consumer Privacy Act, including the right to delete personal information. 

Consumers experiencing issues in exercising their privacy rights can file a complaint with the CCPA here.

From 2026 onwards, consumers can issue a ‘one-stop-shop’ type request to the CPPA for all and any non-exempt personal information held by data brokers to be deleted, rather than contacting each broker separately. 

To receive all the latest insights from gunnercooke to your inbox, sign up below