Kenny Gutierrez and John Pavolotsky of Stoel Rives LLP write:
With the current patchwork of data privacy laws, compliance can be challenging for any business. The compliance landscape may be even more fraught with risk for data brokers, given various data broker registration requirements, the panoply of general state privacy laws, and the specter of federal enforcement. As such, to help mitigate compliance risk, data brokers may want to consider the following:
- Expansive Scope. Data broker is broadly defined. In California, it means, with limited exception, any “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Exceptions exist for entities covered by the Federal Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and data exemptions also exist for entities, and their business associates, to the extent they process electronic personal health information. Put otherwise, an entity may be a data broker even though historically it has not thought of itself as such.
- Data Broker Registration Laws. Currently, California, Oregon, Texas and Vermont have generally applicable data broker registration laws. California and Vermont require registration by January 31 of a given year. In recent months, the California Privacy Protection Agency has not been reticent about fining data brokers for failing to register (see: https://cppa.ca.gov/announcements/2024/20241114.html and https://cppa.ca.gov/announcements/2024/20241223.html). The penalty for failing to register on time is $200 per day. Needless to say, registering in February, while still after the deadline, will be much less costly than registering in September.
Read more at Stoel Rives LLP
h/t, JDSupra