The California Privacy Protection Agency (CPPA) announced a plan to enhance enforcement of the California Consumer Protection Act’s (CCPA) requirement for registration by data brokers, as unveiled during its November 2024 meeting. This initiative aims to identify businesses failing to register as data brokers, a designation under the CCPA for entities that knowingly collect and sell the personal information of consumers with whom they have no direct relationship.
The sweep of the data broker registration is intended to look at companies that did not register with the state by January 31, 2024, after meeting the criteria to be designated as data brokers in 2023. According to CPPA’s Executive Director Ashkan Soltani, “It’s crucial for data brokers to register with [the CPPA], so the public can be informed and empowered to exercise their rights” because “[t]he immense volume of personal information sold by data brokers can pose a significant threat to Californians’ privacy.”
Despite these requirements, many businesses remain unregistered—whether due to uncertainty about their classification as data brokers, a lack of awareness about the law or intentional avoidance of registration obligations. The CPPA’s registry sweep highlights the agency’s commitment to enforcement, underscoring the need for businesses to address their compliance obligations without delay. To comply, data brokers must register through the California Attorney General’s Data Broker Registry, pay an annual fee, and disclose details about their data collection practices. Noncompliance can lead to reputational risks and significant penalties, including a penalty of $200 per day. This announcement is merely a preliminary identification that enforcement of the CCPA, including registration as a data broker, will continue to expand, particularly once the Delete Act takes effect January 1, 2026. The CPPA is expected to provide updates on the registry sweep and other regulatory developments at the next board meeting, which is scheduled for later this week on December 19, 2024. Details regarding virtual attendance are available on the CPPA’s website.
For businesses unsure of their status or struggling to navigate the complexities of the registry requirements, Varnum offers specialized guidance to ensure compliance and minimize risk. Contact Varnum’s Data Privacy team to proactively address these obligations and protect your business from enforcement actions while demonstrating a commitment to regulatory compliance.