As their January 1, 2025, implementation date quickly approaches, we’ve been receiving a lot of questions regarding the recent amendments to California’s data broker law. One area that’s causing particular confusion is whether a business can claim an exemption under the amended definition of a direct relationship with a consumer.
What Constitutes a Direct Relationship?
Previously, the definition of a “direct relationship” was somewhat ambiguous. The recent amendments clarified and narrowed this concept in two key ways:
- Intentional Interaction Requirement: For the exemption to apply, the consumer must have intentionally interacted with the business within the three years before the sale of their personal information. This interaction must involve activities like purchasing services, using services, or obtaining information about products and services. Notably, a request to exercise a privacy right does not count as an intentional interaction.
- Direct Collection of Data: Only data that has been directly collected from the consumer by the business is subject to exemption. This means that if a business sells data acquired from a third party, it does not qualify for the exemption, even if the business otherwise has a relationship with the consumer.
Implications for Businesses
These changes mean that businesses selling personal data need to assess the data they sell, its source, and its age. If the data falls outside these new parameters, businesses that were not previously considered data brokers may now be classified as such in California.
Because they are still under review by the Office of Administrative Law, it’s possible there may be a slight delay in the amendments’ January 1st implementation. However, businesses should not wait to start an assessment of their data collection and sales practices.
It’s important to note that failure to file as a data broker in California when required can result in penalties of $200 per day, along with back fees and investigatory costs. The California Privacy Protection Agency has already begun enforcement against noncompliant businesses. Additionally, the fees for being a California data broker will increase significantly from $400 to $6,600 in 2025. This increase is to cover the costs associated with the development of a unified deletion mechanism that data brokers will need to comply with beginning in August 2026.
If you have any questions about where your business’s compliance obligations under these amendments, we can help. Don’t hesitate to reach out.
A Partner at M&S, Josh advises clients on a range of proactive and responsive matters, helping them achieve their business goals while complying with federal and state privacy and other consumer protection laws.