Are You a Data Broker?

California law requires companies determined to be data brokers to register with the California Attorney General on its website on or before January 31st after each year the business is determined to be a data broker. The law defines a data broker as “any business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions.”

The registry entry for a data broker includes the company name, a contact email address for data privacy concerns, the company website, the company physical address, and how a consumer may opt out of a sale or submit requests under the CCPA. It also includes how a protected individual can demand the deletion of information posted online under Gov. Code sections 6208.1(b) or 6254.21(c)(1), and links to websites with additional information about the broker's data collection practices.

Consumers can use this registry to request a copy of any data a broker possesses about them and to request that it be deleted. Data brokers have 45 days to comply with any consumer request, or they may face fines and penalties. Failure to comply may result in an injunction and liability for civil penalties, fees, and costs in actions brought by the Attorney General. Any recovery is to be deposited in the Consumer Privacy Fund.

Solution providers should regularly review their offerings and ensure they follow all country, cross-geographic, local, and regional data privacy directives. They should have the personnel, solutions, and procedures to address data removal requests, and they should post information about their data collection practices.

Large-scale data removal may reduce a dataset’s usefulness for analytics and AI, something insurers and solution providers need to consider and have plans to address. One option is synthetic data, i.e., data generated by statistical sampling of the actual confidential data in a way that does not breach confidentiality or privacy.

However, vendors and insurers need to keep in mind that “de-identification” means not only the straightforward removal of PII from the database but also assurance that reasonable means cannot be used to deduce an individual's identity from what remains. Insurers may also wish to weigh the pros and cons of first-party data versus second- or third-party data.
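The point above, that stripping names and emails is not the same as de-identification, is easiest to see on a concrete extract. The following is an added example, not code or data from the original post: a constructed policyholder extract from which direct identifiers have already been removed, checked for k-anonymity over the remaining quasi-identifiers (ZIP, birth year, sex). The field names, the sample rows, the k threshold and the generalize-then-suppress step are all illustrative assumptions, not a method prescribed by the California statute.

```python
"""
Added example (not from the original post): a k-anonymity check showing why
dropping direct identifiers alone does not de-identify a dataset. All records,
column names and thresholds below are constructed for illustration.
"""
from collections import Counter

# Constructed extract after "straightforward removal of PII": name, email and
# policy number are already gone. The remaining columns are quasi-identifiers;
# each is harmless alone, but in combination they can single out one person.
RECORDS = [
    {"zip": "94105", "birth_year": 1984, "sex": "F", "claim_total": 1200},
    {"zip": "94105", "birth_year": 1984, "sex": "F", "claim_total": 3400},
    {"zip": "94105", "birth_year": 1971, "sex": "M", "claim_total": 800},
    {"zip": "94110", "birth_year": 1990, "sex": "M", "claim_total": 150},
    {"zip": "94110", "birth_year": 1990, "sex": "M", "claim_total": 2200},
    {"zip": "94110", "birth_year": 1990, "sex": "M", "claim_total": 900},
]
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")  # assumed quasi-identifier set


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Smallest equivalence class: k == 1 means at least one record is unique."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0


def unique_records(records, keys=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination occurs exactly once (re-identifiable)."""
    classes = equivalence_classes(records, keys)
    return [r for r in records if classes[tuple(r[k] for k in keys)] == 1]


def generalize(record):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and birth decade (assumed scheme)."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["birth_year"] = f"{record['birth_year'] // 10 * 10}s"
    return out


def anonymize(records, k_required=2, keys=QUASI_IDENTIFIERS):
    """Generalize, then suppress any record still sitting in a class smaller than k."""
    coarse = [generalize(r) for r in records]
    classes = equivalence_classes(coarse, keys)
    return [r for r in coarse if classes[tuple(r[k] for k in keys)] >= k_required]


if __name__ == "__main__":
    print("k before:", k_anonymity(RECORDS))          # 1: one record is unique
    print("unique rows:", unique_records(RECORDS))
    released = anonymize(RECORDS)
    print("k after:", k_anonymity(released), "rows kept:", len(released))
```

On this extract the male policyholder born in 1971 is the only person in his ZIP/birth-year/sex cell, so a third party holding a voter roll or similar public list could link the claim total back to him even though no name is present. Generalizing ZIP and birth year does not by itself rescue that row, so the release step suppresses it; the cost of de-identification shows up as lost rows, which is the analytics trade-off the post describes.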

Robust data discovery, classification, and governance are key. Privacy management solutions may incorporate consent management, data protection impact assessments (a requirement under GDPR), data subject access request fulfillment, and legislation-specific compliance modules.

The regulatory burden involved with data privacy compliance will only grow; insurers and solution providers need to plan for this. Third-party data providers should immediately take the following actions:

  • Register with the California Office of the Attorney General
  • Stand up personal data privacy governance frameworks, including data sourcing, data dictionaries, and consent journeys
  • Firm up business processes related to consumer requests for personal data

As always, our experts are happy to discuss these issues with our advisory clients. Feel free to reach out to me ([email protected]) or my colleague Steve Kaye ([email protected]).
