SENATE BILL REPORT

E2SHB 1503

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As of February 24, 2020

Title: An act relating to registration and consumer protection obligations of data brokers.

Brief Description: Concerning registration and consumer protection obligations of data brokers.

Sponsors: House Committee on Appropriations (originally sponsored by Representatives Smith, Hudgins and Stanford).

Brief History: Passed House: 2/17/20, 87-11.

Committee Activity: Environment, Energy & Technology: 2/25/20.

Brief Summary of Bill

  • Requires data brokers to annually register with the chief privacy officer and provide certain information related to their data collection practices.

  • Prohibits the acquisition or use of personal information for certain purposes.

  • Authorizes sole enforcement by the attorney general under the Consumer Protection Act.

  • Requires the submission of reports concerning approaches to protecting consumer data processed by data brokers.

SENATE COMMITTEE ON ENVIRONMENT, ENERGY & TECHNOLOGY

Staff: Angela Kleis (786-7469)

Background: Data Brokers Overview. Data brokers are companies that collect consumer personal information and resell or share that information with others. These companies collect personal information from a wide range of sources and provide it for a variety of purposes, such as verifying an individual's identity, marketing products, and detecting fraud. These companies generally do not interact with consumers and consumers are often unaware of their existence.

Consumer Protection Act. The Consumer Protection Act (CPA) prohibits unfair methods of competition or unfair or deceptive practices in the conduct of any trade or commerce. A person injured by a violation of the CPA may bring a civil action for injunctive relief, recovery of actual damages, and reasonable attorneys' fees. The courts may increase awarded damages by up to three times the actual damages sustained. The attorney general (AG) is authorized to investigate and prosecute claims under the CPA on behalf of the state or individuals in the state.

State Chief Privacy Officer. The chief privacy officer (CPO) is the director of the Office of Privacy and Data Protection (OPDP), which serves as a central point of contact for state agencies on policy matters involving data privacy and data protection. In addition, the OPDP must serve as a resource to local governments and the public on data privacy and protection.

Summary of Bill: Registration. After meeting the definition of a data broker for one year, a data broker must annually register with the CPO and pay a $250 registration fee. Certain information must be provided to the CPO, such as contact information and whether a consumer may opt out of the collection of their data.

A data broker that fails to register is subject to prescribed penalties, including a civil penalty of $50 for each day, not to exceed a total of $10,000 for each year it fails to register, and a fine equal to the required dues during the period it failed to register.

Data broker means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the personal information of a consumer with whom the business does not have a direct relationship. Certain activities conducted by a business do not qualify the business as a data broker.

Acquisition or Use of Personal Information. A person shall not acquire personal information through fraudulent means. A person shall not acquire or use personal information for certain purposes, such as stalking another person, committing a fraud, or engaging in unlawful discrimination.

Enforcement. A violation of the act is an unfair or deceptive act in trade or commerce and an unfair method of competition for applying the CPA. This act may be enforced solely by the attorney general under the CPA.

Reports. The CPO, in consultation with the AG, shall submit reports to the Legislature concerning the implementation of this act. The reports must also review and consider additional legislative and regulatory approaches to protecting consumer data subject to data broker activities. A preliminary report is due on or before December 1, 2021. An update to the preliminary report is due on or before October 1, 2022.

Appropriation: None.

Fiscal Note: Available.

Creates Committee/Commission/Task Force that includes Legislative members: No.

Effective Date: The bill takes effect on January 1, 2021.

Staff Summary of Public Testimony: PRO: Overall, transparency is lacking in the data broker industry. Consumers should know the processing activities related to their personal information. This bill holds companies accountable for their data use practices.

CON: The bill includes overbroad requirements on companies that are unnecessary, impracticable, and burdensome on the ecosystem. We have concerns with some of the definitions and have provided the committee with amendments.

Persons Testifying: PRO: Representative Norma Smith, Prime Sponsor; Katy Ruckle, State Chief Privacy Officer. CON: Cliff Webster, Consumer Data Industry Association; Anna Powell, CompTIA.

Persons Signed In To Testify But Not Testifying: No one.