If you’ve been dealing with California Consumer Privacy Act (CCPA) compliance, you may have come across the term “data broker” and wondered exactly what it means. In the context of data privacy, data broker sounds vaguely ominous and maybe even illegal. In fact, many businesses commonly deal with data brokers, and there is nothing about this that prevents you from complying with the CCPA or other privacy laws.
The CCPA itself does not mention data brokers, but current regulations identify them as a type of third party to whom a business might be disclosing consumers’ personal information. In doing so, they point to California’s data broker law, Civil Code section 1798.99.80, which defines a data broker as:
A business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.
A “direct relationship” is established when the consumer knows who they are dealing with and transmits their information directly to that party. For example, a business has a direct relationship with its customers, and a website has a direct relationship with its visitors.
Often, data brokers are sources of personal information, such as when a business purchases an email list or other sales leads. What tends to cause more complications for compliance (more on this below) is when businesses disclose information to a data broker. This may mean simply trading personal information for cash, but far more commonly it involves swapping personal information in exchange for access to software or a much larger database of personal information from other sources (sometimes called “data cooperatives”).
The term is often misunderstood to apply to any big tech company that deals in personal data. For example, Google collects personal information from billions of people, often without having a direct relationship with them (as when a Google Ads tracker is used to deliver targeted advertising). However, Google does not sell that data to anyone else, so it is not a data broker.
If you’re not sure whether you’re dealing with a data broker, one easy way to check is to search the California Data Broker Registry. Data brokers that trade California consumers’ data are required to register with the state, so theoretically the company in question should be listed if it is a data broker. Of course, if a company is not listed in the registry, it may be that it simply failed to register as required.
There’s nothing inherently wrong with dealing with data brokers, and no data privacy law prohibits businesses from disclosing personal data to, or receiving it from, a data broker.
The primary effect on compliance stems from whether disclosing personal data to a third party amounts to a sale. If it is a sale of personal information, businesses typically must disclose this fact and offer consumers a method for opting out.
If you’re thinking, “I know my business doesn’t sell personal information because we don’t receive any money,” it’s actually more complicated than that. Several laws, including the CCPA, define a sale as exchanging personal data for “monetary or other valuable consideration.” This means that receiving some other tangible benefit besides money—such as a discount on software or access to a database—is enough to convert the exchange into a sale.
Here’s a breakdown by jurisdiction.
Privacy laws in these states use the broader definition of sale—i.e., the exchange of personal data for monetary or other valuable consideration. Disclosing personal information to a data broker for some kind of benefit like a discount or access to personal information from other businesses will be considered a sale, even if your business does not receive money from the deal.
Due to the nature of what a data broker does, authorities in these jurisdictions will probably presume that any disclosure to a data broker amounts to a sale. That is, if a business was not receiving any benefit from the exchange, it probably wouldn’t be sending the data in the first place.
In these states, a disclosure of consumers’ personal data is only considered a sale if the business receives monetary consideration in return. It is far less common for businesses to receive cash in exchange for personal data, so most of the time deals with data brokers in these jurisdictions will not be considered selling.
Europe’s General Data Protection Regulation (GDPR) does not specifically address the sale of personal data, but it does still grant data subjects some opt-out rights. A person in any of these countries can object to the processing of their data, and the business may only continue the processing if it has compelling grounds to do so that outweigh the person’s privacy interests. In the case of disclosing data to a data broker, the privacy interests would strongly outweigh the business’s interests.
Additionally, European data laws prohibit businesses from sending promotional communications to data subjects without their consent in most situations. This means that if a business purchases an email list or other type of contact information, it cannot send any communications to anyone on the list located in Europe.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.