Full Report
An analysis of four states with data broker registry laws found that hundreds of brokers are registered as such in one state but not in others. Source: "Many data brokers aren’t registering across state lines, privacy groups say," CyberScoop.
Analysis Summary
# Regulation/Compliance: State Data Broker Registration and Disclosure Requirements
## Overview
This summary focuses on the state-level regulatory landscape governing "data brokers"—third-party companies that collect, buy, or acquire personal data on Americans without having a direct relationship with them, and subsequently sell or license that data. The core issue highlighted is the inconsistency in how various states define a data broker, which creates a compliance gap: companies registered in one state may evade registration requirements in others.
## Key Details
- Issuing Authority: State Legislatures (e.g., California, Texas, Oregon, Vermont)
- Effective Date: Varies by state legislation (the article notes current enforcement scrutiny based on existing laws).
- Jurisdiction: Specific U.S. States currently enforcing data broker registration laws (CA, TX, OR, VT are explicitly mentioned).
- Status: In Effect (Individual State Laws)
## Requirements
### Mandatory Requirements
1. **Registration:** Businesses meeting the specific statutory definition of a data broker in a given state must register with that state authority.
2. **Disclosure:** Registered data brokers are typically required to provide specific information to the government regarding their data collection and selling practices.
3. **Definition Adherence:** Organizations must align their activities with the specific legal definition of a "data broker" within each state they operate in or collect data from.
### Recommended Practices
1. **Cross-Jurisdictional Assessment:** Companies operating across multiple states (especially CA, TX, OR, VT) should conduct a thorough assessment against **all** relevant state definitions to ensure proactive compliance, regardless of self-identification in one state.
2. **Monitoring Legal Changes:** Actively track pending federal privacy bills or complementary state laws that may introduce centralized definitions or registration requirements.
## Affected Organizations
- Industries: Any business entity that engages in the mass collection and resale/licensing of personal data without a direct consumer relationship.
- Organization Size: Not explicitly determined by size, but by business activity (data brokering).
- Geographic Scope: Currently focused on entities interacting with residents of California, Texas, Oregon, and Vermont, but the principle applies to any state adopting similar legislation.
## Compliance Timeline
- **Current:** Compliance with individual state registration and disclosure laws (CA, TX, OR, VT) is presently required if an organization meets those states' definitions.
- **Ongoing:** Continuous monitoring required due to discrepancies in state definitions and potential future federal legislation (which could create a national registry).
- **Hypothetical:** If a federal framework emerges, compliance deadlines would be governed by that subsequent legislation.
## Implementation Guidance
### Assessment Phase
- Compare the company’s data collection and selling activities against the precise statutory language found in California, Texas, Oregon, and Vermont data broker laws.
- Determine whether the organization meets a state's definition without being registered there, since unregistered entities of that kind might be targeted by investigative efforts.
### Implementation Phase
- For each state whose definition is met, complete and file the necessary registration.
- Establish robust internal controls to track changes in business models that might trigger or exempt registration requirements in specific states (e.g., ceasing to broker data).
### Validation Phase
- State investigators and privacy advocates are currently cross-referencing existing state registries to identify gaps, suggesting external scrutiny is likely.
## Technical Requirements
The article does not detail specific technical controls, but implicit technical needs involve:
1. **Data Mapping:** Comprehensive documentation of data sources, collection methods (internet mining, purchasing from third parties), and data destinations (third-party sales/licenses).
2. **Policy Transparency:** Ensuring privacy policies, opt-out mechanisms, and points of contact are clearly available as required by state statutes.
## Penalties & Enforcement
- Fines: Not specified in the article, but non-compliance usually includes monetary penalties associated with violating state consumer protection or privacy acts.
- Other Consequences: Increased scrutiny from State Attorneys General (AGs), potential litigation, and reputational damage, especially if highlighted by privacy advocacy groups.
- Enforcement: Currently driven by state AG offices, which are being urged by organizations like the EFF to aggressively investigate discrepancies between state filings.
## Related Standards
- **Data Broker Definitions:** The primary framework challenge is the lack of a *federal* standard definition, forcing reliance on disparate state definitions (e.g., required direct relationship vs. principal source of revenue).
- **Policy Action:** Future federal legislation (e.g., Congressional efforts) may introduce standardized requirements or a national registry.
## Resources
- Official Documentation: Links to specific state statutory definitions (e.g., CA, TX, OR, VT laws—reference links within the original text).
- Guidance Documents: Analysis by the Privacy Rights Clearinghouse and EFF detailing registry discrepancies.
- Tools: The EFF provided a spreadsheet detailing registered data brokers across the four states for comparison.
## Practical Recommendations
1. **Legal Interpretation:** Immediately engage legal counsel to interpret the specific data broker definitions across all relevant jurisdictions where the company operates or targets consumers.
2. **Proactive Registration:** If operations border on meeting the definition in multiple states, register proactively to avoid enforcement actions based on self-identification in other jurisdictions.
3. **Advocate for Clarity:** Support industry efforts toward establishing a clear, unified federal definition to decrease current compliance ambiguity.