Data Broker Laws Deserve A Closer Look

Companies that sell data during the course of their business do not always realize that they are considered a “data broker” under some U.S. state laws, and that their data broker activities may require registration with some states. With increased attention being paid to individual privacy rights and the recent enactment of new state privacy laws in the U.S., it is an opportune time for companies to determine whether they are data brokers so that they can focus their compliance efforts on the various requirements, if applicable.

Generally speaking, a data broker is a business that (i) collects personal information of consumers with whom it has no direct relationship, whether by purchasing the data or collecting the data itself from publicly available websites, and (ii) sells the data to a third party for their use. Although there is currently no specific federal law that is aimed at data brokers, legislation has been introduced in Congress, and the SEC and FTC have used their existing regulatory authority against companies in the data broker space.

U.S. states are also paying increased attention to data brokers, building on the existing data broker laws in California, Vermont and Nevada, with new legislation introduced to specifically regulate this activity. There are also newer U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia that provide consumers with the right to opt out of the sale or sharing of data, with which many data brokers likely need to comply. If you think you may be a data broker, you should consult with legal counsel to determine whether you are required to comply with existing state data broker requirements, such as:

  • In California, data brokers are required to register with the Attorney General’s office annually and pay a fee, plus potential penalties for not doing so by January 31 of each year.
  • In Vermont, data brokers need to complete an annual registration with the Secretary of State’s office. Vermont also has certain minimum data security requirements.
  • In Nevada, a data broker has to establish a designated request address through which a Nevada consumer can ask to opt out of the sale of their covered information. Certain consumers will have the right to make verified opt-out requests at any time and the broker will have 60 days to respond to verified requests, although they may be able to extend the response window by 30 days with adequate notice to the consumer.

Companies that buy and sell data should be prepared for increased legal and compliance obligations on data broker activities. For assistance with these and other privacy-related compliance requirements, please contact Lakshmi Sarma Ramani at [email protected].

Lakshmi Sarma Ramani is a Partner on our Washington D.C.-based team. Lakshmi has over 20 years of significant transactional experience representing a wide range of for-profit and non-profit companies and handles a full range of legal matters, including data privacy and compliance.  

This publication should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor an offer to represent you. It is not intended to create, and receipt does not constitute, an attorney-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal questions you may have. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.