Section 1798.99.82 - Registration with California Privacy Protection Agency(a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.(b) In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following: (1) Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84 and the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86. Registration fees shall be deposited in the Data Brokers' Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.(2) Provide the following information: (A) The name of the data broker and its primary physical, email, and internet website addresses.(B) The metrics compiled pursuant to paragraphs (1) and (2) of subdivision (a) of Section 1798.99.85.(C) Whether the data broker collects the personal information of minors.(D) Whether the data broker collects consumers' precise geolocation.(E) Whether the data broker collects consumers' reproductive health care data.(F) Beginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency.(G) A link to a page on the data broker's internet website that does both of the following: (i) Details how consumers may exercise their privacy rights by doing all of the following: (I) Deleting personal information, as described in Section 1798.105.(II) Correcting inaccurate personal information, as described in Section 1798.106.(III) Learning what personal information is being collected and how to access that personal information, as described in Section 1798.110.(IV) Learning what personal information is being sold or shared and to whom, as described in Section 1798.115.(V) Learning how to opt out of the sale or sharing of personal information, as described in Section 1798.120.(VI) Learning how to limit the use and disclosure of sensitive personal information, as described in Section 1798.121.(ii) Does not make use of any dark patterns.(H) Whether and to what extent the data broker or any of its subsidiaries is regulated by any of the following: (i) The federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).(ii) The Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.(iii) The Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).(iv) The Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).(I) Any additional information or explanation the data broker chooses to provide concerning its data collection practices.(c) A data broker that fails to register as required by this section is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows: (1) An administrative fine of two hundred dollars ($200) for each day the data broker fails to register as required by this section.(2) An amount equal to the fees that were due during the period it failed to register.(3) Expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action as the court deems appropriate.(d) A data broker required to register under this title that fails to comply with the requirements of Section 1798.99.86 is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows: (1) An administrative fine of two hundred dollars ($200) for each deletion request for each day the data broker fails to delete information as required by Section 1798.99.86.(2) Reasonable expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action.(e) Any penalties, fines, fees, and expenses recovered in an action prosecuted under subdivision (c) or (d) shall be deposited in the Data Brokers' Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, with the intent that they be used to fully offset costs incurred by the state courts and the California Privacy Protection Agency in connection with this title.Ca. Civ. Code § 1798.99.82
Amended by Stats 2023 ch 709 (SB 362),s 3, eff. 1/1/2024.Amended by Stats 2020 ch 14 (AB 82),s 4, eff. 6/29/2020.Added by Stats 2019 ch 753 (AB 1202),s 2, eff. 1/1/2020.