Figuring out data broker status should be straightforward, but in reality determining whether your company falls into this category can get complicated fast. Gone are the days when you could assume data brokers were simply businesses selling consumer information to advertisers. California law now extends this category beyond monetary transactions to any company that collects, shares, or monetizes personal information without a direct relationship with the data subjects.
Could your company be in scope under this expanded definition? Let's explore this topic and provide some tips and resources to help you assess where your organization fits.
Who is a Data Broker according to California Law?
Under California law, a data broker is defined as a business that knowingly collects and sells personal information about consumers with whom the business does not have a direct relationship. This definition contains hotly debated terms that create a gray zone around data broker status.
What is a "Direct Relationship" with a Consumer?
The CPPA requires you to track whether your relationship with a consumer is direct. For example, a direct relationship could mean an individual is a customer of your product, or has opted into marketing with your brand. But even companies that have a direct relationship could still be considered data brokers if they sell data sourced from third parties about a consumer, or if they sell the data of consumers they haven't interacted with in over three years.
What Does it Mean to "Sell" Data?
Important: "Selling" data is not limited to financial transactions. The law also treats the exchange of data for value, such as sharing information in return for analytics or advertising services, as selling.
As a result, many companies that do not think of themselves as data brokers may still fall into this category.
Practical Data Broker Examples
If your business provides services that include the transfer or enhancement of consumer data outside of a direct relationship, you may qualify as a data broker in California.
How Can I Determine if My Company is a Data Broker?
Key Questions to Ask
Consider these questions to evaluate your data broker status:
- Do we collect personal information from California residents without having a direct relationship with them? A good example of an indirect relationship might be a list of prospective customers purchased from a third party.
- Do we retain user data for 3 or more years after our last direct interaction with the consumer? If you aren't tracking direct relationships, or don't have a data retention policy in place, you are at higher risk.
- Do we disclose or "sell" this data to other parties, either for money or other value? Consider whether your company passes cookie data to third parties for targeted advertising, cross-site tracking, or analytics where you receive any benefit from the exchange.
If you can answer affirmatively to any of these questions, you may be a data broker. When in doubt, consult legal counsel to determine whether your business practices will be considered data brokerage in California.
Key Compliance Requirements
- Registration: Companies must register and renew annually.
- DROP: You must honor opt-out and deletion requests submitted by California residents to the centralized portal.
- Documentation: Businesses must maintain records of requests and compliance actions.
- Penalties: Fines for noncompliance include $200 per consumer per day, along with the risk of legal action.
Why Early Identification Matters
Determining whether your company qualifies as a data broker now will make compliance much easier later. Early registration signals good faith, and preparation for DROP ensures smoother operations when requests begin to arrive.
You can also use this information to more accurately weigh the risks and benefits of certain business practices. If you determine that your collected PII, data retention policies, and use of a tracking pixel may classify you as a data broker today, even though data brokerage is not a significant part of your business model, your business can take steps to divest from these processes or better contain them.
Beyond legal compliance, this is also an opportunity to evaluate how your organization handles data. Consumers expect transparency and accountability in how their information is collected and shared. By taking proactive steps, your company can reduce regulatory risk and build stronger trust with customers.
Final Thoughts
Ready or not, California is shaking up the way businesses interact with data to better protect consumer privacy. As privacy professionals juggling all sorts of compliance obligations, we need to examine our own data practices early, so that we can prepare our teams for the reality that many businesses now fall within the definition of a data broker.
If you are uncertain, start with a thorough data flow review, consider your business relationships, and consult with legal counsel. The sooner your organization identifies its role under this law, the better positioned you will be to remain compliant, avoid fines, and build trust with users.
Read the Original Article
View on DataGrail