California Privacy in 2025: Key Changes Affecting Data Brokers

Perkins on Privacy

As we close out the first quarter of 2025, one thing is unmistakable: California’s regulatory efforts continue to center on data brokers. 

So far this year, the California Privacy Protection Agency (CPPA) has released newly proposed changes to data broker regulations, reached its sixth settlement with a data broker, added a new Board member, and, most recently, named a new Executive Director. Below, we summarize several key recent updates that provide insight into future compliance considerations, especially for data brokers.

New Proposed Data Broker Regulations Advance to Formal Rulemaking

On March 6 and 7, the CPPA Board held a two-day public meeting focused on proposed regulations concerning the Delete Request and Opt-Out Platform (DROP) pertaining to data brokers. Ultimately, the Board unanimously voted to authorize CPPA staff to advance the regulations to formal rulemaking.

As a short background, the California DELETE Act requires businesses that knowingly collect and sell the personal information of a California consumer with whom the business does not have a “direct relationship” to register as a data broker. The DELETE Act requires the CPPA to create a statewide DROP, allowing consumers to submit a single request to delete their personal data from all registered data brokers. The proposed DROP regulations aim to create a centralized system for consumers to request data deletion and opt out of data sales from registered data brokers. Under these regulations, data brokers will be required to integrate with the DROP platform, honor consumer requests submitted through it, and comply with associated enforcement mechanisms. 

The newest round of proposed revisions to the DROP regulations includes three key updates to the concept of a “direct relationship” discussed at the March meeting. First, the CPPA proposed expanding the definition of “direct relationship” to eliminate the requirement that a consumer’s interaction with the business must occur within the preceding three years.

Second, the CPPA introduced an intent requirement, inserting the statement that “[a] business does not have a ‘direct relationship’ with a consumer simply because it collects personal information directly from the consumer; the consumer must intend to interact with the business.” In clarifying this point for the Board at the March meeting, CPPA staff suggested that a consumer making an online purchase may not intend to interact with cookies or reveal the consumer’s geolocation information, in which case such information collection would not constitute a “direct relationship.”

Finally, the proposed regulations clarify that collecting personal information directly from a consumer in one context does not automatically exempt a business from being classified as a data broker; if the business sells personal information obtained outside a direct, “first party” relationship, it still qualifies as a data broker. On this point, Philip Laird, the General Counsel for the CPPA, explained that the intent behind these proposed revisions is to stress that a direct relationship is an “information specific event,” where certain data collected by a business may occur as a result of a direct relationship (for example, a consumer visiting a website to purchase a pair of shoes), but certain other data collected “‘outside of your awareness’ or ‘without your intent’ is always going to be indirect [and constitute a data broker relationship].” 

For next steps on the DROP regulations, CPPA staff will make requested clarifications before opening the 45-day public comment period. The CPPA anticipates opening the public comment period in April and could vote on finalizing the regulations as early as June. In any event, the CPPA Board and staff expressed a keen desire to have these regulations finalized and effective by January 1, 2026 to coincide with the date on which the DROP will be accessible to consumers.

New CPPA Enforcement Possibilities Include Shutting Down Data Brokers

The DELETE Act requires data brokers to pay an annual fee and register in the CPPA’s Data Broker Registry. Data brokers who fail to register face stringent penalties, including fines of $200 per day for each day of non-compliance. In October 2024, the CPPA announced an investigative sweep against data brokers who fail to comply with registration requirements. On February 27 of this year, the CPPA announced its sixth settlement, this one with Background Alert, a data broker that allows users to search for individuals using their first name, last name, and state. For a fee, Background Alert would search public records (birth records, arrest records, etc.) and draw conclusions from those records to identify new information, for example, identifying potential family members or people who “may somehow be associated with” the searched-for individual.

However, this latest CPPA enforcement action is no ordinary settlement. For the first time in a CPPA data broker settlement action, the settlement requires the data broker to shut down its operations through 2028. In the event Background Alert does not comply, it will face a $50,000 fine. This crystallizes a new avenue for enforcement for the CPPA. 

Perhaps more importantly, though, this settlement sets the precedent that inferences—including inferences based entirely on public records—“constitute Personal Information” and must receive applicable protections under the CCPA and the DELETE Act. Although the CCPA carves out publicly available information from its definition of “personal information,” determining when an inference made from such information could be considered personal information can be complex, so it is advisable to consult with legal counsel.

CPPA Adds Members and Hints at Upcoming Action on Revised Draft Regulations

The March CPPA Board meeting was the first one to take place since the comment period for the draft regulations closed on February 19 and was also the initial meeting for new Board member Dr. Brandie Nonnecke, PhD, an artificial intelligence expert. Later in March, the CPPA named Tom Kemp its new Executive Director. Kemp, a key player in the passage of the CPRA and the DELETE Act, will be sworn in on April 1, 2025. 

This positions the CPPA well for its upcoming April and June meetings, where the CPPA anticipates making significant progress in discussing the draft rulemaking package on risk assessment regulations, cybersecurity audit regulations, and automated decision-making technology regulations. Although the CPPA will now have the DROP regulations to shepherd through the rulemaking process as well, the CPPA expressed confidence that it can make significant progress in all of these rulemaking areas, perhaps even finalizing them.

                                    *                       *                       *                       *

If the March CPPA Board meeting serves as any indication, 2025 could be a pivotal year for California privacy law, as multiple sets of regulations may be finalized throughout the year, offering numerous opportunities for companies to comment on proposed regulations. Perkins Coie has been involved in rulemaking since the CCPA was passed and will continue to assist clients seeking practical changes to the draft regulations.

Authors

Partner
MHalama@perkinscoie.com

Notice

Before proceeding, please note: If you are not a current client of Perkins Coie, please do not include any information in this e-mail that you or someone else considers to be of a confidential or secret nature. Perkins Coie has no duty to keep confidential any of the information you provide. Neither the transmission nor receipt of your information is considered a request for legal advice, securing or retaining a lawyer. An attorney-client relationship with Perkins Coie or any lawyer at Perkins Coie is not established until and unless Perkins Coie agrees to such a relationship as memorialized in a separate writing.

202.654.6303
Counsel
PHegel@perkinscoie.com

312.324.8683
Associate
RAndresen@perkinscoie.com

Perkins on Privacy

Perkins on Privacy keeps you informed about the latest developments in privacy and data security law. Our insights are provided by Perkins Coie's Privacy & Security practice, recognized by Chambers as a leading firm in the field. 
