Will brands need to register as data brokers?

The California Privacy Protection Agency's upcoming board meeting brings two interconnected developments that could dramatically expand who qualifies as a data broker under California law. An announced enforcement sweep on unregistered data brokers signals the CPPA's intent to actively enforce existing registration requirements. But the larger shift is proposed rule language that would classify any company purchasing or licensing third-party data—and then selling it—as a data broker, regardless of whether that company also has a direct first-party relationship with consumers. The implications for ordinary brands are significant. Retailers and other consumer-facing businesses that supplement their customer data with licensed third-party data could now be classified as data brokers with respect to that externally sourced data. Under this interpretation, registration and compliance obligations historically limited to companies in the data brokerage business would extend to virtually any company engaged in common data enrichment or digital advertising practices. Most of these companies do not think of themselves as data brokers—and may not have taken steps to register. The Delete Act compounds this risk further. If a consumer submits a deletion request through California's centralized mechanism, all registered data brokers—including newly classified brand registrants—must comply. That requires companies to identify precisely which data in their systems was sourced from third parties versus collected directly from consumers, maintain records of that distinction, and honor deletion requests accordingly. This is a data governance and provenance challenge that most brands have not yet begun to address, and the timeline to compliance is short.

**Colleen:** Hey. Hey. So never a dull moment. The, California Privacy Protection Agency is meeting next week. What do you think they'll talk about? **Alysa:** We talk about California a lot, but, to me, it seemed that the CPPA was saying, wait a second. You actually really really need to pay attention to us. Because one, they announced an enforcement sweep on data brokers. So that is something and I'm getting questions a lot. Well, is it just companies who haven't registered? Like what do you think the angle was? But pair that with their meeting that they're gonna have next week where, among other things, they've got rules that they're going to be talking about for a vote. You might have a direct relationship with a consumer. Right? First party relationship. But if you are appending data, if you're purchasing or licensing data from another source and you are selling that data, then the CPPA is saying you are a data broker in that circumstance. **Colleen:** Whether you register or not? **Alysa:** Whether you register or not. Then you get into issues if those rules becomes the finalized language of the role, which it looks like it's headed that way. Once that is, enforceable, so many more companies are going to have to register as a data broker. So that is a big deal. Like, companies who intuitively do not think of themselves as a data broker given the way that definition has been structured up to now. But two, you think about the impact of the Delete Act and this one button press for all data brokers who are registered, consumer can do that one button to say delete all my data by all data brokers. That's a big data provenance issue for companies. It was already one for data brokers, but think of your first party retailer. They are going to really need to know what data in their environment they got from not from the consumer, but from another data broker because that would be subject to deletion, and they'd have to have records demonstrating that they complied with the law. So I think there's a big impact here that is just not yet known really by by most, and it's gonna be a big deal. **Colleen:** Is that the wow. That's crazy. Is that the big use case? You're a first party retailer. You're anybody with first party direct relationship with a consumer, but you have a ton of data that you got from data brokers and third parties. That doesn't make you a data broker. It just makes you responsible for deleting that data or, no, it doesn't make you one? **Alysa:** No. Under the the proposed change to the rule, it says you are a data broker. You're a data broker. As to that data, you are a data broker. **Colleen:** This is So just think of an identity perspective. Right? Like, a brand perspective, what brand wants to say it's a data broker? Oh, that's crazy. **Alysa:** Okay. And so what let's stay tight on it. This is breaking news. So they we're gonna get more intel next Friday? We're gonna get more intel next Friday, but consider that to be a headline, and we absolutely will be talking about that more. **Colleen:** Gotcha. Awesome. Thanks, Lisa, as always.