In early October, California enacted an amendment to its existing privacy laws that will allow Golden State consumers to submit a global opt-out directive to stop data brokers from collecting and processing information about them. Currently, the laws in California require that consumers register separately with each data broker in order to control their information. The new law will also provide a uniform timeframe for data brokers to respond to consumer data access requests, and it moves enforcement from the state's DOJ to its newly created privacy regulator (CPPA).
Why It Matters
California continues to set the bar high for privacy compliance in the US. While most companies will not be subject to this law, it does contain some troubling ambiguity. “Data brokers” are defined as companies that “knowingly collect and sell” consumer personal information in the absence of a “direct relationship” with the consumer.
The term “direct relationship” is not defined, and could give rise to questions about whether certain service providers or contractors (i.e., a behind-the-scenes supplier) may be counted as “data brokers” depending on how the CPPA handles enforcement. Companies that “sell” consumer information but are not consumer-facing may wish to seek advice on whether they could inadvertently be classified as “data brokers” under a broad reading of the law.
