Civil Code section 1798.99.82
(a)
On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.(b)
In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:(1)
Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84 and the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86. Registration fees shall be deposited in the Data Brokers’ Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.(2)
Provide the following information:(A)
The name of the data broker and its primary physical, email, and internet website addresses.(B)
The metrics compiled pursuant to paragraphs (1) and (2) of subdivision (a) of Section 1798.99.85.(C)
Whether the data broker collects the personal information of minors.(D)
Whether the data broker collects consumers’ names, dates of birth, ZIP Codes, email addresses, or phone numbers.(E)
Whether the data broker collects consumers’ account login or account number in combination with any required security code, access code, or password that would permit access to a consumer’s account with a third party.(F)
Whether the data broker collects consumers’ drivers’ license number, California identification card number, tax identification number, social security number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.(G)
Whether the data broker collects consumers’ mobile advertising identification numbers, connected television identification numbers, or vehicle identification numbers (VIN).(H)
Whether the data broker collects consumers’ citizenship data, including immigration status.(I)
Whether the data broker collects consumers’ union membership status.(J)
Whether the data broker collects consumers’ sexual orientation status.(K)
Whether the data broker collects consumers’ gender identity and gender expression data.(L)
Whether the data broker collects consumers’ biometric data.(M)
Whether the data broker collects consumers’ precise geolocation.(N)
Whether the data broker collects consumers’ reproductive health care data.(O)
Whether the data broker has shared or sold consumers’ data to a foreign actor in the past year.(P)
Whether the data broker has shared or sold consumers’ data to the federal government in the past year.(Q)
Whether the data broker has shared or sold consumers’ data to other state governments in the past year.(R)
Whether the data broker has shared or sold consumers’ data to law enforcement in the past year, unless that data was shared pursuant to a subpoena or court order.(S)
Whether the data broker has shared or sold consumers’ data to a developer of a GenAI system or model in the past year.(T)
Up to three, but no fewer than one, of the most common types of personal information that the data broker collects, if the data broker does not collect the information described in subparagraphs (D) and (G).(U)
Beginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency.(V)
A link to a page on the data broker’s internet website that does both of the following:(i)
Details how consumers may exercise their privacy rights by doing all of the following:(I)
Deleting personal information, as described in Section 1798.105.(II)
Correcting inaccurate personal information, as described in Section 1798.106.(IV)
Learning what personal information is being sold or shared and to whom, as described in Section 1798.115.(V)
Learning how to opt out of the sale or sharing of personal information, as described in Section 1798.120.(VI)
Learning how to limit the use and disclosure of sensitive personal information, as described in Section 1798.121.(ii)
Does not make use of any dark patterns.(W)
Whether and to what extent the data broker or any of its subsidiaries is regulated by any of the following:(i)
The federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).(ii)
The Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.(iv)
The Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).(X)
Any additional information or explanation the data broker chooses to provide concerning its data collection practices.(c)
A data broker that fails to register as required by this section is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:(1)
An administrative fine of two hundred dollars ($200) for each day the data broker fails to register as required by this section.(2)
An amount equal to the fees that were due during the period it failed to register.(3)
Reasonable expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action.(d)
A data broker required to register under this title that fails to comply with the requirements of Section 1798.99.86 is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:(1)
An administrative fine of two hundred dollars ($200) for each deletion request for each day the data broker fails to delete information as required by Section 1798.99.86.(2)
Reasonable expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action.(e)
Any penalties, fines, fees, and expenses recovered in an action prosecuted under subdivision (c) or (d) shall be deposited in the Data Brokers’ Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, with the intent that they be used to fully offset costs incurred by the state courts and the California Privacy Protection Agency in connection with this title.(f)
For purposes of this section, the following definitions apply:(1)
(A)“Foreign actor” means either of the following:(i)
The government of a foreign adversary country.(ii)
A partnership, association, corporation, organization, or other combination of persons organized under the laws of or having its principal place of business in a foreign adversary country.(B)
For purposes of subparagraph (A), “foreign adversary country” has the same meaning as “covered nation” as defined in Section 4872 of Title 10 of the United States Code.(2)
“Developer of a GenAI system” means a business, person, partnership, corporation, or other entity that designs, codes, produces, or substantially modifies a GenAI system.(3)
“Generative artificial intelligence system” or “GenAI system” means an artificial intelligence that can generate derived synthetic content, including text, images, video, and audio, that emulates the structure and characteristics of the system’s training data.
Source:
Section 1798.99.82, https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.99.82. (updated Jan. 1, 2026; accessed Dec. 29, 2025).
