Home · Synthesis · cl-us-state-privacy-data-broker

Data broker registration and obligations (US states)

CCPAOCPATDPSA

Primary statement

Data broker registration per CCPA California Delete Act SB 362 (registration with CPPA + DROP one-stop deletion mechanism by Aug 2026) + Texas TDPSA broker provisions + Oregon OCPA data broker registration. Data brokers — entities knowingly collecting and selling personal information about consumers with whom they have no direct relationship — face increasingly specific obligations.

Audit-fatigue payoff

A unified data broker compliance programme — CPPA registration + DROP integration + state-specific broker addenda — satisfies data broker requirements across all 3 contributing frameworks.

Strictness matrix

Scope
Scope: California Delete Act registers data brokers with CPPA (transferred from AG); requires DROP one-stop deletion mechanism from Aug 2026. Plus Oregon registration + Texas broker provisions. Ceiling source: ccpa:CCPA.DeleteAct.1798.99.82 Rationale: California Delete Act + state extensions form the broadest broker scope.
Threshold
Threshold: data broker definition (knowingly collect + sell + no direct relationship). Self-determination of broker status triggers registration. CPPA registration is the binary qualifier. Ceiling source: ccpa:CCPA.DeleteAct.1798.99.82 Rationale: California Delete Act broker-status threshold is uniquely strict.
Method
Method: data broker status self-assessment + CPPA registration (California) + DROP integration (by Aug 2026) + Oregon registration + Texas broker provisions + per-state addendum + transparency disclosures. Ceiling source: ccpa:CCPA.DeleteAct.1798.99.82 Rationale: California Delete Act + state laws combined are most prescriptive.
Frequency
Registration: annual renewal with CPPA. DROP integration: continuous (real-time deletion mechanism). Broker status re-assessment: annual. Ceiling source: ccpa:CCPA.DeleteAct.1798.99.82 Rationale: Annual CPPA registration is the audit-defensible cadence.
Evidence
Evidence: data broker status assessment + CPPA registration certificate + DROP integration evidence + Oregon registration (if applicable) + Texas broker compliance + transparency disclosures. Ceiling source: ccpa:CCPA.DeleteAct.1798.99.82 Rationale: California Delete Act evidence with CPPA registration is comprehensive.

Auditor test pattern

Step 1: Conduct data broker status self-assessment. Step 2: If broker, verify CPPA registration. Step 3: Verify DROP integration prep (or operational from Aug 2026). Step 4: Verify per-state registrations + addenda.

Common findings

Common findings: (1) Broker status self-assessment never conducted; (2) CPPA registration absent for entities meeting broker definition; (3) DROP integration prep not started; (4) Per-state broker registrations missed.