818.501.4343May 21, 2025
The California Privacy Protection Agency (CPPA) is cracking down on companies that don’t register or follow data transparency regulations.
In early 2025, the CPPA settled with a data broker that must pay a $50,000 fine or shut down its California operations for three years. This is just one of many settlements since 2024.
Did you know that employers who collect, share or sell employee or consumer data may also be subject to a data broker’s registration requirements? Businesses that fall under the data broker umbrella may also be subject to $200-per-day fines from the CPPA for not registering.
Is your business at risk? If so, you need to check whether your company requires registration under the California Consumer Privacy Act (CCPA) and related amendments.
Here’s what you need to know about how to avoid compliance mistakes and how working with an employer law firm can help you stay ahead of legal risks.
What Is a Data Broker?
According to the CCPA, a data broker is a company that consumers don’t interact with directly but one that buys and sells information about consumers from and to other businesses.
Where you get the data doesn’t matter. It may be from website cookies, third-party sources, social media, surveys, public records or employees themselves. All of these sources are subject to CCPA requirements.
Data brokers are traditionally thought of as external vendors, but any business today may unintentionally fall under the classification based on how they collect and use personal information.
That’s why you need to evaluate the type of data your business collects and compare it to the CCPA definition.
Why Employers Should Be Paying Attention
Here are a few reasons your business needs to be aware of the recent enforcement activity:
You May Already Be a Data Broker
Even if you’re not actively selling consumer data, the act of sharing personal information for a benefit can put your business under the definition of a data broker, according to California law. For example, sharing consumer data for targeted job advertising or workforce analytics could put you in the CPPA’s crosshairs.
Employee Data Is Included
The definition of “personal information” under California law is broad and can include employee names, job titles, email addresses, geolocation data, health data and employment history. If you share such data with third parties, you may be required to comply with data broker laws, even if the data is for internal HR purposes.
The CPPA Is Cracking Down
The biggest reason you need to be paying attention to recent CPPA activity is that the agency is taking enforcement action. You don’t want to find out the hard way that you’ve been racking up the $200 daily fine for months and have to pay tens of thousands in penalties all at once.
What the Law Requires
If your business is a data broker under California’s definition, you must follow these requirements:
Annual Registration With the CPPA
Data brokers must register annually with the California Privacy Protection Agency. As part of the registration process, you must disclose what type of personal information you collect and share, what you use it for and whether consumers can opt-out.
Expanded Disclosures
The CPPA is adding new disclosure requirements for the collection of sensitive personal information, which includes precise geolocations, union membership, biometric data and information about a person’s ethnic or racial origin.
Transparency and Opt-Out Mechanisms
You must offer clear opt-out options and be transparent about the data you collect. Lack of transparency can expose your business to big fines and other penalties.
Risks to Your Organization
Failure to comply can introduce serious risks to your business such as:
Legal Fines and Penalties
The most obvious risk of non-compliance is the fine or penalty. Failing to register with the CPPA carries a $200-per-day fine. More serious violations come with bigger penalties that can hurt your bottom line.
Reputational Damage
Failure to comply with privacy laws can erode trust among employees, applicants and customers alike. Public enforcement actions can deter top talent from working at your organization, resulting in fewer applications.
Filling important vacancies is hard enough. Don’t make it any harder.
Class-Action Liability
Businesses that don’t implement opt-out procedures or properly disclose data collection may be subject to class-action litigation. If your lack of compliance affected a large group of people, the result could be a costly and lengthy legal case.
Best Practices to Protect Yourself
Fortunately, there are a few things you can do to protect yourself from the recent CPPA activity:
Do a Data Audit
Step one is to take stock of the data you collect and manage. Identify and categorize all employee and customer information so you can manage it properly.
Review Third-Party Agreements
Review agreements with vendors and service providers that access or process personal information for your business. Make sure your agreements have data privacy terms and require vendors to use information responsibly and transparently.
Update Notices
Update your employee and job applicant privacy notices to include information on data sharing and opt-out rights. Make sure your notices are CPPA compliant.
Consult an Employer Law Firm
An employer law firm can help you with CCPA litigation and protect your reputation. An experienced employer attorney will determine if the CPPA registration requirements apply to your business and if so, help you register and comply.
Working With an Employer Law Firm Can Help Your Business
The California Privacy Protection Agency is not slowing down on data brokers. With that being the case, you need to determine if your business is a broker and proactively strengthen your compliance.
Working with a trusted employer law firm can help you stay on top of recent enforcement activity and adjust your compliance policies as new provisions are added. This means less risk of fines and a better reputation with consumers, employees and job seekers.
At Pearlman, Brown & Wax, LLP, we know how overwhelming California’s constantly changing laws can be. Our team of experienced employment law attorneys is here to help you make sense of it all, so your business stays compliant, protected, and ahead of the curve. Let’s talk about how we can support you. Reach out today to schedule a consultation.