RatedWithAI

RatedWithAI

Accessibility scanner

Blog/CCPA for AI

Does Your AI Product Make You a Data Broker Under CCPA?

Published June 24, 2026 · 9 min read

Most AI founders think "data broker" means a company like Acxiom or LexisNexis — not their SaaS startup. But California's data broker laws are written broadly, and certain AI business models walk directly into data broker classification without realizing it. If you do, annual registration and consumer deletion-request obligations apply.

Here's how to determine whether your AI product qualifies, what the obligations are if it does, and how California's Delete Act tightened the requirements further.

The Core Definition

California's data broker statute (AB 1202, codified at Civil Code §1798.99.80) defines a data broker as a business that knowingly collects and sells or shares personal information about consumers with whom the business does not have a direct relationship, for monetary or other valuable consideration.

Three elements need to be true simultaneously:

1
Knowingly Collects
You gather personal information intentionally — not incidentally. A server log that captures IP addresses doesn't automatically qualify, but a product designed to aggregate person-level profiles does.
2
Sells or Shares
The personal data flows to third parties. Under CCPA's broad "sale" definition, this includes sharing for valuable consideration that isn't money — ad targeting, data co-ops, API access in exchange for partnership benefits, and audience syndication all potentially count.
3
No Direct Relationship
The individuals whose data you hold are not your customers. If you're processing data about your own paying users to provide your service, that's a service-provider relationship. If you're processing data about people who've never interacted with your product, that's the data-broker pattern.

AI Business Models That Commonly Cross the Line

Several AI product categories regularly trigger data broker classification. If your product falls into any of these patterns, you should do a formal legal analysis rather than assuming you're not a broker.

B2B Lead Intelligence / Prospecting AI

High Risk

AI tools that compile professional profiles, contact data, or firmographic enrichment from public sources and sell API access or downloads. The individuals whose data appears in these tools have no direct relationship with the vendor — this is textbook data broker territory.

AI-Powered Audience Targeting Platforms

High Risk

Products that ingest behavioral signals, model audience segments, and share those segments with advertisers. If the people in the segments aren't your direct users and data flows to third-party ad platforms for valuable consideration, you're likely a broker.

AI Screening and Background Check Tools

High Risk

Tenant screening, employment background check, and candidate intelligence platforms that compile third-party data on individuals who haven't consented to your collection. Multiple compliance obligations stack here (FCRA, CCPA data broker, and potentially EU AI Act high-risk).

SaaS That Processes Data Only for Its Own Users

Low Risk

An AI writing assistant, code tool, or CRM where the only personal data processed belongs to the subscriber who uses the product, and that data isn't shared with third parties for their own use. This is a service provider, not a data broker.

AI Analytics Sold to Enterprises (About Their Customers)

Medium Risk

Depends on data flows. If the enterprise customer's customer data stays within that enterprise's stack and you're a service provider, likely not a broker. If your AI combines data from multiple enterprise clients to build cross-client profiles or benchmarks that are resold, the analysis changes.

AI Data Enrichment APIs

High Risk

Products that accept an email or name and return additional personal attributes — employer, income estimate, social profiles, location history. You're selling personal information about people who have no relationship with you, which is the core data broker pattern.

What Data Broker Registration Requires

If you qualify as a California data broker, registration with the California Privacy Protection Agency (CPPA) is annual and mandatory. The CPPA maintains a public registry. Here's what registration and ongoing compliance involves:

  • Annual registration with the CPPA by January 31 each year
    Fee: $US 400–800 (scaled by business size). Failure to register: civil penalties up to $200/day.
  • Public registration entry with name, contact, privacy policy link, and data categories collected
    Entry is searchable in the CPPA registry — consumers can find and contact you.
  • Honor consumer rights requests: access, deletion, correction, opt-out of sale/share
    Deletion requests must be honored. If the data is necessary for the purpose you collected it for, there may be exceptions, but most broker data doesn't qualify.
  • California Delete Act: honor centralized deletion requests from CPPA's automated mechanism
    The Delete Act (SB 362) creates a single opt-out mechanism. Brokers must check it at least every 45 days and act on all matched deletion requests.
  • Annual cybersecurity audit (if over threshold)
    Brokers above certain size/risk thresholds face mandatory annual security audits — a CPRA-era obligation that overlaps with broker status.

The California Delete Act: What Changed

SB 362 (the Delete Act, signed October 2023) tightened the data broker framework significantly. Before it, consumers had to contact each broker individually to request deletion — an impossible task given that hundreds of brokers exist. The Delete Act created a centralized mechanism operated by the CPPA through which consumers submit a single request that applies to all registered brokers simultaneously.

For brokers, this means the deletion request volume will increase substantially once the centralized system is fully operational. AI companies that registered as brokers assuming low consumer engagement with deletion rights need to build automated workflows to handle the centralized feed — manual processes won't scale.

Delete Act Requirements for Registered Brokers

  • Check the CPPA's centralized deletion mechanism at least once every 45 days
  • Process all matched deletion requests for consumers whose data you hold
  • Confirm deletion within 45 days of the request being submitted
  • Maintain records of deletion requests and actions for audit purposes
  • Notify any service providers or contractors who received the data to delete as well

Exemptions and Edge Cases

Several categories of businesses may qualify for exemptions from the California data broker statute even if they otherwise fit the definition:

FCRA-regulated entities

Consumer reporting agencies operating under the Fair Credit Reporting Act have a partial exemption from the CCPA's data broker registration requirements for activities regulated by the FCRA. This covers credit bureaus and formal background-check agencies — not most AI enrichment tools.

Financial institutions under GLBA

Banks and similar financial institutions subject to the Gramm-Leach-Bliley Act for the data categories covered by GLBA have an exemption. AI tools serving those institutions as service providers may benefit indirectly, but the AI tool itself typically doesn't qualify.

Pure first-party data use

If every person whose data you process is a direct customer or user of your product and data never flows to third parties for independent use, you're not a data broker regardless of what your AI does with the data internally.

Journalists and public interest research

Limited exemption for journalistic, news, and certain research activities. Not applicable to commercial AI products that monetize personal data.

Frequently Asked Questions

What makes an AI company a data broker under California law?

Knowingly collecting personal information about people with whom you have no direct relationship, and selling or sharing that data for monetary or other valuable consideration. The 'no direct relationship' element is key — it distinguishes data brokers from SaaS companies that only process their own customers' data.

Do AI SaaS companies that process customer data qualify as data brokers?

Generally no — acting as a service provider for your direct customers' data is not data brokering, even if you use AI to process it. The broker classification requires sharing data about people who aren't your customers with third parties.

What is the California Delete Act for data brokers?

SB 362 (2023) requires registered data brokers to honor deletion requests submitted through a centralized CPPA-operated mechanism. Consumers submit one request; all registered brokers must check the feed every 45 days and process matching deletion requests.

What happens if I fail to register as a California data broker?

Civil penalties of up to $200 per day of non-registration, enforceable by the California Attorney General and CPPA. Beyond the daily fine, unregistered brokers may also face claims for each CCPA violation that flows from not honoring consumer rights.

The Test Most AI Founders Skip

The fastest way to check your status: list every entity that receives personal data from your product. For each one, ask whether the person whose data it is has any relationship with that recipient. If they don't — if data flows to buyers, partners, or advertisers without the subject's direct relationship with them — you need to dig into whether that constitutes a sale or sharing under CCPA.

Data broker classification isn't intuitive, and the consequences of missing it are compounding: daily registration penalties, CCPA violation exposure, and — once the centralized Delete Act mechanism is fully live — a flood of deletion requests that unregistered companies are legally obligated to honor but operationally unprepared to process.