Mini-Data Broker Requirements: businesses that annually buy, share, or receives for commercial purposes, or sells the personal information of, 4 million consumers, it must compile a number of metrics, disclose such metrics in its privacy policy, and establish and document training. Notably, an entity need not meet the definition of a data broker (as specified in AB 1202) to be subject to this requirement.