With the Delete Act, California Enacts Another Groundbreaking Privacy Law
In Short:
The Situation: California has enacted a groundbreaking new privacy law aimed at data brokers—entities that sell information about consumers with whom they do not have a direct relationship. Under the Delete Act (SB 362), data brokers must allow California consumers to delete their personal information through a "one-stop-shop" mechanism and must adhere to enhanced registration and transparency requirements.
The Result: Data brokers have to engineer their systems to process consumer deletion requests submitted through the "one-stop-shop" mechanism that the California Privacy Protection Agency ("CPPA") will develop. Even if a data broker is registered under the existing California data broker registration law, the Delete Act requires new transparency disclosures about data broker practices.
Looking Ahead: Though data brokers do not have to adhere to the deletion mechanism provisions of the law until 2026, the enhanced registration and transparency requirements will go into effect as soon as January 31, 2024, and require prompt attention. Given the stiff penalties the CPPA can levy under the law, data brokers should begin considering how the law will impact their operations.
Background
California's newest consumer privacy law, the Delete Act, was signed into law on October 10, 2023. The Delete Act provides consumers with the right to request the deletion of their personal information held by various data brokers subject to the law through a single request. The law also modifies the existing registration requirements for data brokers and imposes a new audit requirement.
The Delete Act defines a "data broker" as a "business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." The definition exempts entities covered under the federal Fair Credit Reporting Act and the Gramm-Leach-Bliley Act, the federal Health Insurance Portability and Accountability Act, California's Insurance Information and Privacy Protection Act, and the California Confidentiality of Medical Information Act.
While California, Vermont, Oregon, and Texas have existing data broker registration laws, the Delete Act is more expansive. Key new requirements applicable to data brokers under the Delete Act are discussed below.
The CPPA is the New California Data Broker Regulator
The Delete Act positions the CPPA as the new California data broker regulator. Prior to the Delete Act, data brokers were required to register with the California Attorney General and were subject to enforcement action by the Attorney General for violating the registration requirements. With the passage of the Delete Act, the registration and enforcement responsibilities have shifted to the CPPA.
Deletion of Consumer Personal Information
By January 1, 2026, the CPPA is required to create a free "accessible deletion mechanism" that allows consumers "through a single verifiable request" to delete their personal information from "every data broker." Consumers would be able to selectively exclude specific data brokers from their request, as well as modify a previously submitted request. Additionally, a consumer's authorized agent would be allowed to make a deletion request through such mechanism.
Starting on August 1, 2026, once every 45 days the registered data brokers will be required to access the deletion mechanism to process new deletion requests and to delete any new personal information of consumers who have previously submitted deletion requests. The CPPA will assess a fee on data brokers to access the mechanism.
Modified Registration Requirements
The Delete Act also modifies the existing California data broker registration requirements. Currently, data brokers are required to register with the California Attorney General. Starting in January 2024, data brokers must register with the CPPA instead. Data brokers must also provide more information than was previously required, such as information and metrics related to processing consumer privacy requests under the California Consumer Privacy Act; whether they collect certain categories of information (minors' information, precise geolocation of consumers, and reproductive health information); and a website link where California consumers can exercise their privacy rights.
If a data broker is exempt because of the applicability of federal or California laws noted above, it is still required to describe whether and to what extent it is regulated under the exempted laws.
Audit Requirements and Penalties
The Delete Act imposes a new audit requirement and stiff penalties for violations. Starting January 1, 2028, data brokers will be required to undergo an independent audit every three years to certify their compliance with the law. The CPPA may request such audits and data brokers must keep audit records for at least six years. Data brokers will also be subject to a $200 per day fine for failing to register and/or for each failure to delete a California consumer's personal information. The CPPA also is empowered to seek any expenses it incurred in investigating noncompliant data brokers.
Five Key Takeaways:
1. The deletion provisions of the law do not go into effect until August 1, 2026. However, the enhanced registration and transparency requirements will be effective by January 31, 2024.
2. The penalty for violations is $200 per day.
3. Data brokers should start developing and implementing relevant compliance strategies for these new requirements.
4. Other states may soon follow California's lead with the Delete Act and enact similar laws.
5. The Delete Act will bring further regulatory and public scrutiny to data brokers.