Gov. Gavin Newsom, D-Calif., signed Senate Bill 362, also known as the Delete Act, into law on October 10. SB 362 is a bill that directs the California Privacy Protection Agency (CPPA) to establish a bulk deletion mechanism linked to the state’s data broker registry. This mechanism will allow 45 million Californian residents to submit a single request to delete their personal data from the databases of the approximately 500 data brokers registered to operate in the state.
By January 1, 2026, data brokers must process new deletion requests submitted under this mechanism every 45 days, starting August 1, 2026. The new law shifts data broker registration in the state from the California Department of Justice to the CPPA, amending certain aspects of California’s existing Data Broker Registration law. According to the Delete Act’s definition, data brokers are companies that collect, use, and sell personal data without a consumer’s knowledge. The statute also creates a “do not track” list prohibiting data brokers from collecting users’ data downstream.
What Are Data Brokers?
A data broker is any “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship,” with exceptions for certain entities covered by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and certain other laws as defined in the California Civil Code § 1798.99.80(c). Notably, “sell” has a broader definition as outlined in Section 1798.140 of the CCPA, meaning that the Delete Act will apply to data brokers who disclose personal information for monetary and non-monetary consideration.
Establishment of a Data Deletion Mechanism
The Delete Act requires the CPPA to establish an accessible data deletion mechanism by January 1, 2026. It allows California consumers to submit a single verifiable consumer request to delete their data across all data brokers. In addition, data brokers must instruct service providers and contractors to honor deletion requests.
Audit Requirements
The Delete Act mandates that data brokers undergo an independent audit once every three years to verify their compliance with the act. However, this audit requirement does not take effect until January 1, 2028. These audit and compliance obligations are in addition to the required risk assessments and cybersecurity audits imposed by the CCPA regulations.
Enhanced Data Broker Disclosure Requirements
The Delete Act requires data brokers to register annually with the CPPA and disclose the following:
- Their name and primary physical, email, and website addresses.
- Metrics regarding the number of CCPA consumer requests and Delete Act deletion requests received and denied during the prior calendar year, as well as the average number of days it took them to respond to such requests substantively.
- Whether they collect minors’ personal information, consumers’ precise geolocation, or consumers’ reproductive healthcare data.
- A link to a webpage on the data broker’s website explaining how consumers may exercise their CCPA consumer rights.
- Whether and to what extent they are regulated by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, California’s Insurance Information and Privacy Protection Act, or California’s Confidentiality of Medical Information Act.
- Beginning January 1, 2029, whether they have undergone a third-party audit to determine their compliance with the Delete Act and, if so, the most recent year they submitted an audit report and related materials to the CPPA.
Data brokers must comply with the enhanced disclosures by the next registration period on or before January 31, 2024.
Enforcement
The Delete Act mandates that data brokers register with the CPPA and pay fees for registration and access to the deletion mechanism. Data brokers failing to comply with the registration requirements will be subject to fines of at least $200 per day, plus the amount equal to the fees due during the period of non-compliance and the expenses incurred by the CPPA in the investigation and administration of the action “as the court deems appropriate.” Registered data brokers will also be subject to administrative fines of $200 per deletion request for each day they fail to delete the information as required under SB 362, plus the expenses incurred by the CPPA in the investigation and administration of the action.
Key Takeaways
- Bulk Deletion Mechanism: The Delete Act directs the CPPA to establish a bulk deletion mechanism connected to the state’s data broker registry, allowing California residents to submit a single request to have their personal data deleted from the databases of registered data brokers, with limited exceptions.
- Deletion Timelines: The CPPA is required to establish this bulk deletion mechanism by January 1, 2026. Data brokers must process new deletion requests under this mechanism every 45 days, starting August 1, 2026.
- Definition of Data Brokers: Data brokers are businesses that knowingly collect and sell the personal information of consumers with whom they do not have a direct relationship, encompassing monetary and non-monetary transactions, with exceptions for entities covered by certain federal laws.
- Data Deletion Mechanism: The CPPA will create an accessible data deletion mechanism allowing consumers to submit a single verifiable request to delete their data across all data brokers, and service providers and contractors must also honor deletion requests.
- Audit Requirements: Starting January 1, 2028, Data brokers must undergo an independent audit every three years to verify their compliance with the Delete Act, in addition to the risk assessments and cybersecurity audits required by the CCPA regulations.
- Enhanced Disclosure Requirements: Data brokers must annually register, providing various disclosures, and these requirements will apply as of the next registration period, on or before January 31, 2024.
- Enforcement: Data brokers must register and pay fees; non-compliance can result in fines. Registered data brokers may also face administrative penalties if they fail to delete information as required by the Delete Act.
The Delete Act aims to enhance privacy protections and transparency related to data brokers’ activities in California, giving consumers more control over their personal data. These regulations are in addition to existing data privacy laws like the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA).
