California Enacts Law Requiring Data Brokers to Participate in “One-Stop Shop” For Consumers to Request Deletion of Their Data
Key Takeaways: The California Delete Act marks a significant change to the regulation of data brokers with respect to registration and disclosure requirements. Additionally, data brokers will be obligated to participate in a public deletion mechanism analogous to the National Do Not Call Registry, and will be required to fulfill consumers’ requests for data deletion.
On October 10, 2023, California Governor Gavin Newsom signed Senate Bill 362, also known as the Delete Act, into law. This legislation will materially affect how data brokers handle personal information while giving consumers greater control over their data. In this article, we explain key components of the Delete Act and its potential implications for businesses.
The Delete Act (the “Act”) was introduced by State Senator Josh Becker in an attempt to address a critical gap in the California Consumer Privacy Act of 2018 (“CCPA”), which allowed consumers to request that data brokers delete information obtained directly from consumers, but did not require data brokers to delete personal information obtained from sources other than the consumer. A data broker is defined in the Act as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” A “direct relationship” with a consumer is not defined in the Act, and businesses will need to assess the nature of their relationship and interactions with consumers to determine whether they qualify as a data broker under the Act. The Act excludes entities covered by the Fair Credit Reporting Act (“FCRA”), Gramm-Leach-Bliley Act (“GLBA”), Insurance Information and Privacy Protection Act (“IIPPA”), as well as entities, or business associates of entities, covered by the Health Insurance Portability and Accountability Act (“HIPAA”).
Key Provisions of the Delete Act
Registration and Disclosure Obligations
Under the Act, all data brokers will be required to register with the California Privacy Protection Agency (the “CPPA”) before January 31 of each year. Data brokers must also pay a yearly registration fee, the amount of which is yet to be determined by the CPPA. This shifts the oversight authority from the California Department of Justice to the CPPA in order to make the regulatory process more efficient and streamlined, as the CPPA is also responsible for oversight of the California Consumer Privacy Act.
The Act significantly expands disclosure requirements for data brokers. In addition to the existing requirement for data brokers to provide their name, address, email, and website address upon registration, data brokers will now also need to submit detailed information about their data collection practices, including metrics related to consumer privacy requests, collection of minors’ information, precise geolocation data, and reproductive health data. Additionally, data brokers must offer information on whether and to what extent they are regulated under specified state and federal laws. Data brokers must also submit a link to the page of the data broker’s website that addresses the data broker’s personal information collection practices and opt-out rights for consumers. (Data brokers that are subject to the California Consumer Privacy Act should be well prepared to comply with this requirement, as the California Consumer Privacy Act also requires this information to be posted on a business’s website.)
One of the most important aspects of the Act is that it requires the CPPA to create a public “one-stop shop” deletion mechanism by January 1, 2026. This mechanism will allow consumers or their authorized agents to submit a single, verifiable request for the deletion of their personal information by all of the approximately 500 data brokers registered in California. Consumers will also have the option to omit specific data brokers from their request, if preferred. This process, which was inspired by the National Do Not Call Registry, will be free to consumers and accessible online.
Effective August 1, 2026, data brokers will be obligated to access this deletion mechanism every 45 days. Upon receiving a request, the data broker must delete any personal information of the consumer held by the data broker or associated service provider or contractor within 45 days, subject to certain deletion exemptions under the California Consumer Privacy Act. If a deletion request cannot be verified via the CPPA's mechanism, data brokers must instead process the request as an opt-out of the sale or sharing of personal information under the California Consumer Privacy Act. The data broker must also direct all service providers or contractors associated with the data broker to delete all personal information they possess related to the consumer. Additional information as to how data brokers can access and process deletion requests submitted through the universal mechanism is expected to be released closer to the August 1, 2026 effective date.
Ongoing Duty to Delete
The Act imposes a perpetual obligation on data brokers to delete consumer data. After complying with a deletion request, data brokers must continue to delete any personal information of the consumer obtained after the deletion request at least once every 45 days, unless the consumer specifies otherwise.
Audits and Compliance
Beginning January 1, 2028, data brokers must submit to audits by independent third parties to ensure compliance with the Act. These audits must be conducted every three years and require data brokers to maintain records for at least six years. Audit results must be submitted to the CPPA upon request.
Penalties for Non-Compliance
Data brokers found in violation of the Delete Act may face significant penalties, including administrative fines of $200 per day for failure to register, comply with deletion requests, and pay registration fees. Additionally, violators may be required to pay the costs of CPPA investigations and agency actions.
Additional Potential Regulations
The Act also grants the CPPA the authority to promulgate additional regulations for its implementation and administration.
What Happens Next?
The Act's provisions will be implemented in stages, as specified above. The Act will impose a major shift in data privacy regulations. For businesses, especially data brokers, adapting to new compliance requirements, including expanded disclosure obligations, ongoing deletion responsibilities, and potential audits, will be burdensome. For consumers, the Delete Act will provide a streamlined and accessible way to assert their privacy rights. It will address concerns about data brokers' practices, including the sale of sensitive personal information, and provide a powerful tool to protect individual privacy.
The passage of California's Delete Act will likely bring major changes to data privacy law. With the potential for this legislation to become a model for other states, it highlights the importance of remaining up to date on ever-changing data privacy regulations. Businesses should be actively preparing to meet their obligations under the Act.
Koley Jessen will continue to monitor developments related to this law and advise as updates become available. If you have questions on whether your business needs to comply with the law or what steps you must take to comply, please contact one of the specialists in our Data Privacy and Security Practice Area.
*Special thanks to law clerk Luke Schnepel for his contributions to this article.