On Tuesday, October 10, 2023, California Gov. Gavin Newsom signed into law Senate Bill 362, also known as the Delete Act, which amends certain aspects of California’s existing Data Broker Registration law. By January 1, 2026, the Delete Act will enable California consumers – as defined under the California Consumer Privacy Act (CCPA), as amended – to make a single personal information deletion request to a centralized database that is binding on all data brokers1 that maintain the consumer’s personal information. In addition, there will be new disclosure and audit requirements imposed on data brokers under the Delete Act.
This law has the potential to significantly impact the data broker business with domino effects hitting the targeted advertising, artificial intelligence, and machine learning ecosystems, and any other industries or business models that are heavily reliant on third party data. As of October 13, 2023, approximately 527 organizations are registered as data brokers in California’s data broker registry. We provide more details about the act’s requirements below.
Establishment of data deletion mechanism
The Delete Act requires the California Privacy Protection Agency (CPPA) to establish an accessible data deletion mechanism by January 1, 2026, to allow California consumers to submit a single verifiable consumer request to delete their data across all data brokers.
Beginning on August 1, 2026, the Delete Act will require data brokers to access the CPPA’s online deletion system at least once every 45 days to review and process new deletion requests. Data brokers also will have to delete any new personal information that they have collected about California consumers who have already submitted relevant deletion requests once every 45 days (unless the consumer requests otherwise or an exemption applies), and data brokers are prohibited from selling or sharing (as such terms are defined under the CCPA) that consumer’s personal information in the future. In addition, data brokers will need to direct service providers and contractors (where applicable) to honor deletion requests.
The Delete Act requires data brokers to undergo an independent audit once every three years to verify their compliance with the act, but this audit requirement does not begin until January 1, 2028.
Enhanced data broker disclosure requirements
The Delete Act requires data brokers to register annually with the CPPA and disclose the following:
- Their name and primary physical, email and website addresses (which are currently the only disclosure requirements under the California’s existing Data Broker Registration law).
- Metrics regarding the number of CCPA consumer requests and Delete Act deletion requests that they received, complied with (in whole or in part), and denied (in whole or in part and the basis for denial) during the prior calendar year, as well as the average number of days it took them to substantively respond to such requests.
- Whether they collect minors’ personal information, consumers’ precise geolocation or consumers’ reproductive healthcare data.
- A link to a webpage on the data broker’s website that explains how consumers may exercise their CCPA consumer rights.
- Whether and to what extent they are regulated by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, California’s Insurance Information and Privacy Protection Act, or California’s Confidentiality of Medical Information Act.
- Beginning January 1, 2029, whether they have undergone a third-party audit to determine their compliance with the Delete Act and, if so, the most recent year that they submitted an audit report and related materials to the CPPA.
These enhanced disclosure requirements will be required as of the next registration period for data brokers (i.e., on or before January 31, 2024).
The Delete Act transfers enforcement authority of California’s data broker registration requirements (and compliance with the Delete Act more generally) from the California attorney general to the CPPA. It also doubles the fines under California’s Data Broker Registration law – per the Delete Act, data brokers who fail to register with the CPPA are subject to penalties including an administrative fine of $200 per day for each day the data broker failed to register, an amount equal to the fees due during the period the data broker failed to register, and any fees related to an administrative action brought by the CPPA. Data brokers also are subject to fines of $200 for each deletion request for each day they fail to delete information as required under the Delete Act.
- A “data broker” is defined as any “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship,” with exceptions for certain entities to the extent they are covered by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and certain other laws; see California Civil Code § 1798.99.80(c). Notably, “sell” has the broader/non-intuitive definition as set forth in Section 1798.140 of the CCPA – meaning that the Delete Act will apply to data brokers who disclose personal information for both monetary and non-monetary consideration. ↩︎