Keypoint: Pending the Governor’s signature, the California Delete Act requires all data brokers to register with the CPPA next year and comply with a one-stop consumer deletion mechanism by 2026.
Last week, the California legislature passed the Delete Act (SB 362) (the “Act”) which amends California’s existing data broker law to subject all data brokers to new registration and disclosure requirements, and a one-stop mechanism for consumer deletion requests. In the below post, we analyze the Delete Act and the changes it makes to the existing data broker law.
Application
The Act does not change the existing definition of data broker, which is defined as any “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The Act utilizes the California Consumer Privacy Act’s (CCPA) definitions of business, collects, third party, consumer, sell, and personal information. As with the current law, the Act does not define what constitutes a “direct relationship.”
The Act excludes entities covered by (i) the Fair Credit Reporting Act (FCRA), (ii) the Gramm-Leach-Bliley Act (GLBA), or (iii) the Insurance Information and Privacy Protection Act (IIPPA). It also excludes an entity, or a business associate of a covered entity, to the extent their processing of personal information is exempt under California Civil Code § 1798.146.
Change in Regulator
Under the current law, data brokers must register and pay an annual fee with the California Attorney General’s Office. If enacted, the Act will transfer oversight authority of data brokers to the California Privacy Protection Agency (CPPA), requiring data brokers to register with the CPPA for an undetermined fee by January 31st each year they meet the above “data broker” definition.
Additional Disclosure Obligations
The law currently requires data brokers to provide their name, primary physical, email and internet website addresses, and any additional information or explanation the data broker chooses to provide concerning its data collection practices. In practice, the Attorney General’s Office requires data brokers to also identify how consumers can opt out of sales or submit requests under the CCPA and make a deletion request under Government Code §§ 6208.1(b) or 6524.21(c)(1). The Attorney General’s Office is required to maintain a website with a list of registered data brokers.
The Act significantly increases the amount of information a data broker must disclose to the CPPA when registering, including metrics on its processing of consumer privacy requests, whether it collects the personal information of minors, whether it collects consumers’ precise geolocation, and whether it collects consumers’ reproductive health care data. The Act and the CCPA do not define “minors” or “reproductive health care data.” Data brokers also must provide a link to a page on their websites that describes how consumers may exercise their CCPA privacy rights and does “not make use of dark patterns.” Finally, data brokers must disclose whether, and to what extent, they are regulated by FCRA, GLBA, IIPPA, HIPAA and California’s Confidentiality of Medical Information Act.
In addition, data brokers must annually compile and disclose in their privacy policies metrics on the CCPA requests they receive. Specifically, data brokers must compile the number of requests received, the median and mean number of days it took to respond, and the number of requests it denied, including the basis for the denial. These disclosure obligations are similar to those applicable to businesses that collect the personal information of 10,000,000 or more California residents found in CCPA Regulation 7102.
New Deletion Mechanism
Most significantly, the Act requires the CPPA to create a public “deletion mechanism” by January 1, 2026, through which a consumer or authorized agent can submit a single verifiable consumer request that every data broker delete the consumer’s personal information. The CPPA must provide this mechanism at no cost to consumers and make it accessible online, similar to the National Do Not Call Registry.
Beginning August 1, 2026, data brokers must access the deletion mechanism at least once every 45 days and, within 45 days of receiving a request from a consumer (or authorized agent), delete the consumer’s personal information (subject to CCPA deletion exemptions). Where a data broker denies the request because it cannot be verified via the CPPA’s mechanism, the data broker must process the request as an opt-out of the sale or sharing of the consumer’s personal information under the CCPA. Data brokers must also direct all associated service providers or contractors to take similar steps, whether it be to delete the requesting consumer’s personal information or to process the request as an opt-out.
The CPPA may also charge data brokers a fee for accessing the deletion mechanism.
Ongoing Duty to Delete
Under the Act, a data broker’s obligation to delete is ongoing. After a data broker receives and complies with a consumer’s deletion request, it must continue to delete any personal information collected from that consumer at least once every 45 days unless the consumer requests otherwise.
Audits
Starting January 1, 2028, and every three years after, data brokers must undergo an audit by an independent third party to ensure compliance with the Act. Data brokers must maintain records of any compliance audit for at least six years and, upon request, submit audit results to the CPPA within five business days. Beginning January 1, 2029, data brokers must disclose their audit results when registering with the CPPA.
Regulations
The Act authorizes – but does not mandate – the CPPA to adopt regulations to implement and administer the Act.
Penalties
Data brokers that violate the Act will be liable for (1) administrative fines of $200 per day the data broker fails to (i) register with the CPPA, or (ii) comply with a single deletion request; (2) unpaid registration fees; and (3) the expense of an investigation and agency action by the CPPA.
Subject to the compliance dates outlined above, the Act would go into effect immediately upon Governor Gavin Newsom’s signature.
[View source.]
