[co-author: Isaiah Alba, Law Clerk]
California lawmakers recently passed a law that would expand data broker registration requirements and make it easier for consumers to be “forgotten.” The Delete Act, which would amend the state’s existing Data Broker Registration law, would give consumers access to a central place where they can submit a single request for deletion of their data by all roughly 500 registered data brokers. While Governor Newsom has not indicated whether or not he will sign SB 362, there will be significant pressure for him to do so before the October 14 deadline. What are the five biggest questions data collection businesses have as we wait to see what becomes of The Delete Act?
Who Would Be Subject to This Law?
SB 362 defines “data brokers” as businesses that knowingly collect and sell personal consumer information. This definition does not, however, include consumer reporting agencies, financial institutions, insurance institutions, or entities that process certain medical information.
Any entity that meets the definition of a data broker would be required to register with the California Privacy Protection Agency, or CPPA, the new agency established recently to enforce the California Consumer Privacy Act (CCPA) on or before January 31 of each year. The registration process would include payment of a registration fee and disclosure of certain information about the data broker’s data collection practices.
In addition to their contact information, data brokers would have to disclose to the CPPA the types of data they collect, metrics on the number of data requests received and accepted or denied, and information relating to recent audits. The law would also require data brokers to maintain a website that informs the public about the broker’s data request metrics and the ways in which consumers may exercise their privacy rights.
What is a Deletion Request?
SB 362 would require the CPPA to establish a webpage by January 2026 that displays data broker registration information and contains an accessible deletion mechanism. This mechanism would enable consumers to make a single, verifiable request to have all registered data brokers delete their personal information.
By August 2026, every data broker must access this mechanism at least once every 45 days. Within 45 days of receiving such request, they must delete all relevant personal information as well as direct associated service providers or contractors to whom the data broker provided the data or that are storing the data on the data broker’s behalf to do the same.
Moreover, until the consumer alters or revokes their deletion request, data brokers must continue to repeat this process and not sell or share any new personal information of the consumer they may collect. That means such request by consumers will not only apply to previously collected data but to any data collected about them in the future.
What are Valid Reasons for Data Brokers to Deny Deletion Requests?
The Delete Act provides several exceptions to a data broker’s obligation to comply with deletion requests. One such exception is where a data broker meets one of the eight exceptions under the CCPA for when a business subject to the CCPA is not required to comply with a deletion request. That means the data broker can decline the consumer’s request if it can show that maintaining the data is “reasonably necessary” to fulfill one of those eight CCPA exceptions.
This part of the Delete Act has apparently caused some confusion. That’s because one of those eight CCPA exceptions to a deletion request – which appear to have been incorporated into the Delete Act – is where retaining the data is necessary for the business or its service providers to “complete the transaction for which the personal information was collected.”
Some commentators pointed to this quoted language from the CCPA to suggest that this can create a loophole for data brokers. They might be able to argue that they collected the data for the purpose of selling it, which means they obviously need to retain it for the purpose for which they collected it.
This led the author of the Delete Act, Senator Josh Becker, to send a letter to the Senate Journal clarifying “his” legislative intent after the bill was already on its way to the Governor’s desk. He states in his letter that this CCPA transaction-related exception should be interpreted within the context of the CCPA as only pertaining to completing the transaction for which the data was collected “from the consumer” (presumably adding those three words to the CCPA text that are nowhere to be found!), as data brokers do not collect data directly from consumers and therefore have no transaction-related purpose for retaining the data.
What are the Consequences for Failure to Comply?
If a business subject to the Delete Act fails to properly register as a data broker, it may face an administrative fine of $200 for each day it failed to register while still doing business as a data broker, plus costs equal to the registration fees that were due and the expenses incurred by the CPPA in its investigation and enforcement action. In addition, failure to comply with a proper deletion request can result in an administrative fine of $200 for each day that each deletion request was violated, plus any reasonable expenses incurred by the CPPA.
What Does this Mean for the Data Collection Industry?
The bill’s imposition of additional reporting, procedures, fees, and fines will likely cause data brokers to experience an increased cost of doing business. Moreover, even though SB 362 only directly regulates data brokers, it is likely that a variety of other California businesses will feel these financial effects since so many industries heavily utilize data brokers.
The broadest impact, however, is that – eventually and assuming a significant portion of the population utilizes their newfound right of deletion – there may be substantially less consumer data for marketing use by businesses. Although it’s hard to immediately quantify what this could mean for the data industry and those reliant on it, it does not seem to be the “doomsday” scenario some are painting. This bill merely provides consumers a more efficient way of having data brokers delete their personal information. This basic function has already been available to the public, just in a less streamlined manner, so its impact may only be that consumers who already want to be “off the grid” will have a more effective way of choosing to do so.
The bill currently awaits signing by Governor Newson. He has a deadline of October 14 to approve or reject it. Although its effect (should it be signed into law) may not be as substantial as some believe it to be, the possibility that a large amount of consumer data would be out of reach for businesses might be reason enough for these industries to oppose its signing. Even though it wouldn’t be effective until 2026, companies should seek legal guidance sooner rather than later given the law’s significant and detailed obligations.