On October 10, Governor Newsom signed SB 362, a law requiring any business that meets the definition of “data broker” to provide detailed disclosures about its practices, register with the state and delete any personal information relating to a California resident upon receiving a verifiable deletion request.
SB 362—also known as the Delete Act—requires the California Privacy Protection Agency (CPPA) to establish a one-stop-shop deletion mechanism that allows individuals to submit centralized deletion requests that data brokers must universally honor beginning August 1, 2026. In 2028, data brokers will be subject to audits by independent third parties to demonstrate compliance with the Delete Act. The law does not specify how such an ambitious centralized opt-out tool will work.
What businesses are subject to the law?
The Delete Act defines “data broker” as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. The term “direct relationship” is not defined. The law excludes certain entities to the extent they are covered by the familiar set of federal and state laws governing data, including the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, Confidentiality of Medical Information Act and California Insurance Information and Privacy Protection Act.
Enhanced registration and disclosure requirements
While data brokers will not be required to honor deletion requests required under the law until August 1, 2026, data brokers must register with the CPPA on or before January 31 of each year in which they meet the definition of “data broker,” as they have been required to do with the California Attorney General’s Office since the state’s data broker registration law went into effect in 2020.
The Delete Act will also require the CPPA to make registration information publicly accessible on its website—such as is currently done by the state Attorney General’s Office. The registration obligation requires data brokers to disclose information similar to what is required in privacy policies, including whether they collect the personal information of minors, whether they collect precise geolocation information and how consumers may exercise their privacy rights under the California Consumer Privacy Act (CCPA). The Delete Act also requires data brokers to explicitly disclose whether they collect consumers’ reproductive health care data. Additionally, data brokers will be required to publish the number of rights requests received under the CCPA as well as median and mean response times. This is in addition to disclosing these metrics in their privacy policies along with the reasons for denying a request, in whole or in part, and whether or not deletion was required, in whole or in part, pursuant to an exemption.
Fees and penalties
The Delete Act requires data brokers to register with the CPPA and pay fees not only for registration but also to access the deletion mechanism. Data brokers that fail to comply with the registration requirements will be subject to fines of at least $200 per day, the amount equal to the fees due during the period it failed to register and the expenses incurred by the CPPA in the investigation and administration of the action “as the court deems appropriate.” Registered data brokers will be subject to administrative fines of $200 per deletion request for each day they fail to delete the information as required under SB 362 as well as the expenses incurred by the CPPA in the investigation and administration of the action.
Key takeaways
The eventual establishment of a one-stop-shop deletion mechanism that all data brokers must follow is a major disruption of the complex ecosystem for data monetization and analytics. The Delete Act's enhanced registration and transparency requirements will further increase public and regulatory scrutiny facing data brokers and other industry stakeholders. If your business buys or sells consumer data, you should immediately evaluate whether your business is subject to the act, if you have not already done so under California's predecessor data broker registration law. Notably, businesses that are subject to the law but have not yet registered will have a little over three months to complete the registration requirements. We will continue to provide updates and guidance on these and other consumer privacy laws as they develop.
