What the CPPA Has to Say About the Delete Act and the DROP

Odia Kagan
Fox Rothschild LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Fox Rothschild LLP

 

The California Privacy Protection Agency recently published materials in advance of its upcoming discussion of the Delete Act Regulations, which regulate the centralized data broker Delete Request and Opt-out Platform (the “DROP”).

Key takeaways from the FSOR Q&A:

Liability and Verification:

  • Unlike under CCPA, under the Delete Act, the agency itself verifies residency and certain identifiers, reducing the need for data brokers to independently verify requests.
  • The Agency intends to use technical safeguards, such as third-party verification and multi-factor authentication, to ensure accuracy of deletion requests and identifiers transmitted to data brokers.
  • The CPPA declines to provide a safe harbor for data brokers who act in good faith, but later discover a deletion was unauthorized, though it will consider facts and circumstances in enforcement.
  • The CPPA removed the 50% match rate threshold for consumer deletion list identifiers, making it 100% to ensure a more precise match and reduce the likelihood of erroneous deletions.

Scope of deletion:

  • Deletion must include inferences and all personal information associated with a matched identifier, unless exempted. The CPPA will provide educational materials to clarify exemptions and the scope of deletion rights.
  • If multiple consumers share an identifier (e.g., a business phone number), data brokers must opt out all associated consumers from sale/sharing, but not necessarily delete all records, to avoid over-deletion.
  • Data brokers must report the status of deletion requests and maintain deletion lists to prevent re-collection or re-sale of deleted data.

Downstream and retention:

  • The CPPA acknowledges concerns about operational burdens, especially for small and mid-sized data brokers, but maintains that standardization and periodic access to DROP are necessary for effective implementation.
  • Retention of data should be limited to the minimum necessary for compliance.
  • The Delete Act does not contain a provision treating contractors and service providers as separate entities from the data broker for the purposes of the delete request.
  • Data brokers must direct their service providers and contractors to delete records associated with a matched identifier in the data broker’s records; data brokers must also report the status of deletion requests.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Fox Rothschild LLP

Written by:

Fox Rothschild LLP
Fox Rothschild LLP
Contact
more
less

What do you want from legal thought leadership?

Please take our short survey – your perspective helps to shape how firms create relevant, useful content that addresses your needs:

Fox Rothschild LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide