California's Delete Act: a first of its kind data broker law

On October 10, 2023, California Governor Gavin Newsom signed SB 362 into law. The “Delete Act” is intended to bridge a gap in consumer privacy rights – whereas the California Privacy Rights Act (the CPRA) grants consumers the right to request deletion of personal information collected directly from them, the Delete Act creates pathways to request deletion of data collected by data brokers indirectly or in aggregate form from other sources.

The Delete Act aligns more closely with CPRA requirements than existing data broker laws. Prior to the passage of the Delete Act, only California and Vermont had enacted laws specifically targeting data brokers. See Cal. Civ. Code §§ 1798.99.80-88, Vt. Stat. Ann. tit. 9, §§ 2446-2447. However, these laws lacked constraints on data broker actions and did not establish new consumer protections. Instead, they mandated brokers to annually register with a state enforcement agency and disclose specific information about their data collection and processing practices.

Though most obligations of the Act do not go into effect until 2026, data brokers are required to update their public disclosures to meet the Act’s disclosure obligations as early as January 21, 2024, as described in greater detail below.

Applicability

The Delete Act applies solely to “data brokers” as defined by the CPRA. Data brokers are entities that knowingly collect and sell to “third parties the personal information of a consumer with whom the business does not have a direct relationship.” Cal. Civ. Code §1798.99.80(c). This likely includes entities that receive personal information received from third parties and compile that data into a form that can be used to enrich data sets of third parties, such as by adding data appends to a third party’s data set for marketing purposes.

The Delete Act exempts many entities that are regulated under other state or federal laws, including the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the California Insurance Information and Privacy Protection Act (IIPPA), and “an entity, or a business associate of a covered entity, to the extent their processing of personal information is exempt under Section 1798.146” of the California Civil Code (i.e., HIPAA covered entities). Id.

Accessible Deletion Mechanism

The Delete Act directs the California Privacy Protection Agency (CPPA) to launch – by January 1, 2026 – an online mechanism allowing California consumers to request the deletion of their data by all data brokers registered in California, referred to as the “accessible deletion mechanism.”

Specifically, the mechanism will enable consumers to submit a single deletion request, whether personally or through an authorized agent, to all data brokers registered in California. Consumers will have the choice to exclude specific registered data brokers from their deletion request and may also modify opt-out requests 45 days after submitting earlier requests.

Data brokers registered in California will then be required to access the mechanism to review whether an individual has submitted a deletion request at least every 45 days. Cal. Civ. Code 1798.99.86(b)(3). Notwithstanding limited exceptions described below, data brokers will be required to process all verifiable deletion requests within a 45-day period and will be required to instruct service providers and/or contractors to delete all personal information relating to opted-out consumers. Cal. Civ. Code 1798.99.86(c)(1).

Exceptions to Deletion Requests

Where a consumer’s request cannot be verified, such as when the consumer has not submitted enough information to enable the data broker to verify their identity, the data broker must treat the deletion request as a request to opt-out of the sale or sharing of their personal information under the CPRA. The data broker must also instruct all service providers and/or contractors to treat the request as an opt-out for selling and sharing.

Data brokers are also not required to honor a deletion request where it is reasonably necessary for the data broker to maintain the personal information to fulfill services requested by the consumer, ensure the security and integrity of a consumer’s personal information, debug or identify and repair errors that impair existing intended functionality, exercise free speech, or engage in other actions permitted by the CPRA. Cal. Civ. Code 1798.105(d), 145, 146.

Key Dates & Obligations

The deletion mechanism must be established by the CPPA by January 1, 2026.

Deletion requests submitted through the mechanism must be honored by data brokers beginning August 1, 2026. Data brokers will be required to access the accessible deletion mechanism at least once every 45 days and to delete the personal information of consumers who have requested such deletion from their datasets. Cal. Civ. Code 1798.99.86(c).

Beginning January 1, 2028, data brokers must undergo audits conducted by independent third parties on a three-year basis to evaluate the data broker’s compliance with the Delete Act. Cal. Civ. Code 1798.99.86(e)(1). Upon written request from the CPPA, data brokers will be required to submit the audits and any related materials to the Agency for review within 5 business days. Data brokers will be required to maintain the audits and related materials for at least 6 years after they have been prepared.

Finally, prior to the accessible deletion mechanism becoming operational, data brokers will be required to update their public disclosures prior to the next registration period for data brokers (i.e., on or before January 21, 2024) to contain the following (Cal. Civ. Code 1798.99.82(b)(2)):

• The data broker’s contact information, including name, primary physical address, email address, and website addresses;
• A compilation of the number of data subject rights requests received, complied with, or denied under the CPRA annually, along with information about average response times for handling such requests;
• Whether the data broker collects the personal information of minors, precise geolocation, or data about a consumer’s reproductive healthcare;
• A link to the webpage on the data broker’s website that explains how consumers may exercise their CPRA rights;
• Whether the data broker is regulated under FRCA, the GLBA, HIPAA, IIPPA, or the California Confidentiality of Medical Information Act; and
• Beginning January 1, 2029, whether the data broker has undergone a third-party audit to determine its compliance with the Delete Act.

The Delete Act places enforcement authority squarely with the CPPA, which is also tasked with enforcing the CPRA. Failure to comply with the Delete Act may result in administrative fines of $200 per day that a data broker fails to register with the Agency, as well as $200 per deletion request for each day the data broker fails to delete consumer personal information, reimbursement to the Agency for unpaid registration fees, and expenses incurred in connection with the investigation and Agency enforcement action. Cal. Civ Code 1798.99.82(d).

How to Prepare for Compliance

As one would expect, the majority of the Delete Act compliance obligations fall on data brokers processing the personal information of California consumers. However, entities that obtain consumer data from data brokers, such as through data appends or data enrichment for marketing purposes, should also implement measures to vet data broker compliance with the Delete Act to minimize compliance risks.

Data brokers processing personal information about California consumers should:

• Assess whether the Delete Act applies;
• Put in place mechanisms to register annually with the CPPA, which will require updating privacy policy disclosures to match the disclosure obligations listed above;
• Begin mapping personal information maintained and processed by the data broker to understand how personal information is being collected and used, and the relationship to the consumer whose personal information is being processed;
• Compile information about how and where personal information is stored on that data broker’s systems and devices;
• Implement data governance frameworks to guide the data broker’s processing of personal information, particularly as they relate to data deletion;
• Implement and maintain internal policies to operationalize the review of the accessible deletion mechanism, deletion of Personal Information every 45 days, and verification that no personal information of opted-out consumers is being sold or shared, unless the consumer subsequently removes their name from the accessible deletion mechanism; and
• Beginning in 2025, engage a third-party vendor to conduct independent audits every 3 years, and to put in place 6-year retention policies for those audits.

Please contact the BCLP Privacy Team if your organization is interested in learning more about the Delete Act as well as the potential compliance obligations that may impact your organization.