The state of California is on the verge of amending its current data broker law with Senate Bill 362, also known as the Delete Act ("the Act"). The Act passed in the Assembly's Committee on Privacy and Consumer Protection and has currently been referred to the Assembly's Committee on Appropriations.

If passed into law, the Act would build on the compliance obligations that entities designated as "data brokers" must already follow under both California's data broker law and the California Privacy Rights Act (CPRA). For example, the Act would require data brokers to provide additional information as part of their annual registration with the state of California, including whether the data broker collects consumers' precise geolocation data and their reproductive health data. The new law would also give consumers a way to delete their personal information from every data broker in the state through a single consumer request, which could raise operational costs for data brokers. Finally, the Act gives the California Privacy Protection Agency (CPPA) enforcement authority over its data broker provisions, raising the potential compliance risk for businesses subject to the law, given that the new agency may be looking to establish its reputation as an aggressive regulator.

In this post, we break down the Act's legislative history, outline the current obligations for data brokers under California law, and discuss key takeaways of the Act. To stay up-to-date about data privacy and cybersecurity news, you can subscribe to our blog here.

Legislative History

The Act was introduced by Senator Josh Becker in February 2023. It was passed by the California State Senate on May 31, 2023. In June 2023, the bill unanimously passed out of the Assembly's Committee on Privacy and Consumer Protection and was referred to the Assembly's Committee on Appropriations. Senator Becker announced on August 2, 2023, that the CPPA supports the bill by a unanimous Board vote. As of August 16, 2023, the bill has been placed on the Assembly's suspense file calendar. It will be considered at a single hearing, without public comment or attendance, in which the Committee on Appropriations will compare the estimated costs of the bill against California's available revenue.

Current Obligations on Data Brokers Under California Law

Currently, under the CPRA, Californians can request that a business (including a potential data broker) delete their personal information. They can also request that a business opt them out of the "sale" or "sharing" of their personal information. Both of these provisions, if exercised, would limit how a data broker could use a California resident's personal information as part of its business offerings.

Meanwhile, under California's current data broker registration law, data brokers are required to register annually with the state attorney general. This registration is made public and must include contact information, as well as a mechanism for consumers to opt out of the sale of their personal information.

If passed into law, the Act would build upon these current obligations for data brokers under California law. We have outlined the key provisions of the Act below.

Key Provisions

  • Definition of data broker - The Act would apply to data brokers, defined as businesses that knowingly collect and sell to third parties the personal information of a consumer with whom the businesses do not have a direct relationship. There is an exception for entities that collect personal information and are already covered by the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, or the Insurance Information and Privacy Protection Act.
  • Registration with and disclosure to the California Privacy Protection Agency - Data brokers must register with the CPPA annually. To register, a data broker is required to share its physical, email, and website addresses with the agency. Data brokers must disclose to the CPPA the type of information they collect, including specifically disclosing whether they collect the personal information of minors, consumers' precise geolocation, and consumers' reproductive health data.
  • Establishment of deletion mechanism - Under the Act, by January 1, 2026, the CPPA will establish an accessible deletion mechanism that will allow consumers, with a single verifiable consumer request, to request every data broker that maintains their personal information to delete that information. Beginning August 1, 2026, data brokers will be required to process all such deletion requests and direct service providers and contractors to do the same. Beginning July 1, 2026, after a consumer has submitted a deletion request and the data broker has deleted the consumer's data, the broker must (1) delete all personal information of the consumer at least once every 31 days and (2) not sell or share new personal information of the consumer unless the consumer requests otherwise.
  • Required notice of consumer privacy rights - Data brokers must have a link on their website that outlines how consumers may exercise their privacy rights. These rights must include all of the following:
    • Deleting personal information,
    • Correcting inaccurate personal information,
    • Learning what personal information is being collected and how to access that personal information,
    • Learning what personal information is being sold or shared and to whom,
    • Learning how to opt out of the sale or sharing of personal information,
    • Learning how to limit the use and disclosure of sensitive personal information.
  • Explicit prohibition of dark patterns - The Act specifies that the website page outlining consumer privacy rights, as described above, may not make use of any dark patterns. Other regulators, such as the FTC, have focused on dark patterns recently, and it appears that California is doing the same.
  • Annual reporting requirement - Under the Act, each year, data brokers must compile the number of consumer requests received, complied with, and denied. If requests were denied in whole or in part, data brokers must disclose the reason for doing so. Reasons for denial outlined in the Act include that the request was unverifiable, the request was not made by a consumer, or that the request called for information exempt from disclosure; data brokers may also provide other grounds for their denial. Data brokers must also provide the mean and median number of days within which the entity substantively responded to requests received. These metrics must be posted on the data brokers' websites and must be linked in the entity's privacy policy.
  • Penalties - Data brokers that fail to register with the CPPA are potentially liable for an administrative fine of $200 for each day the data broker fails to register, as well as for administrative fees related to any administrative action brought by the CPPA. By comparison, the fine for failing to register under the current data broker registration law is $100 for each day the business fails to register. For non-compliance with the Act's deletion requirements, data brokers are potentially liable for $200 per deletion request for each day the entity fails to delete information as required.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.