In a key move to further expand consumer data rights, California Gov. Gavin Newson signed The Delete Act (S.B. 362) (the Act) into law on October 10, 2023. The Act amends California's data broker registration law (Cal. Civ. Code 1798.99.80 et. seq) to include new registration requirements and a singular mechanism for consumers to request that data brokers delete their personal information. Below we have outlined key provisions of the Act that data brokers should be aware of.
Scope. The current law applies to "data brokers," which are defined as "a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship."1 Current law exempts consumer reporting agencies subject to the Fair Credit Reporting Act (FCRA), financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) and entities covered by the Insurance Information and Privacy Protection Act.2 The Act amends the scope slightly to clarify that "entities" covered by the FCRA and GLBA are exempt as well as an entity, or a business associate of a covered entity, to the extent their processing of personal information is exempt under HIPAA3 or the Confidentiality of Medical Information Act.4
Transfer of Regulatory Authority. Currently, the California Attorney General is tasked with enforcement and oversight of data brokers, including the maintenance and publishing of a data broker registry.5 The Act transfers this authority to the California Privacy Protection Agency (CPPA) and expands its requirements. Data brokers must register with the CPPA and pay an unspecified registration fee by January 31 each year.6
Singular Deletion Mechanism and Deletion Obligations. In its most significant provision, the Act requires the CPPA to create an "accessible deletion mechanism" (CPPA deletion mechanism) by January 1, 2026 that provides a singular means for consumers to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.7 This CPPA deletion mechanism must be available to consumers and their authorized agents without charge and make it accessible online. It must also allow consumers to "selectively" exclude certain data brokers from the deletion request.8 The Act gives the CPPA the option to charge data brokers a fee to access to the CPPA deletion mechanism.9
Starting August 1, 2026, data brokers must access the CPPA deletion mechanism at least once every 45 days to process consumer deletion requests and must delete the consumer's personal information within 45 days of receiving a request.10 If the data broker denies a consumer request because it cannot be verified through the CPPA deletion mechanism, it must process the request as an opt-out of the "sale" or "sharing" (as such terms are defined under the CCPA) of the consumer's personal information.11 Also beginning August 1, 2026, after a consumer has submitted a deletion request and the data broker processed it, the data broker must "delete all personal information of the consumer at least once every 45 days pursuant to this section unless the consumer requests otherwise" unless an exception applies.12
Registration Requirements. The Act expanded the amount of information that data brokers must disclose when registering with the CPPA to include:
- Certain specified metrics related to deletion on CCPA rights requests received during the previous calendar year.
- Whether the data broker collects the personal information of minors.
- Whether the data broker collects consumers' precise geolocation.
- Whether the data broker collects consumers' reproductive health care data.13 Additionally, data brokers must provide a link to a page on their website that provides certain specified information including a description of how consumers can exercise their rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act, CCPA) and "[d]oes not make use of any dark patterns."14
Audits. Beginning January 1, 2028, a data broker must undergo an audit by an independent third party to determine compliance with the Act every three years.15 Data brokers are required to maintain a record of any compliance audits for six (6) years and provide the audit results to the CPPA upon request.16 Beginning January 1, 2029, data brokers must also disclose whether the data broker has undergone an audit as described required by the Act and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials.17
Privacy Policy Disclosures. In addition to providing certain metrics to the CPPA, the Act requires data brokers to disclose some of these metrics in its privacy policy. Such metrics include the: (i) number of CCPA consumer rights requests and deletion requests through the CPPA deletion mechanism; (ii) the median and mean number of days within which the data broker responded to such requests; and (iii) the number of requests that the data broker denied, the reason for the denial and the number of requests in which deletion was not required.18
Penalties. The Act increases the current $100 penalty to $200 for each data that a data broker fails to register with the CPPA. The Act also adds an administrative fine of $200 per deletion request for each day that a data broker fails to delete the personal information.
Please contact a member of Akin's cybersecurity, privacy and data protection team to learn more about how this Act and its requirements may affect your company.
footnotes
1 Cal. Civ. Code § 1798.99.80 (c).
2 Cal. Civ. Code § 1798.99.80 (c) (1-3).
3 "HIPAA" refers to the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and their implementing regulations (codified at 45 C.F.R. parts 160 and 164). A "covered entity" is a health plan, a health care clearinghouse or a health care provider (like a hospital, nursing home or outpatient clinic) that engages in standard HIPAA transactions, like electronic billing. 45 C.F.R. § 160.103. "Business associate" is defined to include a person (other than a member of a covered entity's workforce) or entity that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. Id.
4 Cal. Civ. Code § 1798.99.80 (c)(4).
5 The current data broker registry has approximately 500 companies.
6 Cal. Civ. Code § 1798.99.81.
7 Cal. Civ. Code § 1798.99.86 (a)(b).
8 Cal. Civ. Code § 1798.99.86 (a)(3).
9 Cal. Civ. Code § 1798.99.86 (f)(1).
10 Cal. Civ. Code § 1798.99.86 (c)(1).
11 Cal. Civ. Code § 1798.99.86 (c)(1)(B).
12 Cal. Civ. Code § 1798.99.86 (d)(1).
13 Cal. Civ. Code § 1798.99.82 (b)(2).
14 Cal. Civ. Code § 1798.99.82 (b)(2)(G).
15 Cal. Civ. Code § 1798.99.86 (e)(1).
16 Cal. Civ. Code § 1798.99.86 (e)(2-3).
17 Cal. Civ. Code § 1798.99.82 (b)(2)(F).
18 Cal. Civ. Code § 1798.99.85 (a)(b).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
