On 10 October 2023, the Governor of California, Gavin Newsom, announced that he had signed Senate Bill 362, a law relating to data brokers (the “Delete Act”). On 11 October 2023, the California Privacy Protection Agency (“CPPA”) issued a statement welcoming the Delete Act. The CPPA noted that the Delete Act transfers the administration, enforcement and rulemaking authority over California’s data broker registry from the California Department of Justice to the CPPA.
What is the Delete Act?
The Delete Act was introduced to give California residents greater control over their personal information and how it is used by data brokers.
Data brokers sell millions of consumers’ data points to the highest bidder. That information includes purchasing data which can be accessed by retailers and used to serve targeted ads.
The Delete Act amends certain aspects of California’s existing data broker registration law.
Among other things, the Delete Act requires the CPPA to establish an accessible deletion mechanism that allows a consumer, through a single, verifiable consumer request, to ask that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.
A “data broker” is defined as a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship” – which is a broad definition.
The Delete Act requires a data broker to register with, pay a registration fee to, and provide information to the CPPA, instead of the California Attorney General.
By 1 August 2026, data brokers will be required to check for any new deletion requests at least once every 45 days and process those requests. The Delete Act will not prohibit a data broker from continuing to collect the personal data of consumers who have exercised their rights, but once a request has been made via the process established by the CPPA, the data broker will be required to delete any new data that is collected at least once every 45 days.
From 1 January 2028, and every 3 years thereafter, data brokers would be required to undergo an independent third-party audit to determine whether they are compliant with the Delete Act and submit the audit report to the CPPA upon request. Any data broker found not to be compliant with the Delete Act would be liable for administrative fines, fees, expenses and costs.
How does the Delete Act relate to the California Consumer Privacy Act (“CCPA”) and Consumer Privacy Rights Act (“CPRA”)?
The CCPA and CPRA establish a consumer’s right to request that a business delete all personal information collected from them and require organisations to inform consumers of this right.
A business that receives such a request from a consumer must delete, and direct any third-party service providers to delete, the consumer’s personal information from its records.
This right to deletion is not an absolute right, which means that businesses have some exceptions in respect of what they are required to delete (e.g., they would not be required to delete personal information which is necessary to complete a transaction with the data subject).
The Delete Act goes further than the CCPA and CPRA because it will allow consumers to make one single deletion request via the CPPA which will be issued to all data brokers which have been processing the consumer’s personal data.
We can see from the Delete Act that California residents are gaining even more protection against data brokers, and it will be interesting to see whether other jurisdictions will follow this trend and be even more friendly to data subjects.
What should businesses be doing?
We recommend that businesses check whether they are required to comply with the Delete Act and if so, record key dates for its implementation and keep monitoring the CPPA’s website for guidance and information.
We also recommend that businesses start updating their privacy notices and put in place internal processes to ensure compliance with their obligations under the Delete Act.
Aria Grace Law CIC
We have an array of highly experienced lawyers who specialise in data protection law. Our lawyers can advise you across multiple jurisdictions and collectively have over 50 years’ experience in this field and have advised on over 100 data subject requests. If you’d like to get in touch with our team, please contact us on privacy@aria-grace.com.
Article by Puja Modha (Partner) and Sarah Davies (Paralegal) – 14 December 2023