In September 2023, the California Legislature passed Senate Bill 362, the "Delete Act," which introduces new requirements for "data brokers" that will streamline consumers' ability to delete their personal information. Like the national "Do Not Call" registry, the Delete Act will create a centralized mechanism where consumers can submit a single delete request that all registered data brokers in California must honor. Governor Newsom has not yet signed the law (he has until October 14th), and while he has not yet given a clear indication of his intent, most observers expect the bill to become law.

The Delete Act applies only to "data brokers," a type of entity defined under a 2019 law as a business "that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." Under this 2019 law, data brokers have already been required to, among other things, (a) register annually with the State of California and be placed on a public, searchable registration list, (b) pay a registration fee, and (c) allow consumers to opt out of the sale of their personal information.

If the Delete Act becomes law, data brokers will be subject to the following requirements:

  • Registration. Register annually with the California Privacy Protection Agency (CPPA), and pay the annual registration fee.
    • The CPPA was created as a result of the passage of the California Privacy Rights Act, and is now the new enforcement entity for most things privacy-related in California.
  • Registration Requirements. As part of their registration, data brokers must provide various information, such as the type of data collected, whether they collect data from minors, precise geolocation information, and/or reproductive health data.
  • Honor Deletion Requests. Honor consumers' deletion requests. By January 1, 2026, the CPPA will create a mechanism whereby consumers can submit a single deletion request to a centralized site, and all data brokers must delete any personal information they have about the requester.
    • Data brokers must process each deletion request within 45 days of its submission, and direct their service providers and contractors to do the same.
    • Because data brokers are, by definition, in the business of continually acquiring data about consumers, they must also, every 45 days on an ongoing basis, delete all personal information of consumers who have previously submitted a deletion request.
  • Consumer Notice. Data brokers must have a link on their websites that explains how consumers can exercise their privacy rights, including how to delete and correct their personal information, and learn about what personal information is being collected, how it's shared, how to opt out of the sale/sharing, and how to limit any use or disclosure of sensitive personal information.
    • These are similar to the existing requirements for privacy policies under the CPRA.
  • Annual Reporting Requirement. Data brokers must annually compile a report of the number of consumer requests received, complied with, and denied (and, for denials, the reasons). They must also report the mean and median number of days it took to respond substantively to requests.
  • Penalties. The penalties for violating the Delete Act are as follows:
    • $200 per day that a data broker fails to register with the state, as well as administrative fees related to any action brought by the CPPA.
    • $200 per day that a data broker fails to honor a deletion request.

Takeaways

Businesses in California should consider the following obligations and best practices:

  • Assess your activities, and register as a data broker if necessary. Entities that meet the "data broker" definition already have obligations today, including the obligation to register or pay a penalty of $100 for each day they fail to do so. Registration is easy and inexpensive, and is relatively "low hanging fruit" on the path to privacy compliance.
  • Review and modify privacy notices. All companies – data brokers and otherwise – should conduct a comprehensive review of the data they collect, how they share it, how they use it, and how they honor consumer rights with respect to it, and should update their privacy policies accordingly where necessary.
  • Consult privacy counsel and third-party vendors to build compliance tools. Today, simply posting a privacy policy is insufficient to comply with the growing number of privacy laws and their detailed requirements. Companies may need to implement backend functionality to ensure that they can receive and act on data subject requests to delete, access, and correct personal information and to opt out of its sale or sharing. Privacy counsel and privacy vendors can help explain these requirements, and can offer customizable tools and ongoing assistance so that such requests are received in a timely, traceable fashion and sites operate appropriately to honor consumers' rights.

www.fkks.com

This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.