INTRODUCTION
On October 10, 2023, Governor Gavin Newsom took a significant step in the world of data privacy by signing the California Delete Act, officially known as SB 362, into law. This landmark legislation places new obligations on a group known as “data brokers” and marks a pivotal moment in the world of data privacy regulations. The California Delete Act mandates the California Privacy Protection Agency (CPPA) to establish a one-stop-shop deletion mechanism. This mechanism, set to go into effect on August 1, 2026, will allow individuals to submit centralized deletion requests, which data brokers must universally honor.
Data brokers must now make new disclosures and, starting in 2026, respond to bulk deletion requests submitted via the CPPA’s mechanism. Unlike current deletion requests, which are specific to individual businesses, the Delete Act necessitates these requests to be honored by all businesses registered with the CPPA as data brokers simultaneously. This will result in a significant increase in the volume of deletion requests data brokers must process. Moreover, beginning in 2028, data brokers will be required to undergo costly third-party compliance audits.
EXPANSIVE DEFINITION OF DATA BROKER
The law’s broad definition of “data broker” means that it applies to numerous businesses that may not typically consider themselves engaged in data buying and selling. A data broker is defined as a business that knowingly “collects” and “sells” the personal information of a California resident without a direct relationship with that individual. The definitions of “collect” and “sell” are expansive, including actions such as buying, renting, gathering, obtaining, receiving, or accessing personal information. “Sell” extends to any disclosure of personal information to a third party in exchange for a benefit.
While “direct relationship” is not explicitly defined, it presumably includes a business’s relationship with its consumers and individuals accessing its website. First-party cookie data disclosure does not categorize a business as a data broker. However, passing third-party sales leads to other businesses without data usage restrictions likely constitutes a data broker.
Businesses are not considered data brokers “to the extent that” they are covered by specific statutes such as the Fair Credit Reporting Act, Gramm-Leach-Bliley Act (for financial institutions), Insurance Information and Privacy Protection Act, and the Confidentiality of Medical Information Act. The extent of these exemptions remains somewhat ambiguous.
CURRENT REGULATIONS
Other data broker statutes were already in effect in California and Vermont, along with comprehensive data protection laws like the California Consumer Privacy Act and similar state laws in Colorado, Connecticut, and Virginia. These laws mandated data brokers to register with state regulators, pay fees, and comply with data security standards. State regulators published lists of registered data brokers, making their status public.
NEW PROVISIONS IN THE DELETE ACT
The Delete Act introduces new provisions gradually. Starting on January 31, 2024, data brokers registering in California must provide additional information, which will be publicly accessible. This includes data on whether the business collects personal information of minors, precise geolocation data, and reproductive health data. From July 2024, data brokers must gather additional data concerning the number of data subject rights requests they receive and their response times. They must report this information in their annual registration, a requirement that previously applied only to businesses with 10 million or more consumers.
STRINGENT REQUIREMENTS STARTING IN 2026
The most demanding provisions take effect in 2026. By January 1, 2026, the CPPA must create a mechanism allowing consumers to submit verifiable requests to have their personal information deleted by any registered data broker. Starting in August 2026, data brokers must access this mechanism every 45 days and honor deletion requests. They must ensure personal information is deleted within this timeframe and relay these requests to their service providers and contractors. From January 2028, data brokers must undergo third-party audits of their compliance with the statute and submit the audit results to the CPPA the following year.
PENALTIES FOR NON-COMPLIANCE
Non-compliance with the Delete Act carries significant penalties. Failure to register with the CPPA results in an administrative fine of $200 per day for each day a data broker fails to register. For failing to meet the deletion requirements, the fine is $200 for each unaddressed request multiplied by the number of days it remains unresolved. Given the likelihood of a high volume of deletion requests, non-compliance could lead to substantial fines.
STEPS TO TAKE
Businesses must begin by assessing whether they fall within the definition of a data broker. Given the broad terms and lack of clarity surrounding the definition, this may pose a challenge. Additionally, they must consider the risk of failing to register when required against the cost of compliance. If a business qualifies as a data broker, it should proactively start developing systems and processes for handling bulk deletion requests, recognizing that the one-off approach will no longer be feasible.
In conclusion, the California Delete Act, or SB 362, represents a significant shift in data privacy regulations, creating extensive requirements for data brokers and imposing substantial penalties for non-compliance. As the law rolls out its various phases, businesses must adapt, ensure compliance, and uphold the rights and privacy of California residents. The Delete Act has far-reaching implications, and it is essential for businesses to navigate this new landscape successfully.
