The Bottom Line
- Data brokers stand to permanently lose access to California consumers’ personal information.
- Although the Delete Act’s data deletion and audit requirements do not take effect until 2026 and 2028, respectively, the enhanced reporting requirements will apply to the next registration period on or before Jan. 31, 2024.
- The penalties for failing to register as a “data broker” will double to $200 per day.
California is poised to enact a one-stop global deletion request option that all “data brokers” operating in the State would be required to follow. The “Delete Act” would amend certain aspects of the existing Data Broker Registration law (the 2019 Act) and empower the California Privacy Protection Agency (CPPA) to develop a system to allow consumers to make a single data deletion request that is binding on all data brokers registered in California.
The measure defines a “data broker” as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The Delete Act was passed by the Legislature and is awaiting Gov. Gavin Newsom’s signature.
Data Deletion Mechanism
While the California Consumer Privacy Act (CCPA) allows California consumers to request that businesses delete their personal information, consumers have to make such requests individually, business-by-business. Moreover, the CCPA limits its data deletion right to personal information “which the business has collected from the consumer,” exempting data that may have been bought or acquired indirectly. These provisions have shielded data brokers from widespread deletion requests that would otherwise hinder their ability to transact with data collected from many different sources.
However, under the Delete Act, the CPPA is tasked with creating an “accessible deletion mechanism” that allows consumers to make a single deletion request binding on all of the roughly 500 data brokers registered in the State. The law calls for the CPPA to create this mechanism by Jan. 1, 2026. Then, beginning on August 1, 2026, data brokers must access it at least once every 45 days and process any deletion requests received from consumers via the mechanism. After processing a consumer’s deletion request, data brokers would be required to continue deleting any personal information collected about that consumer once every 45 days, and would be prohibited from selling or sharing new personal information about the consumer in the future. Therefore, deletion would essentially be permanent, and a data broker could not reacquire the data from other sources.
Beginning Jan. 1, 2028, and every three years after, a data broker must undergo an audit by an independent third party to verify its compliance with these obligations and submit a report to the CPPA after the audit.
New Reporting Requirements
The 2019 Act required data brokers to register with the State of California and be publicly listed on a registry. Registration requires a data broker to provide its name and primary physical, email and internet website addresses, and encourages the data broker to voluntarily provide additional information about its data collection practices. The Delete Act expands upon these requirements significantly. Data brokers now need to provide the following additional information:
- Whether the data broker collects precise geolocation, reproductive health care data or minors’ personal information.
- A link to a webpage on the data broker’s website that explains how consumers may exercise their CCPA rights.
- Metrics on the number of CCPA requests and Delete Act deletion requests that the data broker received, complied with and denied during the prior calendar year, as well as the average number of days it took the data broker to substantively respond to such requests (these metrics must also be made available on the data broker’s website privacy policy).
- Whether the data broker is regulated by the federal Fair Credit Reporting Act, Gramm-Leach-Bliley Act or Health Insurance Portability and Accountability Act; or California’s Insurance Information and Privacy Protection Act or Confidentiality of Medical Information Act.
- Starting in 2029, whether the data broker has undergone a third-party audit to determine its compliance with the Delete Act and, if so, the most recent year that the data broker submitted an audit report and related materials to the CPPA (third-party audits are required starting in 2028).
Enforcement
Going forward, the CPPA will replace the California Attorney General as the agency in charge of managing and enforcing the State’s data broker registration regime. The Delete Act doubles the 2019 Act’s penalty amounts, levying fines of $200 for each day that a data broker fails to register with the CPPA or delete information when requested, as required by the law.