Freshfields’ Christine Lyon and Jackson Myers analyze California’s newly signed Delete Act and how it could affect state residents’ personal data.
The California Consumer Privacy Act charted new territory in the US by giving broad data rights to California residents, including the right to request deletion of their personal information. A newly signed bill, Senate Bill 362, or the Delete Act, will make it even easier for California residents to exercise their deletion rights with companies deemed to be data brokers.
The new law builds landmark privacy protections on top of California’s existing data broker law. Most notably, it will allow state residents to request deletion of their personal information by all covered data brokers by a single click of a button. The Delete Act will impose substantial new obligations on data brokers, including extensive disclosures of their privacy practices, ongoing deletion of data on a continuous basis, and periodic third-party audits.
Data Broker Definition
Companies may see the term data broker and assume it doesn’t apply to them. However, the law’s definition of the term is much broader than one might initially expect.
Under the new law, a data broker is “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The law incorporates definitions of key terms—including “business,” “collects,” “consumer,” “sell,” and “personal information”—from the CCPA.
Practically, this means if a company is subject to the CCPA and engages in any type of “sale” of personal information under the CCPA, the company should evaluate whether it’s “selling” personal information of any California residents with whom it doesn’t have a direct relationship. If so, the company is likely a data broker. Roughly 500 data brokers are already registered on the California Data Broker Registry.
While the definition of data broker is essentially unchanged from California’s existing data broker law, data brokers’ obligations are now significantly expanded.
Existing Law
California’s current data broker law came into effect in January 2020 but hasn’t required much of data brokers beyond completing a simple annual registration and paying a registration fee. Essentially, it laid a foundation for future regulation of data brokers—a day that has now come.
New Obligations
The Delete Act rewrites existing data broker law to include new obligations that will take effect at different times. Looking ahead, data brokers will need to prepare for the following:
January 2024: Expanded disclosure and administrative fine
Starting in January, data brokers will be required to provide more detailed information in their annual registrations, including answering pointed questions about whether they collect personal information of minors, consumers’ precise geolocation, or consumers’ reproductive health data.
They also must identify whether they’re regulated by certain laws that can provide exemptions from CCPA obligations. The current administrative fine for failing to register as a data broker will double to $200 per day for each day the data broker fails to register.
July 2024: Disclosure of metrics regarding handling of requests
By July 1, 2024, data brokers will need to start publishing detailed metrics about the volume of CCPA requests received during the previous calendar year, how many of those requests they complied with and how many they denied (with a further breakdown based on the legal grounds for the denial), and the median and mean number of days within which they substantively responded to such requests. Data brokers must start including these metrics in their annual registrations and disclose them within their privacy policy.
August 2026: Honoring deletion requests
The new law requires the CPPA to create, by Jan. 1, 2026, an accessible deletion mechanism that allows a consumer to request that any or every data broker delete any personal information that they hold about the consumer.
By Aug. 1, 2026, data brokers must start accessing the accessible deletion mechanism regularly (at least once every 45 days) and processing all deletion requests made through it. Beyond processing the consumer’s deletion request, the law also limits the data broker’s ability to retain, sell, or share any new personal information that it may receive about that individual in the future.
The new law authorizes the CPPA to bring administrative claims for failure to honor deletion requests as required. A data broker can be liable for an administrative fine of $200 for each deletion request for each day the data broker fails to delete information as required, plus reasonable expenses incurred by the CPPA in the enforcement action.
January 2028: Periodic, independent third-party audits
Beginning Jan. 1, 2028, a data broker must undergo an audit by an independent third party every three years to determine compliance with the law. The data broker must submit a report of the audit results to the CPPA within five business days of receiving a request from the CPPA, and must maintain these materials for at least six years.
Starting Jan. 1, 2029, data brokers will need to state in their annual registration whether they have undergone such an audit and the most recent year they have submitted the audit materials to the CPPA.
Takeaways
The Delete Act is California’s next major step in regulating the data sharing economy. Beyond providing the accessible deletion mechanism, the law will shine a light on the practices of data brokers by requiring them to disclose whether they engage in certain sensitive privacy-related practices, and to report statistics about how well and promptly they honor CCPA requests.
This information now will be going directly to the CPPA, the agency that was purpose-built to enforce the CCPA, and now the Delete Act. This further raises the stakes for companies that fall within the broad sweep of data brokers under the new law.
This article originally appeared in Bloomberg Law on October 18, 2023.