On October 10, 2023, Governor Newsom signed into law SB 362, known as the “California Delete Act” or “Delete Act”, which had been passed by the legislature at the end of the 2023 legislative session on September 14. The Delete Act amends California’s existing Data Broker Registration law (Cal. Civ. Code Section 1798.99.80 et. seq). Among other things, the law imposes additional registration requirements on top of those that already exist, doubles the administrative fine for failure to register, requires the California Privacy Protection Agency (CPPA) to set up a one-stop shop deletion mechanism that allows consumers to make requests to all registered data brokers, and obligates data brokers to access the mechanism every 45 days and process each and every deletion request made by consumers within a prescribed timeframe (including directing all service providers and contractors of the request).
We discuss these and other features of the Delete Act in further detail below. As we highlight, there is a lack of clarity in several key provisions of the Act that may present challenges to implementation and operationalization of the law by businesses that must comply with its provisions. Businesses that have determined that they meet the definition of data broker, and those that are exploring their status as one, should review the Act closely, and should do so soon; the Delete Act provides key changes to the existing California’s Data Broker Registration law, some of which go into effect starting January 2024 (see the Timeline immediately below). Of course, this amendment will also affect businesses that acquire data from, or otherwise do business or receive services from data brokers, including through such businesses’ contractual obligations to heed deletion and opt-out requests passed through to them by data brokers.
Timeline:
Jan. 31, 2024: Registration deadline for businesses qualifying as data brokers (based on 2023 activities).
July 1, 2024: Data brokers must add specific consumer request metrics from the prior calendar year “within the data broker’s privacy policy posted on their internet website and accessible from a link included in the data broker’s privacy policy.”
????: Adoption of regulations by the CPPA? The CPPA is not required to, but is expressly authorized to, adopt regulations “to implement and administer” the Delete Act.
Jan. 1, 2026: CPPA must establish “accessible deletion mechanism.”
August 1, 2026: Data brokers must begin processing deletion requests made through the accessible deletion mechanism.
January 1, 2028: Data brokers must undergo an independent third-party audit (then, and every three years thereafter) to determine compliance with the data broker law.
January 1, 2029: Registration submission will require data broker to state whether it has undergone the required audit, and if so, the most recent year that the data broker has submitted an audit report to the CPPA.
When is the Act in effect?
The Act became effective immediately upon Governor Newsom’s signature on October 10, 2023, with some provisions becoming operative in the very near future, and others not becoming operative for 2+ years. Many provisions will require action on the part of data brokers re-registering (or registering for the first time) by the annual calendar year deadline of January 31. Other provisions, including the CPPA’s requirement to implement the deletion mechanism, and data brokers’ obligation to process requests received through it, are not operative until 2026. There is a mandatory audit provision (discussed in further detail below) that becomes operative in 2028.
What organizations qualify as a data broker?
The definition of “data broker” remains unchanged from the original data broker law: “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The terms in italics borrow the corresponding definitions from the CCPA.
To break it down, to qualify as a data broker, organizations must:
- Qualify as a CCPA “business”,
- Collect personal information of a consumer with whom the business does not have a direct relationship, AND
- Sell that personal information to third parties.
After the Sephora case in which the Office of the Attorney General of California settled with the retailer in the first public enforcement under the CCPA, there is more clarity in the market and in the law around the definition of “sale.” This is particularly true in respect of what constitutes “or other valuable consideration” in the context of online tracking technologies such as pixels. Organizations should certainly keep this scope of “sale” in mind when analyzing the applicability of the data broker definition.
Interestingly, although the Delete Act was passed 3 years after the concept of “sharing” was added to the CCPA through the amendments in the California Privacy Rights Act (CPRA), the Delete Act does not amend the definition of “data broker” to invoke the concept of share or sharing. This is in stark contrast to the CCPA where, aside from the respective definitions of “sale” and “share” and their cognate terms, the concepts of “sale” and “sharing” are inextricable. The legislature’s choice not to do the same in the definition of data broker, particularly where the Delete Act was passed three years after the CPRA’s amendments, provides some potential ambiguity in the data broker definition as it sits alongside the CCPA. Moreover, this may provide fodder for legitimate arguments, based on foundational statutory interpretation rules, for companies whose activities qualify as “sharing” – the legislature’s decision not to marry the sale and share concepts in principle and effect in every provision outside of their respective definitions could, arguably, mean that it intended to exclude sales that also constitute sharing from the analysis of whether an entity qualifies as a Data Broker. This, of course, also requires an assumption that all “shares” are “sales” (but in the context of “cross-contextual behavioral advertising”), which is not conclusive.
The amendment provides exemptions to the definition of data broker to an entity “to the extent that it is covered by ”the federal Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), or the Insurance Information and Privacy Protection Act (IIPPA) and the Confidentiality of Medical Information Act (CMIA) are not considered data brokers under the Act. The “to the extent that it is covered by” language used in the Delete Act does not align with the corresponding exemptions under the CCPA . There is also a HIPAA-related exemption tied to Section 146 of the CCPA, that is not drafted identically to the HIPAA exemption in Section 145 of the underlying law. As such, there are seemingly inconsistencies in what data and what regulated entities are exempt from the Delete Act and thus the underlying Data Broker Law.
How does the Delete Act change the existing registration requirements?
In the current data broker law, the only information required during registration is (A) The name of the data broker and its primary physical, email, and internet website addresses. and (B) Any additional information or explanation the data broker chooses to provide concerning its data collection practices. The Delete Act adds substantially to the information that is needed to be provided during registration, including, but not limited to:
- Metrics regarding the number of consumer requests received and statistics regarding the treatment of the requests (similar to the requirement for entities that process > 10 million consumers’ PI).*
- Whether the data broker collects the personal information of minors.
- Whether the data broker collects consumers’ precise geolocation.
- Whether the data broker collects consumers’ reproductive health care data.
- Beginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency.
- A link to a page on the data broker’s internet website that (1) Details how consumers may exercise their privacy rights and (2) does not make use of any dark patterns.
- Whether and to what extent the data broker or any of its subsidiaries is regulated by GLBA, FCRA, HIPAA, or other laws that are the subject of CCPA exemptions and exemptions in the data broker law as amended by the Delete Act.
*The request metrics need not be added to a data broker’s privacy policy starting July 1, 2024, and will not need to be included in a registration submission on January 31, 2024 (rather, the requirement will come into play for 2025 registrations).
What obligations does the CPPA have as to the accessible deletion mechanism?
The CPPA must, by Jan. 1, 2026, establish an accessible deletion mechanism that “allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.”
That mechanism must allow consumers to request that data brokers delete any personal information related to the consumer (which is, for obvious reasons, broader than the scope of CCPA deletion requests – i.e., personal information collected directly from a consumer). Consumers must be able to selectively exclude specific data brokers from a deletion request and will have the option to alter a previous request after at least 45 days have passed since the original request was made. The accessible deletion mechanism will be free to consumers and must allow authorized agents to make requests on a consumer’s behalf.
The CPPA must create a page on its website where the registration information provided by data brokers and the accessible deletion mechanism will be accessible to the public.
What are data brokers’ obligations as to requests made through the accessible deletion mechanism?
Beginning August 1, 2026, data brokers must access the accessible deletion mechanism at least every 45 days and do all of the following:
- “Within 45 days after receiving a request made pursuant to [the Delete Act], process all deletion requests made pursuant to [the Delete Act] and delete all personal information related to the consumers making the requests consistent with the requirements of [the Delete Act].” This requirement is unclear –for example, when is a request considered to have been received? On the day when the data broker accesses the mechanism in the 45-day period as required? When the request is made by the consumer? In the absence of any clarification, data brokers should access the mechanism on a more frequent cadence so as to avoid requests piling up during the 45-day period and having little time to process them. Hopefully, the CPPA will provide some help here on the lack of clarity in these provisions.
- When a request is denied because the request cannot be verified, process the request as an opt-out of sale or sharing, “as provided for under Section 1798.120 and limited by Section 1798.105, 1795.145, and 1798.146.”
- Direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the consumers making the requests described in subparagraph (A). Notably, this is narrower than Section 1798.105 of the CCPA which requires notification of third-party sale and sharing recipients to delete personal information.
- Direct all service providers or contractors associated with the data broker to process a request described by subparagraph (B) as an opt-out of the sale or sharing of the consumer’s personal information, as provided for under Section 1798.120 and limited by Sections 1798.105, 1798.145, and 1798.146.
In addition to deleting pre-existing data, the Delete Act also provides a broad and sweeping Do Not Sell/Share requirement as to data collected in the future. In particular, data brokers must also refrain from selling or sharing new personal information of any consumer who has made a deletion request using the CPPA’s mechanism, “unless the consumer requests otherwise or selling or sharing is otherwise permitted by the CCPA.”
What steps to verify a request are data brokers allowed to take?
It is not clear. The mechanism must allow the consumer to make “a single verifiable consumer request” to ALL data brokers. However, the designation of a request as a “verifiable consumer request” depends on an individual data broker/business to “verify, using commercially reasonably methods, pursuant to [the CCPA regulations]” that the requestor is “the consumer about whom the business has collected information.” See Cal. Civ. Code Section 1798.140(ak). A different section does state that the accessible deletion mechanism “shall allow data brokers registered with the California Privacy Protection Agency to determine whether an individual has submitted a verifiable consumer request to delete the personal information related to that consumer.” But it is unclear how the accessible deletion request would so allow data brokers to verify a request. Naturally, the data broker’s ability to verify will depend on the information provided to the accessible deletion mechanism. There are also no details regarding how agent requests must be handled, aside from a requirement that they must be. Perhaps the CPPA will issue regulations that will assist in the implementation of these requirements.
What are the requirements relating to audits?
Beginning on January 1, 2028, a data broker must undergo an audit by an independent third party to determine compliance with the Act. Such audit must be undertaken every three years, and the data broker must submit a report and any materials related to the audit to the CPPA within five business days of a written request.
What are the consequences of not complying with the Act?
Failure to register: The CPPA may bring an administrative action against data brokers that fail to register, which may include an administrative fine of $200 for each day the data broker fails to register, an amount equal to the fees that were due during the period the data broker fails to register, and expenses incurred by the CPPA in the investigation and administration of the action against the data broker. In contrast, the current Data Broker Registration law provides that data brokers that fail to register with the California Attorney General will be subject to injunction and be liable for civil penalties, fees, and costs in an action brought by the Attorney General. This includes a civil penalty of $100 for each day the data broker fails to register, an amount equal to the fees that were due during the period it failed to register, and expenses incurred by the Attorney General in the investigation and prosecution of the action.
So, the Delete Act made the CPPA the enforcing authority, rather than the Attorney General, and increased the administrative fine by $100 per day. In addition, the Delete Act provides for an administrative action against data brokers that don’t register, rather than a civil action brought in the name of the people of the State of California.
Failure to process deletion requests: If a data broker fails to process requests through the accessible deletion mechanism, it is liable for administrative fines and costs in an administrative action brought by the CPPA. The fines may consist of an administrative cost of $200 for each deletion request for each day the data broker fails to delete information, and reasonable expenses incurred by the CPPA in the investigation and administration of the action against the data broker. The current Data Broker Registration law does not provide for deletion requests from consumers, or any obligations on behalf of data brokers to process such requests.
Are regulations forthcoming under the Act?
The Act provides for rulemaking by the CPPA to administer and implement the Act. The CPPA is not required to, but is expressly authorized to, adopt regulations “to implement and administer” the Delete Act. (which notably is a narrower proviso than it is provided under the CCPA, i.e., “further the purposes of the [CCPA]).” Presumably, any regulations promulgated by the CPPA would touch on the accessible deletion mechanism, the most consequential aspect of the Delete Act, and be adopted prior to 2026. Given the law is riddled with ambiguities, we can only hope that the CPPA issues regulations clarifying what businesses’ obligations will be.