On October 10, 2023, California Governor Gavin Newsom signed S.B. 362, the Delete Act (the “Act”), into law. The new law represents a substantive overhaul of California’s existing data broker statute, which requires data brokers to register with the California Attorney General annually. The passage of the Act follows a renewed interest in data broker activity nationwide, including a request for comments from the Consumer Financial Protection Bureau and the introduction of similar legislation at the federal level. Below, we outline a number of key provisions:
- Definition of “Data Broker.” Like the existing law, the Act defines “data broker” as a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship” and includes exemptions for certain entities covered by the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Insurance Information and Privacy Protection Act. The new law adds exemptions for entities governed by the Confidentiality of Medical Information Act and Health Insurance Portability and Accountability Act.
- Registration Requirement. The Act also retains the registration requirement in the current data broker law. However, it transitions responsibility for these registrations to the California Privacy Protection Agency (“CPPA”) from the Attorney General. It also adds several specific registration requirements, including information about the business’ responses to rights requests under the California Consumer Privacy Act (“CCPA”) and Delete Act as well as information on whether the data broker collects the personal information of minors, precise geolocation data, and reproductive health care data, among other things.
- Metrics on Consumer Rights Requests. The Act builds on existing CCPA requirements for large businesses to disclose metrics on their responses to consumer rights requests, making these requirements applicable to all data brokers and expanding them.
- Accessible Deletion Mechanism. Most notably, however, the Act requires the creation and use of a new deletion mechanism for California consumers by January 1, 2026. The CPPA is responsible for creating this “accessible deletion mechanism,” which will allow consumers to make a single deletion request to all data brokers that maintain their personal information at one time. Beginning August 1, 2026, data brokers will be required to access the mechanism at least once every 45 days, process all pending deletion requests, and direct their service providers and contractors to also delete the personal information. If the data broker acquires new personal information from a consumer who has made a deletion request, it is prohibited from selling or sharing such information and must refresh the initial deletion request every 45 days.
- Exemptions. The Act incorporates the CCPA exemptions for deletion requests, including the provision of requested goods or services, compliance with laws, and internal uses that are reasonably aligned with the expectations of the consumer and compatible with the context in which the consumer provided the information. However, if a request is denied under one of these exemptions, the personal information may only be processed for the exempted purposes moving forward. While requests can be denied if they cannot be verified, such requests must still be processed as a request to opt out of sale or sharing under the CCPA.
- Audit Requirement. Beginning January 1, 2028, the Act requires data brokers to undergo an audit by an independent third party every three years to determine compliance with the deletion requirements, which must be submitted to the CPPA upon request.
- Penalties. The Act also imposes an administrative fine of $200 per day—an increase from $100 per day under the current data broker law—for each day the data broker fails to register or answer a deletion request from the deletion mechanism.