On October 10, 2023, California Governor Gavin Newsom signed S.B. 362, the Delete Act (the “Act”), into law.  The new law represents a substantive overhaul of California’s existing data broker statute, which requires data brokers to register with the California Attorney General annually.  The passage of the Act follows a renewed interest in data broker activity nationwide, including a request for comments from the Consumer Financial Protection Bureau and the introduction of similar legislation at the federal level.   Below, we outline a number of key provisions:

  • Definition of “Data Broker.”  Like the existing law, the Act defines “data broker” as a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship” and includes exemptions for certain entities covered by the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Insurance Information and Privacy Protection Act.  The new law adds exemptions for entities governed by the Confidentiality of Medical Information Act and Health Insurance Portability and Accountability Act.
  • Registration Requirement.  The Act also retains the registration requirement in the current data broker law.  However, it transitions responsibility for these registrations to the California Privacy Protection Agency (“CPPA”) from the Attorney General.  It also adds several specific registration requirements, including information about the business’ responses to rights requests under the California Consumer Privacy Act (“CCPA”) and Delete Act as well as information on whether the data broker collects the personal information of minors, precise geolocation data, and reproductive health care data, among other things.
  • Metrics on Consumer Rights Requests.  The Act builds on existing CCPA requirements for large businesses to disclose metrics on their responses to consumer rights requests, making these requirements applicable to all data brokers and expanding them.
  • Accessible Deletion Mechanism.  Most notably, however, the Act requires the creation and use of a new deletion mechanism for California consumers by January 1, 2026.  The CPPA is responsible for creating this “accessible deletion mechanism,” which will allow consumers to make a single deletion request to all data brokers that maintain their personal information at one time.  Beginning August 1, 2026, data brokers will be required to access the mechanism at least once every 45 days, process all pending deletion requests, and direct their service providers and contractors to also delete the personal information.  If the data broker acquires new personal information from a consumer who has made a deletion request, it is prohibited from selling or sharing such information and must refresh the initial deletion request every 45 days.
  • Exemptions.  The Act incorporates the CCPA exemptions for deletion requests, including the provision of requested goods or services, compliance with laws, and internal uses that are reasonably aligned with the expectations of the consumer and compatible with the context in which the consumer provided the information.  However, if a request is denied under one of these exemptions, the personal information may only be processed for the exempted purposes moving forward.  While requests can be denied if they cannot be verified, such requests must still be processed as a request to opt-out of sale or sharing under the CCPA.
  • Audit Requirement.  Beginning January 1, 2028, the Act requires data brokers to undergo an audit by an independent third party every three years to determine compliance with the deletion requirements, which must be submitted to the CPPA upon request. 
  • Penalties.  The Act also imposes an administrative fine of $200 per day—an increase from $100 per day under the current data broker law—for each day the data broker fails to register or answer a deletion request from the deletion mechanism.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Sarah Parker

Sarah Parker is an associate in the firm’s Washington Office. Her practice focuses on privacy, advertising, and consumer protection regulatory matters and government investigations.

Sarah also maintains an active pro bono practice, with a focus on criminal justice and civil rights litigation.

Andrew Longhi

Andrew Longhi advises national and multinational companies across industries on a wide range of regulatory, compliance, and enforcement matters involving data privacy, telecommunications, and emerging technologies.

Andrew’s practice focuses on advising clients on how to navigate the rapidly evolving legal landscape of state, federal, and international data protection laws. He proactively counsels clients on the substantive requirements introduced by new laws and shifting enforcement priorities. In particular, Andrew routinely supports clients in their efforts to launch new products and services that implicate the laws governing the use of data, connected devices, biometrics, and telephone and email marketing.

Andrew assesses privacy and cybersecurity risk as a part of diligence in complex corporate transactions where personal data is a key asset or data processing issues are otherwise material. He also provides guidance on generative AI issues, including privacy, Section 230, age-gating, product liability, and litigation risk, and has drafted standards and guidelines for large-language machine-learning models to follow. Andrew focuses on providing risk-based guidance that can keep pace with evolving legal frameworks.