Continuing to pave the way for enhanced privacy rights for California consumers, on October 10, California Governor Gavin Newsom signed into law S.B. 262, colloquially known as the California Delete Act (the “Delete Act” or the “Act”).[1] The Delete Act is the first of its kind in the United States, providing California-based consumers with a more streamlined, user-friendly way to request deletion of their personal information from data brokers.
In California, there are currently over 500 registered data brokers, making it difficult and time-consuming for California consumers to broadly exercise their deletion rights under the California Consumer Privacy Act (the “CCPA”). The Delete Act simplifies this process by allowing consumers to make such requests in a single instance as opposed to sending individualized requests to each registered data broker. Specifically, the Act directs the California Privacy Protection Agency (“CPPA”) to, prior to January 2026, establish an accessible deletion mechanism that allows a consumer, through a single verifiable consumer request, to simultaneously request that every California-registered data broker delete their personal information from their repositories and direct their associated service providers or contractors to do the same.
While the Delete Act is being praised by consumer privacy advocates nationwide, organizations that rely heavily on third-party data are expressing growing concern with the Act’s onerous reporting and compliance obligations as well as its potential influence on other state legislatures to enact similar, consumer-favorable laws.[2]
Background
As noted above, the Delete Act builds upon the consumer deletion rights first conferred to California residents under California’s pioneer privacy legislation, the CCPA, and shifts data broker reporting and compliance mechanisms to the CPPA (as opposed to the California Attorney General, with whom data brokers are currently required to register under California laws).
The Delete Act was drafted by State Senator Josh Becker, who championed the Act as protecting California citizens’ most private information. In his view, “[d]ata brokers possess thousands of data points on each and every one of us, and they currently sell reproductive healthcare, geolocation and purchasing data to the highest bidder. The Delete Act protects our most sensitive information.” Privacy advocates championed the bill, largely agreeing with Becker and arguing that the prior regulations were essentially toothless because they were too difficult to use as a consumer. Now, they argue, consumers are afforded a one-stop-shop to protect their personal information as they see fit.
Delete Act Requirements
As noted above, the Delete Act shifts oversight of California’s current data broker regulations, which currently require data brokers to follow certain registration and deletion procedures, collection restrictions and transparency requirements, from the Attorney General to the CPPA. The Delete Act applies to “data brokers” defined under California law as businesses (as such term is defined under the CCPA) that knowingly collect and sell to third parties the personal information of a consumer with whom the businesses do not have a direct relationship, and thus will broadly cover any company that collects, uses or “sells” consumer personal information without such consumer’s knowledge.
Specifically, the Delete Act requires entities meeting the definition of a data broker to:
- Beginning in January 2024, annually register with the CPPA, in connection with which data brokers are required to disclose the type of personal information they collect (including whether they collect the information of minors, consumers’ precise geolocations or consumers’ reproductive health care data),[3] and pay a registration fee;
- Compile and disclose in its privacy policy metrics regarding (i) the number of consumer CCPA rights requests it received, complied with or denied (including the grounds for such denial) during the previous calendar year and (ii) the median and mean number of days within which the data broker substantively responded to such requests during the previous calendar year;
- Publish on its internet website, avoiding use of dark patterns, (i) details of how consumers may exercise their CCPA privacy rights requests, including the rights to access, delete, correct, opt-out and limit the use and disclosure of their sensitive personal information and (ii) the metrics discussed above or a link thereto;
- Beginning August 1, 2026, access the accessible data deletion mechanism established by the CPPA at least once every forty-five (45) days and (i) process all such deletion requests or, where the deletion request cannot be verified, process such request as a consumer opt-out request with respect to the “sale” or “sharing” of such consumer’s personal information and (ii) direct all service providers or contractors associated with the data broker to process the deletion or opt-out request;
- Continuously ensure deletion of the requesting consumer’s personal information at least once every forty-five (45) days; and
- Beginning in January of 2028 and every three (3) years thereafter, undergo independent audits to ensure compliance with the Delete Act and submit resulting reports to the CPPA within five (5) days upon written request.
For any company that the CPPA believes to be a broker that then fails to register, the CPPA may levy a fine of up to $200 per day for each day that it remains out of compliance (double the current fine under existing California data broker laws), in addition to imposing administrative fees related to any administrative action brought by the CPPA. Further, data brokers will also be subject to fines of up to $200 for each deletion request for each day the data broker fails to delete the requesting consumer’s personal information.
Conclusion and Key Takeaways
The Delete Act does not come unchallenged. The first hurdle the CPPA will encounter is cost; specifically, some industry professionals are speculating that the cost of creating a deletion request mechanism as prescribed under the Act alone is projected to be approximately twenty (20) times the CPPA’s proposed budget. In any event, both sides of the debate agree that there is more the CPPA will have to clarify before the Delete Act comes into force, including difficult operational questions such as the methods by which entities will conduct consumer identity verification.
Organizations that rely heavily on third-party data will be significantly impacted by the reporting and deletion obligations arising under the Delete Act; accordingly, such organizations should begin to take steps to determine whether they might qualify as a data broker and, if so, prepare to register with and report information and metrics about their data processing activities to the CPPA as set forth above. The Delete Act’s mandates will further require organizations not only to ensure that they can verify, honor and stay up-to-date with consumer deletion requests, but also to trace the origin of such data to ensure they can pass on consumer deletion requests to their service providers and contractors where required.
[1] The full text of the California Delete Act is available here.
[2] Notably, California has been at the forefront of different types of privacy legislation, and several states have promptly followed suit.
[3] Registration information will be made publicly available on a website managed by the CPPA.