Everything You Need to Know About California Delete Act
Harsh Sahu
CTO
May 2024 | 10 mins
The California Delete Act first introduced by the state senator Josh Becker. According to him, the act’s basic premise is “every Californian should be able to control who has access to their personal information and what they can do with it”.
This act doesn’t come as a surprise because data brokers spend their days and nights building dossiers with millions of people's reproductive healthcare, geolocation, and purchasing data so they can sell it to the highest bidder.
In this blog, you will get to know what data broker means in the California data deletion act, what are the various of the act, certain exemptions and how it can also impact certain sectors.
The California Delete Act, also known as Senate Bill 362 (SB 362), set to go into effect from January 1, 2024, is a legislative measure aimed at enhancing California consumer privacy by giving individuals greater control over their personal information held by data brokers.
It is a build up from the previously enacted data regulation laws like the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
The delete act is a positive approach to safeguard consumer privacy by giving them control over their personal and sensitive data. Californians will be able to request deletion of their data and also understand why certain data were collected by data brokers. All the personal data collected will undergo a scrutiny and Californians will have all the rights over their data.
Key provisions of the California Delete Act, which amplifies Californians control over their personal information collected by data brokers includes:
A data broker is defined as a business that knowingly collects and sells to third parties the personal information of a consumer with whom it does not have a direct relationship.
California is the first state to pass a law to create an accessible deletion mechanism for consumers to delete their personal information held by data brokers in a single step.
Administration, enforcement, and rule-making authority over California’s data broker registry will transfer from the California Department of Justice to the California Privacy Protection Agency (CPPA) effective January 1, 2024.
By January 1, 2026, the CPPA must establish an accessible deletion mechanism allowing consumers to direct all data brokers to delete their personal information through a single request.
Data brokers must process deletion requests and delete all relevant personal information within 45 days of receiving the request, starting August 1, 2026.
Data brokers are prohibited from selling or sharing a consumer’s information after a deletion request, unless the consumer requests otherwise.
Data brokers must register annually with the CPPA, pay a registration fee, and provide specified information, including details on how they handle consumer data deletion requests.
Non-compliance with registration requirements or the deletion mechanism can result in administrative fines and costs.
Starting January 1, 2028, data brokers must undergo an independent audit every three years to ensure compliance with the deletion mechanism requirements.
Data brokers must submit audit reports to the CPPA upon request and maintain these reports for at least six years.
The CPPA will create a public website providing information about registered data brokers and the accessible deletion mechanism.
The CPPA is authorized to charge fees to data brokers for accessing the deletion mechanism, with collected fees deposited in the Data Brokers’ Registry Fund.
Data brokers failing to comply with the accessible deletion mechanism or registration requirements are liable for administrative fines, fees, expenses, and costs.
The CPPA and state courts can use funds from the Data Brokers’ Registry Fund to cover enforcement and administrative costs.
Consumers can request deletion of their personal information held by data brokers and associated service providers or contractors.
The deletion mechanism must be accessible and usable by consumers with disabilities and allow consumers to verify the status of their deletion requests.
Entities covered by federal laws like the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and certain healthcare privacy regulations are excluded from the definition of "data broker."
To qualify as a data broker under the California Delete Act, a business must meet the following criteria:
The business knowingly collects and sells to third parties the personal information of consumers with whom it does not have a direct relationship. This means the business gathers personal data and engages in transactions involving this data without directly interacting with the individuals whose information is being sold.
Certain entities are excluded from being classified as data brokers under this Act. These exclusions include:
Businesses that qualify as data brokers must register annually with the California Privacy Protection Agency (CPPA). This registration involves providing specific information about their data practices and paying a registration fee.
Under the California Delete Act, data brokers are businesses that collect and sell personal information about consumers with whom they do not have a direct relationship.
Here are some examples of entities that can be considered data brokers:
Companies that collect consumer data from various sources (online activities, surveys, purchase histories) and sell it to advertisers and marketers for targeted advertising campaigns.
Websites that gather public records and other data to create profiles on individuals, which they then sell to people looking to find information about others.
While their primary activities are regulated under the Fair Credit Reporting Act (FCRA), any additional services where they sell consumer data not covered by the FCRA can fall under the data broker category.
Companies that collect and sell non-HIPAA protected health information, such as wellness data from fitness apps or diet tracking tools.
Companies that compile data about property owners, their transaction history, and other related information to sell to real estate agents, developers, or investors.
Firms that collect data from various sources to provide comprehensive background checks for employers or landlords, especially those not covered under specific federal regulations.
Companies that collect data on consumer phone usage and location and sell this information to third parties for marketing or other purposes.
Businesses that gather information about consumer shopping habits, purchase histories, and preferences and sell this data to manufacturers and retailers for market analysis.
These entities typically operate without direct interaction with the consumers whose data they collect and sell, making them subject to the regulations imposed by the California Delete Act if they operate within the state's jurisdiction.
Under the California Delete Act, consumers can request the deletion of various types of personal information held by data brokers. This encompasses a broad range of data categories that data brokers might collect, store, and sell.
Here are the key types of data that can be deleted under the Act:
Names, addresses, phone numbers, email addresses, Social Security numbers, driver's license numbers, passport numbers, and other unique identifiers.
Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Physiological, biological, and behavioral characteristics, including DNA, fingerprints, faceprints, and voiceprints.
Browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
Precise physical location information about a consumer.
Audio recordings, photos, and video footage.
Employment history, performance evaluations, and disciplinary records.
Records related to education, including grades, transcripts, and other academic information.
Profiles reflecting a consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Information such as racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, sexual orientation, and precise geolocation.
The process to delete your personal information collected by data brokers is simple:
Consumers can submit a single verifiable deletion request to the California Privacy Protection Agency's accessible deletion mechanism, which will then direct all data brokers to delete the consumer's personal information.
Consumers can verify the status of their deletion request through the accessible deletion mechanism.
The deletion mechanism will not charge consumers for making a deletion request.
Data brokers may retain certain data if it is required to comply with legal obligations or if the deletion is otherwise exempt under the California Consumer Privacy Act (CCPA) or related laws.
The Accessible Deletion Mechanism is a key feature of the California Delete Act, designed to enhance consumer privacy by simplifying the process of requesting the deletion of personal information held by data brokers.
Here are the key aspects of the Accessible Deletion Mechanism:
Allows consumers to submit a single verifiable request to delete their personal information across all registered data brokers.
The California Privacy Protection Agency (CPPA) is required to establish this mechanism by January 1, 2026.
The mechanism must be user-friendly and accessible to all consumers, including those with disabilities. This ensures that all consumers can easily request the deletion of their personal data.
Consumers will not be charged for making a deletion request through this mechanism.
The Accessible Deletion Mechanism aims to streamline and simplify the process of deleting personal information, making it easier for consumers to exercise their privacy rights and maintain control over their personal data.
The key functionalities of the accessible deletion mechanism include:
Consumers can request the deletion of all personal information held by data brokers and their associated service providers or contractors through a single, verifiable request.
Consumers can alter a previous deletion request after at least 45 days have passed since the last request.
Data brokers must process deletion requests within 45 days of receiving them and delete all relevant personal information. Data brokers are also required to access the mechanism at least once every 45 days to process new deletion requests.
Consumers can verify the status of their deletion requests through the mechanism, ensuring transparency and accountability.
After processing a deletion request, data brokers must direct all related service providers and contractors to delete the consumer’s personal information. Data brokers must continue to delete the consumer’s personal information at least once every 45 days unless the consumer requests otherwise or if specific exemptions apply.
After a consumer’s data has been deleted, data brokers are prohibited from selling or sharing the consumer’s information unless the consumer consents.
Starting January 1, 2028, data brokers must undergo an independent audit every three years to ensure compliance with the deletion mechanism and other related provisions.
Consumers can file complaints with the CPPA if they believe a data broker has failed to comply with their deletion request or other provisions of the Act. If a data broker fails to comply with a data subject request under the California Delete Act, several consequences and enforcement actions can be imposed.
Here are the key points regarding non-compliance:
Data brokers that fail to comply with the requirements of the Accessible Deletion Mechanism or other provisions related to consumer data requests are liable for administrative fines, fees, expenses, and costs. These fines are determined by the California Privacy Protection Agency (CPPA). USD 200 daily fines for non-registration and unfulfilled deletion requests.
Data brokers that do not register as required by the Act are subject to administrative fines and costs. This includes:
If a data broker does not delete consumer data as requested, they face penalties that can include substantial fines. These penalties are designed to enforce compliance and deter future violations.
Data brokers must undergo an independent third-party audit every three years starting January 1, 2028. Failure to comply with the audit requirements can lead to further penalties and enforcement actions.
The California Delete Act is poised to have significant impacts on businesses, both positive and negative.
Here are some key ways in which businesses might be affected:
The Act encourages the mass deletion of data, which is a critical resource for many businesses, particularly those in the digital economy. This could reduce the availability of valuable consumer data that businesses rely on for marketing, customer acquisition, and personalization.
Businesses might face increased costs due to the need to comply with the new regulations. The administration and enforcement of deletion requests could be complex and expensive. According to Oswald, the cost to the CPPA for implementing the deletion request system could be roughly 20 times its projected budget, indicating significant financial and operational burdens.
There are concerns that the Act might lead to pay-to-play deletion schemes, where consumers would have to pay for deletion services. This could add hundreds of dollars a year to consumer expenses, indirectly impacting businesses through consumer dissatisfaction and potential loss of trust.
Small businesses, which often rely heavily on data-driven advertising to find new customers, may struggle without access to comprehensive consumer data. This could impact their ability to compete effectively with larger firms that have more resources to adapt to the new regulations.
Non-profits could lose access to data tools that help them find new donors and volunteers, affecting their fundraising and outreach efforts. Government agencies might also face difficulties in using data to allocate resources efficiently and reduce waste, impacting public service delivery.
By providing consumers with greater control over their personal information, the Act could enhance consumer trust and loyalty. Businesses that are transparent and compliant with these regulations might build stronger relationships with their customers.
The focus on consumer-initiated data deletion might lead businesses to prioritize the collection and maintenance of high-quality data. This can improve the accuracy and effectiveness of data-driven strategies.
The Act could spur innovation in privacy-focused technologies and services, creating new business opportunities in the areas of data management, cybersecurity, and compliance solutions.
Businesses that adapt quickly and efficiently to the new regulations could gain a competitive advantage by differentiating themselves as leaders in consumer privacy and data protection.
The CPPA will maintain a public website providing information about the accessible deletion mechanism and registered data brokers. This ensures that consumers are well-informed about their rights and the available tools for protecting their personal data.
Yes, there are several similar laws both within the United States and internationally that aim to enhance consumer privacy and regulate the handling of personal data by businesses. Here are some notable examples:
The California Delete Act simplifies consumer data deletion from brokers, sharing goals with other laws to enhance consumer control, transparency, and data protection.
