Everything You Need to Know About California Delete Act

Harsh Sahu
CTO
May 2024 | 10 mins

The California Delete Act was first introduced by state senator Josh Becker. According to him, the act’s basic premise is “every Californian should be able to control who has access to their personal information and what they can do with it”.

This act doesn’t come as a surprise because data brokers spend their days and nights building dossiers with millions of people's reproductive healthcare, geolocation, and purchasing data so they can sell it to the highest bidder.

In this blog, you will learn what a data broker is under the California Delete Act, the act’s key features, certain exemptions, and how it can impact certain sectors.

What is the California Delete Act?

The California Delete Act, also known as Senate Bill 362 (SB 362), set to go into effect from January 1, 2024, is a legislative measure aimed at enhancing California consumer privacy by giving individuals greater control over their personal information held by data brokers.

It builds on previously enacted data regulation laws such as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

The Delete Act is a positive approach to safeguarding consumer privacy by giving consumers control over their personal and sensitive data. Californians will be able to request deletion of their data and also understand why certain data were collected by data brokers. All the personal data collected will undergo scrutiny, and Californians will have all the rights over their data.

What are the Key Features of the California Delete Act?

Key provisions of the California Delete Act, which amplifies Californians’ control over their personal information collected by data brokers, include:

#1 Definition of Data Brokers

A data broker is defined as a business that knowingly collects and sells to third parties the personal information of a consumer with whom it does not have a direct relationship.

California is the first state to pass a law to create an accessible deletion mechanism for consumers to delete their personal information held by data brokers in a single step.

#2 Transfer of Authority

Administration, enforcement, and rule-making authority over California’s data broker registry will transfer from the California Department of Justice to the California Privacy Protection Agency (CPPA) effective January 1, 2024.

#3 Accessible Deletion Mechanism

By January 1, 2026, the CPPA must establish an accessible deletion mechanism allowing consumers to direct all data brokers to delete their personal information through a single request.

Data brokers must process deletion requests and delete all relevant personal information within 45 days of receiving the request, starting August 1, 2026.

#4 Prohibition on Selling or Sharing Information

Data brokers are prohibited from selling or sharing a consumer’s information after a deletion request, unless the consumer requests otherwise.

#5 Data Broker Registration and Compliance

Data brokers must register annually with the CPPA, pay a registration fee, and provide specified information, including details on how they handle consumer data deletion requests.

Non-compliance with registration requirements or the deletion mechanism can result in administrative fines and costs.

#6 Audits and Reporting

Starting January 1, 2028, data brokers must undergo an independent audit every three years to ensure compliance with the deletion mechanism requirements.

Data brokers must submit audit reports to the CPPA upon request and maintain these reports for at least six years.

#7 Public Access and Fees

The CPPA will create a public website providing information about registered data brokers and the accessible deletion mechanism.

The CPPA is authorized to charge fees to data brokers for accessing the deletion mechanism, with collected fees deposited in the Data Brokers’ Registry Fund.

#8 Enforcement and Penalties

Data brokers failing to comply with the accessible deletion mechanism or registration requirements are liable for administrative fines, fees, expenses, and costs.

The CPPA and state courts can use funds from the Data Brokers’ Registry Fund to cover enforcement and administrative costs.

#9 Consumer Rights and Protections

Consumers can request deletion of their personal information held by data brokers and associated service providers or contractors.

The deletion mechanism must be accessible and usable by consumers with disabilities and allow consumers to verify the status of their deletion requests.

#10 Exemptions from the Delete Act

Entities covered by federal laws like the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and certain healthcare privacy regulations are excluded from the definition of "data broker."

Who Qualifies as a Data Broker Under the California Data Deletion Law?

To qualify as a data broker under the California Delete Act, a business must meet the following criteria:

#1 Nature of Business

The business knowingly collects and sells to third parties the personal information of consumers with whom it does not have a direct relationship. This means the business gathers personal data and engages in transactions involving this data without directly interacting with the individuals whose information is being sold.

#2 Exclusions

Certain entities are excluded from being classified as data brokers under this Act. These exclusions include:

  • Entities covered by the federal Fair Credit Reporting Act.
  • Entities covered by the Gramm-Leach-Bliley Act and its implementing regulations.
  • Entities covered by the Insurance Information and Privacy Protection Act.

#3 Annual Registration Requirement

Businesses that qualify as data brokers must register annually with the California Privacy Protection Agency (CPPA). This registration involves providing specific information about their data practices and paying a registration fee.

Some Examples of Data Brokers Under the Delete Act

Under the California Delete Act, data brokers are businesses that collect and sell personal information about consumers with whom they do not have a direct relationship.

Here are some examples of entities that can be considered data brokers:

#1 Marketing and Advertising Firms

Companies that collect consumer data from various sources (online activities, surveys, purchase histories) and sell it to advertisers and marketers for targeted advertising campaigns.

#2 People Search Websites

Websites that gather public records and other data to create profiles on individuals, which they then sell to people looking to find information about others.

#3 Credit Reporting Agencies (for non-FCRA covered activities)

While their primary activities are regulated under the Fair Credit Reporting Act (FCRA), any additional services where they sell consumer data not covered by the FCRA can fall under the data broker category.

#4 Health Data Aggregators

Companies that collect and sell non-HIPAA protected health information, such as wellness data from fitness apps or diet tracking tools.

#5 Real Estate Data Firms

Companies that compile data about property owners, their transaction history, and other related information to sell to real estate agents, developers, or investors.

#6 Background Check Services

Firms that collect data from various sources to provide comprehensive background checks for employers or landlords, especially those not covered under specific federal regulations.

#7 Telecommunications Data Providers

Companies that collect data on consumer phone usage and location and sell this information to third parties for marketing or other purposes.

#8 Retail Data Collectors

Businesses that gather information about consumer shopping habits, purchase histories, and preferences and sell this data to manufacturers and retailers for market analysis.

These entities typically operate without direct interaction with the consumers whose data they collect and sell, making them subject to the regulations imposed by the California Delete Act if they operate within the state's jurisdiction.

What Data Can You Delete Under the California Data Deletion Law?

Under the California Delete Act, consumers can request the deletion of various types of personal information held by data brokers. This encompasses a broad range of data categories that data brokers might collect, store, and sell.

Here are the key types of data that can be deleted under the Act:

#1 Personal Identifiers

Names, addresses, phone numbers, email addresses, Social Security numbers, driver's license numbers, passport numbers, and other unique identifiers.

#2 Commercial Information

Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

#3 Biometric Information

Physiological, biological, and behavioral characteristics, including DNA, fingerprints, faceprints, and voiceprints.

#4 Internet or Other Electronic Network Activity Information

Browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.

#5 Geolocation Data

Precise physical location information about a consumer.

#6 Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information

Audio recordings, photos, and video footage.

#7 Professional or Employment-Related Information

Employment history, performance evaluations, and disciplinary records.

#8 Educational Information

Records related to education, including grades, transcripts, and other academic information.

#9 Inferences Drawn from Personal Information

Profiles reflecting a consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

#10 Sensitive Personal Information

Information such as racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, sexual orientation, and precise geolocation.

How to Delete Personal Information?

The process to delete your personal information collected by data brokers is simple:

#1 Single Request Mechanism

Consumers can submit a single verifiable deletion request to the California Privacy Protection Agency's accessible deletion mechanism, which will then direct all data brokers to delete the consumer's personal information.

#2 Verification

Consumers can verify the status of their deletion request through the accessible deletion mechanism.

#3 No Charge

The deletion mechanism will not charge consumers for making a deletion request.

Exceptions to Deleting Personal Information

Data brokers may retain certain data if it is required to comply with legal obligations or if the deletion is otherwise exempt under the California Consumer Privacy Act (CCPA) or related laws.

What is the Accessible Deletion Mechanism Under the Delete Act?

The Accessible Deletion Mechanism is a key feature of the California Delete Act, designed to enhance consumer privacy by simplifying the process of requesting the deletion of personal information held by data brokers.

Here are the key aspects of the Accessible Deletion Mechanism:

#1 Single Request Process

Allows consumers to submit a single verifiable request to delete their personal information across all registered data brokers.

#2 Establishment Deadline

The California Privacy Protection Agency (CPPA) is required to establish this mechanism by January 1, 2026.

#3 Accessibility

The mechanism must be user-friendly and accessible to all consumers, including those with disabilities. This ensures that all consumers can easily request the deletion of their personal data.

#4 Cost-Free

Consumers will not be charged for making a deletion request through this mechanism.

What are the Key Functionalities of the Accessible Deletion Mechanism?

The Accessible Deletion Mechanism aims to streamline and simplify the process of deleting personal information, making it easier for consumers to exercise their privacy rights and maintain control over their personal data.

The key functionalities of the accessible deletion mechanism include:

#1 Deletion Requests

Consumers can request the deletion of all personal information held by data brokers and their associated service providers or contractors through a single, verifiable request.

#2 Request Alteration

Consumers can alter a previous deletion request after at least 45 days have passed since the last request.

#3 Data Broker Compliance

Data brokers must process deletion requests within 45 days of receiving them and delete all relevant personal information. Data brokers are also required to access the mechanism at least once every 45 days to process new deletion requests.

#4 Verification and Status Check

Consumers can verify the status of their deletion requests through the mechanism, ensuring transparency and accountability.

#5 Data Broker Responsibilities

After processing a deletion request, data brokers must direct all related service providers and contractors to delete the consumer’s personal information. Data brokers must continue to delete the consumer’s personal information at least once every 45 days unless the consumer requests otherwise or if specific exemptions apply.

#6 Prohibition on Data Selling and Sharing

After a consumer’s data has been deleted, data brokers are prohibited from selling or sharing the consumer’s information unless the consumer consents.

#7 Audit Requirements

Starting January 1, 2028, data brokers must undergo an independent audit every three years to ensure compliance with the deletion mechanism and other related provisions.

What Happens if a Data Broker Fails to Comply with the Delete Act?

Consumers can file complaints with the CPPA if they believe a data broker has failed to comply with their deletion request or other provisions of the Act. If a data broker fails to comply with a data subject request under the California Delete Act, several consequences and enforcement actions can be imposed.

Here are the key points regarding non-compliance:

#1 Administrative Fines and Costs

Data brokers that fail to comply with the requirements of the Accessible Deletion Mechanism or other provisions related to consumer data requests are liable for administrative fines, fees, expenses, and costs. These fines are determined by the California Privacy Protection Agency (CPPA). Daily fines of USD 200 apply for non-registration and unfulfilled deletion requests.

#2 Fines for Failure to Register

Data brokers that do not register as required by the Act are subject to administrative fines and costs. This includes:

  • An amount equal to the fees that were due during the period of non-registration.
  • Additional fines and costs related to the CPPA's investigation and administration of the non-compliance action.

#3 Penalties for Failure to Delete Data

If a data broker does not delete consumer data as requested, it faces penalties that can include substantial fines. These penalties are designed to enforce compliance and deter future violations.

#4 Audit Requirements

Data brokers must undergo an independent third-party audit every three years starting January 1, 2028. Failure to comply with the audit requirements can lead to further penalties and enforcement actions.

How will the California Delete Act Impact Businesses?

The California Delete Act is poised to have significant impacts on businesses, both positive and negative.

Here are some key ways in which businesses might be affected:

Potential Negative Impacts

#1 Mass Deletion of Data

The Act encourages the mass deletion of data, which is a critical resource for many businesses, particularly those in the digital economy. This could reduce the availability of valuable consumer data that businesses rely on for marketing, customer acquisition, and personalization.

#2 Increased Costs

Businesses might face increased costs due to the need to comply with the new regulations. The administration and enforcement of deletion requests could be complex and expensive. According to Oswald, the cost to the CPPA for implementing the deletion request system could be roughly 20 times its projected budget, indicating significant financial and operational burdens.

#3 Pay-to-Play Deletion Schemes

There are concerns that the Act might lead to pay-to-play deletion schemes, where consumers would have to pay for deletion services. This could add hundreds of dollars a year to consumer expenses, indirectly impacting businesses through consumer dissatisfaction and potential loss of trust.

#4 Challenges for Small Businesses

Small businesses, which often rely heavily on data-driven advertising to find new customers, may struggle without access to comprehensive consumer data. This could impact their ability to compete effectively with larger firms that have more resources to adapt to the new regulations.

#5 Non-Profit and Government Operations

Non-profits could lose access to data tools that help them find new donors and volunteers, affecting their fundraising and outreach efforts. Government agencies might also face difficulties in using data to allocate resources efficiently and reduce waste, impacting public service delivery.

Potential Positive Impacts

#1 Enhanced Consumer Trust

By providing consumers with greater control over their personal information, the Act could enhance consumer trust and loyalty. Businesses that are transparent and compliant with these regulations might build stronger relationships with their customers.

#2 Data Quality Improvement

The focus on consumer-initiated data deletion might lead businesses to prioritize the collection and maintenance of high-quality data. This can improve the accuracy and effectiveness of data-driven strategies.

#3 Innovation in Privacy Solutions

The Act could spur innovation in privacy-focused technologies and services, creating new business opportunities in the areas of data management, cybersecurity, and compliance solutions.

#4 Competitive Advantage

Businesses that adapt quickly and efficiently to the new regulations could gain a competitive advantage by differentiating themselves as leaders in consumer privacy and data protection.

Frequently asked questions

1. What are the Consumer Rights and Remedies under the Delete Act?

  1. Consumer Complaints: Consumers can file complaints with the CPPA if they believe a data broker has failed to comply with their deletion request or other provisions of the Act.
  2. Right to Verification: Consumers have the right to verify the status of their deletion requests through the accessible deletion mechanism, ensuring transparency and accountability.

2. How will Californians Access their Rights Under the California Delete Act?

The CPPA will maintain a public website providing information about the accessible deletion mechanism and registered data brokers. This ensures that consumers are well-informed about their rights and the available tools for protecting their personal data.

3. Are there any Similar Laws like the California Delete Act?

Yes, there are several similar laws both within the United States and internationally that aim to enhance consumer privacy and regulate the handling of personal data by businesses. Here are some notable examples:

  1. California Consumer Privacy Act (CCPA)
  2. Virginia Consumer Data Protection Act (CDPA)
  3. Colorado Privacy Act (CPA)
  4. Nevada Privacy Law (SB 220)
  5. General Data Protection Regulation (GDPR)
  6. Brazilian General Data Protection Law (LGPD)
  7. Personal Information Protection and Electronic Documents Act (PIPEDA)
  8. New Zealand Privacy Act 2020

The California Delete Act simplifies consumer data deletion from brokers, sharing goals with other laws to enhance consumer control, transparency, and data protection.
