6 minute read | October 19, 2023
California Gov. Gavin Newsom has signed a bill into law aimed at letting consumers delete the personal information that data brokers in California hold about them.
Supporters say the Delete Act closes a loophole in the California Consumer Privacy Act (CCPA): under the CCPA, a deletion request reaches only personal information the business obtained directly from the consumer, not personal information a data broker collected indirectly or aggregated from other sources.
Here are five key things to know about the Delete Act, including considerations for your privacy compliance program:
The Delete Act carries over the definition of “data broker” from California’s existing data broker registration law – “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship” – subject to certain exemptions.
The Delete Act directs the CPPA to establish, by January 1, 2026, an accessible deletion mechanism that enables a consumer (or a consumer’s authorized agent) to submit, without charge, a single verifiable deletion request that applies to every data broker registered in California. Each such request will require the data broker, and any service provider or contractor acting for it, to delete the consumer’s personal information. The Delete Act allows the CPPA to charge data brokers an access fee for using the deletion mechanism; the CPPA has not yet set the amount of that fee.
Beginning January 1, 2028, the Delete Act requires each data broker to undergo an audit by an independent third party once every three years to assess its compliance. A data broker will also have to submit its audit report to the CPPA within five days of the agency’s written request and maintain audit records for at least six years.
The CPPA will enforce both the data broker registration requirements and the new data deletion requirements, and may adopt regulations to implement and administer the Delete Act.
Failure to comply with the Delete Act may subject a data broker to administrative fines, fees, expenses and costs, including $200 for each day it fails to register where required and $200 per deletion request for each day it fails to honor a deletion request. The CPPA will use those funds to cover the costs it and the state courts incur in enforcing the Delete Act and in establishing and maintaining the accessible deletion mechanism. An administrative action under the Delete Act cannot be brought against a data broker more than five years after the suspected violation.
The Delete Act will impose significant compliance obligations on data brokers. Companies should first determine whether they fall within its scope. If they do, they should build a compliance program that can handle the broader deletion requests and the enhanced transparency requirements, keeping key dates in mind, including the January 31, 2024 deadline to register with the CPPA and update online privacy notices.
A data broker compliance program should include written internal processes and procedures for accessing the deletion mechanism at the required intervals (beginning August 1, 2026, at least once every 45 days) and for fulfilling the underlying deletion requests. Companies should also review their agreements with service providers and contractors to confirm that those parties can meet their downstream obligations under the Delete Act. Lastly, companies should watch for further guidance and regulations from the CPPA.
Want to learn more about the developing privacy landscape for data brokers? Ask one of the authors.