New Requirements for California Compliance under the Recently-Passed Delete Act
-
Short Summary:
The California Delete Act, signed into law October 10, 2023, expands on the definitions and requirements set out in the landmark California Consumer Privacy Act (CCPA). For data brokers, the law requires several new provisions including:
- New Deletion Requirements: Beginning in 2026, the California Privacy Protection Agency (CPPA) will enact a Comprehensive Deletion Mechanism for consumers. Data brokers are required to monitor and respond to deletion requests placed through the mechanism within 45 days.
- New Disclosure Requirements: In addition to the existing notice requirements under the CCPA, data brokers must also disclose whether they process (1) youth data (2) precise geolocation data, and (3) reproductive healthcare data. Brokers must also collect and disclose metrics on their receipt of and responsiveness to consumer privacy requests.
- New Auditing and Registration Requirements: Starting in 2028, brokers will be required to undergo a third-party audit every 3 years, report the results of the audit, and retain the records. Registration will be under the CCPA, rather than the Attorney General.
-
INTRO - Mapping onto the CCPA
Signed into law October 10, 2023, the California Delete Act (also known as SB362) completes several of the provisions laid out in the state’s monumental California Consumer Privacy Act (CCPA). The scope of the bill has significant new requirements for data brokers, in addition to the already existing, stringent requirements under the CCPA.
One of the major shifts is the relevant governing body for the CCPA. The Delete Act shifts and vests the power currently held by the Attorney General in the California Privacy Protection Agency (CPPA), which was established by the California Privacy Rights Act of 2020.
Among the new requirements, there are three significant updates to flag for data brokers, or anyone working for and representing data brokers. First, the law updates deletion rights for principals to delete third-party data. Second, the law enables the California Privacy Protection Agency (CPPA) as the new regulatory body over data brokers, and the CPPA is required to establish a new “one-stop-shop” for data deletion requests.
Significantly, the Delete Act did not change the California language defining a “data broker.” Under the CCPA: a data broker is any entity that "knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." Anyone who is already qualified and is registered with the Attorney General still qualifies and needs to be registered with the CCPA. Under the existing provisions of the CCPA, organizations only have to be registered if they meet the above definition of a data broker, and also fulfill the following qualifications. Any companies that collect California consumers’ data are required to register as brokers, regardless of their territoriality, if they either (1) have a gross annual revenue in excess of $25M, (2) receive ro shared the information of more than 50,000 CA resistance annually, or (3) derive at least 50% of annual revenue from the sale of personal information of CA consumers.
There are some exceptions for entities that otherwise fulfill these requirements, about fall under other statutory privacy provisions: such as the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), Insurance Information and Privacy Protection Act (IIPPA), and California’s HIPAA-covered entities.
-
New Deletion Requirements
The Delete Act seeks to resolve several loopholes, but primarily one which relates to third-party data. As the CCPA stands now, data principals can only make requests for data that was sourced directly from them by the broker currently holding the data. The Delete Act will enable deletion requests for any of the data held by a broker, regardless of whether it was directly sourced from the principal or sourced by a third party.
Similarly, the Delete Act empowers the CCPA as the new oversight body for data rokers, and shifts the power from the Attorney General over to the CCPA in terms of data broker registration and fine collection. Among their other new responsibilities, the CPPA is required to create a comprehensive deletion mechanism. This mechanism, similar to the National Do Not Call Registry, would allow consumers to make a single request for data deletion, rather than having to individually petition each of the data brokers that hold a consumer’s data.
Once the deletion mechanism is in place, the burden will be on the brokers to consistently monitor any requests made that relate to data that they hold. A broker will have 45 days to comply with the initial deletion request, and will have to continuously delete any data associated with that consumer at least every 45 days following the initial deletion request. The data broker is, of course, also then barred from selling or sharing any new data on that consumer,
The legislation has projected August 1, 2026 as the date of effect for this provision.
-
New Disclosure Requirements
Data brokers are already subject to several disclosure requirements as set out by the CCPA, but the Delete Act adds new responsibility for disclosing certain information.
Brokers must disclose, in their registration, whether they collect any of the three types of personal information: (1) the data of minors (2) reproductive health care data, and (3) precise geolocation data. Each of these terms have not been more narrowly defined as used o9n this Act, and will likely be subject of further regulatory advice.
Once the deletion mechanism is in place, the burden will be on the brokers to consistently monitor any requests made that relate to data that they hold. A broker will have 45 days to comply with the initial deletion request, and will have to continuously delete any data associated with that consumer at least every 45 days following the initial deletion request. The data broker is, of course, also then barred from selling or sharing any new data on that consumer,
There is also a higher expectation of reporting on each brokers’ receipt and responses to consumer privacy requests. Now. registered brokers are required to compile the following metrics related to request received within the previous calendar year: (1) the number of requests received, (2) the number of requests complied with, (3) the number of requests denied. Further, for the requests that the broker denied either in whole or in part, they must identify the reason for denial as one of the following: “(1)The request was not verifiable; (2)The request was not made by a consumer; (3)The request called for information exempt from deletion; ro (4)The request was denied on other grounds” Finally, the broker must disclose the median and the mean number of days within which the data broker substantively responded to requests that the broker had received.
On their website, a broker must now also provide a link on their public-facing website which must include all of the following information for the consumer:
- How to delete personal information,
- How to correcting inaccurate personal information
- How to learn what personal information is being collected and how to access that personal information.
- How to learn to opt out of the sale or sharing of personal information
- How to learn to limit the use and disclosure of sensitive personal information.
The above information will have to be provided annually, on or before July 1, following each year in which a business meets the definition of a data broker.
Beginning January 1, 2028, and every 3 years thereafter the Act requires brokers to undergo an independent, third-party audit in order to determine compliance with the CCPA and Delete Act requirements. The resulting report must be disclosed to the CPPA upon the Agency’s written request.Wthether the company has completed the required audit, and when that audit was completed, must also be disclosed on the company's website.
New Registration Requirements
As already mentioned, one of the key provisions of the Delecte Act is the registration requirement with The CPPA, rather than the Attorney General. As such, the required disclosures and fees are now under the authority of the CPPA. The due date for registration and fee payment remains the same: on or before January 31 of each year that the entity meets the definition of a data broker.
Failure to comply with these provisions, including failure to register, entails fines of $200 for each deletion request for each day the data broker fails to delete information as required, as well as reasonable expenses incurred by the Agency in administering and investigating the action. For every day that a broker fails to register, it will also entail a fee of $200, as established under the CCPA.
Registration fees, and any money incurred by the fines associated with failure to register and failure to delete consumer information, will be deposited into the Data Brokers’ Registry Fund, which the bill would require to be administered by the agency, instead of the Consumer Privacy Fund. The funds are assigned for use in costs incurred by the Agency and state courts in enforcing these actions, particularly for the Agency’s use in developing and deploying the comprehensive deletion mechanism.
Registration requirements with the CCPA are to continue on the same schedule as they were with the Attorney General, meaning the next deadline is January 2024.
-
Conclusion and recommendations
The Delete Act adds to the already landmark requirements for data protection and privacy established in California Law. Companies that qualify under the state’s definition of a data broker are subject to heightened standards of deletion, disclosure, and registration. Though we can expect further details to be clarified through regulations, likely from the CPPA, companies must be aware of their upcoming provision in order to remain in compliance.