Data Privacy Alert: California to Adopt “Delete Act”, Expanding Data Broker Obligations

Recently, the California Legislature passed Senate Bill 362, known as the “Delete Act.” Although it is currently awaiting Governor Newsom’s signature (he has until October 14^th to decide), this legislation is expected to soon become law. The Delete Act aims to streamline the process for consumers to have their personal information deleted by establishing a centralized system similar to the “Do Not Call” registry and would apply exclusively to data brokers.

Under the 2019 law, data brokers are businesses that knowingly collect and sell to third parties the personal information of a consumer with whom they do not have a direct relationship. These entities are already required to annually register with the state, pay a registration fee, and allow consumers to opt out of information sales.

If the Delete Act is signed, data brokers will have to adhere to the following provisions:

1. Registration: Data brokers must annually register with the California Privacy Protection Agency (“CPPA”), the state’s primary privacy enforcement authority (instead the Attorney General under the current law) and pay the registration fee.
2. Registration Details: As part of registration, data brokers must provide specific information, including the types of data collected (e.g., geolocation, reproductive health), data subjects (e.g., minors), and other relevant information.
3. Deletion Requests: By January 1, 2026, the CPPA would create a centralized system for consumers to submit deletion requests online. Beginning on August 1, 2026, all data brokers would be required to delete the requested personal information within 45 days and direct their service providers and vendors to do so. The CPPA would be authorized to charge data brokers a fee to access the deletion mechanism.
4. Consumer Notice: Data brokers must feature a prominently displayed link on their websites, explaining how consumers can exercise their privacy rights. This includes information on data collection and sharing practices, deleting and correcting personal information, opting out of sales, and limiting sensitive data use or disclosure.
5. Annual Reporting: Data brokers must compile an annual report detailing the number of consumer requests received, complied with, or denied (with the reasons why), along with mean and median days it took to respond to the requests.
6. Tri-Annual Audit: Beginning January 1, 2028, and every 3 years thereafter, data brokers would be required to undergo an audit by an independent third party to determine compliance with the Deleta Act and would require the data broker to submit an audit report to the CPPA upon its written request.
7. Penalties: Violations of the Delete Act may result in penalties, including $200 fines for each day a data broker fails to register as such (as opposed to a $100 fine under current law) or does not honor a deletion request. Violators may also be responsible for reasonable expenses incurred by the CPPA in the investigation and administration of the action. The Delete Act would introduce an administrative enforcement procedure, as opposed to the current civil cause of action by the Attorney General. CPPA would be prohibited from commencing an administrative action pursuant to the Delete Act more than 5 years after the date of the violation.

Key Considerations:

1. Compliance: Companies doing business in California (especially, lead generation businesses) should assess whether they meet the criteria of a “data broker”, register if necessary, and refresh their understanding of the applicable laws and regulations in all the states where they operate.
2. Privacy Notices: All companies, not just data brokers, should review their data collection, sharing, and usage practices and update their privacy notices accordingly.
3. Consultation: It is advisable to consult privacy counsel and third-party vendors to establish compliance tools that enable the handling of data subject requests effectively and in accordance with privacy laws. Posting a privacy policy alone does not suffice anymore.
4. Keeping Current: It is vital for companies in the business of data collection and sales, such as those in lead generation, recruitment, people search, and financial data brokerage, to stay up-to-date with the latest privacy laws, especially in California. Stay current by subscribing to our regular and targeted client advisories!

NEED HELP WITH PRIVACY LAW COMPLIANCE?

The CommLaw Group Can Help!

If your company has questions about its data privacy obligations under state and federal laws or would like to reassess its data collection and processing practices in compliance with state regulation, please contact us:

Linda McReynolds – Tel: 703-714-1318 / E-mail: lgm@commlawgroup.com
Diana Bikbaeva – Tel: 703-663-6757 / E-mail: dab@commlawgroup.com