On September 15, 2023, the California Legislature passed Senate Bill 362, known as the Delete Act, which amends the California data broker law. The bill now awaits a signature from the governor. If signed, certain aspects of the law will go into effect as soon as January 31, 2024.
The Delete Act requires the California Privacy Protection Agency (“CPPA”) to establish a secure “accessible deletion mechanism” that allows consumers to make a single deletion request for all data brokers. It creates significant new impacts and obligations for businesses that meet the definition of a data broker (any business as defined by the CCPA that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship).
Those impacted companies face obligations to (1) provide additional information as part of mandatory registration, (2) monitor and accept deletion requests from the new accessible deletion mechanism and continue to honor those request even for newly acquired personal information, (3) pass deletion requests to service providers and contractors, (4) treat non-verifiable deletion requests as requests to opt-out of the sale and sharing of personal information, (5) undergo independent audits every three years, and (6) report metrics on data subject requests. Data brokers also face new fees to access the accessible deletion mechanism, as well as the potential of increased fines and penalties for noncompliance.
Impacts for Data Brokers
Additional registration disclosures.
Under the current data broker registration requirements, a data broker only needs to provide its physical, web, and email addresses, and any other information or explanation the data broker chooses to provide about its data collection practices. Under the Delete Act, as soon as January 31, 2024, a data broker must now include in its registration more detailed information which, as with the current law, must be updated annually.
Additional detail to be provided includes:
· whether the data broker collects data of minors, precise geolocation data, or reproductive health care data,
· metrics related to data subject requests (described below),
· beginning in 2029, whether the data broker has undergone an independent audit (described below) and the most recent year the audit was submitted to the CPPA,
· a link to a website that includes details on how a consumer can exercise their rights under the CCPA, and
· whether and the extent to which the data broker and its subsidiaries are governed by the Confidentiality of Medical Information Act (“CMIA”), the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach Bliley Act (“GLBA”), the Health Insurance Portability and Accountability Act (“HIPAA”), and the Insurance Information and Privacy Protection Act (“IIPPA”).
Notably, the definition of a data broker specifically excludes entities that are covered by the CMIA, FCRA, GLBA, HIPAA, and IIPPA. Thus, it stands to reason that the requirements, including the requirement to disclose whether the data broker is covered by these laws will only apply to entities that are not fully governed by them.
Obligation to persist a deletion request.
Starting August 1, 2026, a data broker must access the deletion mechanism at least once every 45 days. Unless an exception for deletion applies, it must honor deletion requests within 45 days and continue to delete a consumer’s personal information every 45 days after that. This essentially results in a requirement to maintain a recurring process to check for new information about the consumer that the data broker may later obtain and apply the deletion request to such data. The data broker is also prohibited from selling or sharing any personal information about the consumer who submitted a delete request, which must also be applied unless and until the consumer provides subsequent consent.
The Delete Act states that the recurring deletion requirement applies only to requests submitted pursuant to “this section,” so deletion requests that come to the data broker outside of the CPPA’s accessible deletion mechanism are presumably not subject to this recurring check. For some data brokers, this may be practically infeasible to differentiate, and the result may be that all deletion requests will be persisted.
Additionally, data brokers will need to think carefully about their deletion process. As mentioned above, data brokers are required to honor a delete request “within 45 days of receiving the request.” However, it’s not clear if that means 45 days from the date the request is accessed by the data broker or the date the request was submitted through the accessible deletion mechanism.
To meet the timeline under this ambiguity, data brokers may need to access the deletion mechanism more frequently or ensure they can honor the requests simultaneously with receiving it from the mechanism. If a data broker cannot honor the requests immediately, it will need to use a flag or other mechanism to ensure the personal information is not sold after the deletion request is received, but before deletion is performed.
Obligation to treat a non-verifiable request as an opt-out.
If a request cannot be verified, the request should be treated as an opt-out of the sale or sharing of personal information. For some data brokers, this requirement may have the same operational impact as a verified delete request if their only purpose for having the personal information is to sell or share it.
Obligation to pass on the deletion request.
Data brokers will also be required to pass deletion requests on to their service providers or contractors and, where the request cannot be verified, pass on the opt-out request. Data brokers should consider (1) whether their service providers fall under an exception to the obligation to act on the request, and (2) reviewing their agreements with service providers and contractors, and if not already substantively covered, updating the agreement to require ingestion and compliance with these requests.
Independent audit.
Starting January 1, 2028, data brokers will be required to undergo an audit every three years to determine their compliance with the Delete Act. Beyond assessing general compliance with the law, there is no specific indication of what the audit report must contain, but it must be provided to the CPPA within 5 days of request. The audit report must also be maintained for six years. Importantly, given the obligation to report when the audit was performed, the short timeline for providing the report, and the possibility that the CPPA could request both audits that would have been required during a six-year period, a data broker’s failure to conduct timely audits will be easily discoverable.
Metrics reporting.
The CCPA requires businesses to report metrics on data subject requests if they process the personal information of 10,000,000 or more consumers per year. Under the Delete Act, data brokers will be required to publish the same categories of metrics outlined in § 7102 of the CCPA regulations regardless of how many consumers’ personal information they process.
Notably, this includes metrics from all data subject requests, not just requests related to the accessible deletion mechanism. Given that the accessible deletion mechanism must allow a data broker to know whether the request was verifiable (as described below), this raises a question as to how the data broker should report deletion requests denied on the grounds that the request was not verifiable. This likely will not become clear until the accessible deletion mechanism has been released.
Costs for accessing the accessible deletion mechanism.
The CPPA may establish a reasonable cost for data brokers to access the accessible deletion mechanism, not to exceed the cost of providing that access. Data brokers would pay this access cost in addition to the existing data broker registration fee.
The Accessible Deletion Mechanism
The CPPA has no small task ahead of it in establishing the accessible deletion mechanism. The requirements are comprehensive and, in various Senate and Assembly Floor analyses, the CPPA estimated costs of around $1.74 million through 2027 and $600,000 each year after that to maintain the mechanism. Funds for these costs would come from data broker fees. Most significantly, the mechanism must:
· Enable consumers to request deletion from all data brokers in a single request, and allow the consumer to choose which data brokers to exclude, if any.
· Allow the consumer to alter a previous request.
· Allow data brokers to determine whether a request was verifiable.
· Allow the consumer to make a request in “any language” spoken by the consumer.
· Be accessible and usable by people with disabilities.
· Support the ability for authorized agents to make a request.
· Allow the consumer to verify the status of their request.
Increased Penalties and Fines
The Delete Act increases the fines from $100 to $200 per day for each day that the data broker should have been registered but was not, plus the initial cost of registration at the time it was required to register. A court may also award reasonable costs incurred by the CPPA in its investigation. Additionally, if the data broker does not comply with deletion requests, it can also be fined $200 per day.
Assuming the Delete Act is signed by the governor, businesses that meet the definition of a data broker and are thus subject to the requirements of the Delete Act should ensure they have tracking in place to meet the metric reporting obligations before January 31, 2024. Additionally, while there is time before data brokers must start ingesting deletion requests from the accessible deletion mechanism, they should keep the development of the mechanism on their radar and start planning what changes to their systems and processes are needed to comply.
Taylor Widawski is a Senior Associate at Hintze Law with rich experience as in-house and outside counsel providing strategic advice on privacy programs as well as privacy product counseling across a variety of industries and topics.
Hintze Law PLLC is a Chambers-ranked privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support global technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.