In September, the California Senate approved the California Delete Act (SB 362). Once the state’s governor signs the Delete Act into law, Californians will be able to delete their personal data more easily – and data brokers will have several strict new legal obligations.
“Data brokers spend their days and nights building dossiers with millions of people’s reproductive healthcare, geolocation, and purchasing data so they can sell it to the highest bidder,” California Senator Josh Becker said in March, with the Act hit the Senate floor.
“The Delete Act is based on a very simple premise: Every Californian should be able to control who has access to their personal information and what they can do with it.”
This article considers what the Delete Act changes compared to California’s existing data broker legislation.
The ‘Loophole’ closed by the Delete Act
California lawmakers claim that the Delete Act closes a “loophole” under existing California law.
The state’s landmark privacy law, the California Consumer Privacy Act (CCPA), enables a consumer to delete information that a business has collected from that consumer directly (under certain conditions).
But the CCPA’s “right to delete” doesn’t cover information collected about that consumer that a business has collected from other sources.
This supposed loophole means consumers can struggle to delete information bought or otherwise obtained by data brokers—which normally do not have a direct relationship with consumers.
Existing California data broker law
Data brokers in California are already regulated by the California Data Broker Registration law (Cal Civ Code § 1798.99.80).
Under this law, data brokers must register with the Data Brokers’ Registry Fund before 31 January each year. The fee is currently $400.
The Data Broker Registration law requires data brokers to provide the following information when registering:
- Primary physical address
- Primary email address
- Website addresses
- Any additional information or explanation the data broker chooses to provide concerning its practices
Under this older law, the California Attorney General (AG) can impose a civil penalty of up to $100 per day against data brokers failing to register.
What exactly is a data broker?
The Delete Act makes a minor amendment to the old law’s “data broker” definition.
The main definition stays the same:
“Data broker” means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.
Terms like “business”, “personal information”, and “sell” take their definitions from the CCPA.
Most of the exemptions from the “data broker” definition also remain from the old law. Data brokers do not include certain entities, to the extent that they are covered by the following laws:
- The federal Fair Credit Reporting Act
- The Gramm-Leach-Bliley Act
- The Insurance Information and Privacy Protection Act
But the Delete Act introduces a new exemption:
An entity, or a business associate of a covered entity, to the extent their processing of personal information is exempt under Section 1798.146. For purposes of this paragraph, “business associate” and “covered entity” have the same meanings as defined in Section 1798.146.
This new provision cross-references the CCPA’s exemptions. It exempts information processed under certain medical research laws, plus personal information that has been de-identified according to the CCPA’s requirements.
The Delete Act’s new rules
The Delete Act has three main impacts:
- Enhanced registration and reporting requirements for data brokers.
- The creation of a centralized portal where consumers may delete personal information held by any covered data brokers via a single request.
- Increased fines and new oversight by the California Privacy Protection Agency (CPPA).
New reporting requirements
Once the Delete Act takes effect, data brokers will need to provide more comprehensive information about their practices as part of the registration process.
- The name of the data broker and its primary physical, email, and internet website addresses.
- Certain metrics relating to the data broker’s response to consumer rights requests (which data brokers must now compile on an annual basis)
- Whether the data broker collects the personal information of minors.
- Whether the data broker collects consumers’ precise geolocation.
- Whether the data broker collects consumers’ reproductive health care data.
- Beginning 1 January 1 2029, whether the data broker has undergone an audit (from 2028, each data broker must submit to independent audits once every three years).
- A link to a page on the data broker’s website that:
- Details how consumers may:
- Delete personal information
- Correct inaccurate personal information
- Learn what personal information is being collected and how to access that personal information
- Learn what personal information is being sold or shared and to whom
- Learn how to opt out of the sale or sharing of personal information
- Learn how to limit the use and disclosure of sensitive personal information
- Does not make use of any “dark patterns”.
- Whether and to what extent the data broker or any of its subsidiaries is regulated by any of the laws referenced in the Delete Act’s exemptions (explained above).
- Any additional information or explanation the data broker chooses to provide concerning its data collection practices.
New deletion process
By 1 January 2026, the CPPA must create an online portal enabling consumers to submit requests to data brokers to delete their personal information. From 1 August that year, data brokers must access the portal every 45 days and fulfil any deletion requests relevant to them.
Once a consumer has submitted their request via the deletion portal, data brokers must continue to delete any information they obtain about that consumer every 45 days, forever.
The CCPA’s exceptions to the “right to delete” still apply to data brokers under the Delete Act, but if relying on an exception, the data broker must treat the consumer’s request as an opt-out of the sale or sharing of their personal information instead.
New enforcement process
The Delete Act brings tougher enforcement rules on data brokers that fail to register properly or that fail to fulfil valid consumer rights requests.
Fines are doubled, from $100 per day under the old law to $200 per day under the Delete Act.
The CPPA has general oversight over the Delete Act and will manage the data broker registry. The CPPA will be empowered to bring enforcement under the Act, as well as the California AG.