California governor Gavin Newsom signed the Delete Act (California Senate Bill No. 362) into law, which builds upon the existing California Data Broker Registration statute.
The law empowers consumers with broad data rights, including the right to request the deletion of their personal data.
In particular, it allows state residents to request that companies deemed to be data brokers that maintain their personal information delete such personal information with a single click of a button.
This guide provides more details about the Delete Act and its requirements.
The California Delete Act, also called SB-362, is a privacy law that gives consumers the right to make a one-time request to have all data brokers delete their personal information.
Enacted into law on October 10, 2023, this act:
The California legislature passed the bill in September 2023. Now that the governor has signed it, it transfers oversight of data brokers to the California Privacy Protection Agency (CPPA).
According to the law, the CPPA is expected to develop a public deletion mechanism for consumers to delete their personal information by January 1, 2026.
This new law will apply to all data brokers. It defines a data broker as a business that has no direct relationship with the consumer but intentionally collects and sells their personal information to third parties.
To break it down, this law only affects businesses buying and selling personal data to third parties and not businesses with a direct relationship with the consumers.
As with other laws, the California Delete Act includes exemptions for certain business entities regulated under HIPAA or another applicable health law referenced under the CCPA.
This includes businesses covered by the following federal laws:
Practically, the Delete Act defines key terms such as "sale," "consumer," "business," and "personal information." It's important to understand the definitions of key terms to grasp the scope of the law fully.
How about we look at these definitions in detail?
The Delete Act defines "sale" as any action (whether selling, releasing, renting, etc.) that involves sharing a consumer's personal data with a third party for money or other valued considerations.
The Delete Act also provides some exceptions to what constitutes a sale. Thus, a sale does not occur when:
Here's what "sale" is defined as under the California Delete Act:
According to Title 18 of the California Code of Regulations, Section 17014, a consumer is a natural person who resides in California.
The term "natural person" implies that other legal entities, like corporations, do not enjoy data privacy rights under the CCPA.
The California Code of Regulations treats any person in the state as a resident, unless they are there for a temporary or transitory purpose (passing through or on a trip).
Also, any California resident traveling temporarily outside the state is still considered a resident, and therefore a consumer under the CCPA.
Here's how the act defines a resident:
Businesses are the key subjects of the California Delete Act. The law functions to regulate how they treat California residents' (consumers) personal information.
Under the California Delete Act, a business is a for-profit corporation that collects personal information and does business in California, even without a physical presence in the state.
A business must also meet at least one of the CCPA's three thresholds, which include:
The California Delete Act maintains a broad definition of "personal information," referring to it as any information that can identify, relate to, describe, or be reasonably linked to a particular consumer.
Examples of personal information include:
The information, however, does not include data that is publicly available, that is, data from state, federal, or government records, such as public records of property or real estate and professional licenses.
The Delete Act creates new consumer privacy rights specifically for data collected and traded by "data brokers."
Here is a complete breakdown of what these consumer rights entail:
The Delete Act requires that all businesses that meet the criteria of a "data broker" conform to the new deletion and transparency obligations.
Some of these requirements for businesses include:
The California Delete Act amends the existing data broker law and adds new requirements that are supposed to take effect between January 2024 and January 2028.
Looking ahead, businesses that qualify as data brokers are expected to adhere to several steps and requirements. Here's all you will have to do.
All data brokers have to register with the CPPA or renew their registration with the CPPA on or before January 31.
But this is only possible for businesses that qualified as "data brokers" in the previous year as per the Delete Act. Registering inducts the business into the California Data Broker Registry.
To register under the Delete Act, data brokers must follow these steps as per the new requirements:
Provide detailed information on whether you collect:
Provide your contact details and web presence, such as:
Provide metrics regarding the handling of CCPA requests, including the number of:
From 2029, you'll be required to disclose whether a third party has audited you, and if so, you have to present any related materials to the CPPA.
Beginning January 1, 2029, you'll be required to provide a link to your website or webpage explaining how consumers can exercise their CCPA rights.
Disclose whether you or your subsidiaries are subject to specific laws that exempt you from CCPA obligations.
If subject to the California Delete Act, you must create and publish a Privacy Policy or update your current one.
Starting July 1, 2024, the law requires full disclosure of metrics regarding the handling of consumer requests.
You are required to compile and publish these metrics within your website's Privacy Policy:
Here's how the Delete Act explains this:
Under the Delete Act, the CPPA has to set up a system for consumers to request the deletion of their personal data from all data brokers registered in California by January 1, 2026.
As such, you must establish a one-stop deletion mechanism and promptly honor deletion requests made through this mechanism starting August 1, 2026. You only have a 45-day deadline to verify and process any request.
During this time, you or associated service providers or contractors must refrain from retaining, sharing, or selling any new personal data received about any consumer in the future.
However, if a deletion request is unverifiable, you must treat it as a consumer opting out of sale or sharing according to the CCPA/CPRA.
This right, also known as the "Do Not Sell or Share My Personal Information" right, requires you to:
Data brokers must undertake audits by independent third parties every three years starting January 1, 2028.
Such audit reports must be submitted to the CPPA within five business days upon a written request, and you must retain the materials for at least six years.
That is not all. From January 1, 2029, you must disclose to the CPPA the last year you underwent an audit.
Here's an example of how the Delete Act outlines these terms:
The CPPA is responsible for enforcing the California Delete Act. It has the following obligations when it comes to this law:
Like other federal laws, you may face serious penalties if you do not comply with the California Delete Act.
The CPPA may impose civil penalties of $200 per day for unregistered data brokers and $200 per day for each unfulfilled deletion request.
In addition to financial penalties, you may also be responsible for administrative costs incurred by the CPPA during enforcement actions and investigations.
The California Delete Act is a new privacy law that gives consumers more control over their personal data and imposes new obligations on data brokers.
The law allows consumers to make a single request for the deletion of their personal data from all data brokers in California.
If your organization is or could be considered a data broker, the law requires you to:
The California Delete Act is enforced by the CPPA, which can impose fines and injunctions on data brokers who violate the law.