California Delete Act

California governor Gavin Newsom signed the Delete Act (California Senate Bill No. 362) into law, which builds upon the existing California Data Broker Registration statute.

The law empowers consumers with broad data rights, including the right to request the deletion of their personal data.

In particular, it allows state residents to request that companies deemed to be data brokers that maintain their personal information delete such personal information with a single click of a button.

This guide provides more details about the Delete Act and its requirements.

What is the California Delete Act?

The California Delete Act, also called SB-362, is a privacy law that gives consumers the right to make a one-time request to have all data brokers delete their personal information.

Enacted into law on October 10, 2023, this act:

  1. Addresses the loopholes of data deletion, especially in cases where personal information is collected.
  2. Allows consumers to have a one-stop shop to request their data to be deleted everywhere by every data broker in the state.
  3. Strengthens California consumers' privacy protections for data brokers operating in the State of California.

The California legislature passed the bill in September 2023. With the governor's signature, oversight of data brokers transfers to the California Privacy Protection Agency (CPPA).

According to the law, the CPPA is expected to develop a public deletion mechanism for consumers to delete their personal information by January 1, 2026.

To Whom Does the California Delete Act Apply?

This new law applies to all data brokers. It defines a data broker as a business that has no direct relationship with the consumer but intentionally collects and sells their personal information to third parties.

To break it down, this law only affects businesses buying and selling personal data to third parties and not businesses with a direct relationship with the consumers.

As with other privacy laws, the California Delete Act includes exemptions for certain business entities regulated under HIPAA or another applicable health law referenced under the CCPA.

This includes businesses covered by the following federal laws:

  • Gramm-Leach-Bliley Act
  • Privacy Protection Act
  • Insurance Information Act
  • Fair Credit Reporting Act

The Delete Act also defines key terms such as "sale," "consumer," "business," and "personal information." Understanding these definitions is essential to grasping the full scope of the law.

Let's look at each of these definitions in detail.

Sale

The Delete Act defines "sale" as any action (selling, releasing, renting, and so on) that involves sharing a consumer's personal data with a third party for money or other valuable consideration.

The Delete Act also provides some exceptions to what constitutes a sale. Thus, a sale does not occur when:

  1. A consumer intentionally directs you to disclose their personal information
  2. You share a consumer's personal data with a service provider as necessary to carry out a business purpose
  3. You share the personal information of consumers who have opted out of the sale of personal information

Here's what "sale" is defined as under the California Delete Act:

California Delete Act: Sell definition

Consumer

According to Title 18 of the California Code of Regulations, Section 17014, a consumer is a natural person who resides in California.

"Natural person" means that other legal entities, such as corporations, do not enjoy data privacy rights under the CCPA.

The California Code of Regulations treats any person in the state as a resident, except those present only for a temporary or transitory purpose (passing through or on a trip).

Likewise, a California resident who is temporarily outside the state is still considered a resident, and therefore a consumer under the CCPA.

Here's how the act defines a resident:

California Delete Act: Resident definition

Business

Businesses are the key subjects of the California Delete Act. The law regulates how they handle the personal information of California residents (consumers).

Under the California Delete Act, a business is a for-profit entity that collects personal information and does business in California, even without a physical presence in the state.

A business must also meet at least one of the CCPA's three thresholds, which include:

  1. Exceeding an annual gross revenue of $25 million
  2. Buying, sharing, or selling personal data of over 100,000 consumers annually
  3. Deriving more than half of its yearly revenue from sharing or selling consumers' personal data

Personal Information

The California Delete Act maintains a broad definition of "personal information," referring to it as any information that can identify, relate to, describe, or be reasonably linked to a particular consumer.

Examples of personal information include:

  • Social Security numbers
  • Names
  • Geolocation data
  • Email and IP addresses
  • Internet browsing histories
  • Records of products purchased
  • Fingerprints

Personal information does not, however, include data that is publicly available, that is, information from state, federal, or other government records, such as public property and real estate records and professional licenses.

How Does the California Delete Act Affect Consumers?

The Delete Act creates new consumer privacy rights specifically for data collected and traded by "data brokers."

Here is a complete breakdown of what these consumer rights entail:

  1. The right to know: Consumers can request that data brokers disclose the sources and categories of personal data they have collected, why the business collects and sells it, and the third parties to whom it has been sold.
  2. The right to notice: Any data broker has to provide a conspicuous and clear notice on their websites outlining consumers' rights under the Delete Act and how to exercise them.
  3. Opting out of data sale: Any consumer can opt out of the sale of their personal data by data brokers. Data brokers have to honor the consumer's opt-out request within 15 days.
  4. Right to delete: A consumer can request that any data broker erase their personal data unless the data broker has a valid business purpose or a legal obligation to retain it.

How Does the California Delete Act Affect Businesses?

The Delete Act requires that all businesses that meet the criteria of a "data broker" conform to the new deletion and transparency obligations.

Some of these requirements for businesses include:

  • Register with the CPPA
  • Monitor deletion practices continuously
  • Delete consumer data upon request unless they have a valid business purpose or a legal obligation to retain it
  • Process deletion requests on time
  • Undergo third-party audits every three years to verify compliance with the law
  • Publish key information and metrics (through a Privacy Policy)
  • Treat unverifiable deletion requests as opt-outs of sale or sharing under the CCPA (CPRA)
  • Pay an annual registration fee to the CPPA
  • Disclose whether they are regulated by specific laws exempting them from CCPA obligations

How to Comply With the California Delete Act

The California Delete Act amends the existing data broker law and adds new requirements that take effect between January 2024 and January 2028.

Looking ahead, businesses that qualify as data brokers are expected to adhere to several steps and requirements. Here's all you will have to do.

Annually Register With the CPPA

All data brokers have to register with the CPPA or renew their registration with the CPPA on or before January 31.

This requirement applies only to businesses that qualified as "data brokers" under the Delete Act in the previous year. Registering enters the business into the California Data Broker Registry.

To register under the Delete Act, data brokers must follow these steps as per the new requirements:

  • Pay the CPPA a registration fee. The fee may not exceed the reasonable costs of establishing and maintaining the informational website.
  • Provide detailed information on whether you collect:
    • Consumers' reproductive health data
    • Consumers' precise geolocation
    • Personal information of minors
  • Provide your contact details and web presence, including:
    • Your name
    • Internet website address
    • Email address
    • Physical address
  • Provide metrics regarding the handling of CCPA requests, including:
    • Number of requests received
    • Compliance rates
    • Denial reasons
    • Response times
  • From 2029, disclose whether a third party has audited you and, if so, provide any related materials to the CPPA on request.
  • Beginning January 1, 2029, provide a link to a page on your website explaining how consumers can exercise their CCPA rights.
  • Disclose whether you or your subsidiaries are subject to specific laws that exempt you from CCPA obligations.

Update Your Privacy Policy

If subject to the California Delete Act, you must create and publish a Privacy Policy or update your current one.

Starting July 1, 2024, the law requires full disclosure of metrics regarding the handling of consumer requests.

You are required to compile and publish these metrics within your website's Privacy Policy:

  1. The number of CCPA requests you received in the last calendar year
  2. How you responded to those requests, whether by complying or denying, and the legal basis for any denial
  3. The total number of days you took to respond substantively to deletion requests

Here's how the Delete Act explains this:

California Delete Act: List of requirements

Honor Deletion Requests

Under the Delete Act, the CPPA has to set up a system by January 1, 2026 through which consumers can request the deletion of their personal data from all data brokers registered in California.

As such, you must process deletion requests made through this one-stop mechanism and honor them promptly, starting August 1, 2026. You have 45 days to verify and process each request.

After that, you and any associated service providers or contractors must refrain from retaining, sharing, or selling any new personal data received about that consumer.

If a deletion request is unverifiable, however, you must treat it as the consumer opting out of sale or sharing under the CCPA/CPRA.

This right, known as the "Do Not Sell or Share My Personal Information" right, requires you to:

  1. Ensure your link reads "Do Not Sell or Share My Personal Information"
  2. Make a webpage on your site that explains how consumers can stop the sale or sharing of their personal data
  3. Provide a prominent link to that page on your website's homepage and your Privacy Policy

Undergo Periodic, Independent Third-Party Audits

Data brokers must undertake audits by independent third parties every three years starting January 1, 2028.

Audit reports must be submitted to the CPPA within five business days of a written request, and you must retain the audit materials for at least six years.

That is not all. From January 1, 2029, you must also disclose the most recent year in which you underwent such an audit.

Here's an example of how the Delete Act outlines these terms:

California Delete Act: Requirements excerpt

How is the California Delete Act Enforced?

The CPPA is responsible for enforcing the California Delete Act. It has the following obligations when it comes to this law:

  • Investigate potential violations of the law
  • Impose penalties for violations
  • Ensure compliance with the Delete Act's requirements
  • Oversee data brokers' compliance
  • Manage the Data Brokers' Registry Fund

What are the Penalties for Non-Compliance With the California Delete Act?

As with other privacy laws, you may face serious penalties if you do not comply with the California Delete Act.

The CPPA may impose civil penalties of $200 per day for unregistered data brokers and $200 per day for each unfulfilled deletion request.

In addition to financial penalties, you may also be responsible for administrative costs incurred by the CPPA during enforcement actions and investigations.

California Delete Act Summary

The California Delete Act is a new privacy law that gives consumers more control over their personal data and enacts new obligations on data brokers.

In particular, the law allows consumers to make a single request for the deletion of their personal data from all data brokers in California.

If your organization is, or could be considered, a data broker, the law requires you to:

  • Register with the CPPA and renew your registration annually
  • Provide more transparency about your data collection and sale practices
  • Comply with registration requirements
  • Honor deletion requests promptly
  • Publish relevant metrics
  • Undergo third-party audits
  • Update your Privacy Policy

The California Delete Act is enforced by the CPPA, which can impose fines and injunctions on data brokers who violate the law.