California Delete Act

California governor Gavin Newsom signed the Delete Act (California Senate Bill No. 362) into law, which builds upon the existing California Data Broker Registration statute.

The law empowers consumers with broad data rights, including the right to request the deletion of their personal data.

In particular, it allows state residents to request that companies deemed to be data brokers that maintain their personal information delete such personal information with a single click of a button.

This guide provides more details about the Delete Act and its requirements.

What is the California Delete Act?

The California Delete Act, also called SB-362, is a privacy law that gives consumers the right to make a one-time request to have all data brokers delete their personal information.

Enacted into law on October 10, 2023, this act:

Addresses the loopholes of data deletion, especially in cases where personal information is collected.
Allows consumers to have a one-stop shop to request their data to be deleted everywhere by every data broker in the state.
Strengthens California consumers' privacy protections for data brokers operating in the State of California.

Primarily, the bill was passed in September 2023 by the California legislature. After being signed by the governor, it transfers the oversight of any data broker to the California Privacy Protection Agency (CPPA).

According to the law, the CPPA is expected to develop a public deletion mechanism for consumers to delete their personal information by January 1, 2026.

To Whom Does the California Delete Act Apply?

This new law will apply to all data brokers. It defines a data broker as a business with no direct relationship with the consumer but intentionally collects and sells their personal information to third parties.

To break it down, this law only affects businesses buying and selling personal data to third parties and not businesses with a direct relationship with the consumers.

Common with other laws, the California Delete Act includes exemptions for certain business entities regulated under HIPAA or another applicable health law referenced under the CCPA.

This includes businesses covered by the following federal laws:

Gramm-Leach Bliley Act
Privacy Protection Act
Insurance Information Act
Fair Credit Reporting Act

Practically, the Delete Act defines key terms such as "sale," "consumer," "business," and "personal information." It's important to understand the definitions of key terms to grasp the scope of the law fully.

How about we look at these definitions in detail?

Sale

The Delete Act defines "sale" as any action (whether selling, releasing, renting, etc.) that involves sharing a consumer's personal data with a third party for money or other valued considerations.

The Delete Act also provides some exceptions to what constitutes a sale. Thus, a sale does not occur when:

A consumer intentionally directs you to disclose personal information
You share consumer's personal data with a service provider that is necessary to undertake business purposes
You share the personal information of consumers who opt out of the sale of personal information

Here's what "sale" is defined as under the California Delete Act:

California Delete Act: Sell definition

Consumer

According to Title 18 of the California Code of Regulations, Section 17014, a consumer is a natural person who resides in California.

Natural person implies that other legal entities like corporations do not enjoy data privacy rights under the CCPA.

The California Code of Regulations includes any person in the state as a resident, apart from temporary or transitory activities (passing through or on a trip).

Also, any California resident traveling temporarily outside the state is still considered a resident, thereby a consumer under the CCPA.

Here's how the act defines a resident:

California Delete Act: Resident definition

Business

Businesses are the key subjects of the California Delete Act. The law functions to regulate how they treat California residents' (consumers) personal information.

In light of the California Delete Act, a business is a profit corporation that collects personal information and does business in California, even without a physical presence in the state.

A business must also meet at least one of the CCPA's three thresholds, which include:

Exceeding an annual gross revenue of $25 million
Buying, sharing, or selling personal data of over 100,000 consumers annually
Deriving more than half of its yearly revenue from sharing or selling consumers' personal data

Personal Information

The California Delete Act maintains a broad definition of "personal information," referring to it as any information that can identify, relate to, describe, or be reasonably linked to a particular consumer.

Examples of personal information include:

Social security numbers
Names
Geolocation data
Email and IP address
Internet browsing histories
Records of products purchased
Fingerprints

The information, however, does not include data that is publicly available. That is, from state, federal, or government records, like public records of property or real estate and professional licenses.

How Does the California Delete Act Affect Consumers?

The Delete Act creates new consumer privacy rights specifically for data collected and traded by "data brokers."

Here is a complete breakdown of what these consumer rights entail:

The right to know: Consumers can request data brokers to disclose the sources and categories of personal data they have collected, why the business collects and sells it, and who are the third parties they have sold it to.
The right to notice: Any data broker has to provide a conspicuous and clear notice on their websites outlining consumers' rights under the Delete Act and how to exercise them.
Opting out of data sale: Any consumer can opt out of the sale of their personal data by data brokers. Data brokers have to honor the consumer's opt-out request within 15 days.
Right to delete: A consumer can request that any data broker erase their personal data unless the data broker has a valid business purpose or a legal obligation to retain it.

How Does the California Delete Act Affect Businesses?

The Delete Act requires that all businesses that meet the criteria of a "data broker" conform to the new deletion and transparency obligations.

Some of these requirements for businesses include:

Register with the CPPA
Monitoring deletion practices continuously
Delete consumer data upon request unless they have a valid business purpose or a legal obligation to retain it
Processing deletion requests on time
Go through third-party audits every three years to verify compliance with the law
Publish key information and metrics (through a Privacy Policy)
Treat unverifiable deletion requests as opt-outs of sale or sharing under the CCPA (CPRA)
Pay an annual registration fee to the CPPA
Disclose whether they are regulated by specific laws exempting CCPA obligations

How to Comply With the California Delete Act

The California Delete Act makes amends to the already existing data broker law and includes new requirements that are supposed to take effect between January 2024 and January 2028.

Looking ahead, businesses that qualify as data brokers are expected to adhere to several steps and requirements. Here's all you will have to do.

Annually Register With the CPPA

All data brokers have to register with the CPPA or renew their registration with the CPPA on or before January 31.

But this is only possible for businesses that qualified as "data brokers" in the previous year as per the Delete Act. Registering inducts the business into the California Data Broker Registry.

To register under the Delete Act, data brokers must follow these steps as per the new requirements:

Pay the CCPA a registration fee. The fees should not go beyond the reasonable expenses of starting and sustaining an informational online website.
Provide detailed information on whether you collect:
- Consumers' reproductive health data
- Consumers' precise geolocation
- Personal information of minors
Provide your contact details and web presence, such as:
- Your name
- Internet website address
- Email address
- Physical address
Provide metrics regarding the handling of CCPA requests, including the number of:
- Requests received
- Compliance rates
- Denial reasons
- Response times
From 2029, you'll be required to disclose if a third party has audited you, and if yes, you have to present any related materials to the CCPA.
Beginning January 1, 2029, you'll be required to provide a link to your website or webpage explaining how the consumers can exercise their CCPA rights.
Disclose whether you or your subsidiaries are subject to specific laws that exempt you from CCPA obligations.

Update Your Privacy Policy

If subject to the California Delete Act, you must create and publish a Privacy Policy or update your current one.

Starting July 1, 2024, the law requires full disclosure of metrics regarding the handling of consumer requests.

You are required to compile and publish these metrics within your website's Privacy Policy:

The number of CCPA requests you've received in the last calendar year
How you respond to those requests, either by complying or denying, and the legal basis for denial
The total number of days you took to respond to a deletion request substantively

Here's how the Delete Act explains this:

California Delete Act: List of requirements

Honor Deletion Requests

Under the Delete Act, the CCPA has to set up a system for consumers to request the deletion of their personal data from all data brokers registered in California by January 1, 2026.

As such, you must establish a one-stop deletion mechanism and promptly honor deletion requests made through this mechanism starting August 1, 2026. You only have a 45-day deadline to verify and process any request.

During this time, you or associated service providers or contractors must refrain from retaining, sharing, or selling any new personal data received about any consumer in the future.

However, if a deletion request is unverifiable, you must treat it as a consumer opting out of sale or sharing according to the CCPA/CPRA.

This right, also known as Do Not Sell or Share My Personal Information right, requires you to:

Ensure your link reads "Do Not Sell or Share My Personal Information"
Make a webpage on your site that explains how consumers can stop the sale or sharing of their personal data
Provide a prominent link to that page on your website's homepage and your Privacy Policy

Undergo Periodic, Independent Third-Party Audits

Data brokers must undertake audits by independent third parties every three years starting January 1, 2028.

Such audit reports must be submitted to the CPPA within five business days upon a written request, and you must retain the materials for at least six years.

That is not all. From January 1, 2029, you must disclose that the last year you underwent an audit by the CCPA.

Here's an example of how the Delete Act outlines these terms:

California Delete Act: Requirements excerpt

How is the California Delete Act Enforced?

The CPPA is responsible for enforcing the California Delete Act. It has the following obligations when it comes to this law:

Investigate potential violations of the law
Impose penalties on violations
Ensure compliance with the Delete Act's requirements
Overseeing data brokers' compliance
Manage the Data Broker's Registry Fund

What are the Penalties for Non-Compliance With the California Delete Act?

Like other federal laws, you may face serious penalties if you do not comply with the California Delete Act.

The CPPA may impose civil penalties of $200 per day for unregistered data brokers and $200 per day for each unfulfilled deletion request.

In addition to financial penalties, you may also be responsible for administrative costs incurred by the CPPA during enforcement actions and investigations.