California’s Delete Act Creates Universal Deletion Requirement Aimed at Data Brokers  

October 18, 2023

On October 10, Governor Gavin Newsom signed into law California’s most recent foray into the world of consumer data privacy: the Delete Act. Targeting so-called data brokers, the Act expands on regulations already in place and shifts enforcement from the Secretary of State to the California Privacy Protection Agency (CPPA). While the law does not substantively expand the digital privacy rights already enjoyed by Californians, it does make them easier to exercise.

Perhaps most notably, the Act requires the CPPA to create a “one-stop-shop” website where consumers will be able to submit a single request to have their information deleted by every data broker in the state. Proponents of the Act hope to create something like a “do not track” list akin to the “do not call list” against which telemarketers must scrub their files. Submitting a request will add the consumer to a list accessible to registered data brokers, who must periodically delete the data of every consumer who has opted out – or face steep fines.

Applicability

The Delete Act uses the same criteria as the California Consumer Privacy Act (CCPA) when determining who needs to register as a data broker. It applies only to entities that “knowingly collect[] and sell[] to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Additionally, a business must already be subject to the CCPA by doing business in the state and either:

  1. having an annual gross revenue of over $25 million in the last year,
  2. buying, selling, or sharing the personal information of 100,000 or more consumers, or
  3. earning over 50% of its annual revenue from selling or sharing personal information.

Compliance

As under the CCPA, data brokers must register on or before January 31 of each year. The Delete Act, however, greatly expands the information required for registration, including disclosing whether a business collects precise geolocation data or the personal information of minors.

Beginning on August 1, 2026, any data broker registered with the state must check the centralized deletion request list every 45 days. If a consumer has opted out, data brokers must delete any information they have about that individual every 45 days, at a minimum.

Beginning January 1, 2028, data brokers must obtain an independent audit of their practices at least once every three years and submit a report to the CPPA upon request.

Penalties

The Delete Act imposes penalties on data brokers for failing to register with the CPPA and failing to comply with a consumer’s deletion request.

If a data broker fails to register, it may be subject to a fine of $200 per day plus the applicable registration fees for the time during which it failed to register.

If a data broker fails to honor consumer deletion requests, the CPPA may levy fines of $200 per request per day. This could result in steep penalties, especially if the universal opt-out tool enjoys widespread adoption by consumers.

Open Questions

The Delete Act has also created or left open some areas of uncertainty. The law does not define what constitutes a “direct relationship” with a consumer, thus leaving open the question of who exactly qualifies as a data broker. Industry experts have noted that some entities in the grey area have, under the CCPA (which uses the same language), chosen not to register. While this may have been tenable given the penalties under the CCPA, many companies may wish to reconsider, given the potentially massive fines under the Delete Act.

The Act has also created questions related to enforcement, which is left solely to the CPPA. That agency will have access to registration statements and, eventually, audits. But with over 500 data brokers already registered with the state, and more now having increased incentives to register, enforcement may prove difficult. The CPPA will need to contend not only with a growing number of registered data brokers but also with ambiguous statutory language.

What is clear, however, is that the ecosystem of data privacy legislation continues to evolve. California may yet again be charting the path for how other states approach the issue. California was first in the nation to pass both a data breach notice law and a comprehensive consumer data privacy law. Many experts believe that others will follow the state’s lead on regulating data brokers, which could, in turn, generate increased interest in the subject at the federal level.

Authors

Andrew Baer

Chair, Technology, Privacy & Data Security

abaer@cozen.com

(215) 665-2185

Daniel Kilburn

Associate

DKilburn@cozen.com

(215) 665-4726

This client alert was co-authored by law clerk Daniel Kilburn.