California Delete Act

Data Brokers
Posted: May 06 2024
Thanks to SB 362 the California Delete Act, consumers can delete their information from data brokers

The California Delete Act is a state law that provides California residents with a one-click mechanism to ask registered data brokers to delete their personal information. It also requires data brokers to register with the California Privacy Protection Agency and disclose information about their data collection practices in their annual registration documents and privacy policy.

History

2023 

California Delete Act Signed Into Law 

The California Delete Act, was signed into law on October 10, 2023 as Senate Bill 362 (SB 362).  Privacy Rights Clearinghouse and Californians for Consumer Privacy co-sponsored the bill. Authored by Senator Josh Becker, SB 362 received support from a broad coalition of privacy, civil liberties, consumer protection, economic justice, reproductive healthcare, and LGBTQIA advocacy organizations.  

SB 362 amended Sections 1798.99.80-1798.99.84 of the Civil Code, and added Sections 1798.99.85, 1798.99.86, 1798.99.87, and 1798.99.89. It moved the data broker registry from the California Attorney General’s office to California Privacy Protection Agency,1 expanded the information data brokers are required to disclose,2 and established an accessible deletion mechanism for consumers to request the deletion of their personal information.3  

Why

The California Delete Act was enacted to address shortcomings of the California Consumer Privacy Act (CCPA) regarding data brokers—businesses that buy and sell personal information of consumers with whom they have no direct relationship.4  

In addition to limited scope of the CCPA Right to Delete (limited to information collected directly from a consumer),5 exercising this right with data brokers was practically impossible for consumers.  There were more than 500 registered brokers in 2023, and the CCPA permitted up to 90 days permitted for each response.6  In addition, there was nothing in the CCPA preventing data brokers from re-collecting and selling personal information after a deletion request. 

The lack of consumer control concerned the bill’s proponents and supporters because data broker practices can pose significant risks to privacy and security. The data they collect and sell can be used for a wide range of purposes, from targeted advertising to identity theft, fraud, stalking, and harassment.   

Data brokers collect and store billions of data elements covering nearly every U.S. consumer, usually without their knowledge or consent.7 This information may include (but is not limited to) names, addresses, email addresses, phone numbers, social security numbers, birthdates, income levels, purchase histories, and online browsing activities.8 Advertising data brokers often categorize individuals into hundreds of thousands of segments based on their personal information, including sensitive and potentially exploitative categories such as "depression-prone" or "economically anxious." They may even collect and sell sensitive information such as precise geolocation data, health information, and information about minors.9  

Scope

Who 

The California Delete Act applies to data brokers, defined as businesses that knowingly collect and sell to third parties the personal information of consumers with whom the business does not have a direct relationship.10  

It does not apply to entities to the extent that they are covered by the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Insurance Information and Privacy Protection Act.11 Nor does the definition of data broker apply to entities to the extent that they are exempt under section 1798.146 of the California Consumer Privacy Act (which applies to entities and data covered by the Confidentiality of Medical Information Act and the Health Insurance Portability and Accountability Act).12  

  

What 

The California Delete Act right to request deletion extends to personal information, and incorporates the definition from the California Consumer Privacy Act (CCPA).13 Personal information is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.14   

 The California Delete Act's accessible deletion mechanism covers all of this personal information, allowing consumers to request the ongoing deletion of their data from all or a selection of registered data brokers.15 

Rights

Right to Delete Information From Data Brokers 

The California Delete Act provides consumers (acting on their own or through an authorized agent) with the right to request the deletion of their personal information from data brokers through an accessible deletion mechanism.16  

To facilitate this right, the California Privacy Protection Agency must establish a mechanism that is freely available to consumers, accessible for individuals with disabilities, and designed to protect consumer privacy.17  

 

Highlights include: 

  • Consumers can submit a single verifiable request to delete their personal information from all registered data brokers or selectively exclude specific data brokers.18 
  • Data brokers must access the deletion mechanism at least once every 45 days and process all deletion requests within 45 days of receipt.19 
  • In cases where a data broker denies a consumer request to delete because the request cannot be verified, the data broker must process the request as an opt-out of the sale or sharing of the consumer's personal information, as provided for under the California Consumer Privacy Act.20 
  • After a consumer submits a deletion request and the data broker deletes the consumer's data, the data broker must continue to delete the consumer's personal information at least once every 45 days and is prohibited from selling or sharing new personal information of the consumer, with some exceptions.21 Data brokers must undergo an audit every three years, starting from January 1, 2028, to determine compliance with the deletion requirements.22 

 

Exceptions to the Right to Delete 

A data broker is not required to delete a consumer's personal information if:23 

  • It is reasonably necessary for the data broker to maintain the personal information to fulfill a purpose described in the California Consumer Privacy Act's exceptions to the right to delete, such as completing a transaction, providing a service requested by the consumer, or complying with legal obligations.23 

  • The personal information falls under the California Consumer Privacy Act's exceptions to the definition of personal information, such as deidentified or aggregated consumer information,24 or publicly available information.25

    Deidentified information is data that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that the business has implemented technical safeguards and business processes to prevent reidentification.26

    Publicly available information includes information that is lawfully made available from government records or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media.27 

Personal information that falls under these exceptions can only be used for the purposes described in the exceptions and cannot be used or disclosed for any other purpose, including marketing.28 

 

Right to Know How Data Brokers Respond to CCPA Requests  

Under the California Delete Act, data brokers must disclose the number of California Consumer Privacy Act requests they have received, responded to in whole or in part, and denied during the previous calendar year.35 36Furthermore, data brokers must indicate whether they believe they are already covered by the Fair Credit Reporting Act or the Gramm-Leach-Bliley Act, which may exempt them from some deletion requirements.29 

This enhanced disclosure requirement helps consumers and those who represent consumer interests better understand data broker practices and responsiveness to consumer requests.   

 

Right to Know Whether Data Brokers Collect Specific Sensitive Information 

To increase transparency around data broker practices, the California Delete Act requires data brokers to disclose whether they collect precise geolocation data, minors' information, or reproductive healthcare information.30   

Because consumers may choose to request deletion from some data brokers and not others, 31 increased transparency can help consumers make more informed choices about the entities they permit to collect and sell their personal information. 32 

Enforcement

The California Delete Act shifts control of the data broker registry from the Office of the Attorney General to the California Privacy Protection Agency and empowers the Agency to enforce its provisions.33 Data brokers that fail to register or comply with the deletion requirements are liable for administrative fines and costs in actions brought by the Agency.34  

Fines for non-compliance include: 

  • $200 per day for failure to register as required.35 
  • $200 per deletion request per day for failure to delete information as required.36 
  • Reasonable expenses incurred by the Agency in the investigation and administration of the action.37 

All penalties, fines, fees, and expenses recovered are deposited in the Data Brokers' Registry Fund, which is administered by the Agency to offset the costs of enforcement and maintaining the accessible deletion mechanism.38 

The Delete Act prohibits administrative actions from being commenced more than five years after the date on which the violation occurred.39 

Notes

  1. Cal. Civ. Code § 1798.99.82(a)
  2. Cal. Civ. Code § 1798.99.82(b)(2)
  3. Cal. Civ. Code § 1798.99.86)
  4. Cal. Civ. Code § 1798.105(a)
  5. Cal. Civ. Code § 1798.130(a)(2)
  6. Federal Trade Commission, 2014, p. 46)
  7. Cal. Civ. Code § 1798.99.82(b)(2)(C-E)
  8. Cal. Civ. Code § 1798.99.82(b)(2)(C-E)
  9. Cal. Civ. Code § 1798.99.80(c)
  10. Cal. Civ. Code § 1798.99.80(c)(1-3)
  11. Cal. Civ. Code § 1798.99.80(c)(4)
  12. Cal. Civ. Code § 1798.99.80(a)
  13. Cal. Civ. Code § 1798.140(v)(1)
  14. Cal. Civ. Code § 1798.99.86(a)
  15. Cal. Civ. Code § 1798.99.86(a)
  16. Cal. Civ. Code § 1798.99.86(b)(5), (b)(7), (b)(1)
  17. Cal. Civ. Code § 1798.99.86(a)(2-3)
  18. Cal. Civ. Code § 1798.99.86(c)(1)
  19. Cal. Civ. Code § 1798.99.86(c)(1)(B)
  20. Cal. Civ. Code § 1798.99.86(d)
  21. Cal. Civ. Code § 1798.99.86(e)
  22. Cal. Civ. Code § 1798.99.86(c)(2)
  23. Cal. Civ. Code § 1798.105(d)
  24. Cal. Civ. Code § 1798.140(v)(3)
  25. Cal. Civ. Code § 1798.140(v)(2)
  26. Cal. Civ. Code § 1798.140(m)
  27. Cal. Civ. Code § 1798.140(v)(2)
  28. Cal. Civ. Code § 1798.99.86(c)(3)
  29. Cal. Civ. Code § 1798.99.85(a)(1)
  30. Cal. Civ. Code § 1798.99.82(b)(2)(H)
  31. Cal. Civ. Code § 1798.99.82(b)(2)(C-E)
  32. Cal. Civ. Code § 1798.99.86(a)(3)
  33. Cal. Civ. Code § 1798.99.82(c-d)
  34. Cal. Civ. Code § 1798.99.82(c-d)
  35. Cal. Civ. Code § 1798.99.82(c)(1)
  36. Cal. Civ. Code § 1798.99.82(d)(1)
  37. Cal. Civ. Code § 1798.99.82(c)(3), (d)(2)
  38. Cal. Civ. Code § 1798.99.81
  39. Cal. Civ. Code § 1798.99.89