California’s New Delete Act Expands Cyber Security Protections for Consumers
On October 10, 2023 California's Governor, Gavin Newsom, signed into law Senate Bill 362 or the “Delete Act.” The Delete Act imposes new transparency requirements on data brokers, which include the number of requests received for consumers exercising their privacy rights, the median and mean number of days to respond to a request, and the number of requests denied and the reasoning for the denial. Under the Delete Act, data brokers have to register with the California Privacy Protection Agency (CPPA) and provide consumers with the right to easily request deletion of their personal information. Data brokers will also be subject to new audit requirements.
Beginning January 2024, data brokers must register with the CPPA rather than the California Attorney General. A data broker is defined as any business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The Delete Act excludes entities covered by the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, Insurance Information and Privacy Protection Act, as well as entities covered by HIPAA (i.e. covered entities or business associates of covered entities when their processing of personal information is exempt under section 1798.146 of the California Civil Code). Notably, the definition of “sells” is broad, including the disclosure of information for both monetary and non-monetary consideration. As part of the registration, data brokers are required to provide information and metrics related to the processing of consumer privacy rights and whether certain categories of information are collected.
The Delete Act also requires the CPPA, by January 1, 2026, to create a free and accessible deletion mechanism that allows consumers to delete personal information through a single verification request for registered data brokers. As part of the deletion mechanism, consumers will be able to select deletion from specific data brokers and modify previous deletion requests. The Delete Act also implements a timing requirement for deletion, requiring data brokers to process new deletion requests and delete information related to previous requests every 45 days. A data broker is not required to delete consumer information if it is reasonably necessary for the data broker to maintain the personal information or deletion is not required as specified under the California Consumer Privacy Act (CCPA).
The Delete Act imposes new audit requirements set to take effect January 1, 2028. Under the new requirements, data brokers are required to undergo an independent audit every three years to certify compliance with the law. Data brokers that fail to register or delete personal information of a consumer will be subject to a $200 fine per day. The Delete Act also allows the CPPA to seek payment for investigation costs from data brokers.
While some provisions of the Delete Act take effect in 2026 and 2028, the registration requirements go into effect in January of 2024. As such, businesses should become well-informed on compliance obligations under the Delete Act. For further information about the Delete Act or privacy laws in general, please contact John Landolfi, Chris Ingram, Chris LaRocco, Gretchen Rutz Leist, Nikkia Knudsen, or your Vorys attorney.