California Expands Data Deletion Rights Against Data Brokers
On October 10, 2023, California Governor Gavin Newsom signed into law SB-362, a measure amending existing California laws regulating data brokers and granting California residents the right to delete all personal information collected by the state’s registered data brokers in a single request. These updates will make it simpler for California consumers to exercise the deletion rights granted under the California Consumer Privacy Act (CCPA) at Ca. Civ. Code § 1798.105, at least when it comes to making data deletion requests to registered data brokers.
As detailed below, the amended law requires data brokers to report detailed information to the California Privacy Protection Agency (CPPA) regarding consumers’ requests for deletion and the data broker’s response to the same. This will mean that the CPPA will have significant oversight over data brokers’ compliance with the CCPA’s deletion requirements, as compared to compliance by other businesses subject to the CCPA.
The CPPA has the authority to adopt regulations to further implement the data broker deletion mechanism. Given the CPPA’s regulations to implement the CCPA passed or proposed to date, any regulations that the CPPA chooses to pass could significantly impact how these requirements apply in practice.
Data Brokers
California’s data broker registration requirement has been in effect since 2020. Now, however, the CPPA, instead of the California Attorney General, will manage data broker registrations. Businesses meeting the definition of a “data broker” must register with the CPPA by January 31 following each year in which a business meets the definition of a data broker.
“Data broker” means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. “Data broker” does not include entities covered by the federal Fair Credit Reporting Act, the federal Gramm-Leach-Bliley Act, the California Insurance Information and Privacy Protection Act, or providers of health care, HIPAA-covered entities, and HIPAA business associates, to the extent their processing of personal information is exempt under the CCPA at Ca. Civ. Code § 1798.146.
Accessible Deletion Mechanism
By January 1, 2026, the CPPA will establish an “accessible deletion mechanism” that permits a consumer, through a single verifiable consumer request, to request that every data broker delete any personal information related to that consumer held by the data broker or associated service provider or contractor. The mechanism will describe the deletion rights, the process for submitting a deletion request, and examples of the types of information that may be deleted.
Consumers will not be charged for making this request. The deletion mechanism will allow a consumer to selectively exclude specific data brokers from a request and verify the status of the consumer’s deletion request.
Beginning August 1, 2026, data brokers must access the accessible deletion mechanism at least once every 45 days and take the following actions:
- Within 45 days after receiving a request, process all deletion requests and delete all personal information related to the consumers making the requests, except where an exception is met.
- In cases where a data broker denies a consumer request to delete because the request cannot be verified, process the request as an opt-out of the sale or sharing of the consumer’s personal information, in accordance with the CCPA.
- Direct all service providers or contractors associated with the data broker to either, as applicable: (i) delete all personal information in their possession related to the consumers making the requests; or (ii) process a request as an opt-out of the sale or sharing of the consumer’s personal information.
A data broker will not be required to delete a consumer’s personal information if deletion would not be required under the CCPA — either because the data broker has a need to retain the personal information that falls into one of the deletion exceptions under the CCPA (see Ca. Civ. Code § 1798.105(d), which includes exceptions that permit retention to comply with a legal obligation or to complete the transaction for which the personal information was collected, among other exceptions) or is otherwise exempt from the CCPA (see Ca. Civ. Code §§ 1798.145; 1798.146).
After a consumer has submitted a deletion request and a data broker has deleted the consumer’s data, the data broker must (i) delete all the consumer’s personal information at least once every 45 days unless the consumer requests otherwise or the deletion is not required as addressed in the preceding paragraph; and (ii) not sell or share new personal information of the consumer unless the consumer requests otherwise or selling or sharing the personal information is permitted under the CCPA at Ca. Civ. Code §§ 1798.145; 1798.146, which are the exemptions from the CCPA.
Starting in 2028, and every 3 years thereafter, data brokers must undergo an audit by an independent third party to determine compliance with these requirements. Data brokers must submit the audit report and related materials to the CPPA within five days of a written request from the CPPA.
Increased Reporting Obligations
The amended law also expands data brokers’ reporting obligations to the CPPA. The updated reporting obligations require data brokers to provide a link to a page on the data broker’s website that details how consumers may exercise their privacy rights, such as by deleting personal information or learning what personal information is being collected. Data brokers must report if they collect minors’ personal information, precise geolocation, and/or reproductive health care data. This information will be available to the public.
The data broker must also compile the number of deletion and other consumer rights requests that the data broker received, complied with in whole or in part, and denied during the previous calendar year, as well as the median and mean number of days within which the data broker substantively responded to the requests. In addition to reporting this information to the CPPA in its annual reporting, the data broker must disclose these metrics in the privacy policy posted on its website.
For more information on the CCPA, including consumer rights regarding deletion of personal information and the right to opt out of the sale or sharing of personal information, see Foley’s Innovative Technology Insights blog, which includes further coverage such as “California Voters Pass the California Privacy Rights Act.”