BLOG POST

Tech & Sourcing @ Morgan Lewis

TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

California Enacts the Delete Act

In October, California enacted its newest privacy legislation, commonly referred to as the “Delete Act” (California Senate Bill No. 362). The Delete Act will allow consumers to request that any data broker that maintains any personal information related to that consumer delete such personal information.

History: CCPA and CPRA

The Delete Act builds upon California’s already robust privacy laws. California first enacted the California Consumer Privacy Act of 2018 (CCPA), which was inspired by the General Data Protection Regulation (GDPR), and then followed up with the California Privacy Rights Act of 2020 (CPRA), which amended the CCPA and established the California Privacy Protection Agency.

Definition of Data Brokers

The Delete Act affects data brokers, which are defined as businesses that knowingly collect and sell to third parties the personal information of a consumer with whom the businesses do not have a direct relationship.

Data brokers exclude consumer reporting agencies to the extent that they are covered by the federal Fair Credit Reporting Act (15 USC Sec. 1681 et seq.) and financial institutions covered by the Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations. The law also has limited application in the insurance and healthcare industries.

Key Requirements

The Delete Act requires, among other things, the following:

  • Data brokers register with, provide certain information to, and pay a registration fee to the California Privacy Protection Agency (CPPA).
  • The CPPA create and maintain an internet website where the information provided by data brokers will be accessible to the public.
  • The CPPA establish, by January 1, 2026, an accessible deletion mechanism that allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.
  • Beginning August 1, 2026, data brokers access the accessible deletion mechanism at least once every 45 days and process all deletion requests, except as specified in the Delete Act.
  • Moneys collected or received by the CPPA and the US Department of Justice under the Delete Act are deposited in the Data Brokers’ Registry Fund, a fund administered by the CPPA, which can be used to cover certain costs, such as the costs incurred by the state courts and the agency in connection with enforcing the Delete Act and the costs of establishing, maintaining, and providing access to the accessible deletion mechanism.

The Delete Act also authorizes the CPPA to charge a fee to data brokers for accessing the accessible deletion mechanism and provides that a data broker failing to comply with the requirements pertaining to the accessible deletion mechanism be liable for administrative fines, fees, expenses, and costs, as specified in the Delete Act.

Key Takeaways

Businesses that knowingly collect and sell to third parties the personal information of a consumer with whom the businesses do not have a direct relationship should pay close attention to the definition of “data broker.” If a business determines that it is a data broker, it should ensure that it complies with the requirements of the Delete Act, including the obligation to register, to avoid penalties.

Data brokers will need to develop and maintain internal policies to review deletion requests to comply with the Delete Act deletion timelines, be prepared for the volume of deletion requests, implement policies to verify deletion requests, maintain records for audit obligations, track the type of data they collect (including personal information such as information of minors, precise geolocation, or reproductive health care data), and keep updated privacy policies.

The Delete Act will also impact businesses that obtain consumer data from Data Brokers, as such data may not be permanently available if the consumer asks the Data Broker to delete their data. A business that has relied on such data for verification purposes, for example, will need to be prepared to have alternative ways to verify consumer information.