California Delete Act: A Quick Overview

Unpacking the California Delete Act

On October 10, 2023, Governor Newsom signed into law SB 362, known as the “California Delete Act” or “Delete Act”, which had been passed by the legislature at the end of the 2023 legislative session on September 14. The Delete Act amends California’s existing Data Broker Registration law (Cal. Civ. Code Section 1798.99.80 et. seq).

Key Takeaways

The California Delete Act has five key takeaways that form the backbone of this legislation:

1. Regulation of Data Brokers
   • The Delete Act governs “data brokers” as defined by the CCPA.
   • A “data broker” is a business that knowingly collects and sells a consumer’s personal information without a direct relationship, with some exceptions.

2. One-Stop Data Deletion Mechanism
   • The CPPA is mandated to create a centralized data deletion system by January 1, 2026.
   • Consumers can issue a free, verifiable data deletion request for all registered California data brokers through this mechanism.
   • The CPPA may charge data brokers for access to the deletion system, though the fee amount is yet to be determined.

3. Audit Obligations on Data Brokers
   • Starting January 1, 2028, data brokers must undergo an independent audit every three years to assess compliance.
   • Audit reports must be submitted to the CPPA promptly, and audit records must be retained for at least six years.

4. Enforcement and Penalties
   • The CPPA can enforce data broker registration and deletion requirements and may establish regulations under the Delete Act.
   • Noncompliance may result in administrative penalties, fines, and fees, including a $200 daily fine for failure to register. These funds support enforcement costs and the deletion mechanism.

Recent Updates and Adherence

As of the last update in January 2024, California businesses must be fully compliant with the California Delete Act. Failure to comply can lead to significant fines and penalties, emphasizing the need for businesses to promptly adhere to the law. The Act mandates the CPPA to establish a public “deletion mechanism” by January 1, 2026. This mechanism allows consumers or authorized agents to submit a verifiable request for data brokers to delete their personal information. The CPPA must offer this service at no cost to consumers, making it easily accessible online, akin to the National Do Not Call Registry.

Insights and Ramifications

The California Delete Act is a major milestone, signaling a shift in how we handle digital interactions. Strengthening consumers with greater control over their personal information, the Act encourages a move towards transparent and ethical data practices. This impact extends beyond California, with similar privacy initiatives gaining traction nationwide and globally.

For businesses intentionally collecting, selling, or licensing personal data from consumers they don’t directly engage with, seeking legal advice and promptly registering is essential. The registration process is quick and cost-effective, offering potential protection against higher fines and increased regulatory scrutiny. This precaution becomes crucial as privacy protections gain momentum across the country.

Expert Opinions

• Senator Josh Becker, the brains of the Delete Act, said in a statement: “The Delete Act is based on a very simple premise: Every Californian should be able to control who has access to their personal information and what they can do with it.” Becker emphasizes the need for individuals to have the power to delete their personal information, putting a stop to data brokers collecting and tracking them.
• Tracy Rosenberg, a data privacy advocate with Media Alliance and Oakland Privacy, commented on the law “It is a pretty basic-level philosophical battle about whether your personal information is yours to share as you see appropriate and when it is personally beneficial to you, or whether it is property to be bought and sold.”
• John Gilmore, head of research at DeleteMe, points out that the industry won’t come to an end but acknowledges changes already happening: “Already, most major browsers have started phasing out cookies, and phones began app tracking transparency two years ago. The writing has been on the wall now for more than five years.”
• Chris Pierson, CEO of cybersecurity and privacy protection firm BlackCloak, advises CIOs, CISOs, CFOs, and CTOs to assess their use of data brokers affected by the California law: “You have your two years to go ahead and build controls to decrease and limit risks on the creative side.”

Wrapping Up

The California Delete Act safeguards privacy rights in an age where data is valuable. Allowing people to delete personal information, curbing data profiling, and ensuring clear opt-out choices, this law sets a strong standard for digital privacy. As others adopt similar steps, the California Delete Act guides toward a future where privacy is a clear right, not just a privilege.