California continues to be at vanguard of data privacy rights. The latest effort by California legislators to protect consumer privacy rights focuses on data brokers, who under the proposed California Senate Bill 362, aka the “Delete Act,” would be required to recognize and honor opt-out signals from Californians. The law seeks to expand on the deletion and opt-out rights provided under the CCPA, which currently requires a Californians to submit their deletion and opt-out requests on a company-by-company basis. The “Delete Act” seeks to change this by implementing a single opt-out request that would apply to all data brokers, associated service providers, and contractors. The Delete Act would essentially create a California “do not sell” list for data brokers akin to a do not call list in the telemarketing context.
Application of the Delete Act
The Delete Act would apply to “data brokers,” which the Act defines as a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Importantly, the definition exempts those entities covered by the FCRA, GLBA, or the Insurance Information and Privacy Protection Act. Non-exempt data brokers would be required to register with the California Privacy Protection Agency (the “CPPA”), pay a registration fee, and provide the CPPA with detailed information, including whether or not the data broker collects personal information of minors, precise geolocation data of consumers, or reproductive health care data.
Prior to January 1, 2026, the Delete Act would require the CPPA to establish an accessible deletion mechanism that does all of the following:
- Allows a consumer to request – through a single verifiable method – that every data broker delete any personal information related to that consumer held by the data broker, associated service provider, or contractor;
- Allows a consumer to selectively exclude specific data brokers from a request;
- Allows a consumer to make a request to undo or alter a previous request made, after at least 31 days have passed since the consumer’s last request under the Act; and
- Implements and maintains reasonable security procedures and practices.
Additionally, the Delete Act would require the deletion mechanism to, in part:
- Allow a consumer to request the deletion of all personal information related to that consumer through a single deletion request, without a fee;
- Permit a consumer to securely submit information in one or more privacy-protecting ways determined by the California Privacy Protection Agency to aid in the deletion request;
- Allow data brokers registered with the California Privacy Protection Agency to determine whether an individual has submitted a verifiable consumer request to delete the personal information related to that consumer and shall not allow the disclosure of any additional personal information when the data broker accesses the accessible deletion mechanism;
- Allow a consumer to make a request in any language spoken by any consumer;
- Support the ability of a consumer’s authorized agents to aid in the deletion request; and
- Allow the consumer, or their authorized agent, to verify the status of the consumer’s deletion request.
Once the deletion mechanism is in place, data brokers would be required to begin complying with deletion requests on August 1, 2026, by accessing the mechanism at least once every 31 days. Unless the personal information is reasonably necessary to fulfill a purpose described under the CCPA’s Right to Delete exemptions (See Section 1798.105(d)), the data broker would be required to process the deletion request, direct all service providers or contractors associated with the data broker to also process the request, and send an affirmative representation to the CPPA indicating the number of records deleted by the data broker, service providers, and contractors.
After processing a deletion request, the data broker is prohibited from selling or sharing new personal information of the consumer and must continually delete all of the consumer’s personal data at least once every 31 days, unless the consumer requests otherwise.
Enforcement & Reporting
While the draft of the Delete Act that passed the Senate was enforceable by both the Attorney General and the California Privacy Protection Agency, the Assembly has since struck the enforcement provisions tied to the Attorney General. As the draft currently stands, the CPPA retains sole enforcement authority, and may issue administrative fines of $200 a day for the failure of a data broker to register and an additional $200 per day for each deletion request a data broker fails to properly comply with. However, the Act places a statute of limitations upon administration actions regarding any violation that is older than five years. The Act would not provide for a private right of action.
In addition to the enforcement provisions, the Delete Act would require that data brokers compile annual reports containing:
- The number of deletion requests received under the Act;
- The number of deletion requests that were complied with and the number that were denied;
- The number of deletion requests deemed to be unverifiable, to have not been made by a consumer, or which called for the deletion of exempt information; and
- The median and the mean number of days it took the data broker to substantively respond to a request.
Beginning on January 1, 2028, and every three years thereafter, data brokers must also undergo an audit by an independent third party to determine compliance with the Act. While this audit will not be automatically submitted to the CPPA, a data broker must be able to provide the CPPA a copy within five days of a request from the agency. However, starting in 2029, a data broker would have to annually provide the CPPA with the last data that an audit occurred.
Status of the Delete Act
The Delete Act was passed by the California State Senate on May 31, and then unanimously passed out of the Assembly’s Committee on Privacy and Consumer Protection in June. The bill is currently referred to the Assembly’s Committee on Appropriations. On August 16, the Delete Act was placed on the Assembly’s “suspense file” calendar. Suspense file bills are considered at a single hearing – without public comment or attendance – where the Committee on Appropriations compares the anticipated costs of a bill against the state’s available revenue. There is currently no public date set for next steps on the Delete Act.
Privacy advocates and data brokers will be carefully monitoring the progress of this proposed law, which goes further than any U.S. law to date in regulating the data broker industry. If passed, the law – in combination with already existing consumer opt-out rights and Apple Store requirements for consumers to opt-in to online tracking – will further challenge the ad tech industry’s business model.