Data Privacy Insight: Gov. Newsom Signs the CA Delete Act (SB 362) into Law, Making it Easier for Californians to Request the Deletion of Their Personal Information from All Data Brokers

October 17, 2023 | Insights

On October 10, 2023, Governor Gavin Newsom signed the CA Delete Act (SB 362) amending and practically overhauling CA’s existing Data Broker Registration law of 2019 (collectively, the “Act”), which previously only subjected data brokers to registration and disclosure requirements.

Key Takeaways:

  • Starting January 1, 2026, California residents will be able to make a single request to delete their personal information from all data brokers through an accessible deletion mechanism (similar to the federal “Do Not Call Registry”) administered by the California Privacy Protection Agency (the “Agency”).
  • Starting August 1, 2026, data brokers will be required to check the deletion mechanism every 45 days and delete personal information about California consumers who have submitted requests. The deletion obligation also applies to personal information about the same consumer collected in the future, which can be operationally complex.
  • Data brokers will have to register more than their names and addresses. They will also have to disclose certain data collection practices and metrics.
  • Data brokers will be subjected to new audit requirements.
  • Penalties are doubled to $200/day of violation.
  • Don’t forget that existing data broker registration requirements remain in place and require renewals by January 31st every year. Data brokers will have to register with the Agency starting January 31, 2024, provided that the Agency is able to create the required registration page on its website.

What is a “Data Broker”?

The Act has not changed the existing definition of a Data Broker, which is “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” A “sale,” per the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), is not limited to the exchange of monetary compensation, but also includes disclosing personal information for “other valuable consideration.” However, the Act expands the definition of who is not a Data Broker, including:

  • An entity covered by the federal Fair Credit Reporting Act (“FCRA”) (previously, only covering consumer reporting agencies);
  • An entity covered by the Gramm-Leach-Bliley Act (“GLBA”) (previously, only covering financial institutions);
  • An entity covered by California’s Insurance Information and Privacy Protection Act (“IIPPA”);
  • New: an entity, or business associate of a covered entity, processing information that is considered medical information under California’s Confidentiality of Medical Information Act (“CMIA”) or protected health information under the Health Insurance Portability and Accountability Act (“HIPAA”) and Health Information Technology for Economic and Clinical Health Act (“HITECH”).[1]

What is an “Accessible Deletion Mechanism”?

The most significant change introduced by the Act is the ability for California consumers to make a single request requiring all data brokers, as well as their associated service providers and contractors, to delete any personal information related to that consumer. This means that California consumers no longer have to go business-by-business to remove their personal information from data broker databases. Data brokers may find it difficult to ascertain who is a California resident, and as a result the Act may set a de facto federal standard for data broker deletion requests.

To achieve this, the Agency is required to establish a centralized “accessible deletion mechanism” by January 1, 2026. Then, starting August 1, 2026, all data brokers must access the established mechanism at least once every 45 days and process any consumer deletion requests. If the data broker has no valid exemption and has deleted the consumer’s personal information, the data broker is further prohibited from selling or sharing any new personal information of the same consumer, unless otherwise directed by the consumer or narrowly permitted by the CCPA.

Expanded Disclosure Requirements

The Act previously required data brokers to register with the CA Attorney General and appear on its publicly available registry list of data brokers. The registration only required the data broker’s name and primary physical, email, and internet website addresses. Additionally, it only encouraged, but did not require, data brokers to voluntarily provide additional information regarding their collection practices. However, the Act now requires, and expands, the additional information data brokers must provide to the Agency (which replaces the CA Attorney General).

Starting January 31, 2024, data brokers will have to start registering with the Agency, provided that the Agency creates the required registration page on the Agency’s website. The additional information required to be disclosed includes:

  • Whether they collect personal information of minors, precise geolocation, and/or reproductive health care data;
  • A link to a webpage that explains how consumers may exercise their CCPA privacy rights;
  • Whether they are regulated by the FCRA, GLBA, HIPAA, or California’s IIPPA and CMIA;
  • On or before July 1st following each calendar year, provide metrics similar to those required by the CCPA (e.g., number of consumer requests received, complied with in whole or in part, or denied; median and mean response time; reasons for denial). The metrics must also be disclosed within the data broker’s privacy policy; and
  • Starting January 1, 2028, whether they have undergone the required audit and what year the most recent audit report was submitted to the Agency.

Audit Requirements

Starting January 1, 2028, and every three years thereafter, data brokers must be audited by an independent third party to determine their compliance under the Act and must submit the audit report to the Agency.

Enforcement and Fines

The Act takes effect on January 1, 2024. As a result, the Agency replaces the CA Attorney General as the agency with the authority to manage and enforce the Act and its requirements.

Lastly, the Act doubles the previous fine to $200 for each day a data broker fails to register with the Agency or delete information when requested, as required by the Act.

[1] The Act’s definition of Data Broker does not include “An entity, or a business associate of a covered entity, to the extent their processing of personal information is exempt under [CCPA] Section 1798.146.”