California’s Data Deletion Law Imposes a Host of New Obligations on Data Brokers

Skadden Publication / Cybersecurity and Data Privacy Update

Ken D. Kumayama William E. Ridgway David A. Simon James S. Talbot Lisa V. Zivkovic

On October 10, 2023, California Gov. Gavin Newsom signed into law Senate Bill 362, also known as the Delete Act, allowing California residents to have their personal information deleted by all registered data brokers operating in the state through a single deletion mechanism.

The Delete Act, which amends California’s existing Data Broker Registration law, will require data brokers to:

  • Register with the California Privacy Protection Agency (CPPA) (instead of the California Attorney General (AG)).
  • Make significant additional disclosures to the CPPA.
  • Delete all personal information held about California residents who exercise their newfound right to delete their personal information through the one-stop mechanism.
  • Undergo an audit by an independent third party every three years to ensure compliance with the Delete Act.

Applicability of the Delete Act

The definition of “data broker,” which remains unchanged from the Data Broker Registration law, includes any “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The Delete Act largely incorporates other definitions of key terms, such as “consumer” (i.e., California residents), “sell” (i.e., exchange of personal information for monetary or any valuable consideration), and “personal information,” from the California Consumer Privacy Act (CCPA). “Direct relationship,” however, is not defined. For further discussion of the meaning of “sale” under the CCPA, see our September 2022 article “California Attorney General Announces Settlement With Sephora Under the CCPA.”

The Delete Act includes certain entity-level exemptions, excluding from the definition of “data broker” entities that are subject to the Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act (GLBA), and Insurance Information and Privacy Protection Act (IIPA).

However, with respect to other entities, the Delete Act only excludes them, or business associates of covered entities, to the extent their processing of personal information is exempt under California Civil Code § 1798.146 (such as under the Health Insurance Portability and Accountability Act, or HIPAA).

Oversight Authority Transferred to the CPPA

The Delete Act transfers oversight authority of data brokers to the CPPA from the California AG, which had been responsible for that under the Data Broker Registration law. Data brokers will now be required to register with the CPPA by January 31 following every year they meet the “data broker” definition above, starting on or before January 31, 2024.

Deletion Mechanism and Data Broker Deletion Obligations

CPPA To Establish Deletion Mechanism

Under the Delete Act, the CPPA is mandated to create an accessible deletion mechanism by January 1, 2026. This mechanism will enable California residents to initiate a single verifiable request through which they can instruct every registered data broker that possesses their personal information to delete that data.

The CPPA must design the mechanism so that data brokers can determine whether an individual has submitted a verifiable request, and to allow consumers to selectively exclude certain data brokers from deletion requests and provide an option to modify or rescind a prior deletion request.

Data brokers are also responsible for instructing their associated service providers or contractors to take corresponding actions, whether it involves deleting the personal information of the requesting consumer or handling the request as an opt-out.

Data Brokers’ Obligations To Delete

Commencing from August 1, 2026, all data brokers must access the deletion mechanism at least once every 45 days to address deletion requests submitted there and process all verifiable deletion requests within 45 days. Where a data broker rejects a request because it is unable to verify it through the deletion mechanism, the data broker must treat the request as an opt-out of the sale or sharing of the consumer’s personal information under the CCPA.

Furthermore, a data broker’s obligation to delete is continuous. This means that, even after a data broker has received and complied with a consumer’s deletion request, it must continue to delete personal information at least once every 45 days and refrain from selling or sharing any new personal information collected from that specific consumer.

Disclosure Obligations

The Delete Act significantly increases the amount of information a data broker is required to provide in its annual registration with the CPPA. Though the Data Broker Registration law only requires that a data broker disclose its name and its primary physical, email and internet website addresses, a data broker will now be required those as well as:

  • The number of CCPA consumer requests and Delete Act deletion requests received, complied with (in whole or in part) and denied (in whole or in part and the basis for denial) during the prior calendar year. Additionally, it must disclose the average time taken to respond to such requests.
  • Responses to questions about whether it collects personal information of minors, consumers’ precise geolocation or consumers’ reproductive health care data.
  • A link to a page on its website that does not employ any deceptive user interface designs (dark patterns) and explicitly outlines how consumers can exercise each of their CCPA privacy rights.
  • Information concerning whether and to what extent it, or any of its subsidiaries, is regulated by FCRA, GLBA, IIPA, HIPAA, and/or the Confidentiality of Medical Information Act (CMIA).

Reasons for denial that must be reported among the metrics include that the request: (1) was not verifiable; (2) was not made by a California resident; (3) called for information exempt from deletion; (4) was denied on other grounds.

These enhanced disclosure requirements will be required as of the next registration period for data brokers (i.e., on or before January 31, 2024).

Audit Obligations

Beginning January 1, 2028, and every three years thereafter, data brokers will be required to undergo an independent third-party audit to assess their compliance with the Delete Act. Any resulting audit report must be submitted to the CPPA within five business days if the CPPA requests it, and must be maintained for at least six years.

Furthermore, as of January 1, 2029, data brokers must declare in their annual registrations whether they have undergone such an audit and when they last submitted audit materials to the CPPA.

Penalties for Non-Compliance

Non-compliance with the Delete Act could result in significant fines. Data brokers who fail to register with the CPPA are subject to administrative fines including: (1) $200 per day for each day the data broker fails to register (increased from $100 per day under the Data Broker Registration law); (2) reimbursement to the CPPA for unpaid registration fees; and (3) expenses incurred by the CPPA in the enforcement action.

Additionally, if a data broker fails to act on deletion requests and delete personal information, it can be fined $200 per day for each request on which it fails to act.

Conclusion

The Delete Act introduces extensive requirements that affect the ability of regulated entities to collect, share and sell personal information. Consequently, businesses that sell to third parties personal information of California residents with whom they have no direct relationship should carefully consider these new provisions and ensure that they have the mechanisms in place to ensure compliance, especially given the possible for significant penalties for non-compliance.

Moreover, industries that heavily rely on third-party data — including, but not limited to targeted advertising, artificial intelligence and machine learning — should prepare for potential disruptions and required adjustments.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.

BACK TO TOP