California Legislature Passes "Delete Act"
On September 15, the California State Legislature passed Senate Bill 362, also known as the “Delete Act,” which adds new requirements for data brokers that collect and sell the personal data of California residents. Acting as a supplement to the California Consumer Privacy Act (“CCPA”) and Privacy Rights Act (“CPRA”), the Delete Act, if signed by Governor Newsom, will impose further requirements for covered entities that collect and use the personal data of California residents. The Governor has until October 14, 2023, to sign the bill into law.
The Delete Act only applies to businesses (called “data brokers”) that collect and sell personal data of California residents to third parties who do not have a direct relationship with the individual.
Obligations
In addition to the obligations already imposed under the CCPA and CPRA, the Delete Act imposes several further obligations specifically on data brokers, with implementation and oversight provided by the California Privacy Protection Agency (“CPPA” or “Agency”). The obligations are set to roll out over the next several years, and some of the deadlines require further action by the CPPA before enforcement can commence.
- By January 1, 2026: The CPPA must establish a deletion mechanism that allows consumers to submit a centralized request for deletion of personal data held by data brokers.
- By August 1, 2026: All data brokers must monitor (at least once every 45 days) the deletion mechanism to process and comply with deletion requests made by consumers.
  - The request must be honored, if verified, within 45 days, and every 45 days thereafter, the data broker must delete all personal data received from the consumer.
  - The request remains persistent, and after a deletion request is submitted, the data broker must refrain from selling or sharing any new personal data received, unless the consumer requests otherwise (or the selling/sharing is otherwise permitted under separate provisions).
- Beginning on January 1, 2028: All data brokers must undergo an audit, at least once every three years, conducted by an independent third party to determine their compliance with the requirements of the Delete Act. The data broker must also prepare and submit a report on this audit to the CPPA, and maintain a record of this report for at least six years.
- Beginning on January 1, 2029: Data brokers must provide to the CPPA a certification of (or notice of lack of) the audit that was performed.
First, the CPPA will be responsible for administering a “Data Brokers’ Registry Fund,” which comprises all the fees, fines, and other moneys collected through the Delete Act. This fund is to be used to maintain the CPPA’s services, support the CPPA’s investigations and enforcement, and facilitate the accessible deletion mechanism required under the Act.
Second, the CPPA is also required to create a page on its website that includes the registration information required for data brokers, and which houses the deletion mechanism that it administers. The CPPA has just over two years to develop this mechanism and must ensure that it:
- Allows a consumer to request deletion of all their personal information through a single deletion request;
- Permits the user to securely submit information to verify their deletion request;
- Allows data brokers to review and verify consumer deletion requests;
- Will not charge a consumer to make a deletion request;
- Allows the user to check the status of a deletion request;
- Provides a description of the consumer's rights and the deletion request process.
While the CPPA cannot charge consumers to submit a request, the Delete Act does allow the CPPA to charge data brokers a “reasonable” fee (related to the cost of operating the website) to access the mechanism.
Though many of these obligations have a lead time of several years, if the Delete Act is signed into law, companies should begin considering whether they will be subject to its provisions, as it could require consistent monitoring and revisions to their privacy compliance programs. As always, the Baker Botts team is ready and able to assist clients to meet these new obligations.