Senior Content Marketing Manager II
September 29, 2023 • 3 min read
The Delete Act maintains the current definition of a data broker, as defined by the California Consumer Privacy Act (CCPA) i.e.:
a business that knowingly collects and sells third-party consumers' personal information without having a direct relationship with them
The Delete Act also mirrors the CCPA in its definitions of business, collect, third party, consumer, sell, and personal information.
Like many privacy laws, the Delete Act does outline a few exceptions, including entities covered by the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), or the Insurance Information and Privacy Protection Act (IIPPA).
Once signed into law, the Delete Act will impose new requirements on data brokers and create novel enforcement obligations for the California Privacy Protection Agency (CPPA). Data brokers will need to register with the CPPA, be more transparent about what types of data they collect and how that data is used, provide metrics on consumer privacy request fulfillment, and submit to regular compliance audits.
Because the Delete Act moves the regulation of data brokers to the CPPA, the agency will be expected to ensure compliance with the law's requirements, create a one-stop-shop deletion mechanism for consumers looking to delete their data, and potentially engage in rulemaking around some of the Delete Act's under-developed provisions.
The Delete Act transfers oversight of data brokers from the California Attorney General's Office to the CPPA. Once the act is in force, organizations that meet the definition of data brokers (defined by the CCPA) will need to register with the CPPA each year for an as-yet-undetermined fee.
Starting in 2029, data brokers must also include compliance audit results when registering with the CPPA each year.
When registering with the CPPA, data brokers will need to disclose more information about their data collection practices. This includes disclosures on whether they collect consumers' precise geolocation, minors' personal information, or reproductive health data. They will also need to disclose whether they are regulated by data protection laws like HIPAA, GLBA, and more.
Data brokers must also provide, in their company privacy policies, metrics on their processing of consumer access or deletion requests, including number of requests received and denied, as well as average response times.
Under the Delete Act, the CPPA would need to create a public-facing "deletion mechanism" by January 1, 2026. This mechanism must be free to use and easily accessible online.
Similar to the FTC's national Do Not Call registry, this mechanism would allow consumers or authorized agents to, through a single action, request that every data broker in California delete their personal information.
Starting August 1, 2026, giving a six-month adjustment period, data brokers must begin accessing the CPPA's deletion mechanism once every 45 days. They are then required to fulfill a consumer deletion request within 45 days of receipt.
If a consumer's identity can't be verified and the data broker is unable to fulfill the request, they must still treat it as an opt-out of the sale or sharing of personal data, as defined by the CCPA.
After complying with a consumer's initial deletion request, data brokers must continue to delete personal information collected from that consumer at least once every 45 days, unless the consumer requests otherwise. This duty is ongoing once the Delete Act is in effect.
Beginning January 1, 2028, data brokers must undergo an audit by an independent third party every three years. Records of any compliance audits must be retained for at least six years, and must be made available to the CPPA upon request.
The California Delete Act will impose significant new requirements on data brokers who fall under the law's purview. Those that do should focus on two main pieces: getting their ducks in a row when it comes to disclosures, and preparing to fulfill the likely influx of new consumer data requests.
Though there's some prep time when it comes to consumer data requests (as the CPPA isn't expected to publish the delete mechanism until 2026), the new disclosure requirements will begin immediately once the bill is signed.
Transcend Privacy Requests is the easiest and most comprehensive way to delete, deidentify, return, or modify a user's data or preferences across your tech stack.
Decrease costs, increase program efficiency, and comply with privacy request requirements with a single platform that handles every step, all without human intervention.
No matter the data system, request type, regulation, or requirement, Transcend has you covered, with customization as easy as checking a box.