On October 10, the Governor of California signed Bill No. 362, the so-called DELETE Act, an amendment to the California Civil Code (hereinafter- CC). This document defines new requirements for data brokers that also work with information about California residents.
How was it before?
Data brokers must register with the California Attorney General, pay a registration fee, and provide relevant information about their activities. Brokers must provide their name, primary physical address, email, and website when registering. The Attorney General has the right to file an administrative lawsuit against brokers who fail to register or violate the requirements of applicable personal information protection laws and to order them to pay appropriate fines and other costs.
What to prepare for now?
DELETE retains the previous definition of brokers: a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.
We would like to remind you that “business” is defined as a legal entity that is organized or operated for profit or financial gain, collects personal information of consumers or on whose behalf such information is collected, determines, alone or jointly with others, the purposes and means of processing personal information of consumers, does business in the State of California, and meets one or more of the following requirements:
- as of January 1 of a calendar year, has annual gross revenue over twenty-five million dollars ($25,000,000) for the preceding calendar year;
- buys, sells, or disseminates the personal information of 100,000 or more consumers, or;
- earns more than 50% of its annual revenue from selling or sharing personal information.
Brokers are not entities subject to the federal Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Insurance Information and Privacy Protection Act, the Health Insurance Portability and Accountability Act, or the Confidentiality of Medical Information Act.
How do brokers register?
DELETE transfers the functions of the Attorney General to the California Privacy Protection Agency (hereinafter – CPPA).
Each year, if a business qualifies as a data broker, it must register with the CPPA by January 31 of the year following the year in which it meets the definition of a broker. Upon registration, the broker must provide information on:
- name and main physical address, email, and website;
- data on processing of consumer requests (see below);
- whether the broker collects personal information of minors, the exact geolocation of consumers, data on their reproductive health care;
- starting from January 1, 2029 – information on the broker’s audit and report on its results;
- whether the broker or any of its subsidiaries are subject to the federal Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Insurance Information and Privacy Protection Act, the Health Insurance Portability and Accountability Act, or the Confidentiality of Medical Information Act;
- other information about data collection at its discretion.
In addition, requirements have been established for the broker’s website, which it must provide to the CPPA upon registration. Such a website must contain detailed information on how consumers can exercise their right to privacy, namely:
- deletion of personal information;
- сorrecting inaccurate personal information;
- learning what personal information is being collected and how to access that personal information;
- learning what personal information is being sold or shared and to whom; and learning how to opt out of the sale or sharing of personal information;
- learning how to limit the use and disclosure of sensitive personal information.
The broker’s website should not contain so-called dark patterns – deceptive website design templates.
What is an accessible deletion mechanism (ADM)?
In addition to maintaining a register of brokers, the CPPA must also develop an ADM by January 1, 2026. This mechanism will allow a consumer, through a single verifiable consumer request, to request that a broker and related service providers or contractors that store personal information related to that consumer, regardless of the source of the data, delete that information.
Starting August 1, 2026, the broker must have access to the ADM and check it at least once every 45 days. The broker must process data deletion requests through the ADM and delete such consumer information within 45 days of receiving a request. However, the broker does not have to delete personal information in certain cases provided for by the California CC.
If a data broker rejects a consumer’s request on the grounds that it cannot be verified, it should treat it as a request to opt out of the sale or transfer of personal information under the CC. In addition, brokers must instruct all related counterparties to take similar measures – to delete the consumer’s data or refuse to sell or transfer it.
In addition, from August 1, 2026, DELETE imposes an obligation on the broker to continue to delete information about a consumer who has already sent a request via ADM at least once every 45 days. Also, the broker must not sell or distribute new personal information about such a consumer that it has received, with the exceptions provided for by the CC.
Should a broker report on received consumer data deletion requests?
Every year, by July 1, the broker must:
– calculate the number of requests that were received (both under ADM and California Consumer Privacy Act), satisfied in full, partially, or rejected during the previous calendar year;
– calculate the number of days within which the requests were responded to on average;
Are there any other requirements for brokers?
Starting January 1, 2028, brokers must undergo an audit every three years to determine whether the broker’s activities comply with the law. Based on the results of such an audit, the broker will submit a report and any related materials to the CPPA within five business days of receiving a written request.
What sanctions does DELETE provide for?
Brokers will be liable for failure to register and failure to comply with the requirements of the ADM and to undergo an audit.
For example, for failure to register, the broker must pay an administrative fine of two hundred dollars ($200) for each day of delay in registration, the applicable registration fees for the time during which it failed to register, as well as the costs incurred by the CPPA in investigating and administering the claim.
If a broker fails to comply with the audit and/or ADM requirements, it must pay an administrative fine of two hundred dollars ($200) for each deletion request for each day the data broker fails to delete information, as well as the costs incurred by the CPPA in investigating and administering the claim.
- Monitor your activities and register if you fall within the definition of a data broker in the state of California. As of 2024, the fine for failure to register will double to two hundred dollars ($200) in addition to the other fees described above.
- Analyze your personal data collection and processing practices and align your personal data protection practices. Also, ensure that your website meets the DELETE requirements for the next data broker registration period in 2024: it does not contain dark patterns and provides detailed information to the consumer about the options for protecting his or her personal data under California and federal laws.
- Conduct training for employees on the DELETE Act and how to improve their personal data practices.
- Monitor the CPPA’s guidance on the ADM and broker access to it in 2026 and audit and reporting requirements in 2028.