Passed by the Senate and State Assembly in September 2023 and signed into law by Governor Gavin Newsom on October 10, 2023, the California Delete Act (“Delete Act”) aims to amend several sections in existing data brokers' regulations.
The California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), contains several provisions that grant users and customers various rights related to their personal information that is collected or sold by a business, including the right to request disclosure related to all collected information, the right to request deletion of personal information, and to direct a business not to sell or share this information.
Previously, the regulatory setup required data brokers to register with the Attorney General's office, pay them the registration fee, and provide specific information related to their yearly operations, among other requirements. However, the enactment of the Delete Act transfers data brokers' oversight to the California Privacy Protection Agency (CPPA). The CPPA will now assume all the responsibilities and powers held by the Attorney General's office regarding data brokers.
Additionally, the Delete Act requires the CPPA to establish an accessible deletion mechanism that allows a customer, through a single verifiable consumer request, to request that every data broker that maintains personal information delete any personal information related to that customer held by the data broker or associated service provider or contractor.
Beginning from 1 January 2028 and every three years thereafter, the data brokers must undergo an audit by an independent third party to determine compliance with the law. The data brokers shall also be required to submit an audit report to the CPPA upon its written request.
Scope and Applicability
The Delete Act applies to data brokers, defined as any business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. It excludes entities covered by the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, Insurance Information and Privacy Protection Act, as well as entities or business associates of covered entities, to the extent their processing of personal information is exempt under section 1798.146 of the California Civil Code (i.e., entities covered by HIPAA).
Obligations for Organizations Under this Act
Registration Requirements
All businesses must register with the CPPA on or before 31 January following each year in which they meet the definition of a ‘data broker’ as per the Delete Act.
To register with the CPPA, the data broker must do all of the following:
- Pay a registration fee to the CPPA, not exceeding the reasonable costs of establishing and maintaining an informational internet website and the reasonable costs of establishing, maintaining, and providing access to the deletion mechanism. This fee will be deposited in the Data Brokers' Registry Fund.
- Provide information, including their contact details and web presence. They must also provide metrics on their processing of consumer privacy requests and information on whether the data broker collects precise geolocation, reproductive health care data, or minor's personal information.
- Beginning January 1, 2029, provide a link to a webpage on the data broker’s website that explains how consumers may exercise their CCPA rights, such as the right to access, delete, and limit the use of personal data and confirm that the data broker does not make use of dark patterns.
- Provide information on the extent the data broker or any of its subsidiaries is regulated by the Fair Credit Reporting Act, the Gramm-Leach Bliley Act or Health Insurance Portability and Accountability Act; or California’s Insurance Information and Privacy Protection Act or Confidentiality of Medical Information Act.
- Starting in 2029, whether the data broker has undergone a third-party audit to determine its compliance with the Delete Act and, if so, the most recent year that the data broker submitted an audit report and related materials to the CPPA (third-party audits are required starting in 2028).
Deletion Mechanism
The law requires the California Privacy Protection Agency to establish an ‘accessible’ deletion mechanism by January 1, 2026. The deletion mechanism must implement and maintain robust security measures for protecting consumers' personal information. Through a single verifiable request, it must also enable the consumers to request the deletion of all their personal information maintained by the data brokers and their service providers. The mechanism must also allow the consumers to exclude specific data brokers from the deletion request and alter a prior request, provided that at least 45 days have elapsed since the consumer made the last request.
Moreover, the deletion mechanism must adhere to several key requirements, including enabling the customers to request the deletion of all their collected data in a single request, providing secure data submission, allowing data brokers to verify and access necessary request information, offering internet-based access, being free of charge, support the use of languages spoken by the customers, ensuring accessibility for people with disabilities, permitting requests through authorized agents, enabling request status checks, and providing descriptions of permissible deletions, the request process, and types of information that is deletable.
From 1 August 2026, the law requires the data brokers to access the deletion mechanism once every 45 days to process any deletion requests received from consumers via the mechanism. If a deletion request cannot be verified, it should be treated as an opt-out request instead. In addition, the data brokers must also instruct their service providers and contractors to delete relevant consumer information or process opt-out requests accordingly.
Public Disclosure and Audit Obligations
The Delete Act requires data brokers to report annually, by July 1, metrics on the number of CCPA requests and Delete Act deletion requests that the data broker received, complied with, and denied during the prior calendar year, as well as the average number of days it took the data broker to substantively respond to such request. These metrics must also be made available on the data broker’s website privacy policy.
In addition, beginning from January 1, 2028, and every three years after, data brokers must undergo an extensive independent third-party assessment audit to determine their compliance with the Delete Act. The audit will only be deemed complete once the data broker submits the audit report and other relevant materials to the CPPA within five business days of a written request made by the CPPA. The data brokers must maintain the report and any other materials submitted to the CPPA for a period of at least six years. Beginning January 1, 2029, the data brokers must also disclose their audit results while registering annually with the CPPA.
Regulatory Authority
The CPPA, responsible for enforcing the California Consumer Privacy Act (CCPA), is primarily responsible for overseeing all provisions of the Delete Act.
Penalties for Non-Compliance
A data broker who fails to comply with the registration and deletion requirements is liable to administrative fines and penalties.
If a data broker fails to register as required under the Delete Act, they can be fined $200 per day and must also pay the fees that were due during the non-compliance period, along with the expenses incurred by the CPPA during the investigation. If a data broker doesn't comply with deletion requests, they can face a daily fine of $200 for each request not fulfilled and must also cover reasonable investigation and administration expenses.
It is to be noted that the Delete Act imposes a five-year statute of limitations for initiating an action against the alleged violation of its provisions.
How Securiti Can Help
The California Delete Act emphasizes the users' overall control over their data once collected.
The deletion mechanism ensures users can easily exercise their right to deletion without dealing with cumbersome processes and redtapes. Securiti can help organizations address this challenge by ensuring users can gain access to such a mechanism to fulfill their data privacy rights.
This is where Securiti can be of service.
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. Large global enterprises rely on Securiti's Data Command Center for meeting data security, privacy, governance, and compliance obligations.
Among a large plethora of modules, products, and other solutions is the Privacycenter.cloud, which enables organizations to streamline the entry process of receiving, processing, and complying with any individual data requests, such as data deletion.
Not only is it easy to use and deploy, but it allows for consistent real-time insights into the status of each request, assuring compliance with each request as a consequence.
Request a demo today and learn more about how Securiti's Data Command Center can help you comply with the critical requirements of the California Delete Act.
