On October 10, 2023, Governor Gavin Newsom signed into law the California Delete Act, which imposes new requirements on “data brokers.” Because of the California law’s broad definition of the term “data broker,” the law will apply to many businesses that would not typically think of themselves as being in the business of buying and selling data. The Delete Act will require such “data brokers” to make new disclosures and, beginning in 2026, to respond to bulk deletion requests submitted through a mechanism established by the California Privacy Protection Agency (CPPA), which is likely to prove onerous. Unlike current deletion requests, which are sent on a one-off basis to specific businesses, a request submitted through the CPPA mechanism will have to be honored by every business registered with the CPPA as a data broker at the same time. As a result, data brokers will see a significant increase in the volume of requests they are required to process. Additionally, beginning in 2028, data brokers will be required to undergo costly third-party compliance audits.
What is a “Data Broker”? A data broker is a business that knowingly “collects” and “sells” to third parties the personal information of a California resident with whom the business does not have a direct relationship. The definitions of “collect” and “sell” derive from the California Consumer Privacy Act and are broader than they might seem. “Collect” includes any “buying, renting, gathering, obtaining, receiving, or accessing” personal information. “Sell” means any disclosure of personal information to a third party for monetary “or other valuable consideration,” i.e., any release of personal information in exchange for a benefit. As an example, an exchange of information in return for advertising services has been considered a “sale” by the California Attorney General.
What constitutes a “direct relationship” is not defined, but it presumably includes a business’s relationship with its own customers and with individuals who visit the business’s own website. The disclosure of first-party cookie data would therefore not appear, on its own, to make a business a “data broker.” By contrast, a business that receives third-party sales leads and passes those leads on to other businesses without restricting how the recipient may use the data would likely constitute a data broker.
A business is not considered a data broker “to the extent that it is covered by” one of four statutes: the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act (applicable to financial institutions), the Insurance Information and Privacy Protection Act, and the Confidentiality of Medical Information Act. It is not clear whether the phrase “to the extent that” is meant to indicate that the activities of a covered business that are not subject to these laws can still fall within the scope of the data broker requirements.
What laws currently apply to data brokers? Data broker statutes are already in effect in California and Vermont, in addition to generally applicable data protection laws like the California Consumer Privacy Act and the other “comprehensive” state privacy laws in Colorado, Connecticut, and Virginia. These data broker statutes require data brokers to register with state regulators. Data brokers must pay a fee and, in Vermont, comply with minimum data security standards. State regulators publish a list of all businesses registered as data brokers, meaning that an entity’s status as a data broker is made public. The California regulator also publishes the information that registered businesses provide about how individuals can opt out of the “sale” of their personal information.
What is new under the “Delete Act”? Beginning January 31, 2024, data brokers registering in California will be required to provide additional information that will be made publicly available: (1) whether the business collects personal information of minors; (2) whether the business collects precise geolocation data; and (3) whether the business collects reproductive health data. Beginning July 1, 2024, data brokers will be required to compile additional metrics, including the number of data subject rights requests they receive and the time it takes them to respond, and will be required to report that information in their next annual registration. Currently, only businesses that sell or share the personal information of 10,000,000 or more consumers are required to compile and report such metrics.
More onerous requirements will apply starting in 2026. By January 1, 2026, the CPPA will be required to create a mechanism through which consumers can submit a single verifiable request to have every business registered as a data broker delete their personal information. Starting in August 2026, data brokers will be required to access that mechanism at least once every 45 days and honor the deletion requests. Because a consumer’s request remains in effect, data brokers will also need to delete any personal information about that consumer they later collect at least once every 45 days, and will be required to pass such deletion requests along to their own service providers and contractors. Beginning in January 2028, data brokers will be required to undergo a third-party audit of their compliance with the statute, and to submit the results of that audit and “any related materials” to the CPPA the following year.
What are the penalties for non-compliance? Failure to register with the CPPA is punishable by an administrative fine of $200 for each day the data broker fails to register. Once the expanded deletion requirements apply, failure to honor them will be punishable by a fine of $200 for each request the data broker fails to honor, multiplied by the number of days it fails to do so. With brokers likely to receive a significant volume of deletion requests every year, these fines could prove crippling: failing to honor 100 individual requests for 100 days could lead to $2 million in potential fines.
What is to be done? To start with, businesses should assess whether they satisfy the definition of a data broker. Given the ambiguity and potential breadth of the terms “collect” and “sell,” as well as the phrase “direct relationship,” it may prove challenging for businesses to make that determination. Where it is unclear whether a business satisfies the definition, it will need to weigh the risk of failing to register when required against the cost of complying. If the business is a data broker, it should begin assessing now how it will process bulk deletion requests. It will no longer be practical to handle these requests on a one-off basis, and even though 2026 is still several years away, it will take time to build the required technical processes, including the ability to poll the CPPA mechanism on a 45-day cycle, match requests against the broker’s own records, and propagate deletions to service providers and contractors.