Data Brokers Face Big Compliance Obligations Under California’s New DELETE Act

Data brokers in California should begin revising their privacy compliance programs to meet new registration requirements and obligations related to the consumer personal information they maintain. Signed into law in early October, the DELETE Act strengthens the California Consumer Privacy Act (CCPA) and amends California’s existing data broker law to impose advanced requirements aimed at bolstering consumer privacy. Here is a run-through of the notable regulatory elements of the DELETE Act:

• Data Broker definition: The DELETE Act applies to data brokers, defined as a business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The definition of “business” is the same as used in the CCPA, which incorporates certain monetary, collection, or sell/share thresholds that make it likely that the DELETE ACT will apply to nearly any data broker that sells or shares California consumers’ personal information. Notably, “direct relationship” is not defined, so data brokers must closely examine their relationship with the consumer. Exemptions apply to the extent the data broker is an entity covered by the Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act (GLBA), or California’s Insurance Information and Privacy Protection Act (IIPPA), and a covered entity, or a business associate of a covered entity, to the extent their processing of personal information is governed under the Health Insurance Portability and Accountability Act (HIPAA).

• Registration with CPPA: Beginning in 2024, data brokers must pay a registration fee to register with the California Privacy Protection Agency (CPPA) on or before January 31^st following each year the business meets the “data broker” definition. Failing to register will subject the data broker to an uncapped administrative fee of $200 for each day registration is not completed, as well as expenses incurred by the CPPA for enforcement of the registration requirement. Previously, data brokers were required to register with the California Attorney General.

• Information Provided at Registration: Also beginning in 2024, certain information must be provided to the CPPA at registration, including:
  • Whether the data broker collects personal information of minors, precise geolocation information, or reproductive healthcare information;
  • Metrics relating to requests received under the CCPA;
  • Whether and to what extent the data broker is regulated by the FCRA, GLBA, IIPPA, or HIPAA; and
  • A link to the data broker’s website describing how consumers can exercise privacy rights under the CCPA. Additionally, the broker’s website must be free of dark pattern tactics.

Registration information will be published on a CPPA-maintained website for review by the public.

• Metrics in Privacy Policy: On or before July 1 following each year the business meets the “data broker” definition, data brokers must compile the number of CCPA privacy requests they received, complied with, or denied during the previous calendar year as well as the median and mean number of days taken to substantively respond to the requests. Data brokers must disclose the compiled metrics in their privacy policy starting in 2024.

• Accessible Deletion Mechanism: By January 1, 2026, the CPPA will establish an accessible deletion mechanism that will allow a consumer to make a single deletion request for all personal information maintained by registered data brokers and their service providers or contractors. Consumers will have the option to exclude specific data brokers when making deletion requests. Authorized agents may make requests on behalf of the consumer. The CPPA may charge a reasonable fee for data brokers to access the deletion mechanism.

• Accessing the Deletion Mechanism: Beginning on August 1, 2026, data brokers must access the deletion mechanism maintained by the CPPA at least once every 45 days.
  • Within 45 days after receiving a deletion request from the deletion mechanism, the data broker must delete all of the requesting consumer’s personal information, refrain from selling or sharing new personal information of the requesting consumer unless the consumer requests otherwise, and direct service providers and contractors to delete all of the requesting consumer’s personal information they maintain.
  • Data brokers must continue to delete the consumer’s personal information every 45 days and refrain from selling or sharing new personal information unless the consumer requests otherwise.
  • If the data broker denies the deletion request because it cannot be verified, it must treat it as a request to opt-out of the sale and sharing of personal information and direct its service providers and contractors to do the same.
  • Data brokers are not required to delete the requesting consumer’s personal information if an exemption applies under the CCPA § 1798.105, § 1798.145, or § 1798.146.
  • Failing to comply with the deletion mechanism requirements subject the data broker to an uncapped administrative fee of $200 for each deletion request for each day the data broker fails to delete information as well as expenses incurred by the CPPA for enforcement of the deletion mechanism requirements.

• Compliance Audits: Beginning January 1, 2028, and every 3 years thereafter, compliance with the DELETE Act must be audited by an independent third party. Data brokers must keep audit reports for at least 6 years and must provide the audit report to the CPPA within 5 days upon request.

California continues to empower consumer control over personal data which, in turn, imposes additional obligations on businesses. Although applicability dates under the DELETE Act vary, proactive data brokers should begin reviewing and updating compliance programs, data inventory, and privacy policies. While the DELETE Act is considered first-of-its-kind, other states are likely to follow suit.

M&S’s experienced attorneys regularly advise on data privacy issues to help businesses comply with applicable federal, state, and global laws. If you have a question on the DELETE Act or other privacy laws, contact us.