If you are a data broker or a business that relies on data brokers for targeted advertising, you should be aware that the California Data Broker Law may be significantly changed under a proposed bill. Under Senate Bill 362, the California Privacy Protection Agency (CPPA) would be required to set up, by January 1, 2026, an accessible deletion mechanism where consumers could request deletion via the CPPA that all data brokers then have to honor. Data brokers would have to check the CPPA mechanism to process all deletion requests every 31 days, as well as delete personal information about every California resident who ever made a request through the mechanism every 31 days.
Should the bill pass, it could profoundly impact how data brokers handle personal information, and subsequently impact the businesses that partner with data brokers for targeted advertising.
Where we are right now
Currently, data brokers seem to remain a foot away from the fire: California Civil Code § 1798.99.80, et seq., just require data brokers to register with the Attorney General and pay an annual registration fee. In registering with the Attorney General, data brokers are required to provide its name, primary physical, email, and internet website addresses.
What Senate Bill 362 is proposing
Senate Bill 362 would add additional obligations by introducing a single “accessible deletion mechanism,” provided online by the CPPA. Consumers would be able to use such mechanism to request that every data broker that maintains any personal information about the consumer delete such personal information held by the data brokers or associated service providers or contractors. The data brokers would be required to process deletion requests that are made through the CPPA mechanism within 31 days of receiving them, and beginning July 1, 2026, continuously delete the personal information of the requesting consumer and not sell or share new personal information of the consumer. Data brokers would also be required to direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the requesting consumer. This means that California consumers would be able to request deletion of any and all personal information maintained by different data brokers with just a single deletion request.
The bill would also require data brokers to provide additional information to the CPPA when registering as data brokers, including to specify whether they collect the personal information of minors, consumers’ precise geolocation, and consumers’ reproductive health care data. Data brokers would also be required to maintain a website free of dark patterns that details how consumers may exercise their privacy rights. Beginning January 1, 2028, and every 3 years thereafter, data brokers would be required to submit an audit report to the CPPA upon the CPPA’s written request.
Senate Bill 362 would also replace the Attorney General with the CPPA as the authority tasked with enforcing the Data Broker Law. The CPPA is the same agency that implements and, together with the California Attorney General, enforces the CCPA.
What this means
Should California consumers extensively use this deletion mechanism, this could reduce the size of a data broker’s database. Partnering businesses that rely heavily on data brokers for their marketing initiatives might feel a ripple effect with less effective targeted advertising.
Looking forward
Should Senate Bill 362 become law, data monetization in California faces another blow as data brokers would be subject to additional obligations under the streamlined deletion mechanism for California consumers. The extent of consumer engagement with the mechanism will play a determining role in the impact of the bill.
