Latest Posts
Search for:
In California Privacy Law

The Data Market in California faces another blow as data brokers will be subject to additional obligations under the streamlined deletion mechanism for California consumers

by , , , , , and 3 Mins Read

If you are a data broker or a business that relies on data brokers for targeted advertising, you should be aware that the California Data Broker Law will be significantly changed under the California Delete Act

On October 10, 2023, California Governor, Gavin Newsom, signed Senate Bill 362, referred to as the Delete Act, into law. The Delete Act amends existing data broker laws to subject all data brokers to new registration and disclosure requirements with the California Privacy Protection Agency (“CPPA”), in addition to creating one-stop deletion request mechanisms for consumers. As part of the new bill, data brokers will also be required to adhere to increased transparency requirements regarding precise geolocation data, reproductive health care data and personal data about minors.

Key Provisions

  • By January 1, 2026, the CPPA will establish an accessible deletion mechanism that allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains that consumer’s personal information delete it whether held by the data broker or associated service provider or contractor.
  • Beginning August 1, 2026, data brokers will have 45 days to process all deletion requests and delete all personal information related to the consumer making the request.
  • Beginning August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer’s personal information, data brokers will be required to delete all personal information of the consumer at least once every 45 days, and data brokers will be prohibited from selling or sharing new personal information of the consumer.
  • On or before January 31 following each year in which a business meets the definition of a data broker, data brokers will be required to register with, pay a registration fee to, and provide information to, the CPPA instead of the California Attorney General.
  • On or before July 1 of each year, data brokers will be required to compile and disclose specified information relating to the number of deletion and other requests received and the median and the mean number of days within which the data broker responded to such requests. 
  • Beginning January 1, 2028, and every 3 years thereafter, data brokers will be required to undergo an audit by an independent third party to determine compliance with these provisions and submit an audit report to the CPPA upon the agency’s written request.
  • The bill will also require data brokers to create a page on their website that details how a consumer may exercise their privacy rights.
  • Data brokers that fail to register with the CPPA will be subject to a daily fine of $100 to $200 for each day the company fails to register. Additionally, data brokers that fail to carry out deletion requests may be subject to a daily penalty of $200 per ignored request.

Takeaways

While some of the more substantive regulations are not effective until 2026, businesses should use this time to evaluate whether or not they meet the definition of a data broker. Business that partner with data brokers for marketing or other initiatives might also feel a ripple effect with less effective targeted advertising and reduced data services.

Business should update their data mapping and data classification exercises, updating websites, developing methods to keep track of consumer requests, and working with IT to develop mechanisms to adhere to the new deletion requirements.

Categories:
Tags:
Author

Cynthia is an Intellectual Property Partner in Baker McKenzie's Palo Alto office. She advises clients across a wide range of industries including Technology, Media & Telecoms, Energy, Mining & Infrastructure, Healthcare & Life Sciences, and Industrials, Manufacturing & Transportation. Cynthia has deep experience in complex cross-border, IP, data-driven and digital transactions, creating bespoke agreements in novel technology fields.

Author

Lothar has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto.

Author

Helena practices international commercial law with a focus on assisting and advising technology companies with cross-border transactions, drafting and negotiating commercial agreements, and advising on global data privacy law compliance. Helena also advises software developers, e-commerce companies, and global mobile and web gaming developers on regulatory restrictions, intellectual property, contracting and data privacy.

Author

Mariana Oliver is an associate based in Baker McKenzie's Intellectual Property & Technology Group based in Chicago.

Author

Manisha is an associate in the Data Privacy and Security practice group based in Chicago, advising global organizations on privacy and data security compliance requirements, as well as data security incident response.

Author

Michelle is an associate in Baker McKenzie's International Commercial practice group based in San Francisco.

Author

Jonathan Tam is a partner in the San Francisco office focused on global privacy, advertising, intellectual property, content moderation and consumer protection laws. He is a qualified attorney in Canada and the U.S. passionate about helping clients achieve their commercial objectives while managing legal risks. He is well versed in the legal considerations that apply to many of the world’s cutting-edge technologies, including AI-driven solutions, wearables, connected cars, Web3, DAOs, NFTs, VR/AR, crypto, metaverses and the internet of everything.

Related Posts