California Passes The Delete Act – What Lead Generators and Data Brokers Need to Know

On October 10, 2023, California Governor Gavin Newsom signed the Delete Act (SB 362).  The Act is new legislation that requires businesses that meet the definition of “data broker” to provide detailed disclosures about its practices, register with the state and delete any personal information relating to a California resident upon receiving a verifiable deletion request.

The Act requires the California Privacy Protection Agency to establish a simple deletion mechanism that permits individuals to submit deletion requests that data brokers must adhere to starting August 1, 2026.  Importantly, beginning in 2028 data brokers will be subject to audits intended to demonstrate compliance with the Act.

What Businesses are Covered Under the Act?

The Delete Act defines “data broker” as a business that knowingly collects and sells personal information of a consumer that it does not have a direct relationship with, to third parties.  Excluded are certain entities that may be covered by various federal and state laws relating to data, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, the Confidentiality of Medical Information Act and the California Insurance Information and Privacy Protection Act.

Data brokers must register with the CPPA and pay registration fees, as well as fees for access to the deletion mechanism.

What are the Applicable Registration and Disclosure Requirements?

Data brokers are required to register with the CPPA on or before January 31 for each year that they meet the statutory definition of “data broker.”  In fact, data brokers have been required to register with the California Attorney General’s Office since 2020 – when California’s data broker registration law became effective.

Additionally, the Act obligates the California Privacy Protection Agency to make registration information publicly accessible via its website.

What Information do Data Brokers Have to Disclose?

Pursuant to the statutory registration obligation, data brokers are required to disclose how many rights requests it receives and information regarding deletion.  Data brokers are also required to disclose information that is typically seen in a privacy policy.  For example and without limitation, whether reproductive health data, geolocation data or children’s personal information is collected, and how consumers may exercise their privacy rights under the Act.

Data brokers are not required to honor deletion requests pursuant to the ACT until August 1, 2026,

What are the Monetary Penalties for Failure to Comply?

Data brokers that fail to comply with the registration requirements will be subject to fines of at least $200 per day.  Data brokers could be liable for fees due during the period that it failed to register in addition to costs incurred by the CPPA as a consequence of investigating and enforcing the law “as the court deems appropriate.”

Registered data brokers may be subject to administrative fines of $200 per deletion request for each day required information was not deleted, plus investigation and administration expenses incurred.

Takeaway:  The Act is designed to ensure a single-click mechanism for opt-outs from data broker collection and deletion request response requirements.  It is not unlikely for other states to pass similar bills going forward.  The Act should place lead generators and data brokers on high-alert.  Consult with an experienced FTC compliance attorney if your company purchases or sells consumer data.

Richard B. Newman is an FTC defense attorney at Hinch Newman LLP.  Follow FTC defense lawyer on National Law Review. 

Informational purposes only. Not legal advice. May be considered attorney advertising.