California Passes The Delete Act – What Lead Generators and Data Brokers Need to Know

On October 10, 2023, California Governor Gavin Newsom signed the Delete Act (SB 362).  The Act is new legislation that requires businesses that meet the definition of “data broker” to provide detailed disclosures about its practices, register with the state and delete any personal information relating to a California resident upon receiving a verifiable deletion request.

The Act requires the California Privacy Protection Agency to establish a simple deletion mechanism that permits individuals to submit deletion requests that data brokers must adhere to starting August 1, 2026.  Importantly, beginning in 2028 data brokers will be subject to audits intended to demonstrate compliance with the Act.

What Businesses are Covered Under the Act?

The Delete Act defines “data broker” as a business that knowingly collects and sells personal information of a consumer that it does not have a direct relationship with, to third parties.  Excluded are certain entities that may be covered by various federal and state laws relating to data, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, the Confidentiality of Medical Information Act and the California Insurance Information and Privacy Protection Act.

Data brokers must register with the CPPA and pay registration fees, as well as fees for access to the deletion mechanism.

What are the Applicable Registration and Disclosure Requirements?

Data brokers are required to register with the CPPA on or before January 31 for each year that they meet the statutory definition of “data broker.”  In fact, data brokers have been required to register with the California Attorney General’s Office since 2020 – when California’s data broker registration law became effective.

Additionally, the Act obligates the California Privacy Protection Agency to make registration information publicly accessible via its website.

What Information do Data Brokers Have to Disclose?

Pursuant to the statutory registration obligation, data brokers are required to disclose how many rights requests it receives and information regarding deletion.  Data brokers are also required to disclose information that is typically seen in a privacy policy.  For example and without limitation, whether reproductive health data, geolocation data or children’s personal information is collected, and how consumers may exercise their privacy rights under the Act.

Data brokers are not required to honor deletion requests pursuant to the ACT until August 1, 2026,

What are the Monetary Penalties for Failure to Comply?

Data brokers that fail to comply with the registration requirements will be subject to fines of at least $200 per day.  Data brokers could be liable for fees due during the period that it failed to register in addition to costs incurred by the CPPA as a consequence of investigating and enforcing the law “as the court deems appropriate.”

Registered data brokers may be subject to administrative fines of $200 per deletion request for each day required information was not deleted, plus investigation and administration expenses incurred.

Takeaway:  The Act is designed to ensure a single-click mechanism for opt-outs from data broker collection and deletion request response requirements.  It is not unlikely for other states to pass similar bills going forward.  The Act should place lead generators and data brokers on high-alert.  Consult with an experienced FTC compliance attorney if your company purchases or sells consumer data.

Richard B. Newman is an FTC defense attorney at Hinch Newman LLP.  Follow FTC defense lawyer on National Law Review. 

Informational purposes only. Not legal advice. May be considered attorney advertising.

Richard Newman

Richard B. Newman is a nationally recognized FTC advertising compliance, CID investigation and regulatory enforcemetn attorney. He regularly provides advertising counsel and represents clients in high-profile investigations and enforcement proceedings initiated by the Federal Trade Commission, state attorneys general, departments of consumer affairs, and other federal and state agencies with jurisdiction over advertising and marketing practices. Richard is also an ecommerce lawyer and spam defense attorney. His practice additionally focuses upon false advertising defense, data privacy, cybersquatting, intellectual property law and transactional matters relating to the dissemination of national advertising campaigns, including the gamut of affiliate marketing, telemarketing, lead generation, list management and licensing agreements. Richard advises clients on how to minimize the legal risks associated with digital marketing, email marketing, telemarketing, social media influencer campaigns, endorsements and testimonials, negative option marketing models, native advertising, online promotions and comparative advertising,





About This Blog and Hinch Newman’s Advertising + Marketing Practice

Hinch Newman LLP’s advertising and marketing practice includes successfully resolving some of the highest-profile Federal Trade Commission (FTC) and state attorneys general digital advertising and telemarketing investigations and enforcement actions. The firm possesses superior knowledge and deep legal experience in the areas of advertising, marketing, lead generation, promotions, e-commerce, privacy and intellectual property law. Through these advertising and marketing law updates, Hinch Newman provides commentary, news and analysis on issues and trends concerning developments of interest to digital marketers, including FTC and state attorneys general advertising compliance, civil investigative demands (CIDs), and administrative/judicial process. This blog is sponsored by Hinch Newman LLP.

Featured Posts