California Passes The Delete Act – What Lead Generators and Data Brokers Need to Know
On October 10, 2023, California Governor Gavin Newsom signed the Delete Act (SB 362). The Act is new legislation that requires businesses that meet the definition of “data broker” to provide detailed disclosures about its practices, register with the state and delete any personal information relating to a California resident upon receiving a verifiable deletion request.
The Act requires the California Privacy Protection Agency to establish a simple deletion mechanism that permits individuals to submit deletion requests that data brokers must adhere to starting August 1, 2026. Importantly, beginning in 2028 data brokers will be subject to audits intended to demonstrate compliance with the Act.
What Businesses are Covered Under the Act?
The Delete Act defines “data broker” as a business that knowingly collects and sells personal information of a consumer that it does not have a direct relationship with, to third parties. Excluded are certain entities that may be covered by various federal and state laws relating to data, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, the Confidentiality of Medical Information Act and the California Insurance Information and Privacy Protection Act.
Data brokers must register with the CPPA and pay registration fees, as well as fees for access to the deletion mechanism.
What are the Applicable Registration and Disclosure Requirements?
Data brokers are required to register with the CPPA on or before January 31 for each year that they meet the statutory definition of “data broker.” In fact, data brokers have been required to register with the California Attorney General’s Office since 2020 – when California’s data broker registration law became effective.
Additionally, the Act obligates the California Privacy Protection Agency to make registration information publicly accessible via its website.
What Information do Data Brokers Have to Disclose?
Data brokers are not required to honor deletion requests pursuant to the ACT until August 1, 2026,
What are the Monetary Penalties for Failure to Comply?
Data brokers that fail to comply with the registration requirements will be subject to fines of at least $200 per day. Data brokers could be liable for fees due during the period that it failed to register in addition to costs incurred by the CPPA as a consequence of investigating and enforcing the law “as the court deems appropriate.”
Registered data brokers may be subject to administrative fines of $200 per deletion request for each day required information was not deleted, plus investigation and administration expenses incurred.
Takeaway: The Act is designed to ensure a single-click mechanism for opt-outs from data broker collection and deletion request response requirements. It is not unlikely for other states to pass similar bills going forward. The Act should place lead generators and data brokers on high-alert. Consult with an experienced FTC compliance attorney if your company purchases or sells consumer data.
Informational purposes only. Not legal advice. May be considered attorney advertising.
About This Blog and Hinch Newman’s Advertising + Marketing Practice
Hinch Newman LLP’s advertising and marketing practice includes successfully resolving some of the highest-profile Federal Trade Commission (FTC) and state attorneys general digital advertising and telemarketing investigations and enforcement actions. The firm possesses superior knowledge and deep legal experience in the areas of advertising, marketing, lead generation, promotions, e-commerce, privacy and intellectual property law. Through these advertising and marketing law updates, Hinch Newman provides commentary, news and analysis on issues and trends concerning developments of interest to digital marketers, including FTC and state attorneys general advertising compliance, civil investigative demands (CIDs), and administrative/judicial process. This blog is sponsored by Hinch Newman LLP.