California's Data Deletion Law: Understanding the California Delete Act for Regulating Data Brokers | Secure Privacy Blog | Secure Privacy Blog

What are the key features of the new privacy law?

The California Delete Act boasts several key features that empower Californians to take control of their personal information held by data brokers:

Centralized Deletion Platform: The Act mandates the creation of a central platform by the California Privacy Protection Agency (CPPA) where Californians can submit a single deletion request that automatically applies to all registered data brokers in the state. This simplifies the process and eliminates the need to contact each broker individually.

Expanded Definition of Data Brokers: The Act broadens the definition of data brokers to encompass companies that collect and sell personal information without a direct relationship with the individual. This includes data aggregators, data resellers, and some online advertising companies.

Mandatory Deletion Requirements: Data brokers are legally obligated to comply with deletion requests within a specific timeframe, typically 45 days. They must also ensure the deleted data is not sold or used in any way.

Increased Transparency and Oversight: Data brokers are required to disclose the types of personal information they collect, how they use it, and with whom they share it. The CPPA also has increased authority to investigate and enforce the Act's provisions.

What are data brokers?

The California Delete Act defines data brokers as businesses that knowingly collect and sell to third parties the personal information of a consumer with whom the business does not have a direct relationship. In other words, they buy and sell data about you that they haven't gathered directly from you.

To qualify as a data broker under the Act, a business must meet these three criteria:

It's a business: That means it operates for profit or gain. Non-profit organizations and government agencies are not considered data brokers under the Act.

It knowingly collects and sells personal information: The business must actively gather and then trade in data about individuals. Data that has been inadvertently collected or not sold wouldn't fall under the Act.

It does this about consumers it doesn't have a direct relationship with: This specifically targets businesses that buy and sell information about people they've never interacted with directly. It excludes businesses that gather and sell data about their own customers or users.

Here are some examples of businesses that might be considered data brokers under the California Delete Act:

Data aggregators: These companies collect information from various sources, like public records, online activity, and California marketing databases, and then sell it to other businesses.

People-search websites: These sites allow users to search for information about other people, often by name or address. They typically purchase this data from data brokers.

Data brokers that specialize in certain types of information: For example, there are data brokers that focus on selling health data, financial data, or marketing data.

Ultimately, whether a specific business qualifies as a data broker under the California Delete Act will depend on its specific activities and how it handles personal information.

Who is covered by the Delete Act?

Under the California Delete Act, two main groups are covered:

California residents: Anyone residing in California, regardless of where they are physically located at the time, has the right to request the deletion of their personal information from data brokers operating in the state.

Individuals physically present in California: Even if not residents of California, individuals physically present within the state's borders at the time their personal information is collected by data brokers operating there, can also request deletion under the Act.

Here are some additional points to consider:

Direct relationship exemption: The Act doesn't apply to data collected by businesses with whom you have a direct relationship like your bank or social media platform.

Minors: The Act provides additional protections for minors under 16, requiring parental or guardian consent for data collection and granting them the right to request immediate deletion of their information.

Employee data: The Act's reach doesn't extend to personal information collected by employers about their employees unless it's subsequently sold or shared with data brokers.

What data can I delete under the Act?

Under the California Delete Act, you have the right to request the deletion of a broad range of personal information from data brokers. This includes:

Identifying information: - Name - Address - Phone number - Email address - Social Security number - Driver's license number - Passport number - Account usernames and passwords

Commercial data: - Purchasing history - Browsing habits - Online identifiers (e.g., IP addresses, cookies, device IDs) - Geolocation data - Search queries - Social media activity - Information about your interests and preferences

Demographic data: - Age - Gender - Race - Ethnicity - Religious beliefs - Sexual orientation - Marital status - Income level - Education level - Occupation

Derived data: - Inferences made about your interests, preferences, or characteristics based on your online activity - Predictions about your behavior - Information about your personality or lifestyle

The centralized platform for submitting deletion requests is not yet operational, but you can still exercise your right to delete by contacting individual data brokers directly. Look for their "Do Not Sell My Info" or "Deletion Request" links on their websites.

Are there any exceptions to the right to delete?

While the California Delete Act empowers Californians to erase a broad range of personal data from data brokers, certain exceptions do exist. These exceptions primarily focus on data that serves essential purposes for security, compliance, or maintaining public records. Here's a summary of the key exceptions:

Public Records: Information that's already publicly accessible through government sources, such as court documents or voter registration rolls, cannot be deleted under the Act.

Internal Operations: Data brokers may retain personal information that's strictly necessary for their internal operations, such as maintaining their own accounts or databases.

Legal Compliance: Data required for fulfilling legal obligations, such as complying with tax laws or government investigations, is exempt from deletion requests.

Fraud Prevention and Security: Information crucial for preventing fraud or ensuring security, such as data used for authentication or detecting security breaches, can be retained by data brokers.

It's important to note that these exceptions are narrowly defined to ensure that data deletion rights remain robust while still allowing for essential data uses. The CPPA is responsible for interpreting and enforcing these exceptions, ensuring that data brokers don't abuse them to circumvent the Act's intent.

How will the centralized deletion mechanism work?

The California Delete Act's centralized deletion mechanism, slated for launch in January 2026, promises a streamlined way for California residents to reclaim their data from the clutches of data brokers. Imagine a secure online portal where you submit a single, verifiable deletion request. This request automatically cascades through the system, notifying every registered data broker holding your information. Data brokers then have 45 days to scrub your data from their records.

Think of it like hitting a giant "delete" button for your digital footprint. Gone are the days of chasing down individual brokers, sifting through confusing privacy policies, and facing endless hoops. This centralized platform removes the burden from you, letting you reclaim your right to privacy efficiently and effectively.

It's important to note that the platform is still under development, and specific details may evolve. But the core concept is clear: one request, one platform, a clean slate. For Californians concerned about their data, the centralized deletion mechanism represents a powerful tool in their privacy arsenal.

What happens if a data broker fails to comply with a data subject request?

Under the California Delete Act, data subjects have recourse if a data broker fails to honor your deletion request within the stipulated 45-day timeframe. Here's how data subjects can seek enforcement of their rights:

File a Complaint with the CPPA: The CPPA is tasked with overseeing the Delete Act's implementation. they can file a formal complaint with the CPPA, detailing the data broker's non-compliance. The CPPA will investigate and take appropriate action, which could include issuing fines or penalties against the non-compliant data broker.

Pursue Private Legal Action: If the CPPA's action is insufficient, they have the right to file a private lawsuit against the data broker in California courts. Successful lawsuits could result in court-ordered compliance, financial damages, and even attorney fee reimbursement.

Remember: It's crucial to document the deletion request and any communication with the data broker. This evidence will strengthen the case if there is a need to escalate the matter to the CPPA or pursue legal action. The Delete Act empowers data subjects to hold data brokers accountable for their handling of their personal information.

What are some limitations of the Act?

While the California Delete Act empowers Californians to reclaim control of their data, it's not a magic wand. Certain limitations exist:

Exempt Data: Certain information like public records, financial data, and data crucial for security purposes are exempt from deletion.

Direct Relationships: The Act doesn't apply to businesses you directly interact with, like your bank or social media platform. You'd need to manage deletion rights with them individually.

Centralized Platform Delay: The one-stop deletion platform won't be operational until 2026. Until then, you'll need to submit individual deletion requests to each data broker.

Verifiable Requests: Requests need to be verifiable, meaning you'll need to prove your identity to data brokers. This can be challenging for some.

Data Brokers' Interpretation: The Act leaves room for interpretation, and how data brokers implement deletion provisions might vary, leading to potential inconsistencies.

How will the Delete Act impact businesses?

Data brokers will need to adapt their practices to comply with the Act's requirements. If you operate in California, the Delete Act will undoubtedly impact your business. Prepare for changes like:

Data deletion compliance: You'll need to integrate with the centralized deletion platform by January 2026, allowing Californians to request deletion from all data brokers in one go.

Expanded deletion scope: Be ready to delete a broader range of personal data, including commercially collected information and inferred characteristics, beyond just basic identifiers.

Increased transparency: Expect heightened scrutiny of your data practices. You'll need to disclose data categories collected and usage purposes clearly.

Potential compliance costs: Implementing deletion systems, verifying requests, and potential audits may incur costs.

Shift in data-driven operations: You might need to adjust your business model to rely less on personal data for targeted advertising or personalization.

How will the Delete Act be enforced?

California's Delete Act empowers the CPPA to enforce data broker registration and compliance. This means stricter penalties: USD 200 daily fines for non-registration and unfulfilled deletion requests. This shift signals a new era for data privacy, empowering Californians to control their information and incentivizing responsible data practices from brokers. The CPPA, with its sharper teeth, aims to safeguard personal information and build a future of data respect and protection for Californians.

Will the Delete Act inspire similar legislation in other states?

The California Delete Act has the potential to spark a wildfire of similar legislation across the United States. Its innovative centralized deletion platform, combined with expansive data deletion rights and strict enforcement, offers a compelling model for other states seeking to empower their citizens with greater control over their personal information. The Act's impact could be amplified by the growing public awareness of data privacy issues and the increasing pressure on businesses to handle personal data responsibly.

Already, states like Virginia and Colorado have passed their own data privacy laws, drawing inspiration from California's CCPA and CPRA. While the full impact of the Delete Act remains to be seen, its groundbreaking approach to data broker oversight and individual control could well inspire a wave of similar legislation across the country, reshaping the landscape of data privacy in the US.

When does the Delete Act go into effect?

While the California Delete Act officially became law in October 2023, its key features take effect in stages.

By January 1, 2024, the data broker registry shifted to the CPPA's control, ensuring centralized oversight. However, the much-anticipated "one-stop-shop" deletion platform won't be operational until January 1, 2026. Data brokers must start using the mechanism by August 1, 2026. Beginning January 1, 2028, the Delete Act requires data brokers to submit to an audit conducted by an independent third party once every three years to assess the data broker’s compliance.

Until then, Californians can still exercise their deletion rights directly with individual data brokers.

While aspects of the Act are already active, the full "deletion revolution" kicks in with the launch of the centralized platform in 2026. Mark your calendars!

California's Data Deletion Law: Understanding the California Delete Act for Regulating Data Brokers

What is the California Delete Act?

Continue Reading

CCPA vs. GDPR: What Businesses Need to Know

HIPAA Privacy Policy: Essential Website Compliance for Healthcare Organizations

Iowa Consumer Data Protection Act (ICDPA): Comprehensive Data Privacy Law Overview for Iowa Businesses