On September 14, 2023, the California legislature passed S.B. 362 (“Act”), a bill that would impose new requirements on data brokers and grant residents new rights designed to facilitate control over their personal data. S.B. 362 is now awaiting signature by California Governor Gavin Newsom. The Act aims to close a loophole in the California Consumer Privacy Act (“CCPA”) that allows consumers to request that data brokers delete personal information obtained directly from the consumer, but does not require data brokers to delete personal information obtained from other sources.
The Act would grant California consumers the right to request that data brokers (1) delete and (2) limit the further sale and sharing of consumers’ personal data. In addition, the bill would create new registration, disclosure, recordkeeping, and audit requirements applicable to data brokers. Specifically, the Act would:
- Require data brokers to register with the California Privacy Protection Agency (“CPPA”), pay a fee, and comply with disclosure and recordkeeping obligations;
- Direct the CPPA to create an accessible deletion mechanism that allows consumers to exercise deletion requests simultaneously with regards to multiple data brokers;
- Require data brokers to continue to delete any new information received about the consumer every 45 days;
- Prohibit data brokers that receive a consumer’s deletion request from selling or sharing any new personal information about the consumer, unless the consumer specifically requests doing so;
- Allow authorized agents to assist consumers in submitting deletion requests;
- Require data brokers to undergo independent compliance audits every three years; and
- Authorize penalties and administrative costs for noncompliance.
If enacted, the Act’s provisions would become effective in multiple steps between 2024 and 2028. Note that the Act defines the term “data broker” broadly to include any business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” However, the Act would not extend to entities covered by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, as well as entities covered by the California Insurance Code.
Update: On October 10, 2023, Governor Gavin Newsom signed into law the Delete Act (S.B. 362), making California the first state to grant residents the right to ask all registered data brokers, with one single request, to delete all personal information collected about them, as well as prohibit registered data brokers from selling or sharing their personal information.