U.S. Privacy and Data Protection | Insights | May 2024 (State Law)

U.S. Privacy and Data Protection | Insights | May 2024 (State Law)

The California Privacy Protection Agency board recently gathered to revise draft regulations to implement parts of the state's new data broker law, the Delete Act of 2023, which was signed into law last October by California Gov. Gavin Newsom.

What is the Delete Act and How Does it Impact My Business?

Under existing law, data brokers are already required to register in California. Hundreds of companies in California have been listed as data brokers in California’s data broker registry.

Beginning January 1, 2026, the Delete Act will also require the California Privacy Protection Agency (CPPA) to “establish a centralized system to allow individuals to request the simultaneous deletion of their personal information across all data brokers, and for other purposes.”¹

There will also be new audit and disclosure requirements for data brokers to ensure their practices remain compliant.

In particular, every three years, the Delete Act will require data brokers to undergo an independent audit to verify they are remaining compliant with the Act.

Further, the Delete Act requires data brokers to register annually with the CCPA and to disclose the following information:

• Their name and primary physical, email and website addresses.
• Metrics regarding the number of consumer and Delete Act requests.
• Whether they collect certain information e.g., about minors or precise geolocation.
• A link to a webpage that explains how consumers may exercise consumer rights.
• To what extent they are regulated by other laws, e.g., the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and specific California privacy laws.
• When applicable, certain audit information.

How Do the Recent Draft Regulations Affect the Delete Act?

The draft regulations aim to expand definitions in the Delete Act by having data brokers register with the CCPA if they sell data of consumers that they did not directly collect from a consumer, even if they have a direct relationship with a consumer. This shows increased regulator attention to data privacy rights and mandates upon businesses collecting, using, selling, and sharing consumer data, especially by “data brokers.”

Penalties for Non-Compliance

Failure to comply with the Delete Act could result in receiving significant fines. For example, data brokers who fail to register with the CCPA are subject to administrative fines including fines per day of a violation, such as a failure to register or failure to honor a deletion request.

How Can Kronenberger Rosenfeld Help Your Business?

Kronenberger Rosenfeld, LLP regularly advises clients regarding privacy compliance and defends enforcement actions relating to privacy and advertising issues by staying up to date with the latest laws. Contact our firm using our online case submission form here.