The California Delete Act (SB 362) is a state law that provides a one-stop shop deletion mechanism for consumers to direct data brokers to delete their personal information.[1][2][3][4][5][6] The law requires data brokers to register with the California Privacy Protection Agency annually beginning January 2024, process deletion requests submitted through the deletion mechanism beginning August 2026, and undergo an independent audit every three years beginning January 2028.[7][8][9][10][11][12] It was the first law of its kind to be passed in the United States.[13]
California Delete Act | |
---|---|
California State Legislature | |
Full name | California Delete Act |
Introduced | February 8, 2023 |
Signed into law | October 10, 2023 |
Governor | Gavin Newsom |
Code | California Civil Code |
Section | 1798.99 |
Resolution | SB-362 (2023–2024 Session) |
Website | Senate Bill No. 362 |
Status: Current legislation |
The bill has some exceptions, and allows consumers to exclude specific data brokers from the deletion request.[14] It uses the same definition of data brokers as in the California Consumer Privacy Act, applying to companies which made more than $25 million in revenue the previous year, and which “annually buy, sell, or share the personal information of 100,000 or more consumers or households.” that make more than 50% of their annual revenue from the sale of personal information.[6] Once the request is made, data brokers are required to delete all personal information of the consumer every 45 days, and are banned from sharing or selling new personal information acquired about them.[14] Deletion requests denied because of the data brokers' inability to verify them are required to be processed as opt-outs for the sale and sharing of the consumer's personal information.[14]
History
editWhile the California Consumer Privacy Act of 2018 allows consumers to request that individual businesses delete their data,[15] it is difficult and time-consuming to use, and fully erasing your digital footprint requires contacting potentially hundreds of companies.[16] The bill, written by Sen. Josh Becker and introduced on 8 February 2023,[17] was intended to simplify the process and make it practical to use.[16][14] It followed some other failed attempts by governments to regulate data brokers, including a failed federal bill in 2022 to allow consumers to delete data in one-stop shop, and a 2022 California act that would have required registered data brokers to disclose more information to the state.[16] The bill was passed in the context of long-held calls by civil liberties and privacy advocates for heavier regulation the industry, citing concerns about the lack of transparency in the sharing of consumer data and of the use of the data by law enforcement without a need for subpoenas or warrants.[4]
Supporters raised concerns about threats to abortion seekers, undocumented immigrants, and activists; opponents to the bill raised concerns about harms to ad businesses, and the use of the data by law enforcement, academics, and nonprofits in collecting donations.[16] The concept of one-stop deletion of data faces heavy opposition by business groups,[16] and the bill faced heavy lobbying from them in opposition.[14] The Consumer Data Industry Association, a trade association for credit bureaus and background-checking companies, claimed that the bill could undermine consumer fraud protections.[14] The Association of National Advertisers claimed that small businesses and nonprofits would have difficulty finding customers and donors because of purported harm to advertising.[18]
Becker eventually made amendments to the bill increasing the time between which companies are required to delete consumer's personal data from the original 30 days to 45 days.[14] It was signed by California governor Gavin Newsom on October 10, 2023.[6] Data brokers began registering annually on January 31, 2024.[12] Proposed regulations related to the bill were released by the California Privacy Protection Agency on July 5, 2024, and public comments were considered until August 20, 2024.[19] Data brokers will be required to begin responding to requests for deletion on August 1, 2026, and begin undergoing audits every three years starting January 1, 2028.[12] Beginning January 1, 2029, they must disclose to the California Privacy Protection Agency whether they have undergone an audit and the most recent year in which they submitted a report from the audit to the agency.[12]
See also
editReferences
edit- ^ "Bill Text - SB-362 Data broker registration: accessible deletion mechanism". California Legislative Information. 2023-10-12. Retrieved 2024-06-04.
- ^ "CPPA Applauds Governor Newsom for Approving the California Delete Act". California Privacy Protection Agency. 2023-10-11. Retrieved 2024-06-04.
- ^ Wong, Queenie (2023-10-10). "Newsom signs bill that would make it easier to delete online personal data". Los Angeles Times. Retrieved 2024-06-04.
- ^ a b Bhuiyan, Johana (2023-10-10). "Californians can scrub personal info sold to advertisers with first-in-US law". The Guardian. ISSN 0261-3077. Retrieved 2024-06-04.
- ^ Hamilton, David (2023-09-15). "California's Delete Act: What you need to know". Fortune. Retrieved 2024-06-04.
- ^ a b c Davis, Wes (2023-10-11). "California's Delete Act lets consumers make one request to delete personal data". The Verge. Retrieved 2024-06-04.
- ^ Bracy, Jedidiah (2023-10-11). "California governor signs Delete Act into law". International Association of Privacy Professionals. Retrieved 2024-06-04.
- ^ Flores, Sergio; Pasillas, Cinthia (2023-10-12). "A new state law is giving you more power over your online personal data". NBC 7 San Diego. Retrieved 2024-06-04.
- ^ "California Enacts the Delete Act". Morgan Lewis. 2023-11-20. Retrieved 2024-06-04.
- ^ "California's Data Deletion Law Imposes a Host of New Obligations on Data Brokers". Skadden. 2023-12-14. Retrieved 2024-06-04.
- ^ "California's Delete Act – Key Takeaways for Data Brokers". Cooley. 2023-10-16. Retrieved 2024-06-04.
- ^ a b c d "Information for Data Brokers". California Privacy Protection Agency. Retrieved 2024-06-04.
- ^ Tedford, Owen. "California's New Data Broker Law Could Be The First Of Many". Forbes. Retrieved 2024-09-03.
- ^ a b c d e f g Wong, Queenie (2023-09-15). "California lawmakers pass bill to make it easier to delete online personal data". Los Angeles Times. Retrieved 2024-08-08.
- ^ "California Consumer Privacy Act (CCPA)". State of California - Department of Justice - Office of the Attorney General. 2018-10-15. Retrieved 2024-08-08.
- ^ a b c d e Wong, Queenie (2023-08-29). "California could make it easier to scrub your personal data from the web. Businesses are pushing back". Los Angeles Times. Retrieved 2024-08-08.
- ^ "Bill History - SB-362 Data broker registration: accessible deletion mechanism". California Legislative Information. State of California. Retrieved 2024-08-08.
- ^ "California governor signs Delete Act into law". International Association of Privacy Professionals. 11 October 2023. Retrieved 2024-08-08.
- ^ "CPPA Releases Notice of Proposed Regulatory Action for Data Broker Registration". California Privacy Protection Agency. 2024-04-24. Retrieved 2024-09-03.