How will California’s new Delete Act impact consumer data protection?

California is once again setting the standard in state-level data privacy legislation - this time with the Delete Act. Signed into law by Governor Gavin Newsom in October 2023, this law enhances consumer data rights and aims to rein in the data broker industry.


Bridging the privacy gap

Before the Delete Act, Californians had a good amount of control over their data through the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). However, these laws required consumers to submit deletion requests to each business individually for their data to be deleted. This left significant regulatory gaps, particularly concerning data brokers—companies that collect and sell personal information without a direct relationship with the consumer.

There has been heightened scrutiny of data brokers in recent years, especially following high-profile cases and data breaches. The Cambridge Analytica scandal, which exposed the misuse of data from millions of Facebook users during the 2016 US election, underscored the urgent need for tighter data controls and consumer protections. More recently, the FTC took action against data brokers like Outlogic in 2024 and Kochava in 2022 for health data breaches, further exposing the vulnerabilities and ethical issues in the data industry.

To address these issues, the Delete Act introduces several key provisions aimed at strengthening consumer privacy and regulating data brokers more effectively.


What does data compliance under the Delete Act look like?

Under the Act, consumers can request the deletion of various types of personal data, including identifying information, commercial data, demographic data, and derived data. A few exceptions apply, including data that cannot be deleted for security, compliance, or public records purposes. However, these exceptions are narrowly defined to preserve the strength of data protection.

Other key provisions include:

  • Transfer of regulatory authority: the regulatory authority for data brokers is transferred from the California Attorney General to the California Privacy Protection Agency (CPPA). Data brokers must register with the CPPA and disclose expanded information in their annual registrations, including metrics related to deletion requests and compliance.

  • Centralized deletion mechanism: by January 1, 2026, the CPPA will create an "accessible deletion mechanism" that allows consumers to delete their personal information from all registered data brokers with a single request. Starting August 1, 2026, data brokers must process deletion requests through this mechanism every 45 days.

  • Registration and disclosure requirements: data brokers must provide more detailed information in their annual registrations, including metrics on deletion requests; whether they collect information from minors, precise geolocation data, or reproductive health information; and a clear outline of how consumers can exercise their rights.

  • Audit requirements: beginning January 1, 2028, data brokers must undergo independent audits every three years to ensure compliance with the Delete Act. The audit results must be maintained for six years and disclosed upon request.

  • Penalties for non-compliance: the Act imposes significant fines for non-compliance, including a $200 per day fine for failing to register with the CPPA and for each failure to delete a California consumer's personal information as requested.


Data privacy impact on consumers

For consumers, the Delete Act is a powerful tool in reclaiming their digital privacy. It allows Californians to easily erase a wide range of personal information, from names and addresses to browsing histories and geolocation data. 

Senator Josh Becker, who championed the Delete Act, stated:

“The time of uncontrolled gambling with our personal information is almost over. Data brokers currently have the ability to use data on reproductive healthcare, geolocation, and purchasing data to sell it to the highest bidder, and the DELETE Act would protect our most sensitive information.”

The Act not only simplifies the process but also provides a free, user-friendly platform to manage data privacy proactively. This is crucial in an era where personal data is often commoditized without consumers' knowledge or consent.


How can businesses comply with the Delete Act?

While the Delete Act significantly benefits consumers, it imposes new challenges for businesses. Data brokers must adapt to meet the stringent compliance requirements, including integrating with the centralized deletion platform and undergoing regular audits. These changes might entail substantial operational adjustments and costs.

In practice, this law is not about eradicating the data broker industry but rather regulating it to ensure responsible data handling practices. By holding data brokers accountable and ensuring transparency, the Delete Act encourages a more privacy-focused business environment, which could help rebuild consumer trust in an industry often criticized for its opaque practices.

Data brokers should take immediate steps to comply with the Delete Act, including:

  • Register with the CPPA by January 31, 2024,

  • Develop systems to handle centralized deletion requests in preparation for 2026, and

  • Establish processes to ensure compliance and prepare for regular audits starting in 2028.

These measures are crucial for fostering a privacy-focused business environment and could also inspire similar legislation in other states. 


The California Delete Act represents a significant leap forward in data privacy - it simplifies the process for consumers to have control over their data and begins to regulate a previously neglected sector. As we move towards a more privacy-conscious future, the Delete Act stands as a testament to California’s ongoing commitment to protecting its residents’ personal information. Businesses must be aware of the requirements and prepare accordingly to ensure compliance and foster a more transparent and trustworthy industry.


To streamline your compliance efforts today, try Secure Redact.
