With the Delete Act, California continues to go after how companies use consumer data. Here’s a concise summary of the key provisions and implications:

1. Mandatory Registration: The Delete Act mandates that all data brokers register with the California Privacy Protection Agency (CPPA). It broadens the definition of data brokers to encompass businesses that knowingly collect and sell personal information to third parties without a direct consumer relationship, closing a perceived loophole.

2. One-Stop Deletion Mechanism: By January 1, 2026, the CPPA must establish an online “one-stop” deletion mechanism, enabling consumers to submit a single verifiable request for data deletion, with the option to exclude specific data brokers. Data brokers are required to access this mechanism starting August 1, 2026.

3. Ongoing Compliance: Data brokers must regularly review and process deletion requests through the mechanism every 45 days, starting August 1, 2026. They need to establish monitoring protocols and may be charged a reasonable fee for accessing the deletion mechanism.

4. Disclosure Requirements: Data brokers must disclose detailed information when registering with the CPPA, including metrics on processing consumer privacy requests, data collection specifics (e.g., minors’ data, geolocation, reproductive healthcare), and transparency regarding regulatory oversight.

5. Reporting and Audits: Data brokers must provide annual reports on CCPA requests, including denials. Starting January 1, 2028, they must undergo third-party audits every three years. Compliance records must be maintained for at least six years.

6. Continuing Duty to Delete: Data brokers must continue deleting personal information collected from consumers at least once every 45 days unless otherwise requested.

7. Penalties for Non-Compliance: Non-compliance may result in daily administrative fines, reimbursement of unpaid fees to the CPPA, and expenses related to investigations. However, a five-year statute of limitations applies, and there’s no provision for private lawsuits.

The Delete Act’s comprehensive regulations extend beyond existing U.S. data privacy laws and will necessitate proactive compliance efforts from covered organizations. It will be interesting to see what happens next — will there be gray areas where it isn’t clear whether a company is a data broker? Can this be manipulated by fraudsters to “try out” various stolen identities — and then have them erased? What will be the unintended consequences?
