CA ‘Delete Act’ and Inadvertent Brokers: 5 Key Takeaways
This blog was originally published here and has since been updated to include further observations.
On February 9, 2024, I had the pleasure of participating in a panel at the California Lawyers Association (CLA) Privacy Summit with Delete Act Author Tom Kemp and Lothar Determan from Baker McKenzie to discuss CA SB 362, aka the ‘Delete Act’.
As I cover in my earlier blog, the law as written suffers from a number of loopholes that undermine its meaningful application. In discussing these issues with my co-panelists it is increasingly clear to me that a rulemaking process, if not legislative amendments, is needed to make compliance feasible – in particular for the inadvertent, digital-only 'data brokers' the law's broad definition creates.
Here are 5 key takeaways from my presentation.
1. Your company may be a data broker and not even know it.
For companies that qualify as a CA ‘business’, it is important to note that, unlike other state laws, there is no ‘minimum sales threshold’ in the definition of a California ‘data broker’. Any entity that collects and/or sells data to third parties where the collector does not have a ‘direct relationship’ with the individual is potentially in scope.
With the first set of CCPA/CPRA regulations now in effect, it is imperative that any commercial agreements that include data licensing explicitly state whether the licensing is occurring with specific written instructions by the licensee as part of a ‘service provider’ agreement. Where service provider language is not included, the disclosure of data may by default be deemed a ‘sale’ or ‘share’, and (if the company is a ‘business’) the company may be deemed a ‘data broker’. If the data licensing is passed through by an intermediary, such as an ad agency, with no transparency or specific contractual terms addressing the intermediary’s legal status, then the intermediary could easily be swept up in the definition of a data broker.
Bottom line: If you’re an intermediary handling any type of data licensing (of CA consumers), be very careful and get well-informed counsel to review any such agreements.
2. If your business is within the definitional scope of being a data broker, then it could currently be out of compliance with the Delete Act and fined $200 each day until it is registered.
Delete Act registration compliance has been in effect since January 31, 2024, with well-defined statutory penalties for ‘mistaken’ data brokers (i.e., $3,000 as of this posting).
This means that if a business determines, even by mistake, that it is not a data broker, it may still be liable for statutory penalties for all the days it missed registration. There is no 'oops' clause in the Delete Act.
In addition, the new registration requirements are also in effect for data brokers to disclose further details to the CPPA during their registration. Notably, these include the categories of certain ‘sensitive’ data processing activities, such as sales of precise geolocation information.
See below for a full timeline of requirements.
3. The law should instead be entitled ‘The Suppression Act’.
Section 1798.99.86.(c)(1)(B) states “In cases where a data broker denies a consumer request to delete under this title because the request cannot be verified, [the data broker must] process the request as an opt-out of the sale or sharing of the consumer’s personal information”.
This language implies that most data brokers will need to build a massive suppression file from the CA ‘deletion mechanism’, as this requirement could include providers of hashed emails or phone numbers, postal addresses with mistyped or other erroneous information, or any digital identifiers that could be associated with any of the individual’s non-verifiable information (e.g., MAIDs associated with limited customer data). My interpretation is that the Delete Act will require companies engaged in ‘onboarding’ email addresses for addressable advertising to also ‘onboard’ this suppression list in order to apply it to their entire database of (CA) audiences.
Additionally, the law requires data brokers to direct all ‘service providers or contractors’ to also delete such information ((C) of the same section), and if the deletion request is denied because the request cannot be verified, the service providers or contractors must process the CA list as a suppression file instead ((D) of the same section). Given the difficulties of verification, especially with pseudonymized information, this provision is more likely to result in companies and their service providers and contractors processing requests as suppressions rather than deletions.
In an ironic twist of events, the data broker community and their vendors/contractors are more likely to add large volumes of CA consumer data to their databases for suppression rather than delete it entirely from their databases.
Bottom line: Data brokers that do not comply with the deletion mechanism are subject to a fine of two hundred dollars ($200) per deletion request per day if the data broker fails to delete information plus reasonable expenses incurred by the CPPA in the investigation and administration of the action. For the avoidance of doubt, effective suppression management, including through data collaboration technologies, will be critical.
4. The vast majority of data brokers will be unaffected by California’s 2026 ‘deletion mechanism’.
Of the five (5) common types of data brokers, only two will be seriously impacted by this upcoming deletion mechanism. The other three (3) types will be impacted by the law's suppression management requirement.
The two impacted participants will be (i) people search companies, such as ‘whitepages’ type companies, and (ii) ‘primary source compilers’ such as credit bureaus with marketing divisions. While they may be exempt from certain aspects of compliance with their FCRA-related data licensing operations, it is clear they will have to sync with the deletion mechanism and apply the results to their non-FCRA or other non-exempt business models.
However, the vast majority of data broker activities are carried out by three (3) other types of entities: (iii) digital-only data intermediaries who often only receive ‘pseudonymous’ information (which will not be ‘reverse engineered’ to comply), (iv) secondary licensees of data from other data brokers who do not store the data in any persistent manner where a deletion is applicable, and (v) inadvertent intermediaries who may not consider themselves to be data brokers, such as ad agencies or marketplace providers.
For example: Is Snowflake now a data broker simply because they operate a ‘data marketplace’ where they make available sample files? Would Snowflake be required to synchronize with the CA deletion mechanism on behalf of all of its data licensors?
As discussed in #3 above, the law only specifies if the data broker can sync with a suppression file. We can assume that it would not be technically feasible for digital-native data brokers to honor such lists without some interoperable, hash-based protocol.
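As an added illustration of the delete-versus-suppress split described in #3 and the hash-based matching #4 alludes to (example code, not from the original post or from any regulator): the identifier normalisation, the SHA-256 match key and the phone-number convention are assumptions, since the law prescribes no format; the 45-day interval comes from the timeline below.

```python
import hashlib
from datetime import date, timedelta

SYNC_INTERVAL = timedelta(days=45)  # the deletion mechanism must be accessed every 45 days

def normalize(kind: str, value: str) -> str:
    """Canonicalise an identifier so trivially different spellings hash to the same key."""
    if kind == "email":
        return value.strip().lower()
    if kind == "phone":
        digits = "".join(ch for ch in value if ch.isdigit())
        # Assumption: US numbers; prepend the country code when it is missing
        return digits if len(digits) == 11 else "1" + digits
    raise ValueError(f"unsupported identifier kind: {kind}")

def fingerprint(kind: str, value: str) -> str:
    """Assumed interoperable match key: SHA-256 over the normalised identifier (not a statutory format)."""
    return hashlib.sha256(f"{kind}:{normalize(kind, value)}".encode()).hexdigest()

def build_records(identifiers):
    """Constructed broker database keyed by fingerprint, with a do-not-sell flag per record."""
    return {fingerprint(k, v): {"kind": k, "value": v, "do_not_sell": False} for k, v in identifiers}

def process_requests(requests, records):
    """Apply one batch pulled from the deletion mechanism to a broker's records (mutates records).
    requests: (kind, value, verified) tuples. Returns (deleted, suppressed, suppression_file)."""
    delete_keys = {fingerprint(k, v) for k, v, ok in requests if ok}
    # 1798.99.86(c)(1)(B): a request that cannot be verified is processed as an opt-out, not a deletion
    suppress_keys = {fingerprint(k, v) for k, v, ok in requests if not ok} - delete_keys
    deleted = sum(1 for key in delete_keys if records.pop(key, None) is not None)
    suppressed = 0
    for key in suppress_keys.intersection(records):
        records[key]["do_not_sell"] = True  # record is retained but must not be sold or shared
        suppressed += 1
    # The hashed suppression file is what service providers/contractors receive ((D) of the same
    # section); it keeps keys this broker never held, so downstream parties can still match them.
    return deleted, suppressed, sorted(suppress_keys)

def next_sync_deadline(last_sync: date) -> date:
    """Latest date by which the mechanism must be accessed again."""
    return last_sync + SYNC_INTERVAL

# Constructed sample data (no real consumers)
SAMPLE_DB = [("email", "alice@example.com"), ("email", "bob@example.com"), ("phone", "+1 (415) 555-0100")]
SAMPLE_REQUESTS = [
    ("email", " Alice@Example.COM ", True),  # verified: delete
    ("email", "bob@example.com", False),     # unverifiable: suppress
    ("phone", "415-555-0100", False),        # unverifiable, differently formatted: still matches
    ("email", "carol@example.com", False),   # unknown to this broker: kept in the suppression file
]

if __name__ == "__main__":
    db = build_records(SAMPLE_DB)
    print(process_requests(SAMPLE_REQUESTS, db), next_sync_deadline(date(2026, 8, 1)))
```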
5. Regulations should be forthcoming.
The Delete Act grants the CPPA the right, but not the requirement, to issue regulations regarding compliance. With so many potential interpretations of the law, and likely unconstitutional provisions surrounding the creation of the deletion mechanism, the CPPA should be issuing regulations that narrowly tailor compliance obligations to present minimum restrictions on interstate commerce.
The potential Delete Act regulations should also synthesize with the CCPA/CPRA regulations around the contractual requirements necessary to remove ‘inadvertent’ intermediaries from their compliance obligations. Further, such regulations should clarify third party agent roles with current CCPA/CPRA data subject deletion requests to obviate the need for data brokers to respond to any such third party agent requests following the deletion mechanism implementation.
While the CPPA is deliberating this issue, the CA legislature has already begun considering potential amendments to the Delete Act, such as SB 1076, recently introduced by CA State Senator Wilk.
CA Delete Act (SB 362) Detailed Timeline:
January 31, 2024 (and January 31 of each subsequent year), data brokers must register with the CPPA;
July 1, 2024 (and July 1 of each subsequent year), data brokers must disclose certain privacy request metrics in their consumer-facing privacy policy, namely:
- the number of requests received in the previous calendar year;
- the median number of days it took for the data broker to respond;
- the mean number of days it took for the data broker to respond;
- the number of requests that the data broker denied in whole or in part because of any of the following:
  - The request was not verifiable.
  - The request was not made by a consumer.
  - The request called for information exempt from deletion.
  - The request was denied on other grounds.
January 1, 2026, the CPPA shall establish an accessible deletion mechanism;
August 1, 2026, data brokers must honor the deletion mechanism, namely:
- Access the deletion mechanism every 45 days;
- Process requests (delete/suppress) within 45 days of receipt;
- Process the request and delete all personal information of the consumer at least once every 45 days;
- The data broker shall not sell or share new personal information of the consumer unless the consumer requests otherwise.
January 1, 2028, and every three years thereafter, a data broker shall undergo an audit by an independent third party to determine compliance with this section. Data brokers must submit such an audit within 5 business days of a request by the CPPA. A data broker shall maintain the report for at least six years.