The California Delete Act - The most ambitious privacy law in the country?
2
26
0
Or: The Do Not Call Registry of the Modern World
Tl;dr:
If you buy, sell, or derive value from data whom you don’t have a direct business relationship with, you need to comply with this bill (and the 3 others like it in the US).
The deadline to register was Jan 31st, 2024 - but if you missed it you should still register A$AP to stop hemorrhaging fines
To get in compliance you need to register with a lawyer, on your own, or with the help of a Registration Agency like Superset
Intro:
California’s back at it again, pushing the limits of what legislators can do to reign in America’s surveillance economy.
They started with CCPA in 2018— the first general data privacy law in the US. 19 more states have since followed in their footsteps.
After CCPA went into effect, they managed to pass an updated version, the CPRA in 2020 which set up an entire new government agency, the California Privacy Protection Agency (CPPA), and put them in charge of the state’s privacy laws.
Now California’s legislators enacted their most ambitious legislation yet: SB-362 — better known as The California Delete Act.
What makes the California Delete Act so controversial?
As crazy as it sounds, California wants to create the “universal opt-out button” — a single place where a consumer can go to opt-out of having their data collected and sold by ANY and EVRY Data Broker.
How does the California Delete Act work?
January 1, 2024 — It starts by establishing a public registry of every Data Broker (we’ll get into who qualifies as a Data Broker shortly). The registration is due annually by Jan 31st starting in 2024.
January 1, 2026 — Then the CPPA plans to make the opt-out form for consumers to express their interest to be deleted from the databases of all the registered Data Brokers.
August 1, 2026 — Finally every registered Data Broker is expected to go through the list of consumers that requested an opt-out at least every 45 days and delete any personal information related to consumers on the opt-out list.
Who needs to comply with the California Delete Act?
The California Delete Act regulates a VERY wide range of businesses, including companies that wouldn’t typically consider themselves Data Brokers intuitively:
“Data broker” means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. — Senate Bill №362
This definition strangely excludes companies that have a direct relationship with consumers but make all of their money by selling data about those users *cough* Robinhood *cough*, AND the companies that are covered get MUCH broader when we combine that with their definition of Selling data:
(1) “Sell,” “selling,” “sale,” or “sold,’’ means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration. —CCPA
So functionally ANY company that 1) keeps personal data about consumers they don’t have a direct relationship with and 2) transfers that data to any third party for almost any business related reason is considered a Data Broker.
If you take away one thing from this article: if you buy, sell, or derive value from data whom you don’t have a direct business relationship with, you need to comply with this bill.
Examples of Data Brokers you wouldn’t expect:
Lead-generation agencies: While there are exemptions for business data, if a company that helps businesses find customers is selling or providing a consumer’s email or phone number, they’re legally a Data Broker.
CRMs with enrichment — If a Customer Relationship Management tool offers “enrichment” that includes personal information like phone numbers or work history, they’re legally a data broker.
A local bakery running ads — Even a non-technical business that buys consumer’s data and hands that list to Facebook or another platform to target them with ads is “transferring” data for “value” and is, in fact, legally a Data Broker.
What to do if your business is impacted by the Delete Act?
If you’ve read the above descriptions and realized you are legally a Data Broker, the first question you should ask yourself is probably: Do I have to be?
If transferring/selling/transmitting consumer’s data is a small part of your business, it’s probably best to just stop doing that now.
If your business requires the collecting and transferring of consumer data, you should go ahead register with the CPPA. As of the time of writing, the deadline has already passed for 2024, but it’s best to stop the bleeding now on fines.
Next you should probably evaluate if you need to comply with the Data Broker Registration laws in Texas, Oregon, and Vermont as well (*spoiler alert* — you probably do).
How to comply with the California Delete Act?
Most companies comply with the California Delete Act through the help of a lawyer, however a Data Broker Registration Agency is often a much more cost and time effective way to achieve compliance.
If you can’t tell from the website you landed on, here at Superset we’re REALLY GOOD at getting companies in compliance with all 4 state registries quickly and confidently.
It’s all self-serve so you can fill out your company information and achieve compliance across the entire US in only 15 minutes here.
Alternatively, if you only want to get in compliance in California, you can go to the CPPA website and fill out the required paperwork, print your application receipt, and write and mail in a physical check.
What are the penalties for non-compliance with the Delete Act?
Data Brokers that don’t register by Jan 31st, 2024 face fines of around $200/day up to a maximum of $100,000 per year with a 5 year statute of limitations PLUS the expenses incurred by the CCPA investigating and prosecuting you.
After August 2026, the penalties can jump significantly. Failing to delete a consumer’s data on time can result in a fine of $200 per user per day.
What does it cost to comply with the California Delete Act?
California is charging a $400 filing fee along with your annual registration. Currently the payment is required in the form of a check to be physically mailed in to the CPPA offices.
How does the Delete Act relate to other US Data Broker Registries?
The California Delete Act is actually not the only law regulating Data Brokers in the US.:
Vermont was the first state to pass regulation requiring data brokers to register with the Data Broker Act passed back in 2018
In 2023, the ball really started rolling when Texas passed SB2105- Data Broker Act in June 2023 requiring Data Brokers to register with the Secretary of State
Then Oregon showed up in July 2023 to pass HB 2052 requiring registration starting January 1st 2024
Finally California’s Amended Data Broker Registration Law was signed into law in October 2023
There are some small differences in the definition of Data Broker in each, but generally if you’re classified as a Data Broker under the Delete Act, you probably need to register in all 4 states.
Conclusion
LOTS of companies are Data Brokers now according to the law — not just the ones you would suspect.
If you still aren’t sure if the Delete Act impacts your business, book some time with us at Superset and we’ll help you evaluate your business’ needs free of charge.
If your business regulated by the California Delete Act, you may have missed the deadline but you should still register as soon as possible, and the easiest way to do that is a self-serve platform like Superset.
The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only.
Related Posts
