On October 10, the State of California adopted the Delete Act, a new law that allows California residents to simultaneously require all data brokers to delete their personal information. The Act will likely deeply impact privacy practices inside and outside the State. So, let’s see what this law is all about!
- What is the Delete Act?
- Didn’t Californians already have a right to erasure?
- How does the Delete Act work?
- How is the Delete Act different from other laws?
- Who does the Act apply to?
- Are there any exemptions to the Delete Act?
- What are the penalties under the Delete Act?
- What impact will the Delete Act have?
What is the Delete Act?
The Delete Act is a new California law on the right to have your data deleted from data brokers. The Delete Act will be enforced by the California Privacy Protection Agency (CPPA).
Didn’t Californians already have a right to erasure?
Yes, California residents have a right to erasure under the CCPA. But, there are two problems when it comes to data brokers.
First of all, it is unclear whether they can exercise that right against data brokers based on the wording of the CCPA. Second, assuming that they can, requesting data brokers to delete personal information would still be difficult in practice. Many different brokers typically control information about a single consumer, and consumers typically do not know who these brokers are and how to contact them.
Long story short, the right to erasure introduced by the Delete Act is not new in California law, but the Act makes it much easier for consumers to exercise it against data brokers.
How does the Delete Act work?
The deletion system described by the Act will consist of a unified registry for deletion requests. Data brokers must periodically access the system and review their databases to ensure they do not contain data about subjects who submitted a request.
Data brokers will also be under other obligations, such as documenting compliance with deletion requests and auditing the results of their procedures for honoring requests.
The Delete Act is vague about the system's technicalities and calls on the CPPA to iron out the kinks in its future regulation. According to the law, the system must be up and running by 2026 at the latest. In all likelihood, planning the system will be no walk in the park for the CPPA, and implementing it will be no walk in the park for companies!
How is the Delete Act different from other laws?
The Delete Act is an innovative law. Privacy laws such as the GDPR and California’s own CCPA frame the right to erasure as a matter between an individual and a specific company or organization. On the other hand, the Delete Act broadens the scope of a single request to all data brokers. This system differs from typical erasure requests and rather resembles a do-not-call registry of sorts.
The Delete Act also differs from other privacy laws in that requests also impact any data collected after the submission. A data broker cannot simply delete your data and call it a day; they must periodically review their database and erase any new data about you. An ongoing process of review and erasure is required.
Who does the Act apply to?
On one side of the equation, the Act applies to California residents, much like the CCPA. No one else can submit a request under the Act.
On the other side of the equation, the Act applies to data brokers. The law defines data brokers as any business that knowingly collects and sells information of consumers with whom the business has no direct relationship. So, data brokers essentially act as intermediaries, acquiring personal information on consumers through a third party and selling it to another third party.
It should be noted that the Act uses the same broad definition of data sale as the CCPA/CPRA. The disclosure of consumer data in exchange for something valuable will likely be considered a sale, whether monetary payment is involved or not. This means that the Act may apply to many intermediaries in the advertising sector, depending on how regulators understand the definition.
It is not yet clear whether the definition of data broker also covers businesses that buy or receive data from intermediaries, in other words, the customers of data brokers. This point is crucial, as many businesses (including smaller ones) enrich their customer data with third-party information. Future regulation from the CPPA will hopefully clarify this.
One thing is clear, though: much like the CCPA, the Delete Act will also apply to data brokers outside California, and even outside the US.
On a side note, it is worth highlighting that California has a registry for data brokers, and that registration was mandatory even before the Delete Act. This could make enforcement easier, as the CPPA will know who the data brokers are and how to contact them.
Are there any exemptions to the Delete Act?
Yes. Much like the CCPA, the Delete Act does not apply to companies that are bound by sector-specific regulation (such as HIPAA for the health care sector).
What are the penalties under the Delete Act?
Data brokers can be fined $200 for each day they fail to honor a deletion request. Data brokers can also be fined under pre-existing California laws for failing to register themselves in the data broker registry.
What impact will the Delete Act have?
The Delete Act will likely have a big impact on the advertising sector, and on other sectors heavily relying on data intermediaries (such as fraud detection). To comply with the law, companies must establish new procedures, and periodically review their databases to retrieve the data they need to delete.
This will likely increase legal and operational costs by no small amount. Additionally, it will require companies to implement robust data governance practices, if they haven’t already, to make it easy to filter databases and retrieve the information that needs to be deleted.
Finally, it should be noted that data brokers need to verify deletion requests. In other words, brokers need to make sure that consumers are who they say they are, and to find out exactly what personal information in their databases relates to them.
This will be complicated because data brokers sometimes do not collect direct identifiers that would allow for easy verification. It would be wise for businesses to establish robust verification procedures before the requests start coming in and to keep an eye on the CPPA for any guidance on verification.
It is early to say to what extent the Delete Act will impact the digital economy. However, it is clear that it will make compliance harder for data brokers. Companies covered by the Act should think ahead and immediately start preparing to meet its obligations.