The California governor has signed Bill 362, also known as the Delete Act, enabling residents to request the removal of their personal information from all data brokers operating in the state.
The Delete Act aims to provide consumers with greater control over their personal information that is collected and sold by data brokers. The new bill addresses a loophole in the existing California Consumer Privacy Act (CCPA), which required businesses to delete personal information collected directly from consumers but not information obtained indirectly or aggregated from other sources.
The California Privacy Protection Agency (CPPA) will be responsible for enforcing the registration and data deletion requirements and will have the authority to adopt regulations for implementing and administering the Delete Act. There are two notable dates for data brokers, which should have ample time to ensure they have complied with the requirements of the new law.
By January 1, 2026, the CPPA is mandated to develop a system allowing consumers or their authorised agents to submit a single verifiable data deletion request to all registered data brokers in California at no charge.
From January 1, 2028, data brokers will be required to undergo an audit by an independent third party every three years to ensure compliance with the Delete Act. Data brokers must submit an audit report to the CPPA within five days of a written request and maintain audit records for a minimum of six years.
Non-compliance with the Delete Act can result a $200 daily penalty for data brokers that fail to register as required.
Companies are advised to assess whether they fall under the scope of the Delete Act and, if applicable, develop a compliance program to meet the enhanced data deletion and transparency requirements. By January 31, 2024, data brokers must update their online privacy notices.
As a B Corp Data Protection Office, HewardMills is dedicated to assisting clients to address internal data privacy concerns and business practices. If you have any concerns on your organisation’s data protection, or any other global data privacy issues, we can support your team.