California Enacts Data Broker Deletion Requirements and Other Privacy-Related Legislation | Practical Law


California has enacted a number of data privacy and cybersecurity statutes, including a data broker-related law providing for one-submission consumer deletion requests, CCPA and CPRA amendments, amendments to California medical information law, and more.


by Practical Law Data Privacy & Cybersecurity
Published on 16 Oct 2023
California, USA (National/Federal)
California Governor Gavin Newsom signed a series of bills related to data privacy and cybersecurity as California's 2023 legislative season came to a close on October 13, 2023.
Among the enacted bills is SB 362, commonly known as the Delete Act, which amends the state's existing data broker registry law. The Delete Act orders the California Privacy Protection Agency (CPPA) to create a secure deletion mechanism by January 1, 2026, allowing consumers, with a single submission, to request all data brokers delete their personal information. Beginning August 1, 2026, data brokers must access the mechanism at least every 45 days, for which the CPPA may charge an access fee.
In response to a deletion request, the data broker must:
  • Delete all the requesting consumer's personal information within 45 days.
  • Direct service providers and contractors to delete the consumer's personal information.
  • Continue to delete the consumer's personal information at least once every 45 days.
  • Refrain from selling or sharing the consumer's newly collected personal information.
Data brokers must treat unverifiable requests as sale and sharing opt outs. The Delete Act also:
  • Moves rulemaking, registry, and enforcement responsibility to the CPPA.
  • Adopts the California Consumer Privacy Act of 2018's (CCPA) definitions for personal information, sale, and other terms.
  • Requires data collection, response metrics, and audit disclosures at registration.
  • Beginning January 1, 2028, requires data brokers to undergo and report results of an independent third-party compliance audit and maintain them for six years.
  • Requires data brokers to, annually and by July 1, report deletion requests received, fulfilled, and denied in the prior calendar year and disclose these metrics in their privacy policies.
  • Amends enforcement provisions to allow the CPPA to bring administrative actions against violators within five years of violation with:
    • a raised fine of $200 per day for failure to register;
    • a new fine of $200 per day per unfulfilled deletion request; and
    • enforcement expenses.
The governor also signed amendments to the CCPA and the California Privacy Rights Act of 2020, including:
  • AB 947, amending the definition of sensitive personal information to add personal information that reveals citizenship or immigration status.
  • AB 1194, clarifying that an individual's access to or search for abortion or certain other care does not constitute a natural person being at risk or danger of death or serious injury, limiting compliance exemptions provided for adhering to local law, court order, law enforcement request, and government agency emergency access requests.
The governor signed bills amending California's Confidentiality of Medical Information Act, including:
  • AB 254, to:
    • cover reproductive or sexual health digital service providers, including certain mobile apps and websites, as health care providers for some purposes; and
    • cover certain information collected by a reproductive or sexual health app in its definition of medical information, including reproductive health, sexual activity, and other related listed data, and data from which one can infer a user's pregnancy status, menstrual cycle, birth control use, gender identity, sexual activity, or other specified characteristic.
  • AB 352, which:
    • requires certain businesses to develop capabilities and procedures to limit user access to, segregate, and prevent out-of-state disclosure of data related to sensitive services like gender-affirming care, abortion, and contraception by July 1, 2024; and
    • imposes narrow disclosure limits on individual-identifying data related to seeking, aiding, or receiving abortion or related services to out-of-state individuals and entities or from federal law enforcement.
  • SB 345, which:
    • prohibits a person or business from collecting, using, disclosing, or retaining the personal information of an individual physically located at, or within a precise geolocation of, a family planning center, except as necessary to fulfill the individual's request; and
    • allows aggrieved individuals or entities, including family planning centers, to bring a civil action against a person or business who violates the law.
The governor also signed:
  • AB 39, creating a licensing scheme for digital financial asset-related businesses with enforcement procedures, requirements, and other provisions, including a licensing requirement to maintain information security and operational security programs.
  • AB 1027, applicable to social media companies, repealing a revenue-based exemption and requiring platforms to:
    • retain usernames and content removed under their policy related to illegal controlled substances for 90 days; and
    • include in their publicly posted policy statement a description of their retention policy for electronic communication information as defined by Cal. Penal Code § 1546.
  • SB 296, requiring vehicle manufacturers, sellers, and lessors of new vehicles equipped standard with an in-vehicle camera to disclose its presence, with specific requirements for each entity type. SB 296 also protects image and video recordings collected by the cameras with access, disclosure, and sale restrictions but excludes commercial vehicles.
  • SB 793, codifying existing insurance regulations to annually provide customers with a clear and conspicuous privacy notice, allowing the notice to be combined with other required notices, and providing deemed compliance for meeting certain criteria.
Bills enacted will become effective on January 1, 2024 unless otherwise noted. The California legislature adjourned for its interim recess on September 15, 2023 and is expected to reconvene on January 3, 2024.