California Takes an Aggressive Approach to Regulating Data Brokers

The Delete Act (SB 362), signed into law by California Gov. Gavin Newsom on October 10, 2023 imposes additional disclosure and registration requirements on data brokers. It requires data brokers to support deletion requests through a central “deletion mechanism” managed by the California Privacy Protection Agency (CPPA). The law also empowers consumers to request deletion of their personal information from all registered data brokers with a single submission.

As our Privacy + Cyber professionals explain in a more detailed summary, the expanded new requirements of the Delete Act are a legal and operational game-changer for organizations that qualify as data brokers. Data brokers will now have to provide more information during registration, including details about their collection of minors’ personal information, precise geolocation data, and reproductive health care data. They are also required to compile and disclose certain metrics related to CCPA requests annually, undergo audits, and maintain audit records for at least six years. The act presents several challenges for any organization deemed to be a data broker, including determining applicability, managing broader business impacts, handling technical complexities related to verification of requests and a continuing duty of deletion, and bearing potentially high costs.

Even if your business isn’t considered a data broker, data obtained or used by your business likely comes from a data broker. Our team’s advisory includes best practices to comply with the growing number of data protection laws in the United States, including conducting data-mapping assessments, reviewing registration requirements, maintaining deletion request policies, developing record-keeping policies, conducting training, and considering the impact of data deletion on vendor management and contracts.