United States of America: Amended California SB 362 on data brokers (DELETE Act)

On 10 April 2023, the California State Senate provided some amendments to the proposal, introduced by California State Senator Becker, for an Act amending the Civil Code relating to data brokers. This bill includes a series of provisions that would incorporate the definitions from the California Consumer Privacy Act of 2018 (CCPA) into the data protection provisions already enshrined in California law. The bill would require all data brokers to register and exchange information with the agency instead of the Attorney General, including information related to requests received under the CCPA, whether the data broker collects specified information, and specified information regarding an audit, otherwise becoming liable for administrative fines and costs in an administrative action brought by the agency. The bill would prohibit the Attorney General from filing a civil action and the agency from filing an administrative action under these provisions if the other has already issued a decision or brought an action concerning the same conduct. In addition, the agency would be required to establish an accessible deletion mechanism that allows consumers to request the deletion of their data by every data broker that maintains any of it through a single verifiable consumer request. Beginning 1 August 2025, data brokers would be required to access the mechanism at least once every 31 days, paying a fee to the agency to do so and, among other things, process all pending deletion requests. Beginning 1 July 2025, data brokers would be forbidden from collecting, retaining, selling, or sharing personal information on a consumer who has submitted a deletion request unless requested by the consumer. Beginning 1 January 2027 and every three years thereafter, all data brokers would be required to undergo an audit by an independent third party to determine compliance with these provisions and to submit an audit report to the agency. Data brokers not compliant with the above would be liable for civil penalties, administrative fines, fees, and costs. The bill would also raise the amount of the existing civil penalty provisions, and it would require that civil penalties, administrative fines, fees, and costs recovered under these provisions be deposited in the Data Brokers’ Registry Fund instead of the Consumer Privacy Fund. The use cases for these funds would then be expanded to include the costs incurred by the state courts and the Attorney General in connection with enforcing these provisions and the costs of establishing, maintaining, and providing access to the accessible deletion mechanism.