In an era where data is the new oil, the protection of personal information has become a paramount concern. The state of California has taken a significant step in this direction with the introduction of the “Delete Act” (Senate Bill 362). This legislation, which recently passed the California State Assembly Privacy Subcommittee unanimously, is set to revolutionize data deletion and consumer privacy rights.

The Delete Act: A Brief Overview

The Delete Act aims to require data brokers to respect a “universal opt-out request” for any California resident. It proposes the creation of a “one-stop shop” for asserting rights over hundreds of entities that collect, aggregate, and resell consumer personal information. Given the influence that Californian regulatory norms can have over national policy, it could eventually lead to radical improvements in American consumer privacy rights.

The Delete Act only applies to businesses (called “data brokers”) that collect and sell personal data of California residents to third parties who do not have a direct relationship with the individual. The Governor has until October 14, 2023, to sign the bill into law.

The Impact on Data Brokers

Under the existing California Consumer Privacy Act (CCPA), California residents can take advantage of a unique opt-out process to request data brokers to remove the information collected about them. However, citizens of other states are required to go through more complex and time-consuming voluntary data broker opt-out processes. The Delete Act addresses this gap with a new data broker registry and a central online portal.

Data brokers would have to register with the California Privacy Protection Agency (CPPA) public registry, pay a registration fee, and disclose the information they collect as well as opt-out requests they get from consumers. Californians would be able to opt-out from data broker tracking and request data removal through a universal opt-out process.

The Future of Consumer Privacy

The obligations set by the Delete Act are set to roll out over the next several years. By January 1, 2026, the CPPA must establish a deletion mechanism that allows consumers to submit a centralized request for deletion of personal data held by data brokers. By August 1, 2026, all data brokers must monitor (at least once every 45 days) the deletion mechanism to process and comply with deletion requests made by consumers.

Beginning on January 1, 2028, all data brokers must undergo an audit, at least once every three years, conducted by an independent third party to determine their compliance with the requirements of the Delete Act. Data brokers must also prepare and submit a report on this audit to the CPPA, and maintain a record of this report for at least six years.

The California Delete Act is a significant step towards enhancing consumer privacy rights. By providing a universal opt-out process and requiring data brokers to respect these requests, the Act empowers consumers to take control of their personal information. As we move towards a future where data privacy is increasingly important, the Delete Act, and variations like it, will undoubtedly start showing up in legislatures across the country.