Privacy & Information Security Law Blog

On October 30, 2024, the California Privacy Protection Agency (“CPPA”) announced that it is conducting an investigative sweep focused on enforcing requirements for data brokers to register with the CPPA by January 31, 2024, under California’s Delete Act (the “Act”). Under the Act, the CPPA has the authority to impose an administrative fine of $200 per day for each day the data broker failed to register, an amount equal to the fees due during the period the data broker failed to register, and any fees related to an administrative action brought by the CPPA. Although California law has imposed registration obligations on data brokers since 2020, the Act shifted responsibility to maintain the registry from the California Attorney General to the CPPA on January 1, 2024.

The Act defines data brokers as businesses that collect and sell personal information belonging to consumers with whom they do not have a direct relationship. In addition to registration requirements, which are similar to requirements in Vermont, Texas and Oregon, the Act also imposes data deletion obligations and requires data brokers to disclose the number of data deletion requests they receive and the average time it takes to respond to such requests. The Act also includes additional disclosure requirements, including whether the data broker collects personal information of minors, reproductive healthcare data and precise geolocation data. In addition, the Act requires data brokers to undergo an independent audit once every three years to verify compliance with the Act; however, this requirement does not go into effect until January 1, 2028.

In announcing the investigative sweep, the CPPA also noted the Act’s mandate for the CPPA to stand up a website by January 1, 2026, that allows consumers to submit a single request for all registered data brokers to delete their information. Beginning on August 1, 2026, data brokers will be required to access the CPPA’s single request system at least once every 45 days to review and process new deletion requests. Data brokers will also have to delete any new personal information that they have collected about consumers who have already submitted relevant deletion requests once every 45 days, unless an exemption applies, and direct service providers to also fulfill deletion requests.