SB 362: Data broker registration: accessible deletion mechanism.
- Session Year: 2023-2024
- House: Senate
- Current Status: Passed (2023-10-10: Chaptered by Secretary of State. Chapter 709, Statutes of 2023.)
The California Consumer Privacy Act of 2018 (CCPA) grants a consumer various rights with respect to personal information that is collected or sold by a business, including the right to request that a business disclose specified information that has been collected about the consumer, to request that a business delete personal information about the consumer that the business has collected from the consumer, and to direct a business not to sell or share the consumer's personal information, as specified. The CCPA defines various terms for these purposes. The California Privacy Rights Act of 2020 (CPRA), approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency (agency) and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA.
Existing law requires a data broker to register with the Attorney General, pay a registration fee, and provide specified information on or before January 31 following each year in which a business meets the definition of data broker. Existing law defines various terms for these purposes. Existing law establishes the Data Brokers Registry Fund and requires that these registration fees be deposited into the fund, to be available for expenditure by the Department of Justice, upon appropriation, for specified purposes. Existing law provides that a data broker that fails to register as required by these provisions is liable for civil penalties, fees, and costs in an action brought by the Attorney General, as specified, and requires these moneys be deposited in the Consumer Privacy Fund with the intent that they be used to fully offset costs incurred in connection with these provisions. Existing law requires the Attorney General to create and maintain an internet website where specified information provided by data brokers is accessible to the public.
This bill would incorporate the definitions from the CCPA into the data broker provisions described above. The bill would require a data broker to register with, pay a registration fee to, and provide information to, the agency instead of the Attorney General and would require the agency to maintain the informational internet website described above. The bill would require a data broker to compile and disclose specified information relating to requests received under the CCPA. The bill would also require, on or before July 1 following each year in which a business meets the definition of a data broker, that business to provide specified information described above and make related changes. The bill would make a data broker that fails to register as required by the provisions described above liable for administrative fines and costs in an administrative action brought by the agency, as specified, instead of in an action brought by the Attorney General.
This bill would require the agency to establish, by January 1, 2026, an accessible deletion mechanism that, among other things, allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor. The bill would specify requirements for this accessible deletion mechanism, and would, beginning August 1, 2026, require a data broker to access the mechanism at least once every 45 days and, among other things, process all deletion requests, except as specified. Beginning August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer's data pursuant to the bill's provisions, the bill would require the data broker to delete all personal information of the consumer at least once every 45 days, as specified, and would prohibit the data broker from selling or sharing new personal information of the consumer, as specified. The bill would, beginning January 1, 2028, and every 3 years thereafter, require a data broker to undergo an audit by an independent third party to determine compliance with these provisions and would require the data broker to submit an audit report to the agency upon the agency's written request, as specified. The bill would authorize the agency to charge a fee to data brokers for accessing the accessible deletion mechanism, as specified.
This bill would provide that a data broker that fails to comply with the requirements pertaining to the accessible deletion mechanism described above is liable for administrative fines, fees, expenses, and costs, as specified. The bill would require that moneys collected or received by the agency and the Department of Justice under these provisions be deposited in the Data Brokers Registry Fund, which the bill would require to be administered by the agency, instead of the Consumer Privacy Fund and would expand the specified uses of moneys in the Data Brokers Registry Fund to include the costs incurred by the state courts and the agency in connection with enforcing these provisions and the costs of establishing, maintaining, and providing access to the accessible deletion mechanism described above.
This bill would require a data broker to provide additional information to the agency, including information related to requests received under the CCPA, whether the data broker collects specified information, and specified information regarding an audit under the provisions described above.
This bill would prohibit an administrative action pursuant to these provisions from being commenced more than 5 years after the date on which a violation occurred.
This bill would declare that it furthers the purposes and intent of the CPRA for specified reasons.