California Delete Act (SB 362) FAQ
[Update October 2023: the California Delete Act aka SB 362 was signed into law on October 10, 2023 by Governor Newsom. My analysis of the law can be found here.]
There is increasing interest in the California Delete Act — Senate Bill 362 (SB 362) — as it nears a vote in the California Assembly’s Appropriations Committee (having passed the State Senate and the Assembly Privacy Subcommittee). Below are some frequently asked questions (FAQ) about SB 362.
What is the executive summary of SB 362?
The bill would create an online portal for Californians to request that data brokers delete any data they have on the consumer and no longer track them.
So, what are data brokers?
Data brokers are defined as businesses that knowingly collect and sell to third parties the personal information of a consumer with whom the business does not have a direct relationship. Unlike Big Tech firms like Meta and Google, which primarily collects our online activity, data brokers collect information about us from online and offline sources, thus surveilling us just as significantly. Data brokers’ data sources include property records, purchase history, social media profiles, and online web and mobile app activity tracking.
So, what are the issues with data brokers?
Data brokers and their practices are increasingly under the spotlight as there has been growing concern that their data is being weaponized or misused. For example, the White House recently hosted a roundtable on harmful data broker practices. As Consumer Financial Protection Bureau (CFPB) Director Rohit Chopra noted:
“Reports about monetization of sensitive information—everything from the financial details of members of the U.S. military to lists of specific people experiencing dementia—are particularly worrisome when data is powering ‘artificial intelligence’ and other automated decision-making about our lives.”
There has also been plenty of reporting of data brokers selling and sharing very sensitive personal data such as our location (e.g., people going to/from abortion clinics), what types of healthcare apps we have installed (e.g., pregnancy trackers), our religion (e.g., people who have a Muslim prayer app installed), our sexuality (e.g., if you are using a gay/bi dating app), etc. And there have been documented instances of data brokers’ practices putting elderly individuals at higher risk for scams, identity theft, and financial exploitation that rely on the collection and misuse of personal information.
Another example involves victims of domestic violence. As Senators Klobuchar and Murkowski noted
“As reports of domestic violence, sexual violence, and stalking have increased during the pandemic, the threat of the virus has made it even more difficult for victims to find safety and support. While some states have addressed confidentiality programs that allow victims to use a post office box as their legal address, we have serious concerns that third party data brokers play a role in revealing the protected address and providing access to personal information that can lead to continued abuse.”
OK, can you give me the nitty-gritty details of the bill?
Let me quote the Appropriations Committee’s analysis which provides a good summary:
This bill transfers duties relating to the Data Broker Registration Law (DBRL) from the Attorney General to the California Privacy Protection Agency (CPPA) and requires CPPA to develop a mechanism that makes it easier for a consumer to request registered data brokers delete personal information they maintain about the consumer.
Specifically, among other provisions, this bill:
1) Removes statutory authority from the Attorney General and the California Department of Justice (DOJ) to administer and enforce the DBRL and places this authority with CPPA.
2) Increases civil penalties for a data broker’s non-registration from one hundred dollars ($100) to two hundred dollars ($200) per day.
3) Requires, by January 1, 2026, CPPA to establish an accessible deletion mechanism that allows a consumer to make one request that every data broker that maintains personal information related to that consumer delete that information, implements and maintains reasonable security procedures and practices, allows a consumer to selectively exclude specific data brokers from their deletion request, and meets other specified parameters.
4) Requires, beginning August 1, 2026, a data broker to access the deletion mechanism at least once every 31 days and process all deletion requests, delete all personal information related to consumers who submitted requests, and send information to CPPA about the number of records were deleted.
I would add that another provision of note is that additional information is required from data brokers as part of their annual registration process. Namely, whether the data broker collects the personal information of minors, whether the data broker collects consumers’ precise geolocation, and whether the data broker collects consumers’ reproductive health care data.
Opposition to SB 362 has said the bill is “unnecessary” and “it is duplicative of rights already afforded Californians.” Any truth to that?
Nope. The analysis of SB 362 by the Privacy Subcommittee staff clearly stated that the current California Consumer Privacy Act (CCPA)’s right to delete is insufficient to protect consumers from data brokers, as it is limited to information "collected from the consumer." Data brokers do not collect information from consumers directly, thus exposing a limitation in the CCPA that leaves Californians vulnerable to the risks associated with unauthorized data collection and sale. As the Committee analysis notes:
“The right of deletion under the CCPA provides: “A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.” (Civ. Code § 1798.105(a) [emphasis added].) A data broker by statutory definition “does not have a direct relationship” with consumers. (Civ. Code § 1798.99.80(d).) It buys information about consumers from others. So it will not have collected information from the consumer. Therefore, a deletion request directed at a data broker will likely be ineffective at deleting information about the consumer that is in the data broker’s possession.”
The opponents of SB 362 dispute this, claiming “ data brokers are subject to CCPA deletion requests if they buy or receive PI from another business.” This is their main knock against the bill. But the Privacy Committee’s bill analysis shoots that argument down big-time:
“There are at least two flaws with this line of argument. First, in order to ensure data broker deletion of their personal information, a person would have to direct a deletion request to every business that has ever collected personal information about them. Compiling such a list is likely an impossible task. Second, as discussed … deletion requests are only effective at the point in time they are made; once new personal information about the consumer reaches a data broker, it can resume using and selling information about the consumer.”
And goes on to add:
“In sum, it hardly matters that one has deletion rights if, as a practical matter, no one can exercise them where data brokers are concerned. But deletion is a must if one is concerned with protecting oneself from the risks set forth above. Even if one were to instead, say, exercise the CCPA right to opt-out of sale or sharing of personal information by a data broker, one would still have to (i) exercise that right 496 times and (ii) continually monitor the data broker registry for new data brokers with which to submit “opt-out” requests. This would be a difficult task for most people, and likely impossible for those who urgently need to safeguard their privacy, such as domestic violence victims. It would also require faith that no data broker holding one’s information were ever the victim of a data breach.”
The opposition also says that the costs for SB 362 will “bloat” the state deficit. Any truth to that?
Nope, under most unbiased definitions of “bloating.” The Appropriations Committee analysis makes clear that the pre-existing funds in the data broker registry can be applied to the creation of the consumer-facing deletion mechanism, and further factoring in the registry fees charged to data brokers, this should keep the initial startup cost to less than $1 million per year in the first year or so and then maybe a few hundred thousands of dollars per year after that. Certainly no “bloating” and the value to California residents will be immense.
What’s next for SB 362?
The Assembly Appropriations Committee will vote on a huge number of bills on September 1, 2023. Assuming SB 362 passes that hurdle, it will need to pass floor votes for the Assembly and then back to the Senate by September 14. Then the Governor has until October 14, 2023 to sign it.
Is SB 362 modeled after any other legislative proposals?
Clearly, this bill draws inspiration from the FTC’s highly popular Do Not Call Registry.
SB 362 is also modeled after various calls for the Federal Trade Commission (FTC) to create a data broker registry and further allow consumers to make global deletion requests of data brokers in the registry. For example, Apple CEO Tim Cook proposed in a 2019 TIME magazine opinion piece that the FTC should establish a “data-broker clearinghouse.” This would facilitate consumers being able to track the data brokers “that have bundled and sold their data from place to place.” And the clearinghouse would also give consumers “the power to delete their data on demand, freely, easily and online, once and for all.”
A bipartisan federal proposal came out in February of 2022 (and reintroduced in 2023) to provide such a data-broker clearinghouse. Introduced by US Senators Bill Cassidy (Republican Senator from Louisiana) and Jon Ossoff (Democratic Senator from Georgia), the bill is the Data Elimination and Limiting Extensive Tracking and Exchange (DELETE) Act. The bill would “direct the Federal Trade Commission (FTC) to create an online dashboard for Americans to submit a one-time data deletion request that would be sent to all data brokers registered.” In addition, it would also create a “do-not-track list” to protect registrants from future data collection. Underpinning this proposal is the creation of a federal data broker registry.
A variation of this same bill was included in a proposed Federal omnibus privacy bill (the American Data Privacy and Protection Act or ADPPA) that passed its House Committee 53-2 in 2022. This omnibus bill never made it to the floor because of concerns that it would preempt state law, e.g., CCPA. Ironically, data brokers who complain about various states passing privacy laws and saying they want a uniform federal privacy law will likely face comparable global deletion capabilities in any federal privacy bill, as evidenced by the language in ADPPA.
Any parting thoughts?
To quote the “fact sheet” put for by Senator Josh Becker, who authored the bill, “by enhancing transparency and giving consumers control over their data, SB 362 help protects Californians' privacy and mitigates the risks associated with the collection and sale of sensitive personal information by data brokers.”