
California Delete Act (SB 362): Data Broker Deletion System and Compliance Requirements

How the California Delete Act creates a centralized deletion mechanism that lets consumers request, in a single step, that all registered data brokers delete their information.

Regulation: California Delete Act (SB 362)
Max Penalty: USD 200 per day per violation
Enforcing Authority: California Privacy Protection Agency (CPPA)
Official Source: cppa.ca.gov

Executive Summary

  • The California Delete Act (SB 362) mandates data brokers to implement a deletion system for consumer requests.
  • Compliance is required for all entities classified as data brokers, with significant penalties for non-compliance.
  • Key compliance requirements include establishing a deletion system, verifying consumer requests, and maintaining records.
  • Organizations should develop a comprehensive compliance program to navigate the complexities of the regulation.
  • Regular monitoring and adaptation of compliance practices are essential to meet evolving regulatory demands.

The California Delete Act (SB 362) establishes a framework for data brokers to comply with consumer deletion requests, enhancing privacy rights for California residents. This regulation mandates that data brokers implement a deletion system, allowing individuals to request the removal of their personal information from data broker databases. As organizations navigate this evolving landscape, understanding the compliance requirements and enforcement mechanisms is essential for mitigating risks and ensuring adherence to the law.


What Is the California Delete Act (SB 362)?

The California Delete Act, also known as SB 362, was enacted to empower consumers with the right to request the deletion of their personal information held by data brokers. This legislation builds upon the foundation laid by the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), expanding consumer rights in the digital age. Under this act, data brokers are required to establish a systematic process for handling deletion requests, ensuring that consumers can easily exercise their rights.

The act defines a data broker as any entity that collects and sells personal information about consumers with whom it does not have a direct relationship. This broad definition captures a wide range of businesses, emphasizing the need for compliance across various sectors. By mandating a deletion system, the California Delete Act aims to enhance consumer control over personal data and promote transparency in data handling practices.

Who Must Comply

The California Delete Act applies specifically to data brokers, which are defined as entities that collect and sell personal information about consumers without a direct relationship with those consumers. This includes a wide array of organizations, from large corporations to smaller businesses that engage in data brokerage activities. Notably, the act does not apply to entities that are already subject to the CCPA or CPRA, provided they are not classified as data brokers.

Organizations that fall under the definition of a data broker must ensure compliance with the requirements outlined in the act. This includes establishing a robust deletion system and adhering to the procedural and substantive obligations set forth by the California Privacy Protection Agency (CPPA). Failure to comply can result in significant penalties, emphasizing the importance of understanding the scope of the regulation.

Core Compliance Requirements

Deletion system implementation. Data brokers are required to establish a deletion system that allows consumers to submit requests for the deletion of their personal information. This system must be user-friendly and accessible, enabling consumers to easily navigate the process. Organizations should ensure that their deletion mechanisms are clearly communicated and effectively integrated into their existing data management practices.

Verification of consumer requests. Upon receiving a deletion request, data brokers must implement a verification process to confirm the identity of the requester. This step is crucial to prevent unauthorized deletions and protect consumer privacy. Organizations should develop clear procedures for verifying identities, which may include requiring consumers to provide specific information or documentation to substantiate their requests.

Timely response to requests. Data brokers are obligated to respond to deletion requests within a specified timeframe, typically within 45 days. This requirement underscores the importance of timely action in addressing consumer requests. Organizations should establish internal workflows to ensure that requests are processed efficiently and that consumers receive prompt notifications regarding the status of their requests.

Record-keeping obligations. Data brokers must maintain records of deletion requests and the actions taken in response to those requests. This documentation serves as evidence of compliance and can be critical in the event of an audit or investigation by the CPPA. Organizations should implement robust record-keeping practices to ensure that they can demonstrate compliance with the act’s requirements.

Consumer notice requirements. Data brokers are required to provide clear and conspicuous notices to consumers regarding their rights under the Delete Act. This includes informing consumers about their right to request deletion, the process for submitting requests, and the verification procedures in place. Organizations should prioritize transparency in their communications to foster trust and ensure that consumers are aware of their rights.

Penalties and Enforcement

The California Privacy Protection Agency (CPPA) is responsible for enforcing the provisions of the California Delete Act. Organizations that fail to comply with the act’s requirements may face penalties of up to USD 200 per day for each violation. This enforcement mechanism underscores the seriousness of compliance and the potential financial repercussions of non-compliance.

In addition to financial penalties, organizations may also face reputational damage and loss of consumer trust if they fail to adequately protect consumer privacy. The CPPA has the authority to investigate complaints and conduct audits to ensure compliance with the Delete Act. Organizations should be proactive in their compliance efforts to mitigate the risk of enforcement actions and penalties.

Building a Defensible Compliance Program

To effectively navigate the complexities of the California Delete Act, organizations should develop a comprehensive compliance program. This program should include the following steps:

  1. Conduct a data inventory to identify all personal information collected and processed by the organization.

  2. Assess existing data management practices to identify gaps in compliance with the Delete Act.

  3. Develop and implement a deletion system that meets the requirements of the act.

  4. Establish verification procedures to confirm the identity of consumers submitting deletion requests.

  5. Create a clear communication strategy to inform consumers of their rights and the deletion process.

  6. Train employees on compliance obligations and the importance of consumer privacy.

  7. Implement record-keeping practices to document deletion requests and responses.

  8. Regularly review and update compliance practices to adapt to evolving regulatory requirements.

By following these steps, organizations can build a defensible compliance program that not only meets the requirements of the California Delete Act but also fosters a culture of privacy within the organization.

Practical Implementation Priorities

Assess current data practices. Organizations should begin by conducting a thorough assessment of their current data practices to identify areas that require improvement. This includes evaluating how personal information is collected, stored, and shared, as well as understanding the existing processes for handling deletion requests.

Develop a user-friendly deletion system. Creating an accessible deletion system is critical for compliance. Organizations should prioritize user experience in the design of their deletion mechanisms, ensuring that consumers can easily navigate the process and submit requests without unnecessary barriers.

Implement robust verification processes. Establishing effective verification processes is essential to protect against unauthorized deletion requests. Organizations should develop clear guidelines for verifying consumer identities and ensure that these procedures are consistently applied.

Train staff on compliance obligations. Employee training is a vital component of a successful compliance program. Organizations should educate staff on the requirements of the California Delete Act, emphasizing the importance of consumer privacy and the procedures for handling deletion requests.

Monitor compliance and adapt practices. Organizations should regularly monitor their compliance efforts and be prepared to adapt their practices as needed. This may involve conducting periodic audits, reviewing policies, and staying informed about changes in the regulatory landscape.

Run a Free Privacy Scan

Before building a compliance program, an automated scan of your public-facing properties identifies the gaps that carry the most immediate regulatory risk — undisclosed trackers, consent mechanism failures, data sharing without adequate notice, and policy misalignments. BD Emerson’s privacy scanner produces a detailed findings report against California Delete Act (SB 362) requirements within minutes.

Run your free scan or speak with a privacy expert to discuss your compliance obligations under the California Delete Act (SB 362) and build a prioritized remediation plan.

Regulatory Crosswalk

Organizations subject to this regulation often operate under these overlapping frameworks: CCPA/CPRA, GDPR right to erasure. BD Emerson maps controls across frameworks to reduce duplicated compliance effort.


Evaluate your compliance posture now

BD Emerson's automated scanner audits your public-facing properties against your applicable regulations in minutes, not weeks.