California Delete Act

Last updated
California Delete Act
Seal of California.svg
California State Legislature
Full nameCalifornia Delete Act
IntroducedFebruary 8, 2023
Signed into lawOctober 10, 2023
Governor Gavin Newsom
Code California Civil Code
Section1798.99
ResolutionSB-362 (2023–2024 Session)
Website Senate Bill No. 362
Status: Current legislation

The California Delete Act (SB 362) is a state law that provides a one-stop shop deletion mechanism for consumers to direct data brokers to delete their personal information. [1] [2] [3] [4] [5] [6] The law requires data brokers to register with the California Privacy Protection Agency annually beginning January 2024, process deletion requests submitted through the deletion mechanism beginning August 2026, and undergo an independent audit every three years beginning January 2028. [7] [8] [9] [10] [11] [12] It is the first law of its kind in the United States. [13]

Contents

The bill has some exceptions, and allows consumers to exclude specific data brokers from the deletion request. [14] It uses the same definition of data brokers as in the California Consumer Privacy Act, applying to companies which made more than $25 million in revenue the previous year, and which “annually buy, sell, or share the personal information of 100,000 or more consumers or households.” that make more than 50% of their annual revenue from the sale of personal information. [6] Once the request is made, data brokers are required to delete all personal information of the consumer every 45 days, and are banned from sharing or selling new personal information acquired about them. [14] Deletion requests denied because of the data brokers' inability to verify them are required to be processed as opt-outs for the sale and sharing of the consumer's personal information. [14]

History

While the California Consumer Privacy Act of 2018 allows consumers to request that individual businesses delete their data, [15] it is difficult and time-consuming to use, and fully erasing your digital footprint requires contacting potentially hundreds of companies. [16] The bill, written by Sen. Josh Becker and introduced on 8 February 2023, [17] was intended to simplify the process and make it practical to use. [16] [14] It followed some other failed attempts by governments to regulate data brokers, including a failed federal bill in 2022 to allow consumers to delete data in one-stop shop, and a 2022 California act that would have required registered data brokers to disclose more information to the state. [16] The bill was passed in the context of long-held calls by civil liberties and privacy advocates for heavier regulation the industry, citing concerns about the lack of transparency in the sharing of consumer data and of the use of the data by law enforcement without a need for subpoenas or warrants. [4]

Supporters raised concerns about threats to abortion seekers, undocumented immigrants, and activists; opponents to the bill raised concerns about harms to ad businesses, and the use of the data by law enforcement, academics, and nonprofits in collecting donations. [16] The concept of one-stop deletion of data faces heavy opposition by business groups, [16] and the bill faced heavy lobbying from them in opposition. [14] The Consumer Data Industry Association, a trade association for credit bureaus and background-checking companies, claimed that the bill could undermine consumer fraud protections. [14] The Association of National Advertisers claimed that small businesses and nonprofits would have difficulty finding customers and donors because of claimed harm to advertising. [18]

Becker eventually made amendments to the bill increasing the time between which companies are required to delete consumer's personal data from the original 30 days to 45 days. [14] It was signed by California governor Gavin Newsom on October 10, 2023. [6] Data brokers began registering annually on January 31, 2024. [12] Proposed regulations related to the bill were released by the California Privacy Protection Agency on July 5, 2024, and public comments were considered until August 20, 2024. [19] Data brokers will be required to begin responding to requests for deletion on August 1, 2026, and begin undergoing audits every three years starting January 1, 2028. [12] Beginning January 1, 2029, they must disclose to the California Privacy Protection Agency whether they have undergone an audit and the most recent year in which they submitted a report from the audit to the agency. [12]

See also

Related Research Articles

<span class="mw-page-title-main">Gramm–Leach–Bliley Act</span> Act of the 106th United States Congress (1999–2001)

The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is an act of the 106th United States Congress (1999–2001). It repealed part of the Glass–Steagall Act of 1933, removing barriers in the market among banking companies, securities companies, and insurance companies that prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company. With the passage of the Gramm–Leach–Bliley Act, commercial banks, investment banks, securities firms, and insurance companies were allowed to consolidate. Furthermore, it failed to give to the SEC or any other financial regulatory agency the authority to regulate large investment bank holding companies. The legislation was signed into law by President Bill Clinton.

The Electronic Privacy Information Center (EPIC) is an independent nonprofit research center established in 1994 to protect privacy, freedom of expression, and democratic values in the information age. Based in Washington, D.C., their mission is to "secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation." EPIC believes that privacy is a fundamental right, the internet belongs to people who use it, and there's a responsible way to use technology.

Civil liberties in the United States are certain unalienable rights retained by citizens of the United States under the Constitution of the United States, as interpreted and clarified by the Supreme Court of the United States and lower federal courts. Civil liberties are simply defined as individual legal and constitutional protections from entities more powerful than an individual, for example, parts of the government, other individuals, or corporations. The explicitly defined liberties make up the Bill of Rights, including freedom of speech, the right to bear arms, and the right to privacy. There are also many liberties of people not defined in the Constitution, as stated in the Ninth Amendment: The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.

A data broker is an individual or company that specializes in collecting personal data or data about people, mostly from public records but sometimes sourced privately, and selling or licensing such information to third parties for a variety of uses. Sources, usually Internet-based since the 1990s, may include census and electoral roll records, social networking sites, court reports and purchase histories. The information from data brokers may be used in background checks used by employers and housing.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

Privacy law is a set of regulations that govern the collection, storage, and utilization of personal information from healthcare, governments, companies, public or private entities, or individuals.

The Personal Data Privacy and Security Act of 2009, was a bill proposed in the United States Congress to increase protection of personally identifiable information by private companies and government agencies, set guidelines and restrictions on personal data sharing by data brokers, and to enhance criminal penalty for identity theft and other violations of data privacy and security. The bill was sponsored in the United States Senate by Patrick Leahy (Democrat-Vermont), where it is known as S.1490.

Do Not Track legislation protects Internet users' right to choose whether or not they want to be tracked by third-party websites. It has been called the online version of "Do Not Call". This type of legislation is supported by privacy advocates and opposed by advertisers and services that use tracking information to personalize web content. Do Not Track (DNT) is a formerly official HTTP header field, designed to allow internet users to opt-out of tracking by websites—which includes the collection of data regarding a user's activity across multiple distinct contexts, and the retention, use, or sharing of that data outside its context. Efforts to standardize Do Not Track by the World Wide Web Consortium did not reach their goal and ended in September 2018 due to insufficient deployment and support.

<span class="mw-page-title-main">Ed Chau</span> American judge

Edwin “Ed” Chau is an American jurist and politician who served in the California State Assembly as a Democrat representing the 49th state assembly District from 2012 to 2021. On November 29, 2021, California Governor Gavin Newsom appointed Chau to be a judge in the Los Angeles County Superior Court.

The right to be forgotten (RTBF) is the right to have private information about a person be removed from Internet searches and other directories in some circumstances. The issue has arisen from desires of individuals to "determine the development of their life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past". The right entitles a person to have data about them deleted so that it can no longer be discovered by third parties, particularly through search engines.

Connected toys are internet-enabled devices with Wi-Fi, Bluetooth, or other capabilities built in. These toys, which may or may not be smart toys, provide a more personalized play experience for children through embedded software that can offer app integration, speech and/or image recognition, RFID functionality, and web searching functions. A connected toy usually collects information about the users either voluntarily or involuntarily, which raises concerns on the topic of privacy. The data collected by the connected toys are usually stored in a database, where companies that produce connected toys can use the data for their own purposes, provided they do so in line with the protections outlined in the Children's Online Privacy Protection Act (COPPA).

Financial privacy laws regulate the manner in which financial institutions handle the nonpublic financial information of consumers. In the United States, financial privacy is regulated through laws enacted at the federal and state level. Federal regulations are primarily represented by the Bank Secrecy Act, Right to Financial Privacy Act, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act. Provisions within other laws like the Credit and Debit Card Receipt Clarification Act of 2007 as well as the Electronic Funds Transfer Act also contribute to financial privacy in the United States. State regulations vary from state to state. While each state approaches financial privacy differently, they mostly draw from federal laws and provide more stringent outlines and definitions. Government agencies like the Consumer Financial Protection Bureau and the Federal Trade Commission provide enforcement for financial privacy regulations.

The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of the state of California in the United States. The bill was passed by the California State Legislature and signed into law by the Governor of California, Jerry Brown, on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code. Officially called AB-375, the act was introduced by Ed Chau, member of the California State Assembly, and State Senator Robert Hertzberg.

<span class="mw-page-title-main">California Privacy Rights Act</span> Privacy and data protection law in California, U.S.

The California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, is a California ballot proposition that was approved by a majority of voters after appearing on the ballot for the general election on November 3, 2020. This proposition expands California's consumer privacy law and builds upon the California Consumer Privacy Act (CCPA) of 2018, which established a foundation for consumer privacy regulations.

The California Privacy Protection Agency (CPPA) is a California state government agency created by the California Privacy Rights Act (CPRA). As the first dedicated privacy regulator in the United States, the agency implements and enforces the CPRA and the California Consumer Privacy Act.

<span class="mw-page-title-main">Personal Information Protection Law of the People's Republic of China</span> Chinese personal information rights law

The Personal Information Protection Law of the People's Republic of China referred to as the Personal Information Protection Law or ("PIPL") protecting personal information rights and interests, standardize personal information handling activities, and promote the rational use of personal information. It also addresses the transfer of personal data outside of China.

<span class="mw-page-title-main">American Data Privacy and Protection Act</span> United States proposed federal online privacy bill

The American Data Privacy and Protection Act (ADPPA) was a United States proposed federal online privacy bill that, if enacted into law, would have regulated how organizations keep and use consumer data. The bipartisan, bicameral bill was the first American consumer privacy bill to pass committee markup, which it did with near unanimity.

A personal information removal service is designed to help individuals reduce their digital footprint by removing their private data from the internet, particularly from data brokers and people search websites. These services cater to internet users' concerns over data privacy and data brokers' widespread collection and sale of personal information.

DeleteMe is a privacy service founded in 2010.

References

  1. "Bill Text - SB-362 Data broker registration: accessible deletion mechanism". California Legislative Information. 2023-10-12. Retrieved 2024-06-04.
  2. "CPPA Applauds Governor Newsom for Approving the California Delete Act". California Privacy Protection Agency. 2023-10-11. Retrieved 2024-06-04.
  3. Wong, Queenie (2023-10-10). "Newsom signs bill that would make it easier to delete online personal data". Los Angeles Times. Retrieved 2024-06-04.
  4. 1 2 Bhuiyan, Johana (2023-10-10). "Californians can scrub personal info sold to advertisers with first-in-US law". The Guardian. ISSN   0261-3077 . Retrieved 2024-06-04.
  5. Hamilton, David (2023-09-15). "California's Delete Act: What you need to know". Fortune. Retrieved 2024-06-04.
  6. 1 2 3 Davis, Wes (2023-10-11). "California's Delete Act lets consumers make one request to delete personal data". The Verge. Retrieved 2024-06-04.
  7. Bracy, Jedidiah (2023-10-11). "California governor signs Delete Act into law". International Association of Privacy Professionals. Retrieved 2024-06-04.
  8. Flores, Sergio; Pasillas, Cinthia (2023-10-12). "A new state law is giving you more power over your online personal data". NBC 7 San Diego. Retrieved 2024-06-04.
  9. "California Enacts the Delete Act". Morgan Lewis. 2023-11-20. Retrieved 2024-06-04.
  10. "California's Data Deletion Law Imposes a Host of New Obligations on Data Brokers". Skadden. 2023-12-14. Retrieved 2024-06-04.
  11. "California's Delete Act – Key Takeaways for Data Brokers". Cooley. 2023-10-16. Retrieved 2024-06-04.
  12. 1 2 3 4 "Information for Data Brokers". California Privacy Protection Agency. Retrieved 2024-06-04.
  13. Tedford, Owen. "California's New Data Broker Law Could Be The First Of Many". Forbes. Retrieved 2024-09-03.
  14. 1 2 3 4 5 6 7 Wong, Queenie (2023-09-15). "California lawmakers pass bill to make it easier to delete online personal data". Los Angeles Times. Retrieved 2024-08-08.
  15. "California Consumer Privacy Act (CCPA)". State of California - Department of Justice - Office of the Attorney General. 2018-10-15. Retrieved 2024-08-08.
  16. 1 2 3 4 5 Wong, Queenie (2023-08-29). "California could make it easier to scrub your personal data from the web. Businesses are pushing back". Los Angeles Times. Retrieved 2024-08-08.
  17. "Bill History - SB-362 Data broker registration: accessible deletion mechanism". California Legislative Information. State of California. Retrieved 2024-08-08.
  18. "California governor signs Delete Act into law". International Association of Privacy Professionals. 11 October 2023. Retrieved 2024-08-08.
  19. "CPPA Releases Notice of Proposed Regulatory Action for Data Broker Registration". California Privacy Protection Agency . 2024-04-24. Retrieved 2024-09-03.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.