Bill Text: CA SB362 | 2023-2024 | Regular Session | Amended

NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Data broker registration: accessible deletion mechanism.

Spectrum: Partisan Bill (Democrat 7-0)

Status: (Passed) 2023-10-10 - Chaptered by Secretary of State. Chapter 709, Statutes of 2023. [SB362 Detail]

Download: California-2023-SB362-Amended.html

Amended  IN  Senate  April 27, 2023
Amended  IN  Senate  April 10, 2023

CALIFORNIA LEGISLATURE— 2023–2024 REGULAR SESSION

Senate Bill
No. 362


Introduced by Senator Becker
(Principal coauthor: Senator Wiener)
(Coauthor: Assembly Member Wicks)

February 08, 2023


An act to amend Sections 1798.99.80, 1798.99.81, 1798.99.82, and 1798.99.84 of, and to add Sections 1798.99.85 and 1798.99.86 to, the Civil Code, relating to data brokers.


LEGISLATIVE COUNSEL'S DIGEST


SB 362, as amended, Becker. Data brokers: privacy.
The California Consumer Privacy Act of 2018 (CCPA) grants a consumer various rights with respect to personal information that is collected or sold by a business, including the right to request that a business disclose specified information that has been collected about the consumer, to request that a business delete personal information about the consumer that the business has collected from the consumer, and to direct a business not to sell or share the consumer’s personal information, as specified. The CCPA defines various terms for these purposes. The CCPA establishes the California Privacy Protection Agency (agency) and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA.
Existing law requires a data broker to register with the Attorney General, pay a registration fee, and provide specified information on or before January 31 following each year in which a business meets the definition of data broker. Existing law defines various terms for these purposes. Existing law establishes the Data Brokers’ Registry Fund and requires that these registration fees be deposited into the fund, to be available for expenditure by the Department of Justice, upon appropriation, for specified purposes. Existing law provides that a data broker that fails to register as required by these provisions is liable for civil penalties, fees, and costs, as specified, and requires these moneys be deposited in the Consumer Privacy Fund with the intent that they be used to fully offset costs incurred in connection with these provisions. Existing law requires the Attorney General to create and maintain an internet website where specified information provided by data brokers is accessible to the public.
This bill would incorporate the definitions from the CCPA into the data broker provisions described above. The bill would require a data broker to register with, pay a registration fee to, and provide information to, the agency instead of the Attorney General, and would require the agency to maintain the informational internet website described above. The bill would require a data broker to compile and disclose specified information relating to requests received under the CCPA. The bill would make a data broker that fails to register as required by the provisions described above liable for administrative fines and costs in an administrative action brought by the agency, as specified, and would require the agency to stay an administrative action or investigation upon request by the Attorney General, as specified. The bill would prohibit the Attorney General from filing a civil action pursuant to these provisions if the agency has issued a decision pursuant to these provisions for the same underlying conduct. The bill would prohibit the agency from filing an administrative action pursuant to these provisions if the Attorney General has brought an action pursuant to these provisions for the same underlying conduct.
This bill would require the agency to establish an accessible deletion mechanism that, among other things, allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor. The bill would specify requirements for this accessible deletion mechanism, and would, beginning August 1, 2025, require a data broker to access the mechanism at least once every 31 days and, among other things, process all pending deletion requests, except as specified. The bill would, beginning July 1, 2025, prohibit a data broker from collecting, retaining, selling, or sharing personal information on a consumer who has submitted a deletion request pursuant to these provisions unless the data collection is requested by the consumer. Beginning July 1, 2025, after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to the bill’s provisions, the bill would require the data broker to delete all personal information of the consumer at least once every 31 days, and would prohibit the data broker from selling or sharing new personal information of the consumer, unless the consumer requests otherwise. The bill would, beginning January 1, 2027, and every 3 years thereafter, require a data broker to undergo an audit by an independent third party to determine compliance with these provisions, and would require the data broker to submit an audit report to the agency, as specified. The bill would authorize the agency to charge a fee to data brokers for accessing the accessible deletion mechanism, as specified.
The bill would provide that a data broker that fails to comply with the requirements pertaining to the accessible deletion mechanism described above is liable for civil penalties, administrative fines, fees, and costs, as specified, and would raise the amount of the existing civil penalty provisions described above. The bill would require that civil penalties, administrative fines, fees, and costs recovered under these provisions be deposited in the Data Brokers’ Registry Fund instead of the Consumer Privacy Fund, and would expand the specified uses of moneys in the Data Brokers’ Registry fund Fund to include the costs incurred by the state courts and the Attorney General in connection with enforcing these provisions and the costs of establishing, maintaining, and providing access to the accessible deletion mechanism described above.
The bill would require a data broker to provide additional information to the agency, including information related to requests received under the CCPA, whether the data broker collects specified information, and specified information regarding an audit under the provisions described above.
The bill would declare that it furthers the purposes and intent of the CCPA for specified reasons.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Section 1798.99.80 of the Civil Code is amended to read:

1798.99.80.
 For purposes of this title:
(a) The definitions in Section 1798.140 shall apply unless otherwise specified in this title.
(b) “Data broker” means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. “Data broker” does not include any of the following:
(1) An entity to the extent that it is covered by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(2) An entity to the extent that it is covered by the Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.
(3) An entity to the extent that it is covered by the Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).

SEC. 2.

 Section 1798.99.81 of the Civil Code is amended to read:

1798.99.81.
 A fund to be known as the “Data Brokers’ Registry Fund” is hereby created within the State Treasury. All registration fees received pursuant to paragraph (1) of subdivision (b) of Section 1798.99.82 and all penalties, fines, fees, and expenses recovered in an action prosecuted under subdivisions (c) to (f), inclusive, of Section 1798.99.82 shall be deposited into the Data Brokers’ Registry Fund, to be available for expenditure by the Department of Justice and the California Privacy Protection Agency, upon appropriation by the Legislature, to offset all of the following costs:
(a) The reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84.
(b) The costs incurred by the state courts and the Attorney General in connection with enforcing this title, as specified in Section 1798.99.82.
(c) The reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86.

SEC. 3.

 Section 1798.99.82 of the Civil Code is amended to read:

1798.99.82.
 (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.
(b) In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:
(1) Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84 and the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86. Registration fees shall be deposited in the Data Brokers’ Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.
(2) Provide the following information:
(A) The name of the data broker and its primary physical, email, and internet website addresses.
(B) The metrics compiled pursuant to paragraphs (1) and (2) of subdivision (a) of Section 1798.99.85.
(C) Whether the data broker collects the personal information of minors.
(D) Whether the data broker collects consumers’ precise geolocation.
(E) Whether the data broker collects consumers’ reproductive health care data.
(F) Beginning January 1, 2028, whether the data broker has undergone an audit as described in subdivision (f) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency.
(G) A link to a page on the data broker’s internet website that does both of the following:
(i) Details how consumers may exercise their privacy rights by doing all of the following:
(I) Deleting personal information, as described in Section 1798.105.
(II) Correcting inaccurate personal information, as described in Section 1798.106.
(III) Learning what personal information is being collected and how to access that personal information, as described in Section 1798.110.
(IV) Learning what personal information is being sold or shared and to whom, as described in Section 1798.115.
(V) Learning how to opt out of the sale or sharing of personal information, as described in Section 1798.120.
(VI) Learning how to limit the use and disclosure of sensitive personal information, as described in Section 1798.121.
(ii) Does not make use of any dark patterns.
(H) Whether and to what extent the data broker or any of its subsidiaries is regulated by any of the following:
(i) The federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(ii) The Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.
(iii) The Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).
(I) Any additional information or explanation the data broker chooses to provide concerning its data collection practices.
(c) A data broker that fails to register as required by this section is subject to injunction and is liable for civil penalties, fees, and costs in an action brought in the name of the people of the State of California by the Attorney General as follows:
(1) A civil penalty of two hundred dollars ($200) for each day the data broker fails to register as required by this section.
(2) An amount equal to the fees that were due during the period it failed to register.
(3) Expenses incurred by the Attorney General in the investigation and prosecution of the action as the court deems appropriate.
(d) A data broker that fails to register as required by this section is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:
(1) An administrative fine of two hundred dollars ($200) for each day the data broker fails to register as required by this section.
(2) An amount equal to the fees that were due during the period it failed to register.
(3) Expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action as the court deems appropriate.
(e) A data broker required to register under this title that fails to comply with the requirements of Section 1798.99.86 is subject to injunction and is liable for civil penalties, fees, and costs in an action brought in the name of the people of the State of California by the Attorney General as follows:
(1) A civil penalty of two hundred dollars ($200) for each deletion request for each day the data broker fails to delete information as required by Section 1798.99.86.
(2) Expenses incurred by the Attorney General in the investigation and prosecution of the action as the court deems appropriate.
(f) A data broker required to register under this title that fails to comply with the requirements of Section 1798.99.86 is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:
(1) An administrative fine of two hundred dollars ($200) for each deletion request for each day the data broker fails to delete information as required by Section 1798.99.86.
(2) Expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action as the court deems appropriate.
(g) Any penalties, fines, fees, and expenses recovered in an action prosecuted under subdivisions (c) to (f), inclusive, shall be deposited in the Data Brokers’ Registry Fund, created within the State Treasury pursuant to of Section 1798.99.81, with the intent that they be used to fully offset costs incurred by the state courts and the Attorney General in connection with this title.
(h) The California Privacy Protection Agency shall, upon request by the Attorney General, stay an administrative action or investigation under this title to permit the Attorney General to proceed with an investigation or civil action, and shall not pursue an administrative action or investigation, unless the Attorney General subsequently determines not to pursue an investigation or civil action.
(i) (1) The Attorney General shall not file a civil action pursuant to this section after the California Privacy Protection Agency has issued a decision pursuant to this section for the same underlying conduct.
(2) The California Privacy Protection Agency shall not file an administrative action pursuant to this section after the Attorney General has brought an action pursuant to this section for the same underlying conduct.

SEC. 4.

 Section 1798.99.84 of the Civil Code is amended to read:

1798.99.84.
 The California Privacy Protection Agency shall create a page on its internet website where the registration information provided by data brokers described in paragraph (2) of subdivision (b) of Section 1798.99.82 and the accessible deletion mechanism described in Section 1798.99.86 shall be accessible to the public.

SEC. 5.

 Section 1798.99.85 is added to the Civil Code, to read:

1798.99.85.
 (a) On or before January 31 following each year in which a business meets the definition of a data broker as provided in this title, the business shall do all of the following:
(1) Compile the number of requests pursuant to Sections 1798.105, 1798.110, 1798.115, and 1798.120 that the data broker received, complied with in whole or in part, and denied.
(2) Compile the median and the mean number of days within which the data broker substantively responded to requests pursuant to Sections 1798.105, 1798.110, 1798.115, and 1798.120 that the data broker received.
(3) Disclose the metrics compiled pursuant to paragraphs (1) and (2) on the data broker’s internet website and provide a link to that internet website in the data broker’s privacy policy.
(b) In its disclosure pursuant to paragraph (3) of subdivision (a), a data broker shall disclose the number of requests that the data broker denied in whole or in part because of any of the following:
(1) The request was unverifiable.
(2) The request was not made by a consumer.
(3) The request called for information exempt from disclosure.
(4) The request was denied on other grounds.

SEC. 6.

 Section 1798.99.86 is added to the Civil Code, to read:

1798.99.86.
 (a) By January 1, 2025, the California Privacy Protection Agency shall establish an accessible deletion mechanism that does both of the following:
(1) Implements and maintains reasonable security procedures and practices, including, but not limited to, administrative, physical, and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used and to protect consumers’ personal information from unauthorized use, disclosure, access, destruction, or modification.
(2) Allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.
(b) The accessible deletion mechanism established pursuant to subdivision (a) shall meet all of the following requirements:
(1) The accessible deletion mechanism shall allow a consumer to request the deletion of all personal information related to that consumer through a single deletion request.
(2) The accessible deletion mechanism shall permit a consumer to securely submit information in one or more privacy-protecting ways determined by the California Privacy Protection Agency to aid in the deletion request.
(3) The accessible deletion mechanism shall allow data brokers registered with the California Privacy Protection Agency to determine whether an individual has submitted a verifiable consumer request to delete the personal information related to that consumer as described in paragraph (1) and shall not allow the disclosure of any additional personal information when the data broker accesses the accessible deletion mechanism unless otherwise specified in this title.
(4) The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) using an internet service operated by the California Privacy Protection Agency.
(5) The accessible deletion mechanism shall not charge a consumer to make a request described in paragraph (1).
(6) The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) in any language spoken by any consumer for whom personal information has been collected by data brokers.
(7) The accessible deletion mechanism shall be readily accessible and usable by consumers with disabilities.
(8) The accessible deletion mechanism shall support the ability of a consumer’s authorized agents to aid in the deletion request pursuant to Section 7063 of Title 11 of the California Code of Regulations.
(9) The accessible deletion mechanism shall allow the consumer, or their authorized agent, to verify the status of the consumer’s deletion request.
(c) The California Privacy Protection Agency may promulgate regulations to improve the operational privacy and security of the system.
(d)  (1) Beginning August 1, 2025, a data broker shall access the accessible deletion mechanism established pursuant to subdivision (a) at least once every 31 days and do all of the following:
(A) Process all pending deletion requests made pursuant to this section.
(B) Direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the consumers making the requests described in subparagraph (A).
(C) Immediately following the deletion described in subparagraph (A), send an affirmative representation to the California Privacy Protection Agency indicating the number of records deleted by the data broker and any service providers or contractors directed to delete personal information pursuant to subparagraph (B).
(2) Notwithstanding paragraph (1), a data broker may retain any of the following information:
(A) Personal information that is processed or maintained solely as part of human subjects research conducted in compliance with any legal requirements for the protection of human subjects.
(B) Personal information necessary to comply with a warrant, subpoena, court order, rule, or other applicable law, but only for as long as is needed to comply.
(C) Personal information necessary for the exercising of free speech or necessary to ensure the right of another consumer to exercise that consumer’s right of free speech or another right provided for by law.
(3) Personal information described in paragraph (2) shall only be used for the purposes described in paragraph (2) and shall not be used or disclosed for any other purpose, including, but not limited to, marketing purposes.
(e) (1) Beginning July 1, 2025, a data broker shall not collect, retain, sell, or share personal information of a consumer who has submitted a deletion request pursuant to this section unless the data collection is requested by the consumer. after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to this section, the data broker shall delete all personal information of the consumer at least once every 31 days unless the consumer requests otherwise.
(2) Beginning July 1, 2025, after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to this section, the data broker shall not sell or share new personal information of the consumer unless the consumer requests otherwise.
(f) (1) Beginning January 1, 2027, and every three years thereafter, a data broker shall undergo an audit by an independent third party to determine compliance with this section.
(2) By six months after the completion of an audit pursuant to paragraph (1), the data broker shall submit a report resulting from the audit and any related materials to the California Privacy Protection Agency.
(3) A data broker shall maintain the report and materials described in paragraph (2) for at least six years.
(g) (1) The California Privacy Protection Agency may charge an access fee to a data broker when the data broker accesses the accessible deletion mechanism pursuant to subdivision (d) that does not exceed the reasonable costs of providing that access.
(2) A fee collected by the California Privacy Protection Agency pursuant to paragraph (1) shall be deposited in the Data Brokers’ Registry Fund.
(h) Regulations promulgated pursuant to this section shall be adopted in compliance with the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code).

SEC. 7.

 The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020 by ensuring consumers’ rights, including the constitutional right to privacy, are protected by enabling and empowering Californians to request that data brokers delete their personal information and prohibiting data brokers from collecting consumers’ personal information in the future.
feedback