Bill Text: CA SB362 | 2023-2024 | Regular Session | Chaptered


Bill Title: Data broker registration: accessible deletion mechanism.

Spectrum: Partisan Bill (Democrat 7-0)

Status: (Passed) 2023-10-10 - Chaptered by Secretary of State. Chapter 709, Statutes of 2023. [SB362 Detail]

Download: California-2023-SB362-Chaptered.html

Senate Bill No. 362
CHAPTER 709

An act to amend Sections 1798.99.80, 1798.99.81, 1798.99.82, and 1798.99.84 of, and to add Sections 1798.99.85, 1798.99.86, 1798.99.87, and 1798.99.89 to, the Civil Code, relating to data brokers.

[ Approved by Governor  October 10, 2023. Filed with Secretary of State  October 10, 2023. ]

LEGISLATIVE COUNSEL'S DIGEST


SB 362, Becker. Data broker registration: accessible deletion mechanism.
The California Consumer Privacy Act of 2018 (CCPA) grants a consumer various rights with respect to personal information that is collected or sold by a business, including the right to request that a business disclose specified information that has been collected about the consumer, to request that a business delete personal information about the consumer that the business has collected from the consumer, and to direct a business not to sell or share the consumer’s personal information, as specified. The CCPA defines various terms for these purposes. The California Privacy Rights Act of 2020 (CPRA), approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency (agency) and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA.
Existing law requires a data broker to register with the Attorney General, pay a registration fee, and provide specified information on or before January 31 following each year in which a business meets the definition of data broker. Existing law defines various terms for these purposes. Existing law establishes the Data Brokers’ Registry Fund and requires that these registration fees be deposited into the fund, to be available for expenditure by the Department of Justice, upon appropriation, for specified purposes. Existing law provides that a data broker that fails to register as required by these provisions is liable for civil penalties, fees, and costs in an action brought by the Attorney General, as specified, and requires these moneys be deposited in the Consumer Privacy Fund with the intent that they be used to fully offset costs incurred in connection with these provisions. Existing law requires the Attorney General to create and maintain an internet website where specified information provided by data brokers is accessible to the public.
This bill would incorporate the definitions from the CCPA into the data broker provisions described above. The bill would require a data broker to register with, pay a registration fee to, and provide information to, the agency instead of the Attorney General and would require the agency to maintain the informational internet website described above. The bill would require a data broker to compile and disclose specified information relating to requests received under the CCPA. The bill would also require, on or before July 1 following each year in which a business meets the definition of a data broker, that business to provide specified information described above and make related changes. The bill would make a data broker that fails to register as required by the provisions described above liable for administrative fines and costs in an administrative action brought by the agency, as specified, instead of in an action brought by the Attorney General.
This bill would require the agency to establish, by January 1, 2026, an accessible deletion mechanism that, among other things, allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor. The bill would specify requirements for this accessible deletion mechanism, and would, beginning August 1, 2026, require a data broker to access the mechanism at least once every 45 days and, among other things, process all deletion requests, except as specified. Beginning August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to the bill’s provisions, the bill would require the data broker to delete all personal information of the consumer at least once every 45 days, as specified, and would prohibit the data broker from selling or sharing new personal information of the consumer, as specified. The bill would, beginning January 1, 2028, and every 3 years thereafter, require a data broker to undergo an audit by an independent third party to determine compliance with these provisions and would require the data broker to submit an audit report to the agency upon the agency’s written request, as specified. The bill would authorize the agency to charge a fee to data brokers for accessing the accessible deletion mechanism, as specified.
This bill would provide that a data broker that fails to comply with the requirements pertaining to the accessible deletion mechanism described above is liable for administrative fines, fees, expenses, and costs, as specified. The bill would require that moneys collected or received by the agency and the Department of Justice under these provisions be deposited in the Data Brokers’ Registry Fund, which the bill would require to be administered by the agency, instead of the Consumer Privacy Fund and would expand the specified uses of moneys in the Data Brokers’ Registry Fund to include the costs incurred by the state courts and the agency in connection with enforcing these provisions and the costs of establishing, maintaining, and providing access to the accessible deletion mechanism described above.
This bill would require a data broker to provide additional information to the agency, including information related to requests received under the CCPA, whether the data broker collects specified information, and specified information regarding an audit under the provisions described above.
This bill would prohibit an administrative action pursuant to these provisions from being commenced more than 5 years after the date on which a violation occurred.
This bill would declare that it furthers the purposes and intent of the CPRA for specified reasons.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Section 1798.99.80 of the Civil Code is amended to read:

1798.99.80.
 For purposes of this title:
(a) The definitions in Section 1798.140 shall apply unless otherwise specified in this title.
(b) “Authorized agent” has the same meaning as used in Chapter 1 (commencing with Section 7000) of Division 6 of Title 11 of the California Code of Regulations.
(c) “Data broker” means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. “Data broker” does not include any of the following:
(1) An entity to the extent that it is covered by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(2) An entity to the extent that it is covered by the Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.
(3) An entity to the extent that it is covered by the Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).
(4) An entity, or a business associate of a covered entity, to the extent their processing of personal information is exempt under Section 1798.146. For purposes of this paragraph, “business associate” and “covered entity” have the same meanings as defined in Section 1798.146.

SEC. 2.

 Section 1798.99.81 of the Civil Code is amended to read:

1798.99.81.
 A fund to be known as the “Data Brokers’ Registry Fund” is hereby created within the State Treasury. The fund shall be administered by the California Privacy Protection Agency. All moneys collected or received by the California Privacy Protection Agency and the Department of Justice under this title shall be deposited into the Data Brokers’ Registry Fund, to be available for expenditure by the California Privacy Protection Agency, upon appropriation by the Legislature, to offset all of the following costs:
(a) The reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84.
(b) The costs incurred by the state courts and the California Privacy Protection Agency in connection with enforcing this title, as specified in Section 1798.99.82.
(c) The reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86.

SEC. 3.

 Section 1798.99.82 of the Civil Code is amended to read:

1798.99.82.
 (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.
(b) In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:
(1) Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84 and the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86. Registration fees shall be deposited in the Data Brokers’ Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.
(2) Provide the following information:
(A) The name of the data broker and its primary physical, email, and internet website addresses.
(B) The metrics compiled pursuant to paragraphs (1) and (2) of subdivision (a) of Section 1798.99.85.
(C) Whether the data broker collects the personal information of minors.
(D) Whether the data broker collects consumers’ precise geolocation.
(E) Whether the data broker collects consumers’ reproductive health care data.
(F) Beginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency.
(G) A link to a page on the data broker’s internet website that does both of the following:
(i) Details how consumers may exercise their privacy rights by doing all of the following:
(I) Deleting personal information, as described in Section 1798.105.
(II) Correcting inaccurate personal information, as described in Section 1798.106.
(III) Learning what personal information is being collected and how to access that personal information, as described in Section 1798.110.
(IV) Learning what personal information is being sold or shared and to whom, as described in Section 1798.115.
(V) Learning how to opt out of the sale or sharing of personal information, as described in Section 1798.120.
(VI) Learning how to limit the use and disclosure of sensitive personal information, as described in Section 1798.121.
(ii) Does not make use of any dark patterns.
(H) Whether and to what extent the data broker or any of its subsidiaries is regulated by any of the following:
(i) The federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(ii) The Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.
(iii) The Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).
(iv) The Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).
(I) Any additional information or explanation the data broker chooses to provide concerning its data collection practices.
(c) A data broker that fails to register as required by this section is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:
(1) An administrative fine of two hundred dollars ($200) for each day the data broker fails to register as required by this section.
(2) An amount equal to the fees that were due during the period it failed to register.
(3) Expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action as the court deems appropriate.
(d) A data broker required to register under this title that fails to comply with the requirements of Section 1798.99.86 is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:
(1) An administrative fine of two hundred dollars ($200) for each deletion request for each day the data broker fails to delete information as required by Section 1798.99.86.
(2) Reasonable expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action.
(e) Any penalties, fines, fees, and expenses recovered in an action prosecuted under subdivision (c) or (d) shall be deposited in the Data Brokers’ Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, with the intent that they be used to fully offset costs incurred by the state courts and the California Privacy Protection Agency in connection with this title.

SEC. 4.

 Section 1798.99.84 of the Civil Code is amended to read:

1798.99.84.
 The California Privacy Protection Agency shall create a page on its internet website where the registration information provided by data brokers described in paragraph (2) of subdivision (b) of Section 1798.99.82 and the accessible deletion mechanism described in Section 1798.99.86 shall be accessible to the public.

SEC. 5.

 Section 1798.99.85 is added to the Civil Code, to read:

1798.99.85.
 (a) On or before July 1 following each calendar year in which a business meets the definition of a data broker as provided in this title, the business shall do all of the following:
(1) Compile the number of requests pursuant to subdivision (c) of Section 1798.99.86 and Sections 1798.105, 1798.110, 1798.115, 1798.120, and 1798.121 that the data broker received, complied with in whole or in part, and denied during the previous calendar year.
(2) Compile the median and the mean number of days within which the data broker substantively responded to requests pursuant to subdivision (c) of Section 1798.99.86 and Sections 1798.105, 1798.110, 1798.115, 1798.120, and 1798.121 that the data broker received during the previous calendar year.
(3) Disclose the metrics compiled pursuant to paragraphs (1) and (2) within the data broker’s privacy policy posted on their internet website and accessible from a link included in the data broker’s privacy policy.
(b) In its disclosure pursuant to paragraph (3) of subdivision (a) regarding requests made pursuant to subdivision (c) of Section 1798.99.86, a data broker shall disclose the number of requests that the data broker denied in whole or in part because of any of the following:
(1) The request was not verifiable.
(2) The request was not made by a consumer.
(3) The request called for information exempt from deletion.
(4) The request was denied on other grounds.
(c) In its disclosure pursuant to paragraph (3) of subdivision (a), a data broker shall, for each provision of Section 1798.145 or 1798.146 under which deletion was not required, specify the number of requests in which deletion was not required in whole, or in part, under that provision.

SEC. 6.

 Section 1798.99.86 is added to the Civil Code, to read:

1798.99.86.
 (a) By January 1, 2026, the California Privacy Protection Agency shall establish an accessible deletion mechanism that does all of the following:
(1) Implements and maintains reasonable security procedures and practices, including, but not limited to, administrative, physical, and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used and to protect consumers’ personal information from unauthorized use, disclosure, access, destruction, or modification.
(2) Allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.
(3) Allows a consumer to selectively exclude specific data brokers from a request made under paragraph (2).
(4) Allows a consumer to make a request to alter a previous request made under this subdivision after at least 45 days have passed since the consumer last made a request under this subdivision.
(b) The accessible deletion mechanism established pursuant to subdivision (a) shall meet all of the following requirements:
(1) The accessible deletion mechanism shall allow a consumer to request the deletion of all personal information related to that consumer through a single deletion request.
(2) The accessible deletion mechanism shall permit a consumer to securely submit information in one or more privacy-protecting ways determined by the California Privacy Protection Agency to aid in the deletion request.
(3) The accessible deletion mechanism shall allow data brokers registered with the California Privacy Protection Agency to determine whether an individual has submitted a verifiable consumer request to delete the personal information related to that consumer as described in paragraph (1) and shall not allow the disclosure of any additional personal information when the data broker accesses the accessible deletion mechanism unless otherwise specified in this title.
(4) The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) using an internet service operated by the California Privacy Protection Agency.
(5) The accessible deletion mechanism shall not charge a consumer to make a request described in paragraph (1).
(6) The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) in any language spoken by any consumer for whom personal information has been collected by data brokers.
(7) The accessible deletion mechanism shall be readily accessible and usable by consumers with disabilities.
(8) The accessible deletion mechanism shall support the ability of a consumer’s authorized agents to aid in the deletion request.
(9) The accessible deletion mechanism shall allow the consumer, or their authorized agent, to verify the status of the consumer’s deletion request.
(10) The accessible deletion mechanism shall provide a description of all of the following:
(A) The deletion permitted by this section, including, but not limited to, the actions required by subdivisions (c) and (d).
(B) The process for submitting a deletion request pursuant to this section.
(C) Examples of the types of information that may be deleted.
(c) (1) Beginning August 1, 2026, a data broker shall access the accessible deletion mechanism established pursuant to subdivision (a) at least once every 45 days and do all of the following:
(A) Within 45 days after receiving a request made pursuant to this section, process all deletion requests made pursuant to this section and delete all personal information related to the consumers making the requests consistent with the requirements of this section.
(B) In cases where a data broker denies a consumer request to delete under this title because the request cannot be verified, process the request as an opt-out of the sale or sharing of the consumer’s personal information, as provided for under Section 1798.120 and limited by Sections 1798.105, 1798.145, and 1798.146.
(C) Direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the consumers making the requests described in subparagraph (A).
(D) Direct all service providers or contractors associated with the data broker to process a request described by subparagraph (B) as an opt-out of the sale or sharing of the consumer’s personal information, as provided for under Section 1798.120 and limited by Sections 1798.105, 1798.145, and 1798.146.
(2) Notwithstanding paragraph (1), a data broker shall not be required to delete a consumer’s personal information if either of the following apply:
(A) It is reasonably necessary for the data broker to maintain the personal information to fulfill a purpose described in subdivision (d) of Section 1798.105.
(B) The deletion is not required pursuant to Section 1798.145 or 1798.146.
(3) Personal information described in paragraph (2) shall only be used for the purposes described in paragraph (2) and shall not be used or disclosed for any other purpose, including, but not limited to, marketing purposes.
(d) (1) Beginning August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to this section, the data broker shall delete all personal information of the consumer at least once every 45 days pursuant to this section unless the consumer requests otherwise or the deletion is not required pursuant to paragraph (2) of subdivision (c).
(2) Beginning August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to this section, the data broker shall not sell or share new personal information of the consumer unless the consumer requests otherwise or selling or sharing the personal information is permitted under Section 1798.145 or 1798.146.
(e) (1) Beginning January 1, 2028, and every three years thereafter, a data broker shall undergo an audit by an independent third party to determine compliance with this section.
(2) For an audit completed pursuant to paragraph (1), the data broker shall submit a report resulting from the audit and any related materials to the California Privacy Protection Agency within five business days of a written request from the California Privacy Protection Agency.
(3) A data broker shall maintain the report and materials described in paragraph (2) for at least six years.
(f) (1) The California Privacy Protection Agency may charge an access fee to a data broker when the data broker accesses the accessible deletion mechanism pursuant to subdivision (d) that does not exceed the reasonable costs of providing that access.
(2) A fee collected by the California Privacy Protection Agency pursuant to paragraph (1) shall be deposited in the Data Brokers’ Registry Fund.

SEC. 7.

 Section 1798.99.87 is added to the Civil Code, to read:

1798.99.87.
 (a) Except as provided in subdivision (b), the California Privacy Protection Agency may adopt regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code) to implement and administer this title.
(b) Notwithstanding subdivision (a), any regulation adopted by the California Privacy Protection Agency to establish fees authorized by this title shall be exempt from the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code).

SEC. 8.

 Section 1798.99.89 is added to the Civil Code, to read:

1798.99.89.
 No administrative action brought pursuant to this title alleging a violation of any of the provisions of this title shall be commenced more than five years after the date on which the violation occurred.

SEC. 9.

 The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020 by ensuring consumers’ rights, including the constitutional right to privacy, are protected by enabling and empowering Californians to request that data brokers delete their personal information and prohibiting data brokers from collecting consumers’ personal information in the future.
feedback