Senate Bill No. 362
California Data Broker Law

Senate Bill No. 362

CHAPTER 709

An act to amend Sections 1798.99.80, 1798.99.81, 1798.99.82, and 1798.99.84 of, and to add Sections 1798.99.85, 1798.99.86, 1798.99.87, and 1798.99.89 to, the Civil Code, relating to data brokers.

[Approved by Governor October 10, 2023. Filed with Secretary of State October 10, 2023.]

LEGISLATIVE COUNSEL'S DIGEST

SB 362, Becker. Data broker registration: accessible deletion mechanism.

The California Consumer Privacy Act of 2018 (CCPA) grants a consumer various rights with respect to personal information that is collected or sold by a business, including the right to:

• Request that a business disclose specified information that has been collected about the consumer.
• Request that a business delete personal information collected from the consumer.
• Direct a business not to sell or share the consumer’s personal information, as specified.

The CCPA defines various terms for these purposes. The California Privacy Rights Act of 2020 (CPRA), approved by voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA. It establishes the California Privacy Protection Agency (agency) and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA.

Existing law:

• Requires a data broker to register with the Attorney General, pay a registration fee, and provide specified information on or before January 31 each year in which a business meets the definition of data broker.
• Establishes the Data Brokers’ Registry Fund, where registration fees are deposited and used for specified purposes.
• Requires the Attorney General to create and maintain a website where specified information provided by data brokers is accessible to the public.
• Makes a data broker liable for civil penalties, fees, and costs if they fail to register as required.

This bill incorporates the definitions from the CCPA into the data broker provisions and makes the following changes:

• Requires data brokers to register with, pay fees to, and provide information to the California Privacy Protection Agency instead of the Attorney General.
• Requires a data broker to compile and disclose information relating to requests received under the CCPA.
• Makes data brokers liable for administrative fines and costs in an action brought by the agency instead of the Attorney General.

SECTION 1

Section 1798.99.80 of the Civil Code is amended to read:

1798.99.80. For purposes of this title:

• The definitions in Section 1798.140 shall apply unless otherwise specified in this title.
• "Authorized agent" has the same meaning as used in Chapter 1 (commencing with Section 7000) of Division 6 of Title 11 of the California Code of Regulations.
• "Data broker" means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.
  • "Data broker" does not include:
    • An entity covered by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
    • An entity covered by the Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.
    • An entity covered by the Insurance Information and Privacy Protection Act (Article 6.6 commencing with Section 791 of Chapter 1 of Part 2 of Division 1 of the Insurance Code).
    • An entity or a business associate of a covered entity to the extent their processing of personal information is exempt under Section 1798.146.

SECTION 2

Section 1798.99.81 of the Civil Code is amended to read:

1798.99.81
A fund known as the "Data Brokers’ Registry Fund" is hereby created within the State Treasury. The fund shall be administered by the California Privacy Protection Agency. All moneys collected or received by the California Privacy Protection Agency and the Department of Justice under this title shall be deposited into the Data Brokers’ Registry Fund, to be available for expenditure by the California Privacy Protection Agency, upon appropriation by the Legislature, to offset all of the following costs:

• The reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84.
• The costs incurred by the state courts and the California Privacy Protection Agency in connection with enforcing this title, as specified in Section 1798.99.82.
• The reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86.

SECTION 3

Section 1798.99.82 of the Civil Code is amended to read:

1798.99.82.
(a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.
(b) In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:

• Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84 and the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86. Registration fees shall be deposited in the Data Brokers’ Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.
• Provide the following information:
  • The name of the data broker and its primary physical, email, and internet website addresses.
  • The metrics compiled pursuant to paragraphs (1) and (2) of subdivision (a) of Section 1798.99.85.
  • Whether the data broker collects the personal information of minors.
  • Whether the data broker collects consumers’ precise geolocation.
  • Whether the data broker collects consumers’ reproductive health care data.
  • Beginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency.
  • A link to a page on the data broker’s internet website that does both of the following:
    • Details how consumers may exercise their privacy rights by:
      • Deleting personal information, as described in Section 1798.105.
      • Correcting inaccurate personal information, as described in Section 1798.106.
      • Learning what personal information is being collected and how to access that personal information, as described in Section 1798.110.
      • Learning what personal information is being sold or shared and to whom, as described in Section 1798.115.
      • Learning how to opt out of the sale or sharing of personal information, as described in Section 1798.120.
      • Learning how to limit the use and disclosure of sensitive personal information, as described in Section 1798.121.
    • Does not make use of any dark patterns.
  • Whether and to what extent the data broker or any of its subsidiaries is regulated by any of the following:
    • The federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
    • The Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.
    • The Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).
    • The Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).
  • Any additional information or explanation the data broker chooses to provide concerning its data collection practices.

(c) A data broker that fails to register as required by this section is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:

• An administrative fine of two hundred dollars ($200) for each day the data broker fails to register as required by this section.
• An amount equal to the fees that were due during the period it failed to register.
• Expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action as the court deems appropriate.

(d) A data broker required to register under this title that fails to comply with the requirements of Section 1798.99.86 is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:

• An administrative fine of two hundred dollars ($200) for each deletion request for each day the data broker fails to delete information as required by Section 1798.99.86.
• Reasonable expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action.

(e) Any penalties, fines, fees, and expenses recovered in an action prosecuted under subdivision (c) or (d) shall be deposited in the Data Brokers’ Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, with the intent that they be used to fully offset costs incurred by the state courts and the California Privacy Protection Agency in connection with this title.

SECTION 4

Section 1798.99.84 of the Civil Code is amended to read:

1798.99.84.
The California Privacy Protection Agency shall create a page on its internet website where the registration information provided by data brokers described in paragraph (2) of subdivision (b) of Section 1798.99.82 and the accessible deletion mechanism described in Section 1798.99.86 shall be accessible to the public.

SECTION 5

Section 1798.99.85 is added to the Civil Code, to read:

1798.99.85.
(a) On or before July 1 following each calendar year in which a business meets the definition of a data broker as provided in this title, the business shall do all of the following:

• Compile the number of requests pursuant to subdivision (c) of Section 1798.99.86 and Sections 1798.105, 1798.110, 1798.115, 1798.120, and 1798.121 that the data broker received, complied with in whole or in part, and denied during the previous calendar year.
• Compile the median and the mean number of days within which the data broker substantively responded to requests pursuant to subdivision (c) of Section 1798.99.86 and Sections 1798.105, 1798.110, 1798.115, 1798.120, and 1798.121 that the data broker received during the previous calendar year.
• Disclose the metrics compiled pursuant to paragraphs (1) and (2) within the data broker’s privacy policy posted on their internet website and accessible from a link included in the data broker’s privacy policy.

(b) In its disclosure pursuant to paragraph (3) of subdivision (a) regarding requests made pursuant to subdivision (c) of Section 1798.99.86, a data broker shall disclose the number of requests that the data broker denied in whole or in part because of any of the following:

• The request was not verifiable.
• The request was not made by a consumer.
• The request called for information exempt from deletion.
• The request was denied on other grounds.

(c) In its disclosure pursuant to paragraph (3) of subdivision (a), a data broker shall, for each provision of Section 1798.145 or 1798.146 under which deletion was not required, specify the number of requests in which deletion was not required in whole, or in part, under that provision.

SECTION 6

Section 1798.99.86 is added to the Civil Code, to read:

1798.99.86.
(a) By January 1, 2026, the California Privacy Protection Agency shall establish an accessible deletion mechanism that does all of the following:

• Implements and maintains reasonable security procedures and practices, including, but not limited to, administrative, physical, and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used and to protect consumers’ personal information from unauthorized use, disclosure, access, destruction, or modification.
• Allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.
• Allows a consumer to selectively exclude specific data brokers from a request made under paragraph (2).
• Allows a consumer to make a request to alter a previous request made under this subdivision after at least 45 days have passed since the consumer last made a request under this subdivision.

(b) The accessible deletion mechanism established pursuant to subdivision (a) shall meet all of the following requirements:

• The accessible deletion mechanism shall allow a consumer to request the deletion of all personal information related to that consumer through a single deletion request.
• The accessible deletion mechanism shall permit a consumer to securely submit information in one or more privacy-protecting ways determined by the California Privacy Protection Agency to aid in the deletion request.
• The accessible deletion mechanism shall allow data brokers registered with the California Privacy Protection Agency to determine whether an individual has submitted a verifiable consumer request to delete the personal information related to that consumer as described in paragraph (1) and shall not allow the disclosure of any additional personal information when the data broker accesses the accessible deletion mechanism unless otherwise specified in this title.
• The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) using an internet service operated by the California Privacy Protection Agency.
• The accessible deletion mechanism shall not charge a consumer to make a request described in paragraph (1).
• The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) in any language spoken by any consumer for whom personal information has been collected by data brokers.
• The accessible deletion mechanism shall be readily accessible and usable by consumers with disabilities.
• The accessible deletion mechanism shall support the ability of a consumer’s authorized agents to aid in the deletion request.
• The accessible deletion mechanism shall allow the consumer, or their authorized agent, to verify the status of the consumer’s deletion request.
• The accessible deletion mechanism shall provide a description of all of the following:
  • The deletion permitted by this section, including, but not limited to, the actions required by subdivisions (c) and (d).
  • The process for submitting a deletion request pursuant to this section.
  • Examples of the types of information that may be deleted.

(c) Beginning August 1, 2026, a data broker shall access the accessible deletion mechanism established pursuant to subdivision (a) at least once every 45 days and do all of the following:

• Within 45 days after receiving a request made pursuant to this section, process all deletion requests made pursuant to this section and delete all personal information related to the consumers making the requests consistent with the requirements of this section.
• In cases where a data broker denies a consumer request to delete under this title because the request cannot be verified, process the request as an opt-out of the sale or sharing of the consumer’s personal information, as provided for under Section 1798.120 and limited by Sections 1798.105, 1798.145, and 1798.146.
• Direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the consumers making the requests described in subparagraph (A).
• Direct all service providers or contractors associated with the data broker to process a request described by subparagraph (B) as an opt-out of the sale or sharing of the consumer’s personal information, as provided for under Section 1798.120 and limited by Sections 1798.105, 1798.145, and 1798.146.

Notwithstanding paragraph (1), a data broker shall not be required to delete a consumer’s personal information if either of the following apply:

• It is reasonably necessary for the data broker to maintain the personal information to fulfill a purpose described in subdivision (d) of Section 1798.105.
• The deletion is not required pursuant to Section 1798.145 or 1798.146.

Personal information described in paragraph (2) shall only be used for the purposes described in paragraph (2) and shall not be used or disclosed for any other purpose, including, but not limited to, marketing purposes.

(d) Beginning August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to this section, the data broker shall delete all personal information of the consumer at least once every 45 days pursuant to this section unless the consumer requests otherwise or the deletion is not required pursuant to paragraph (2) of subdivision (c).

Beginning August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to this section, the data broker shall not sell or share new personal information of the consumer unless the consumer requests otherwise or selling or sharing the personal information is permitted under Section 1798.145 or 1798.146.

(e) Beginning January 1, 2028, and every three years thereafter, a data broker shall undergo an audit by an independent third party to determine compliance with this section.

For an audit completed pursuant to paragraph (1), the data broker shall submit a report resulting from the audit and any related materials to the California Privacy Protection Agency within five business days of a written request from the California Privacy Protection Agency.

A data broker shall maintain the report and materials described in paragraph (2) for at least six years.

(f) The California Privacy Protection Agency may charge an access fee to a data broker when the data broker accesses the accessible deletion mechanism pursuant to subdivision (d) that does not exceed the reasonable costs of providing that access.

A fee collected by the California Privacy Protection Agency pursuant to paragraph (1) shall be deposited in the Data Brokers’ Registry Fund.

SECTION 7

Section 1798.99.87 is added to the Civil Code, to read:

1798.99.87.
(a) Except as provided in subdivision (b), the California Privacy Protection Agency may adopt regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code) to implement and administer this title.

(b) Notwithstanding subdivision (a), any regulation adopted by the California Privacy Protection Agency to establish fees authorized by this title shall be exempt from the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code).

SECTION 8

Section 1798.99.89 is added to the Civil Code, to read:

1798.99.89.
No administrative action brought pursuant to this title alleging a violation of any of the provisions of this title shall be commenced more than five years after the date on which the violation occurred.

SECTION 9

The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020 by ensuring consumers’ rights, including the constitutional right to privacy, are protected by enabling and empowering Californians to request that data brokers delete their personal information and prohibiting data brokers from collecting consumers’ personal information in the future.