California Privacy Protection Agency Announces Delete Act Enforcement Sweep
Keeping the season spooky for data brokers, the enforcement division of the California Privacy Protection Agency announced on October 30, 2024, that it is conducting a public investigative sweep of data broker registration compliance under California’s Delete Act.
What Is a Data Broker?
A data broker is defined as “a business that knowingly collects and sells to third parties the personal information of a [California] consumer with whom the business does not have a direct relationship.” “Selling” includes transfers of personal information for any valuable or monetary consideration.
There are several exclusions to the definition of a data broker. For example, the Delete Act does not apply to entities covered by the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA), among others.
What Do Data Brokers Need to Do?
Signed into law in October 2023, the Delete Act requires data brokers to annually register, pay a fee, and provide the following information to the California Privacy Protection Agency:
- Whether the company collects the personal information of minors, reproductive health care data, or precise geolocation data;
- The number of consumer rights requests the broker received during the prior calendar year; and
- The median and mean number of days by which the data broker substantively responded to those requests.
These statistics and information regarding consumers’ rights under the California Consumer Privacy Act must also be disclosed in a link on the data broker’s website.
Covered businesses that operated as a data broker during the 2024 calendar year have until January 31, 2025, to register or face a penalty of $200 per day.
The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.