SB-1076 Data brokers: accessible deletion mechanism. (2023-2024)

Date Published: 02/12/2024 09:00 PM


CALIFORNIA LEGISLATURE— 2023–2024 REGULAR SESSION

Senate Bill
No. 1076


Introduced by Senator Wilk

February 12, 2024


An act to amend Sections 1798.99.86 and 1798.99.87 of the Civil Code, relating to data brokers.


LEGISLATIVE COUNSEL'S DIGEST


SB 1076, as introduced, Wilk. Data brokers: accessible deletion mechanism.
The California Consumer Privacy Act of 2018 (CCPA) grants a consumer various rights with respect to personal information that is collected or sold by a business, including the right to request that a business delete personal information about the consumer that the business has collected from the consumer, as specified. The California Privacy Rights Act of 2020 (CPRA), approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency (CPPA) and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA.
Existing law defines and requires the CPPA to regulate data brokers. Existing law, by January 1, 2026, requires the CPPA to establish an accessible deletion mechanism that meets certain requirements, including that it support the ability of a consumer’s authorized agents to aid in the deletion request.
This bill would impose additional requirements on the accessible deletion mechanism regarding authorized agents. In this regard, the bill would, among other things, require an authorized agent aiding in a deletion request to be registered with, and certified by, the CPPA, and would prohibit the authorized agent from charging the consumer a fee, as specified. The bill would also require the accessible deletion mechanism to include certain information for a data broker to directly contact the consumer requesting the deletion, and procedures to authenticate the identity of the consumer, as specified.
Existing law requires a data broker, when denying a consumer’s deletion request because the request cannot be verified, to process the request as an opt out of the sale or sharing of the consumer’s personal information, as specified, and to direct all service providers or contractors associated with the data broker to process the request in the same way.
This bill would recast that provision to instead authorize a data broker that denies a consumer request to delete because the request cannot be verified to ask if the consumer wants the data broker to process the request as an opt out, as specified. The bill would also authorize the data broker to deny the request if the data broker has a good faith, reasonable, and documented belief that the request is fraudulent, as specified, or if the request was submitted through an authorized agent who has not provided the consumer’s signed permission demonstrating the agent’s authority to act on the consumer’s behalf.
Existing law authorizes the CPPA to adopt regulations to implement and administer this title, as specified.
This bill would instead require the CPPA to adopt those regulations on or before August 1, 2025.
This bill would declare that it furthers the purposes and intent of the CPRA for specified reasons.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 The Legislature finds and declares all of the following:
(a) California has emerged as a trailblazer in fortifying consumer privacy rights with the chaptering of SB 362 (2023), recognizing the paramount need to shield personal information from unauthorized use, disclosure, access, destruction, or modification in the dynamic digital era.
(b) The California Privacy Protection Agency, established to meticulously oversee and enforce privacy laws, assumes a pivotal role in championing and upholding the robust privacy rights of consumers throughout the state.
(c) Striking a balance between privacy protection and fraud prevention is essential. A practical and strategic approach is imperative to address concerns surrounding data deletion, focusing on fortifying the verification of consumer identity while ensuring transparency in the process, while at the same time being able to process thousands of requests.
(d) Authorized agents empower consumers’ data deletion rights by assisting in deletion requests, and should be registered and certified by the California Privacy Protection Agency. This additional layer of protection is subject to stringent requirements and safeguards, emphasizing transparency to consumers to enhance fraud protection.
(e) There are already examples of abuse and lessons to be learned from companies charging consumers for services that are otherwise available at no charge, such as fraudulent credit repair services. In a landscape where some data privacy companies charge consumers for these essential services, the accessible deletion mechanism is intended to be a government service that remains free of charge, reinforcing the commitment to transparency and consumer empowerment.
(f) The imperative to implement and sustain robust security measures reverberates in the realm of consumer protection. Technical safeguards are nonnegotiable elements in the battle against fraudulent activities.
(g) SB 362 (2023), while striving to fortify consumer privacy, introduces a potential imbalance as many large data aggregators are not covered under the data broker registry. This limitation of the types of companies included in consumer deletion rights raises concerns about transparency and fairness, creating an environment of potential abuse by companies not covered by that act.

SEC. 2.

 Section 1798.99.86 of the Civil Code is amended to read:

1798.99.86.
 (a) By January 1, 2026, the California Privacy Protection Agency shall establish an accessible deletion mechanism that does all of the following:
(1) Implements and maintains reasonable security procedures and practices, including, but not limited to, administrative, physical, and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used and to protect consumers’ personal information from unauthorized use, disclosure, access, destruction, or modification.
(2) Allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.
(3) Allows a consumer to selectively exclude specific data brokers from a request made under paragraph (2).
(4) Allows a consumer to make a request to alter a previous request made under this subdivision after at least 45 days have passed since the consumer last made a request under this subdivision.
(b) The accessible deletion mechanism established pursuant to subdivision (a) shall meet all of the following requirements:
(1) The accessible deletion mechanism shall allow a consumer to request the deletion of all personal information related to that consumer through a single deletion request.
(2) The accessible deletion mechanism shall permit a consumer to securely submit information in one or more privacy-protecting ways determined by the California Privacy Protection Agency to aid in the deletion request.
(3) The accessible deletion mechanism shall allow data brokers registered with the California Privacy Protection Agency to determine whether an individual has submitted a verifiable consumer request to delete the personal information related to that consumer as described in paragraph (1) and shall not allow the disclosure of any additional personal information when the data broker accesses the accessible deletion mechanism unless otherwise specified in this title.
(4) The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) using an internet service operated by the California Privacy Protection Agency.
(5) The accessible deletion mechanism shall not charge a consumer to make a request described in paragraph (1).
(6) The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) in any language spoken by any consumer for whom personal information has been collected by data brokers.
(7) The accessible deletion mechanism shall be readily accessible and usable by consumers with disabilities.
(8) The accessible deletion mechanism shall support the ability of a consumer’s authorized agents to aid in the deletion request subject to all of the following requirements:
(A) An authorized agent shall not aid in a deletion request unless the authorized agent is registered with, and certified by, the California Privacy Protection Agency.
(B) Consumer requests made by an authorized agent shall be subject to Section 7063 of Title 11 of the California Code of Regulations.
(C) Data broker processing of requests made by an authorized agent shall be subject to Section 7063 of Title 11 of the California Code of Regulations.
(D) An authorized agent shall ensure that the consumer is reasonably informed about a deletion decision and the rights granted to the consumer under this title.
(E) An authorized agent shall facilitate the consumer’s exercise of any rights granted to the consumer under subdivision (a).
(F) An authorized agent shall not sell, share, or use, or act on behalf of or in concert with an entity that sells, shares, or uses personal information to deliver advertising and marketing services to another business.
(G) An authorized agent shall not charge the consumer a fee, or act on behalf of or in concert with an entity that charges the consumer a fee, to facilitate a deletion request.
(H) If an authorized agent submits a consumer’s email as part of a deletion request, the email address shall allow the data broker to directly contact the consumer without an authorized agent.
(9) The accessible deletion mechanism shall allow the consumer, or their authorized agent, to verify the status of the consumer’s deletion request.
(10) The accessible deletion mechanism shall provide a description of all of the following:
(A) The deletion permitted by this section, including, but not limited to, the actions required by subdivisions (c) and (d).
(B) The process for submitting a deletion request pursuant to this section.
(C) Examples of the types of information that may be deleted.
(11) The accessible deletion mechanism shall include sufficient information for a data broker to directly contact the consumer in a manner that is substantially similar to the manner the consumer used to request the deletion.
(12) The accessible deletion mechanism shall include procedures to authenticate to a high level of certainty the identity of a consumer who submits a deletion request that comply with industry and government best practices and standards for identity verification, assurance, and fraud protection.
(c) (1) Beginning August 1, 2026, a data broker shall access the accessible deletion mechanism established pursuant to subdivision (a) at least once every 45 days and do all of the following:
(A) Within 45 days after receiving a request made pursuant to this section, process all deletion requests made pursuant to this section and delete all personal information related to the consumers making the requests consistent with the requirements of this section.

(B) Direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the consumers making the requests described in subparagraph (A).
(2) When accessing the accessible deletion mechanism pursuant to the requirements described in paragraph (1), a data broker may do any of the following:
(A) (i) In cases where a data broker denies a consumer request to delete under this title because the request cannot be verified, ask the consumer if the consumer wants the data broker to process the request as an opt out of the sale or sharing of the consumer’s personal information, as provided for under Section 1798.120 and limited by Sections 1798.105, 1798.145, and 1798.146.
(ii) When processing a request pursuant to clause (i), the data broker may ask the consumer for information necessary to complete the request, including, but not limited to, information necessary to identify the consumer.

(iii) When processing a request pursuant to clause (i), the data broker shall direct all service providers or contractors associated with the data broker to process the request in the same manner as the data broker processed the request.
(B) (i) Deny the request if the data broker has a good faith, reasonable, and documented belief that the request is fraudulent.
(ii) If a data broker denies a request pursuant to clause (i), the data broker shall inform the consumer that the data broker will not comply with the request and provide an explanation describing why the data broker believes the request is fraudulent.
(C) Deny the request if the request was submitted through an authorized agent and the agent has not provided the consumer’s signed permission demonstrating that the authorized agent has the authority to act on the consumer’s behalf.

(3) Notwithstanding paragraph (1), a data broker shall not be required to delete a consumer’s personal information if either of the following apply:
(A) It is reasonably necessary for the data broker to maintain the personal information to fulfill a purpose described in subdivision (d) of Section 1798.105.
(B) The deletion is not required pursuant to Section 1798.145 or 1798.146.

(4) Personal information described in paragraph (3) shall only be used for the purposes described in paragraph (3) and shall not be used or disclosed for any other purpose, including, but not limited to, marketing purposes.
(d) (1) Beginning August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to this section, the data broker shall delete all personal information of the consumer at least once every 45 days pursuant to this section unless the consumer requests otherwise or the deletion is not required pursuant to paragraph (3) of subdivision (c).
(2) Beginning August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to this section, the data broker shall not sell or share new personal information of the consumer unless the consumer requests otherwise or selling or sharing the personal information is permitted under Section 1798.145 or 1798.146.
(e) (1) Beginning January 1, 2028, and every three years thereafter, a data broker shall undergo an audit by an independent third party to determine compliance with this section.
(2) For an audit completed pursuant to paragraph (1), the data broker shall submit a report resulting from the audit and any related materials to the California Privacy Protection Agency within five business days of a written request from the California Privacy Protection Agency.
(3) A data broker shall maintain the report and materials described in paragraph (2) for at least six years.
(f) (1) The California Privacy Protection Agency may charge an access fee to a data broker when the data broker accesses the accessible deletion mechanism pursuant to subdivision (d) that does not exceed the reasonable costs of providing that access.
(2) A fee collected by the California Privacy Protection Agency pursuant to paragraph (1) shall be deposited in the Data Brokers’ Registry Fund.

SEC. 3.

 Section 1798.99.87 of the Civil Code is amended to read:

1798.99.87.
 (a) On or before August 1, 2025, the California Privacy Protection Agency shall adopt regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code) to implement and administer this title.
(b) Notwithstanding subdivision (a), any regulation adopted by the California Privacy Protection Agency to establish fees authorized by this title shall be exempt from the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code).

SEC. 4.

 The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020 by ensuring consumers’ rights, including the constitutional right to privacy, are protected by enacting additional consumer protection provisions regarding consumers’ requests that data brokers delete their personal information, including additional safeguards related to consumers’ use of authorized agents to make those requests.