The Delete Act (SB 362), signed into law by California Gov. Gavin Newsom on October 10, imposes additional disclosure and registration requirements on data brokers. It requires data brokers to support deletion requests through a central “deletion mechanism” managed by the California Privacy Protection Agency (CPPA). The law also empowers consumers to request deletion of their personal information from all registered data brokers with a single submission.

As our Privacy + Cyber professionals explain in a more detailed summary, the expanded new requirements of the Delete Act are a legal and operational game-changer for organizations that qualify as data brokers. Data brokers will now have to provide more information during registration, including details about their collection of minors’ personal information, precise geolocation data, and reproductive health care data. They are also required to compile and disclose certain metrics related to CCPA requests annually, undergo audits, and maintain audit records for at least six years. The act presents several challenges for any organization deemed to be a data broker, including determining applicability, managing broader business impacts, handling technical complexities related to verification of requests and a continuing duty of deletion, and bearing potentially high costs.

Even if your business isn’t considered a data broker, data obtained or used by your business likely comes from a data broker. Our team’s advisory includes best practices to comply with the growing number of data protection laws in the United States, including conducting data-mapping assessments, reviewing registration requirements, maintaining deletion request policies, developing record-keeping policies, conducting training, and considering the impact of data deletion on vendor management and contracts.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ronald I. Raether, Jr. Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.

Photo of Sadia Mirza Sadia Mirza

Sadia leads the firm’s Incidents + Investigations team, advising clients on all aspects of data security and privacy issues. She is the first point of contact when a security incident or data breach is suspected, and plays a central role in her clients’

Sadia leads the firm’s Incidents + Investigations team, advising clients on all aspects of data security and privacy issues. She is the first point of contact when a security incident or data breach is suspected, and plays a central role in her clients’ cybersecurity strategies.

Photo of Karla Ballesteros Karla Ballesteros

Karla is an associate in the firm’s Privacy + Cyber practice. Her daily work includes counseling insureds on the initial incident response, potential ransom payment, restoration, data mining, and notification segments of the incident response practice. She also leads efforts to identifying and…

Karla is an associate in the firm’s Privacy + Cyber practice. Her daily work includes counseling insureds on the initial incident response, potential ransom payment, restoration, data mining, and notification segments of the incident response practice. She also leads efforts to identifying and remediating shortcomings in cybersecurity and privacy practices of firm clients.

Photo of Laura Hamady Laura Hamady

Laura serves as counsel in the firm’s Privacy + Cyber practice. She brings more than 15 years of experience in privacy and cybersecurity related matters. Laura is an industry-experienced privacy leader and has served in senior privacy leadership positions at a variety of…

Laura serves as counsel in the firm’s Privacy + Cyber practice. She brings more than 15 years of experience in privacy and cybersecurity related matters. Laura is an industry-experienced privacy leader and has served in senior privacy leadership positions at a variety of large companies across various industry spaces, including Twitter, Visa, PayPal, Chronicle (a Google company), Groupon, Levi’s Takeda Pharmaceuticals, and more.