California Data Broker Registration: Delete Act Requirements and Annual Reporting

Data broker registration, annual reporting, and deletion request obligations under the California Delete Act (SB 362) and data broker law.

Regulation: CCPA/CPRA / California Delete Act

Max Penalty: USD 200 per day per violation

Enforcing Authority: California Privacy Protection Agency (CPPA)

Official Source: cppa.ca.gov

Executive Summary

  • The California Delete Act mandates registration and annual reporting for data brokers.
  • Organizations must provide consumers with the right to request deletion of their personal data.
  • Non-compliance can result in penalties of USD 200 per day per violation.
  • A robust compliance program includes data inventory, consumer processes, and employee training.
  • Regular audits and assessments are essential for maintaining compliance and addressing regulatory changes.

The California Data Broker Registration and Delete Act establishes specific compliance obligations for data brokers operating within California. This regulation requires data brokers to register with the California Privacy Protection Agency (CPPA), adhere to consumer rights regarding data deletion, and submit annual reports detailing their data practices. Understanding these requirements is crucial for organizations to mitigate risks and ensure compliance in the evolving landscape of data privacy.

What Is CCPA/CPRA / California Delete Act?

The California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), form the backbone of California’s data privacy framework. The California Delete Act, an extension of these regulations, specifically targets data brokers by requiring them to register with the CPPA and provide consumers with the ability to request the deletion of their personal information. This act is part of California’s broader initiative to enhance consumer privacy rights and increase transparency in how personal data is collected, used, and shared.

The Delete Act mandates that data brokers maintain a public registry, allowing consumers to identify entities that collect their data. This transparency is designed to empower consumers, giving them more control over their personal information. Additionally, the act aligns with the principles established in the CCPA and CPRA, reinforcing the need for organizations to implement robust data governance practices.

Who Must Comply

The California Delete Act applies to any entity that qualifies as a data broker under the law. A data broker is defined as a business that collects consumers’ personal information and sells that information to, or shares it with, third parties. This definition covers a wide range of organizations, from traditional data brokers to technology companies that monetize consumer data in various forms.

Organizations that meet the threshold of collecting personal information from over 50,000 consumers, or that derive more than 50% of their annual revenue from selling personal data, are subject to the registration and reporting requirements. It is essential for organizations to assess their data practices to determine whether they fall within the scope of the Delete Act, as non-compliance can lead to significant penalties.

Core Compliance Requirements

Registration with CPPA. Data brokers must register annually with the California Privacy Protection Agency. This registration process involves providing detailed information about the types of personal data collected, the purposes for which it is used, and the categories of third parties with whom the data is shared. The registration must be updated whenever there are significant changes to data practices or business operations.

Consumer rights to deletion. Under the Delete Act, consumers have the right to request the deletion of their personal information held by data brokers. Organizations must establish a clear and accessible process for consumers to submit deletion requests. This includes providing a designated contact method, such as a web form or email address, and ensuring that requests are processed in a timely manner.

Annual reporting obligations. Data brokers are required to submit annual reports to the CPPA detailing their data collection and sharing practices. These reports must include information about the categories of personal data collected, the sources of that data, and the purposes for which it is used. Additionally, organizations must disclose the number of deletion requests received and how many were fulfilled. This reporting is essential for maintaining transparency and accountability.

Consumer notification. Organizations must inform consumers about their data practices through clear and accessible privacy notices. These notices should outline what personal information is collected, how it is used, and the rights consumers have under the Delete Act. Providing this information upfront helps build trust and ensures compliance with transparency requirements.

Data security measures. To protect the personal information of consumers, data brokers must implement reasonable security measures. This includes safeguarding data against unauthorized access, breaches, and other security threats. Organizations should regularly assess their security practices and update them as necessary to address evolving risks.

Penalties and Enforcement

The California Privacy Protection Agency is responsible for enforcing compliance with the Delete Act. Organizations that fail to register, do not fulfill consumer deletion requests, or submit inaccurate annual reports may face penalties. The maximum penalty for non-compliance is USD 200 per day per violation, which can accumulate quickly, leading to substantial financial liabilities.

In addition to monetary penalties, non-compliance can result in reputational damage and loss of consumer trust. Organizations should prioritize compliance efforts to avoid these risks and demonstrate their commitment to protecting consumer privacy.

Building a Defensible Compliance Program

To effectively navigate the requirements of the California Delete Act, organizations should develop a comprehensive compliance program. This program should encompass the following steps:

  1. Conduct a data inventory to identify all personal information collected and processed.

  2. Assess whether the organization qualifies as a data broker under the Delete Act.

  3. Establish a registration process with the CPPA, including the necessary documentation.

  4. Develop a consumer deletion request process that is clear and accessible.

  5. Create and maintain annual reports detailing data practices and compliance efforts.

  6. Implement security measures to protect personal information from unauthorized access.

  7. Train employees on compliance obligations and data protection best practices.

  8. Regularly review and update the compliance program to address changes in regulations or business operations.

By following these steps, organizations can build a defensible compliance program that not only meets regulatory requirements but also fosters a culture of privacy and accountability.

Practical Implementation Priorities

Data mapping and inventory. Organizations should begin by mapping their data flows and conducting a comprehensive inventory of personal information. This process will help identify what data is collected, how it is used, and where it is stored. Understanding data flows is critical for compliance with both the Delete Act and broader privacy regulations.

Developing consumer-facing processes. Establishing clear processes for consumer deletion requests is essential. Organizations should create user-friendly mechanisms for consumers to submit requests, ensuring that these processes are well-publicized. This may include dedicated web pages, FAQs, and customer service support to assist consumers in exercising their rights.

Training and awareness. Employee training is a vital component of any compliance program. Organizations should ensure that employees are aware of their roles in data protection and understand the implications of the Delete Act. Regular training sessions can help reinforce compliance culture and keep staff informed about regulatory changes.

Regular audits and assessments. Conducting regular audits of data practices can help organizations identify compliance gaps and areas for improvement. These audits should evaluate the effectiveness of data security measures, the accuracy of annual reports, and the responsiveness of consumer request processes. Continuous assessment is key to maintaining compliance in a dynamic regulatory environment.

Run a Free Privacy Scan

Before building a compliance program, an automated scan of your public-facing properties identifies the gaps that carry the most immediate regulatory risk — undisclosed trackers, consent mechanism failures, data sharing without adequate notice, and policy misalignments. BD Emerson’s privacy scanner produces a detailed findings report against CCPA/CPRA / California Delete Act requirements within minutes.

Run your free scan or speak with a privacy expert to discuss your compliance obligations under CCPA/CPRA / California Delete Act and build a prioritized remediation plan.

Regulatory Crosswalk

Organizations subject to this regulation often operate under these overlapping frameworks: CCPA/CPRA, Vermont data broker law. BD Emerson maps controls across frameworks to reduce duplicated compliance effort.
