Governor Gavin Newsom in California recently signed several bills into law that may have a significant impact on your company’s privacy compliance obligations. These new laws amend and build on existing California privacy laws, including the California Consumer Privacy Act (CCPA).
The Delete Act in particular will create difficult compliance obligations for companies that are currently subject to California’s data broker registration law. The new law will not only increase the information that data brokers are required to provide as part of their annual registration (which will now need to be submitted to the California Privacy Protection Agency (CPPA) instead of the California Attorney General), but it will also require them to implement technical mechanisms to honor deletion and opt-out requests made by consumers to all data brokers on the registry. (Consumers will essentially have a “one-stop shop” with regard to deleting and opting out of certain uses of their information as it pertains to data brokers.) While this new requirement will not go into effect until 2026, it is likely to create meaningful challenges for companies subject to its obligations, especially given that the Delete Act cross-references many of the CCPA’s broad definitions (including for concepts such as “personal information,” “selling” and “sharing”).
We have provided summaries of these most recent California privacy updates below. We are happy to answer any questions you may have about these developments. You can stay on top of all of our updates by subscribing to the WilmerHale Privacy and Cybersecurity Blog.
- The Delete Act – On October 10, 2023, Governor Newsom signed Senate Bill 362, known as the Delete Act. As we’ve detailed in our previous post, the Delete Act will enable California consumers—with a single request—to opt out of the “sale” or “sharing” of their personal information or to require “data brokers” to delete their personal information.
Under the Delete Act, data brokers are defined as businesses that knowingly collect and sell to third parties the personal information of a consumer with whom the businesses do not have a direct relationship. The Delete Act requires data brokers to register with the CPPA annually and disclose to the agency the type of data that they collect. Data brokers must also have a link on their website instructing consumers how they may exercise their privacy rights.
By January 2026, the CPPA will implement an accessible deletion mechanism that will enable consumers to instruct every data broker that maintains their personal information to delete that information with a single request. The deletion mechanism must provide a description of the types of data specified for deletion, the process for submitting a deletion request, and examples of the types of information that can be deleted. Beginning August 2026, data brokers and their service providers and contractors will be required to process all such deletion requests.
Data brokers that fail to register with the CPPA will be liable for administrative fines of $200 for each day they fail to register. Data brokers are also potentially liable for $200 for each day that they fail to comply with deletion requests made through a valid deletion mechanism.
- Assembly Bill 947 – On October 8, 2023, Governor Newsom signed AB 947, which will revise the CCPA’s definition of “sensitive personal information” to include personal information revealing one’s citizenship or immigration status. Under the CCPA (amended by the California Privacy Rights Act (CPRA)), consumers have specific rights with regard to sensitive personal information and businesses have obligations in collecting and handling consumers’ sensitive personal information.
Companies that collect information relating to consumers’ citizenship or immigration status must ensure they are complying with the CCPA/CPRA. To meet the obligations with regard to sensitive personal information under these laws, companies must provide a link on their homepage to allow consumers to limit the use of their sensitive personal information, use a single link to allow consumers to limit the use of their sensitive personal information and to opt out of the selling and sharing of this information, or use an automatic opt-out preference signal with regard to the processing of such information.
- Assembly Bill 1194 – On October 8, 2023, Governor Newsom also signed AB 1194, which will offer additional protections to people seeking reproductive care by limiting the scope of the exceptions in the CCPA/CPRA. Under the bill, if a business collects data about consumers that contains information related to accessing, procuring or searching for services regarding contraception, pregnancy care (including abortion services) and perinatal care, the business must comply with CCPA/CPRA obligations. There is an exception if such information is used for specified business purposes as defined under the CPRA, is retained only in aggregated and anonymized form, and is not sold or shared.
This bill is the latest in a series of privacy laws nationwide that have focused on reproductive health data. The most extensive compliance obligations with regard to such data have come from Washington’s My Health My Data Act (as well as similar legislation that passed in Connecticut and Nevada). Given this trend, it is likely that during the 2024 legislative sessions, more states will pass laws aimed specifically at protecting reproductive health data.