August 20, 2024 signaled the end of the California Privacy Protection Agency’s (CPPA) Notice of Proposed Regulatory Action (NPRA) comment period for Senate Bill 362, also known as the Delete Act (the “Act”). The Act, which was signed into law almost a year ago, amends California’s existing Data Broker Registration law and imposes more obligations on data brokers. One of the most notable provisions was a mandate to the CPPA to develop (by January 1, 2026) an “accessible deletion mechanism” that would allow consumers to request that all or some data brokers delete their personal information through a single request. Most recently, the CPPA kicked off a formal public comment period in early July to establish regulations for the Act aimed at addressing common questions and issues data brokers reported during the initial registration period.
In this post, we summarize the most important provisions proposed and how they might impact covered businesses as we wait for the regulations to be finalized. We are happy to answer any questions you may have regarding these proposed regulations and your business. To stay up to date on the latest privacy law developments, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.
Notable Provisions in the Proposed Regulations to the Delete Act
In its published Notice of Proposed Rulemaking, the CPPA stated that the proposed regulations would (1) provide more transparency and information for consumers to make informed decisions about their personal information and (2) facilitate increased compliance with the California Consumer Privacy Act (CCPA) by clarifying terms, allowing covered businesses to pay the registration fee by credit card, and providing more details on how to register. The agency aims to achieve these stated benefits by:
- Clarifying the definition of “data broker”: The Delete Act defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The regulations further define this term by proposing that a “direct relationship” be defined as meaning “that a consumer intentionally interacts with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business’s products or services within the preceding three years... A business is still a data broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer.” This definition is intended to aid businesses in understanding if they are within scope of the regulations and provide consistency in application of the law.
- Specifying the definition of “minor”: The proposed regulations add yet another age threshold and requirement for covered businesses to track. During registration, a data broker must state whether it collects the personal information of “minors,” defined as consumers less than 16 years old. The rules also propose that “A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.”
- Broadly defining “reproductive health care data”: During registration, a data broker must state whether it collects consumers’ “reproductive health care data,” which the regulations propose to include:
  - goods including “contraception (e.g., condoms, birth-control pills), pre-natal and fertility vitamins and supplements, menstrual-tracking apps, and hormone-replacement therapy;”
  - services like “sperm- and egg-freezing, In Vitro Fertilization, abortion care, vasectomies, sexual health counseling; treatment or counseling for sexually transmitted infections, erectile dysfunction, and reproductive tract infections” and—significantly—the precise geolocation information about such treatments; and
  - “[i]nformation about the consumer’s sexual history and family planning, which includes information a consumer inputs into a dating app about their history of sexually transmitted infections or desire to have children” and any associated inferences from this information.
- Requiring parent and subsidiary companies to all register as data brokers when applicable: The proposed regulations state that “A business, regardless of its status as a parent company or subsidiary of another business, which independently meets the definition of ‘data broker’…must register.” To provide greater transparency and support consumer understanding, a parent company and each subsidiary business must register separately if they each process information separately as a data broker.
- Requiring more information regarding other governing laws: If a data broker states in its registration that it is regulated by another legal regime, the proposed rules would also require it to disclose the types of personal information that it collects/sells and specific products or services that are subject to the other laws as well as the “approximate proportion of data collected and sold that is subject to the enumerated laws in comparison with their total annual data collection and sales.”
- Limiting the ability to amend data broker registrations: Subject to exceptions, the proposed regulations would prohibit amendment or withdrawal of data broker registration information after the registration period ends every year on January 31st.
- Adding more data broker disclosures during registration: In addition to the information required under the Delete Act, the new rules would require covered businesses to disclose a business’s alternate name and contact information.
Finally, the CPPA also hosted a public hearing regarding the proposed regulations on the same day that the public comment period ended. Although the Agency has not published the comments yet (they will likely be published on this page once released), a handful of participants offered comment at the August 20, 2024 public hearing. The provision that received the most attention in the hearing was the proposed definition for “reproductive health care data.” Women’s rights advocates expressed concerns that companies are collecting geolocation information at all, and industry groups pointed out that this information should be labeled as sensitive information under the CCPA and requested that the regulations draw a distinction between reproductive health care data that is collected commercially versus for other purposes (that use privacy-enhancing methods of collection and processing for the data). It remains to be seen whether these comments will have an impact on the final rules.