If you are a data broker or a company that relies on data brokers for targeted advertising, you should be aware that ca Data broker law They may be changed significantly under the proposed bill. under Senate Bill 362, the California Privacy Protection Agency (CPPA) will be required to create a deletion mechanism accessible by January 1, 2026, where consumers can request deletion via CPPA and which all data brokers must honor. Data brokers will have to check the CPPA mechanism for processing all deletion requests every 31 days, as well as delete personal information on every California resident who made a request through the mechanism every 31 days.
If the bill is passed, it could profoundly affect how data brokers handle personal information and, in turn, impact companies that partner with data brokers for targeted advertising.
Where are we now
For now, it appears data brokers are still a long way from the blaze: California Civil Code § 1798.99.80 et seq. only requires data brokers to register with the Attorney General and pay an annual registration fee. When registering with the Attorney General, data brokers are required to provide their name, primary physical addresses, email addresses, and website addresses.
What Senate Bill 362 proposes
Senate Bill 362 would add additional obligations by introducing a single “accessible deletion mechanism,” which is provided online by the CPPA. Consumers will be able to use this mechanism to request that each data broker holding any personal information about a consumer delete such personal information held by the data brokers or their associated service providers or contractors. Data brokers will be required to process deletion requests made through the CPPA mechanism within 31 days of receipt and, effective July 1, 2026, to continuously delete the requesting consumer’s personal information and not sell or share new consumer personal information. consumer. Data intermediaries will also be required to direct all service providers or contractors associated with the data intermediary to delete all personal information in their possession relating to the requesting consumer. This means that California consumers will be able to request the deletion of any and all personal information held by different data brokers with just one deletion request.
The bill would also require data brokers to provide additional information to the CPPA when registering as data brokers, including identifying whether they collect personal information of minors, precise geolocation of consumers, and reproductive health care data of consumers. Data brokers will also be required to maintain a website free of dark patterns detailing how consumers exercise their privacy rights. Beginning January 1, 2028, and every 3 years thereafter, data brokers will be required to submit an audit report to the CPPA upon written request from the CPPA.
Senate Bill 362 would also replace the Attorney General with the Data Privacy Protection Authority (CPPA) as the data broker law enforcement authority. The Consumer Privacy Protection Act (CPPA) is the same agency that implements the CCPA and, in conjunction with the California Attorney General, enforces it.
What does this mean
If California consumers use this deletion mechanism widely, it could reduce the size of the data broker database. Partner companies that rely heavily on data brokers for their marketing initiatives may feel a ripple effect with less effective targeted ads.
If Senate Bill 362 becomes law, data monetization in California faces another blow as data brokers will be subject to additional obligations under California’s streamlined deletion mechanism for consumers. The extent of consumer engagement with the mechanism will play a crucial role in the impact of the bill.