| Last Version Text |
<?xml version="1.0" ?>
<ns0:MeasureDoc xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://lc.ca.gov/legalservices/schemas/caml.1#" xmlns:ns3="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.0" xsi:schemaLocation="http://lc.ca.gov/legalservices/schemas/caml.1# xca.1.xsd">
<ns0:Description>
<ns0:Id>20250SB__036194CHP</ns0:Id>
<ns0:VersionNum>94</ns0:VersionNum>
<ns0:History>
<ns0:Action>
<ns0:ActionText>INTRODUCED</ns0:ActionText>
<ns0:ActionDate>2025-02-13</ns0:ActionDate>
</ns0:Action>
<ns0:Action>
<ns0:ActionText>AMENDED_SENATE</ns0:ActionText>
<ns0:ActionDate>2025-03-24</ns0:ActionDate>
</ns0:Action>
<ns0:Action>
<ns0:ActionText>AMENDED_ASSEMBLY</ns0:ActionText>
<ns0:ActionDate>2025-06-26</ns0:ActionDate>
</ns0:Action>
<ns0:Action>
<ns0:ActionText>AMENDED_ASSEMBLY</ns0:ActionText>
<ns0:ActionDate>2025-08-26</ns0:ActionDate>
</ns0:Action>
<ns0:Action>
<ns0:ActionText>PASSED_ASSEMBLY</ns0:ActionText>
<ns0:ActionDate>2025-09-10</ns0:ActionDate>
</ns0:Action>
<ns0:Action>
<ns0:ActionText>PASSED_SENATE</ns0:ActionText>
<ns0:ActionDate>2025-09-11</ns0:ActionDate>
</ns0:Action>
<ns0:Action>
<ns0:ActionText>ENROLLED</ns0:ActionText>
<ns0:ActionDate>2025-09-13</ns0:ActionDate>
</ns0:Action>
<ns0:Action>
<ns0:ActionText>CHAPTERED</ns0:ActionText>
<ns0:ActionDate>2025-10-08</ns0:ActionDate>
</ns0:Action>
<ns0:Action>
<ns0:ActionText>APPROVED</ns0:ActionText>
<ns0:ActionDate>2025-10-08</ns0:ActionDate>
</ns0:Action>
<ns0:Action>
<ns0:ActionText>FILED</ns0:ActionText>
<ns0:ActionDate>2025-10-08</ns0:ActionDate>
</ns0:Action>
</ns0:History>
<ns0:LegislativeInfo>
<ns0:SessionYear>2025</ns0:SessionYear>
<ns0:SessionNum>0</ns0:SessionNum>
<ns0:MeasureType>SB</ns0:MeasureType>
<ns0:MeasureNum>361</ns0:MeasureNum>
<ns0:MeasureState>CHP</ns0:MeasureState>
<ns0:ChapterYear>2025</ns0:ChapterYear>
<ns0:ChapterType>CHP</ns0:ChapterType>
<ns0:ChapterSessionNum>0</ns0:ChapterSessionNum>
<ns0:ChapterNum>466</ns0:ChapterNum>
</ns0:LegislativeInfo>
<ns0:AuthorText authorType="LEAD_AUTHOR">Introduced by Senator Becker</ns0:AuthorText>
<ns0:Authors>
<ns0:Legislator>
<ns0:Contribution>LEAD_AUTHOR</ns0:Contribution>
<ns0:House>SENATE</ns0:House>
<ns0:Name>Becker</ns0:Name>
</ns0:Legislator>
</ns0:Authors>
<ns0:Title> An act to amend Sections 1798.99.82, 1798.99.84, and 1798.99.86 of the Civil Code, relating to privacy. </ns0:Title>
<ns0:RelatingClause>privacy</ns0:RelatingClause>
<ns0:GeneralSubject>
<ns0:Subject>Data brokers: data collection and deletion.</ns0:Subject>
</ns0:GeneralSubject>
<ns0:DigestText>
<html:p>The California Consumer Privacy Act of 2018 (CCPA) grants a consumer various rights with respect to personal information that is collected or sold by a business, including the right to request that a business disclose specified information that has been collected about the consumer, to request that a business delete personal information about the consumer that the business has collected from the consumer, and to direct a business not to sell or share the consumer’s personal information, as specified. The CCPA defines various terms for these purposes. The California Privacy Rights Act of 2020 (CPRA), approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency (agency) and vests the agency with full administrative power, authority, and jurisdiction to enforce
the CCPA.</html:p>
<html:p>Existing law requires a data broker to register with the agency, and defines “data broker” to mean a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions. Existing law requires a data broker, in registering with the agency, to pay a registration fee in an amount determined by the agency and provide specified information, including, among other things, the name of the data broker and its primary physical, email, and internet website addresses, and whether the data broker collects the personal information of minors, consumers’ precise geolocation, or consumers’ reproductive health care data.</html:p>
<html:p>This bill would require a data broker to provide additional information to the agency, including whether the data broker collects consumers’ names, dates of birth, ZIP Codes, email addresses,
phone numbers, login or account information, various government identification numbers, mobile advertising, connected television, or vehicle identification numbers, citizenship data, union membership status, sexual orientation status, gender identity and gender expression data, biometric data, and up to 3, but no fewer than one, of the most common types of personal information that the data broker collects, as provided. The bill would also require a data broker to provide information regarding whether, in the past year, the data broker shared or sold consumers’ data to a foreign actor, as defined, the federal government, other state governments, law enforcement, as provided, or a developer of a GenAI system, as defined. The bill would make changes to the administrative fines and costs that apply to data brokers who fail to register.</html:p>
<html:p>Existing law requires, beginning January 1, 2026, the California Privacy Protection Agency to establish an accessible deletion
mechanism that, among other things, allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor. Existing law requires, beginning August 1, 2026, a data broker to access the accessible deletion mechanism at least once every 45 days and, among other things, process a denied request to delete personal information as an opt-out of the sale or sharing of the consumer’s personal information under the CCPA, as specified.</html:p>
<html:p>This bill would require a data broker to process the above-described denied request within 45 days of receiving the request.</html:p>
<html:p>Existing law requires the agency to create a page on its internet website where registration information provided by data brokers and the
accessible deletion mechanism is accessible to the public.</html:p>
<html:p>This bill would prohibit the agency from making accessible to the public on its internet website information regarding whether the data broker collects consumers’ names, dates of birth, zip codes, email addresses, phone numbers, mobile advertising, connected television, or vehicle identification numbers, and the most common types of personal information that it collects.</html:p>
<html:p>This bill would declare that it furthers the purposes and intent of the CPRA for specified reasons.</html:p>
</ns0:DigestText>
<ns0:DigestKey>
<ns0:VoteRequired>MAJORITY</ns0:VoteRequired>
<ns0:Appropriation>NO</ns0:Appropriation>
<ns0:FiscalCommittee>YES</ns0:FiscalCommittee>
<ns0:LocalProgram>NO</ns0:LocalProgram>
</ns0:DigestKey>
<ns0:MeasureIndicators>
<ns0:ImmediateEffect>NO</ns0:ImmediateEffect>
<ns0:ImmediateEffectFlags>
<ns0:Urgency>NO</ns0:Urgency>
<ns0:TaxLevy>NO</ns0:TaxLevy>
<ns0:Election>NO</ns0:Election>
<ns0:UsualCurrentExpenses>NO</ns0:UsualCurrentExpenses>
<ns0:BudgetBill>NO</ns0:BudgetBill>
<ns0:Prop25TrailerBill>NO</ns0:Prop25TrailerBill>
</ns0:ImmediateEffectFlags>
</ns0:MeasureIndicators>
</ns0:Description>
<ns0:Bill id="bill">
<ns0:Preamble>The people of the State of California do enact as follows:</ns0:Preamble>
<ns0:BillSection id="id_26FCF442-30AD-4DA9-85CC-48A635C76FD1">
<ns0:Num>SECTION 1.</ns0:Num>
<ns0:ActionLine action="IS_AMENDED" ns3:href="urn:caml:codes:CIV:caml#xpointer(%2Fcaml%3ALawDoc%2Fcaml%3ACode%2Fcaml%3ALawHeading%5B%40type%3D'DIVISION'%20and%20caml%3ANum%3D'3.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'PART'%20and%20caml%3ANum%3D'4.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'TITLE'%20and%20caml%3ANum%3D'1.81.48.'%5D%2Fcaml%3ALawSection%5Bcaml%3ANum%3D'1798.99.82.'%5D)" ns3:label="fractionType: LAW_SECTION" ns3:type="locator">
Section 1798.99.82 of the
<ns0:DocName>Civil Code</ns0:DocName>
is amended to read:
</ns0:ActionLine>
<ns0:Fragment>
<ns0:LawSection id="id_B200B75C-FB48-436E-AF49-322764636D79">
<ns0:Num>1798.99.82.</ns0:Num>
<ns0:LawSectionVersion id="id_37292DF5-3952-4975-8655-05B16B04E23A">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84 and the reasonable costs of establishing, maintaining, and providing access to
the accessible deletion mechanism described in Section 1798.99.86. Registration fees shall be deposited in the Data Brokers’ Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Provide the following information:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
The name of the data broker and its primary physical, email, and internet website addresses.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
The metrics compiled pursuant to paragraphs (1) and (2) of subdivision (a) of Section 1798.99.85.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
Whether the data broker collects the personal information of minors.
</html:p>
<html:p>
(D)
<html:span class="EnSpace"/>
Whether the data broker collects consumers’ names, dates of birth, ZIP Codes, email addresses, or phone numbers.
</html:p>
<html:p>
(E)
<html:span class="EnSpace"/>
Whether the data broker collects consumers’ account login or account number in combination with any required security code, access code, or password that would permit access to a consumer’s account with a third party.
</html:p>
<html:p>
(F)
<html:span class="EnSpace"/>
Whether the data broker collects consumers’ drivers’ license number, California identification card number, tax identification number, social security number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
</html:p>
<html:p>
(G)
<html:span class="EnSpace"/>
Whether the data broker collects consumers’ mobile advertising identification numbers, connected television identification numbers, or vehicle identification numbers (VIN).
</html:p>
<html:p>
(H)
<html:span class="EnSpace"/>
Whether the data
broker collects consumers’ citizenship data, including immigration status.
</html:p>
<html:p>
(I)
<html:span class="EnSpace"/>
Whether the data broker collects consumers’ union membership status.
</html:p>
<html:p>
(J)
<html:span class="EnSpace"/>
Whether the data broker collects consumers’ sexual orientation status.
</html:p>
<html:p>
(K)
<html:span class="EnSpace"/>
Whether the data broker collects consumers’ gender identity and gender expression data.
</html:p>
<html:p>
(L)
<html:span class="EnSpace"/>
Whether the data broker collects consumers’ biometric data.
</html:p>
<html:p>
(M)
<html:span class="EnSpace"/>
Whether the data broker collects consumers’ precise geolocation.
</html:p>
<html:p>
(N)
<html:span class="EnSpace"/>
Whether the data broker collects consumers’ reproductive health care data.
</html:p>
<html:p>
(O)
<html:span class="EnSpace"/>
Whether the data broker has shared
or sold consumers’ data to a foreign actor in the past year.
</html:p>
<html:p>
(P)
<html:span class="EnSpace"/>
Whether the data broker has shared or sold consumers’ data to the federal government in the past year.
</html:p>
<html:p>
(Q)
<html:span class="EnSpace"/>
Whether the data broker has shared or sold consumers’ data to other state governments in the past year.
</html:p>
<html:p>
(R)
<html:span class="EnSpace"/>
Whether the data broker has shared or sold consumers’ data to law enforcement in the past year, unless that data was shared pursuant to a subpoena or court order.
</html:p>
<html:p>
(S)
<html:span class="EnSpace"/>
Whether the data broker has shared or sold consumers’ data to a developer of a GenAI system or model in the past year.
</html:p>
<html:p>
(T)
<html:span class="EnSpace"/>
Up to three, but no fewer than one, of the most common types of personal information that the data broker collects, if the data
broker does not collect the information described in subparagraphs (D) and (G).
</html:p>
<html:p>
(U)
<html:span class="EnSpace"/>
Beginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency.
</html:p>
<html:p>
(V)
<html:span class="EnSpace"/>
A link to a page on the data broker’s internet website that does both of the following:
</html:p>
<html:p>
(i)
<html:span class="EnSpace"/>
Details how consumers may exercise their privacy rights by doing all of the following:
</html:p>
<html:p>
(I)
<html:span class="EnSpace"/>
Deleting personal information, as described in Section 1798.105.
</html:p>
<html:p>
(II)
<html:span class="EnSpace"/>
Correcting inaccurate personal information, as
described in Section 1798.106.
</html:p>
<html:p>
(III)
<html:span class="EnSpace"/>
Learning what personal information is being collected and how to access that personal information, as described in Section 1798.110.
</html:p>
<html:p>
(IV)
<html:span class="EnSpace"/>
Learning what personal information is being sold or shared and to whom, as described in Section 1798.115.
</html:p>
<html:p>
(V)
<html:span class="EnSpace"/>
Learning how to opt out of the sale or sharing of personal information, as described in Section 1798.120.
</html:p>
<html:p>
(VI)
<html:span class="EnSpace"/>
Learning how to limit the use and disclosure of sensitive personal information, as described in Section 1798.121.
</html:p>
<html:p>
(ii)
<html:span class="EnSpace"/>
Does not make use of any dark patterns.
</html:p>
<html:p>
(W)
<html:span class="EnSpace"/>
Whether and to what extent the data broker or any of its subsidiaries is
regulated by any of the following:
</html:p>
<html:p>
(i)
<html:span class="EnSpace"/>
The federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
</html:p>
<html:p>
(ii)
<html:span class="EnSpace"/>
The Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.
</html:p>
<html:p>
(iii)
<html:span class="EnSpace"/>
The Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).
</html:p>
<html:p>
(iv)
<html:span class="EnSpace"/>
The Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law
104-191).
</html:p>
<html:p>
(X)
<html:span class="EnSpace"/>
Any additional information or explanation the data broker chooses to provide concerning its data collection practices.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
A data broker that fails to register as required by this section is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
An administrative fine of two hundred dollars ($200) for each day the data broker fails to register as required by this section.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
An amount equal to the fees that were due during the period it failed to register.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Reasonable expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
A data broker required to register under this title that fails to comply with the requirements of Section 1798.99.86 is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
An administrative fine of two hundred dollars ($200) for each deletion request for each day the data broker fails to delete information as required by Section 1798.99.86.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Reasonable expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action.
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
Any penalties, fines, fees, and expenses recovered in an action prosecuted under subdivision (c) or (d) shall be deposited in the Data Brokers’ Registry Fund, created within the State Treasury
pursuant to Section 1798.99.81, with the intent that they be used to fully offset costs incurred by the state courts and the California Privacy Protection Agency in connection with this title.
</html:p>
<html:p>
(f)
<html:span class="EnSpace"/>
For purposes of this section, the following definitions apply:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
(A)
<html:span class="EnSpace"/>
“Foreign actor” means either of the following:
</html:p>
<html:p>
(i)
<html:span class="EnSpace"/>
The government of a foreign adversary country.
</html:p>
<html:p>
(ii)
<html:span class="EnSpace"/>
A partnership, association, corporation, organization, or other combination of persons organized under the laws of or having its principal place of business in a foreign adversary country.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
For purposes of subparagraph (A), “foreign adversary country” has the same meaning as “covered nation” as
defined in Section 4872 of Title 10 of the United States Code.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
“Developer of a GenAI system” means a business, person, partnership, corporation, or other entity that designs, codes, produces, or substantially modifies a GenAI system.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
“Generative artificial intelligence system” or “GenAI system” means an artificial intelligence that can generate derived synthetic content, including text, images, video, and audio, that emulates the structure and characteristics of the system’s training data.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
</ns0:Fragment>
</ns0:BillSection>
<ns0:BillSection id="id_3E4ABC17-6AED-4C3E-B9A5-C394F73EBD85">
<ns0:Num>SEC. 2.</ns0:Num>
<ns0:ActionLine action="IS_AMENDED" ns3:href="urn:caml:codes:CIV:caml#xpointer(%2Fcaml%3ALawDoc%2Fcaml%3ACode%2Fcaml%3ALawHeading%5B%40type%3D'DIVISION'%20and%20caml%3ANum%3D'3.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'PART'%20and%20caml%3ANum%3D'4.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'TITLE'%20and%20caml%3ANum%3D'1.81.48.'%5D%2Fcaml%3ALawSection%5Bcaml%3ANum%3D'1798.99.84.'%5D)" ns3:label="fractionType: LAW_SECTION" ns3:type="locator">
Section 1798.99.84 of the
<ns0:DocName>Civil Code</ns0:DocName>
is amended to read:
</ns0:ActionLine>
<ns0:Fragment>
<ns0:LawSection id="id_97CEE2C9-C245-4F15-9608-EA6410355623">
<ns0:Num>1798.99.84.</ns0:Num>
<ns0:LawSectionVersion id="id_E3D0C97D-029D-4384-A510-DCB3C4FF03DB">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
The California Privacy Protection Agency shall create a page on its internet website where the registration information provided by data brokers described in paragraph (2) of subdivision (b) of Section 1798.99.82, except as provided in subdivision (b), and the accessible deletion mechanism described in Section 1798.99.86 shall be accessible to the public.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
Information provided by a data broker pursuant to subparagraphs (D), (G), and (T) of paragraph (2) of subdivision (b) of Section 1798.99.82 shall not be made accessible to the public on the California Privacy Protection Agency’s internet website.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
</ns0:Fragment>
</ns0:BillSection>
<ns0:BillSection id="id_BAA8B840-601C-402C-B7F3-250A7D052EBA">
<ns0:Num>SEC. 3.</ns0:Num>
<ns0:ActionLine action="IS_AMENDED" ns3:href="urn:caml:codes:CIV:caml#xpointer(%2Fcaml%3ALawDoc%2Fcaml%3ACode%2Fcaml%3ALawHeading%5B%40type%3D'DIVISION'%20and%20caml%3ANum%3D'3.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'PART'%20and%20caml%3ANum%3D'4.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'TITLE'%20and%20caml%3ANum%3D'1.81.48.'%5D%2Fcaml%3ALawSection%5Bcaml%3ANum%3D'1798.99.86.'%5D)" ns3:label="fractionType: LAW_SECTION" ns3:type="locator">
Section 1798.99.86 of the
<ns0:DocName>Civil Code</ns0:DocName>
is amended to read:
</ns0:ActionLine>
<ns0:Fragment>
<ns0:LawSection id="id_6B3C8E72-966D-486C-841A-31660542E738">
<ns0:Num>1798.99.86.</ns0:Num>
<ns0:LawSectionVersion id="id_19BBE94F-1CDF-43BA-BA90-9924DD609B19">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
By January 1, 2026, the California Privacy Protection Agency shall establish an accessible deletion mechanism that does all of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Implements and maintains reasonable security procedures and practices, including, but not limited to, administrative, physical, and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used and to protect consumers’ personal information from unauthorized use, disclosure, access, destruction, or modification.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal
information related to that consumer held by the data broker or associated service provider or contractor.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Allows a consumer to selectively exclude specific data brokers from a request made under paragraph (2).
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
Allows a consumer to make a request to alter a previous request made under this subdivision after at least 45 days have passed since the consumer last made a request under this subdivision.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
The accessible deletion mechanism established pursuant to subdivision (a) shall meet all of the following requirements:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
The accessible deletion mechanism shall allow a consumer to request the deletion of all personal information related to that consumer through a single deletion request.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
The accessible deletion mechanism shall permit a consumer to securely submit information in one or more privacy-protecting ways determined by the California Privacy Protection Agency to aid in the deletion request.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
The accessible deletion mechanism shall allow data brokers registered with the California Privacy Protection Agency to determine whether an individual has submitted a verifiable consumer request to delete the personal information related to that consumer as described in paragraph (1) and shall not allow the disclosure of any additional personal information when the data broker accesses the accessible deletion mechanism unless otherwise specified in this title.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) using an internet service operated by
the California Privacy Protection Agency.
</html:p>
<html:p>
(5)
<html:span class="EnSpace"/>
The accessible deletion mechanism shall not charge a consumer to make a request described in paragraph (1).
</html:p>
<html:p>
(6)
<html:span class="EnSpace"/>
The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) in any language spoken by any consumer for whom personal information has been collected by data brokers.
</html:p>
<html:p>
(7)
<html:span class="EnSpace"/>
The accessible deletion mechanism shall be readily accessible and usable by consumers with disabilities.
</html:p>
<html:p>
(8)
<html:span class="EnSpace"/>
The accessible deletion mechanism shall support the ability of a consumer’s authorized agents to aid in the deletion request.
</html:p>
<html:p>
(9)
<html:span class="EnSpace"/>
The accessible deletion mechanism shall allow the consumer, or their authorized agent, to
verify the status of the consumer’s deletion request.
</html:p>
<html:p>
(10)
<html:span class="EnSpace"/>
The accessible deletion mechanism shall provide a description of all of the following:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
The deletion permitted by this section, including, but not limited to, the actions required by subdivisions (c) and (d).
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
The process for submitting a deletion request pursuant to this section.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
Examples of the types of information that may be deleted.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
(1)
<html:span class="EnSpace"/>
Beginning August 1, 2026, a data broker shall access the accessible deletion mechanism established pursuant to subdivision (a) at least once every 45 days and do all of the following:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
Within
45 days after receiving a request made pursuant to this section, process all deletion requests made pursuant to this section and delete all personal information related to the consumers making the requests consistent with the requirements of this section.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
In cases where a data broker denies a consumer request to delete under this title because the request cannot be verified, process the request as an opt-out of the sale or sharing of the consumer’s personal information, as provided for under Section 1798.120 and limited by Sections 1798.105, 1798.145, and 1798.146, within 45 days of receiving the request.
</html:p>
<html:p>
(C)
<html:span class="EnSpace"/>
Direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the consumers making the requests described in subparagraph (A).
</html:p>
<html:p>
(D)
<html:span class="EnSpace"/>
Direct all service providers or contractors associated with the data broker to process a request described by subparagraph (B) as an opt-out of the sale or sharing of the consumer’s personal information, as provided for under Section 1798.120 and limited by Sections 1798.105, 1798.145, and 1798.146.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Notwithstanding paragraph (1), a data broker shall not be required to delete a consumer’s personal information if either of the following apply:
</html:p>
<html:p>
(A)
<html:span class="EnSpace"/>
It is reasonably necessary for the data broker to maintain the personal information to fulfill a purpose described in subdivision (d) of Section 1798.105.
</html:p>
<html:p>
(B)
<html:span class="EnSpace"/>
The deletion is not required pursuant to Section 1798.145 or 1798.146.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Personal information described in paragraph (2) shall only
be used for the purposes described in paragraph (2) and shall not be used or disclosed for any other purpose, including, but not limited to, marketing purposes.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
(1)
<html:span class="EnSpace"/>
Beginning August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to this section, the data broker shall delete all personal information of the consumer at least once every 45 days pursuant to this section unless the consumer requests otherwise or the deletion is not required pursuant to paragraph (2) of subdivision (c).
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Beginning August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to this section, the data broker shall not sell or share new personal information of the consumer unless the consumer requests otherwise or selling or sharing the personal
information is permitted under Section 1798.145 or 1798.146.
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
(1)
<html:span class="EnSpace"/>
Beginning January 1, 2028, and every three years thereafter, a data broker shall undergo an audit by an independent third party to determine compliance with this section.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
For an audit completed pursuant to paragraph (1), the data broker shall submit a report resulting from the audit and any related materials to the California Privacy Protection Agency within five business days of a written request from the California Privacy Protection Agency.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
A data broker shall maintain the report and materials described in paragraph (2) for at least six years.
</html:p>
<html:p>
(f)
<html:span class="EnSpace"/>
(1)
<html:span class="EnSpace"/>
The California Privacy Protection Agency may charge an access fee to a data
broker when the data broker accesses the accessible deletion mechanism pursuant to subdivision (c) that does not exceed the reasonable costs of providing that access.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
A fee collected by the California Privacy Protection Agency pursuant to paragraph (1) shall be deposited in the Data Brokers’ Registry Fund.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
</ns0:Fragment>
</ns0:BillSection>
<ns0:BillSection id="id_89ED8207-0C7D-4500-81CC-904BA46D5740">
<ns0:Num>SEC. 4.</ns0:Num>
<ns0:Content>
<html:p>The Legislature finds and declares that this act advances the purposes and intent of the California Privacy Rights Act of 2020 by strengthening the constitutional right to privacy and safeguarding consumers’ rights. To achieve this, the act expands disclosure requirements for data brokers, thereby enhancing transparency for consumers.</html:p>
</ns0:Content>
</ns0:BillSection>
</ns0:Bill>
</ns0:MeasureDoc>
|
| Last Version Text Digest |
The California Consumer Privacy Act of 2018 (CCPA) grants a consumer various rights with respect to personal information that is collected or sold by a business, including the right to request that a business disclose specified information that has been collected about the consumer, to request that a business delete personal information about the consumer that the business has collected from the consumer, and to direct a business not to sell or share the consumer’s personal information, as specified. The CCPA defines various terms for these purposes. The California Privacy Rights Act of 2020 (CPRA), approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency (agency) and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA. Existing law requires a data broker to register with the agency, and defines “data broker” to mean a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions. Existing law requires a data broker, in registering with the agency, to pay a registration fee in an amount determined by the agency and provide specified information, including, among other things, the name of the data broker and its primary physical, email, and internet website addresses, and whether the data broker collects the personal information of minors, consumers’ precise geolocation, or consumers’ reproductive health care data. This bill would require a data broker to provide additional information to the agency, including whether the data broker collects consumers’ names, dates of birth, ZIP Codes, email addresses, phone numbers, login or account information, various government identification numbers, mobile advertising, connected television, or vehicle identification numbers, citizenship data, union membership status, sexual orientation status, gender identity and gender expression data, biometric data, and up to 3, but no fewer than one, of the most common types of personal information that the data broker collects, as provided. The bill would also require a data broker to provide information regarding whether, in the past year, the data broker shared or sold consumers’ data to a foreign actor, as defined, the federal government, other state governments, law enforcement, as provided, or a developer of a GenAI system, as defined. The bill would make changes to the administrative fines and costs that apply to data brokers who fail to register. Existing law requires, beginning January 1, 2026, the California Privacy Protection Agency to establish an accessible deletion mechanism that, among other things, allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor. Existing law requires, beginning August 1, 2026, a data broker to access the accessible deletion mechanism at least once every 45 days and, among other things, process a denied request to delete personal information as an opt-out of the sale or sharing of the consumer’s personal information under the CCPA, as specified. This bill would require a data broker to process the above-described denied request within 45 days of receiving the request. Existing law requires the agency to create a page on its internet website where registration information provided by data brokers and the accessible deletion mechanism is accessible to the public. This bill would prohibit the agency from making accessible to the public on its internet website information regarding whether the data broker collects consumers’ names, dates of birth, zip codes, email addresses, phone numbers, mobile advertising, connected television, or vehicle identification numbers, and the most common types of personal information that it collects. This bill would declare that it furthers the purposes and intent of the CPRA for specified reasons. |