With the recent passage of the Delete Act, California is continuing to raise the bar when it comes to data privacy in the United States. As the first state to pass a comprehensive privacy law, and the only one with an agency dedicated exclusively to privacy enforcement, the state has moved aggressively to fill the vacuum left by the lack of federal regulation.
While the Delete Act works alongside the California Consumer Privacy Act (CCPA), and in some ways supplements it, most CCPA-compliant businesses will not need to concern themselves with the new law’s requirements. That’s because the Delete Act has its sights set squarely on one particular type of business: data brokers.
Here is a quick summary of the California Delete Act and what it means for both businesses and consumers.
The Delete Act is a relatively short bill (especially when compared to its cousin, the CCPA), but still manages to pack a lot in. Here are its five main components.
The Delete Act only applies to data brokers, so it’s important to know what that means. A data broker is “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”
The Delete Act shares common defined terminology with the CCPA, so terms like “business,” “sell,” and “third parties” all have the same meaning as they do in the CCPA. While a lot of businesses may “sell” personal information according to the CCPA, the vast majority of them have a direct relationship with those consumers (e.g., as customers or website visitors), so they won’t need to worry about the Delete Act’s new requirements.
Businesses that fail to comply with the California Delete Act are liable for administrative fines:
For larger businesses, the first fine may not be much of a deterrent (maxing out at $73,000 a year), but the second set of fines could add up very quickly. For example, if a data broker fails to delete the data of 10,000 consumers who have filed a request online, the resulting fine would be $2 million per day.
Interestingly, the amounts don’t appear to be discretionary. In other words, the statute doesn’t say the fine may be up to $200 per day, but rather that the fine is $200 per day.
Here are the Delete Act’s important dates:
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.