CPPA Expands Applicability of CA Delete Act in Proposed Regulations

On July 5, 2024, the California Privacy Protection Agency (“CPPA”) issued a set of proposed regulations to implement S.B. 362 (the “CA Delete Act”), a law that imposes certain requirements on data brokers and grants residents certain rights designed to facilitate control over their personal information.  If implemented, the regulations would significantly broaden the CA Delete Act’s applicability by expanding the range of entities covered by the CA Delete Act’s definition of “data broker.”

Under the CA Delete Act, a “data broker” is a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship,” a definition that specifically excludes entities covered by the FCRA, GLBA and HIPAA.  The CA Delete Act generally requires entities falling under this definition to register with the CPPA and comply with deletion requests received from consumers, among additional obligations, and authorizes fines for noncompliance.

The proposed regulations would define the term “direct relationship” as used in the CA Delete Act as one in which “a consumer intentionally interacts with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business’s products or services within the preceding three years.”  In addition, the regulations would specify that a “business is still a data broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer.”

In effect, the expanded definition of “data broker” proposed by the draft regulations would include businesses that (1) maintain information about consumers who have not interacted with the business in more than three years, and (2) have direct relationships with consumers, but also sell personal information about the consumer that was not collected directly from the consumer (e.g., purchased from other data brokers).

In addition to expanding the CA Delete Act’s applicability, the proposed regulations also would limit the registration period for data brokers to between January 1 and 31 each year, and prohibit a data broker from withdrawing its registration after January 31, unless the registration was fraudulent or erroneous.  The regulations also include a proposal for a definition of “reproductive health care data,” which would include searches for “goods or services associated with the human reproductive system” as well as information submitted to dating apps about sexually transmitted diseases or a desire to have children.  Data brokers that collect “reproductive health care data” would have to disclose this fact to the CPPA in their annual registration with the agency.

The CPPA requests comments on the proposed regulations by August 20, 2024.
