If you are a data broker or a business that relies on data brokers for targeted advertising, you should be aware that the California Data Broker Law may be significantly changed under a proposed bill. Under Senate Bill 362, the California Privacy Protection Agency (CPPA) would be required to set up, by January 1, 2026, an accessible deletion mechanism where consumers could request deletion via the CPPA that all data brokers then have to honor. Data brokers would have to check the CPPA mechanism to process all deletion requests every 31 days, as well as delete personal information about every California resident who ever made a request through the mechanism every 31 days.

Should the bill pass, it could profoundly impact how data brokers handle personal information, and subsequently impact the businesses that partner with data brokers for targeted advertising.

Where we are right now

Currently, data brokers seem to remain a foot away from the fire: California Civil Code § 1798.99.80, et seq., just require data brokers to register with the Attorney General and pay an annual registration fee. In registering with the Attorney General, data brokers are required to provide its name, primary physical, email, and internet website addresses.

What Senate Bill 362 is proposing

Senate Bill 362 would add additional obligations by introducing a single “accessible deletion mechanism,” provided online by the CPPA. Consumers would be able to use such mechanism to request that every data broker that maintains any personal information about the consumer delete such personal information held by the data brokers or associated service providers or contractors. The data brokers would be required to process deletion requests that are made through the CPPA mechanism within 31 days of receiving them, and beginning July 1, 2026, continuously delete the personal information of the requesting consumer and not sell or share new personal information of the consumer. Data brokers would also be required to direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the requesting consumer. This means that California consumers would be able to request deletion of any and all personal information maintained by different data brokers with just a single deletion request.

The bill would also require data brokers to provide additional information to the CPPA when registering as data brokers, including to specify whether they collect the personal information of minors, consumers’ precise geolocation, and consumers’ reproductive health care data. Data brokers would also be required to maintain a website free of dark patterns that details how consumers may exercise their privacy rights. Beginning January 1, 2028, and every 3 years thereafter, data brokers would be required to submit an audit report to the CPPA upon the CPPA’s written request.

Senate Bill 362 would also replace the Attorney General with the CPPA as the authority tasked with enforcing the Data Broker Law. The CPPA is the same agency that implements and, together with the California Attorney General, enforces the CCPA.

What this means

Should California consumers extensively use this deletion mechanism, this could reduce the size of a data broker’s database. Partnering businesses that rely heavily on data brokers for their marketing initiatives might feel a ripple effect with less effective targeted advertising.

Looking forward

Should Senate Bill 362 become law, data monetization in California faces another blow as data brokers would be subject to additional obligations under the streamlined deletion mechanism for California consumers. The extent of consumer engagement with the mechanism will play a determining role in the impact of the bill.

Author

Lothar has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto.

Author

Helena practices international commercial law with a focus on assisting and advising technology companies with cross-border transactions, drafting and negotiating commercial agreements, and advising on global data privacy law compliance. Helena also advises software developers, e-commerce companies, and global mobile and web gaming developers on regulatory restrictions, intellectual property, contracting and data privacy.

Author

Michelle is an associate in Baker McKenzie's International Commercial practice group based in San Francisco.

Author

Jonathan Tam is a partner in the San Francisco office focused on global privacy, advertising, intellectual property, content moderation and consumer protection laws. He is a qualified attorney in Canada and the U.S. passionate about helping clients achieve their commercial objectives while managing legal risks. He is well versed in the legal considerations that apply to many of the world’s cutting-edge technologies, including AI-driven solutions, wearables, connected cars, Web3, DAOs, NFTs, VR/AR, crypto, metaverses and the internet of everything.