October 12, 2023 at 09:59AM
California Governor Gavin Newsom signed a bill into law that defines the responsibilities and processes of data brokers. The law requires businesses in California to meet new procedures to protect consumers’ personal privacy. The California Privacy Protection Agency will now enforce data broker obligations. Data brokers must register with the agency, pay a registration fee, and delete consumer data upon request. Concerns include the definition of a “direct relationship” and potential fraud. The new law could serve as a blueprint for federal data privacy legislation in the US.
Based on the meeting notes, the California Delete Act has been signed into law by California Gov. Gavin Newsom. This new law defines the legal obligations of data brokers and consolidates California-specific processes under a state agency called the California Privacy Protection Agency.
Under this law, businesses serving people in California will need to follow new processes to safeguard consumers’ personal privacy. Data brokers will be required to register with the California Privacy Protection Agency and provide information such as business contact information, data deletion links, and audit reports. They will also need to start accessing the agency’s mechanism to process consumer deletion requests every 45 days from August 1, 2026.
The new law moves the enforcement of data broker obligations from the California District Attorney’s office to the California Privacy Protection Agency. The agency will be responsible for maintaining a website informing consumers of their rights and establishing a mechanism by January 1, 2026 that allows consumers to request the deletion of their personal data from data brokers.
It is worth noting that the new law increases fines for data brokers that fail to register with the California Privacy Protection Agency to $200 per day. However, concerns have been raised by data brokers and the Consumer Data Industry Association, who worry about the potential for fraud and the cost of implementing these regulations for businesses.
Joey Stanford, the vice president of data privacy and compliance at Platform.sh, believes that while regulation benefits consumers, it can also come with implementation costs and a negative impact on businesses’ bottom line.
The meeting notes also mention the UK-US Data Bridge, a data transfer agreement between the US and the UK that takes effect on October 12. This agreement sets conditions for transferring personal data between the two countries. The US currently does not have a unified federal privacy regulation like the UK’s GDPR, but Stanford suggests that a combination of the CCPA (California Consumer Privacy Act), CPRA (California Privacy Rights Act), and the Delete Act could potentially serve as a blueprint for federal privacy legislation in the US.