The California Privacy Protection Agency recently published materials in advance of its upcoming discussion of the Delete Act Regulations, which regulate the centralized data broker Delete Request and Opt-out Platform (the “DROP”).

Key takeaways from the FSOR Q&A:

Liability and Verification:

  • Unlike under the CCPA, under the Delete Act the Agency itself verifies residency and certain identifiers, reducing the need for data brokers to independently verify requests.
  • The Agency intends to use technical safeguards, such as third-party verification and multi-factor authentication, to ensure accuracy of deletion requests and identifiers transmitted to data brokers.
  • The CPPA declines to provide a safe harbor for data brokers that act in good faith but later discover a deletion was unauthorized, though it will consider facts and circumstances in enforcement.
  • The CPPA removed the 50% match rate threshold for consumer deletion list identifiers, making it 100% to ensure a more precise match and reduce the likelihood of erroneous deletions.

Scope of deletion:

  • Deletion must include inferences and all personal information associated with a matched identifier, unless exempted. The CPPA will provide educational materials to clarify exemptions and the scope of deletion rights.
  • If multiple consumers share an identifier (e.g., a business phone number), data brokers must opt out all associated consumers from sale/sharing, but not necessarily delete all records, to avoid over-deletion.
  • Data brokers must report the status of deletion requests and maintain deletion lists to prevent re-collection or re-sale of deleted data.

Downstream and retention:

  • The CPPA acknowledges concerns about operational burdens, especially for small and mid-sized data brokers, but maintains that standardization and periodic access to DROP are necessary for effective implementation.
  • Retention of data should be limited to the minimum necessary for compliance.
  • The Delete Act does not contain a provision treating contractors and service providers as separate entities from the data broker for the purposes of the delete request.
  • Data brokers must direct their service providers and contractors to delete records associated with a matched identifier in the data broker’s records; data brokers must also report the status of deletion requests.