Companies and data brokers, armed with sophisticated data collection techniques, amass vast amounts of personal data, often without the explicit consent or awareness of the individuals concerned. The urgency of the matter has propelled jurisdictions worldwide to enact stringent data protection laws.
This article explores a new development in privacy law: the Data Delete Act. This law is just one in a longer (but recent) history of laws that include the General Data Protection Regulation (GDPR) of the European Union and the California Consumer Privacy Act (CCPA).
Here, we’ll discuss the law, its relationship to more extensive privacy regulations, and what best practices affected organizations can take to comply with it.
Understanding Data Deletion Requirements
The concept of data deletion refers to the right of individuals to have their data erased from the records of entities that have collected it. If a business collects information from a user, it is that user’s right to have it deleted upon request. This right is essential to empowering individuals with control over their digital identities and ensuring their personal information is not misused or retained indefinitely without cause.
Data deletion is both a security and an ethical concern. Not only does it provide consumers with the tools they need to take more control over their data and how it is used, but data deletion mandates also encourage organizations to adopt a disciplined approach to data management, where data is retained only as long as necessary and purged after that, promoting a culture of data minimization and prudent data governance.
Data Privacy and Regulations: GDPR vs. CCPA
While GDPR and CCPA share a common objective of enhancing data privacy, their approaches to data deletion diverge. Below is a breakdown highlighting the contrasts and commonalities between GDPR and CCPA concerning data deletion:
- Right to Erasure/Deletion: GDPR introduces the “right to be forgotten,” permitting individuals to request the erasure of their data under specific circumstances. CCPA, however, grants consumers the right to request the deletion of their personal data collected by a business.
- Conditions for Deletion: GDPR requires deletion when data is no longer necessary, consent is withdrawn, or data has been unlawfully processed, among other conditions. CCPA mandates deleting data collected directly from the consumer, with certain exceptions.
- Exceptions: Exceptions under GDPR include compliance with legal obligations, public interest in public health, or archiving purposes in the public interest, among others. CCPA exceptions encompass scenarios like completing a transaction or detecting security incidents.
- Scope of Erasure: GDPR requires controllers to delete data under their control and inform other partner controllers about the request. CCPA, however, only requires the deletion of data explicitly called for in a request.
- Response Timeframe: GDPR stipulates a response to erasure requests without undue delay, generally within one month, extendable by two months where necessary. CCPA requires businesses to respond to deletion requests within 45 days, extendable by an additional 45 days with notice to the consumer.
The California Data Delete Act
Lawmakers noticed some problems with the data deletion requirements in the CCPA. These limitations include the narrow scope of deletion and the lack of mechanisms, such as registration and audits, to support deletion requests.
To augment the data deletion rights for Californians, the Delete Act has emerged as a pivotal piece of legislation, bridging the gaps identified in the CCPA and another piece of legislation known as the Data Broker Registration law. Signed into law October 10, 2023, this act addresses the loophole concerning data deletion, especially in scenarios where data is collected indirectly or aggregated from other sources.
At the core of the Delete Act is the provision allowing consumers to request a one-time deletion of their personal data from all registered data brokers in the state. To support this mission, there are several key regulations and requirements:
- Definition and Registration of Data Brokers: This new law requires data brokers to register with the CPPA, pay a registration fee, and disclose the types of personal information they collect.
- One-Time Data Deletion Request: Consumers can issue a verifiable data deletion request to all registered data brokers, who must then delete the consumer’s personal information. The CPPA must create a one-stop data deletion mechanism that facilitates this process by January 1, 2026.
- Audit and Compliance Requirements: Starting January 1, 2028, data brokers must undergo an audit by an independent third party every three years to assess their compliance with the law. The CPPA can impose administrative penalties for non-compliance, including a fine of $200 per day for failure to register as required.
- Consumer Data Privacy Enhancement: The act patches a loophole in the CCPA, which only mandates the deletion of data obtained directly from consumers, not data collected indirectly or aggregated from other sources. Data brokers must update their privacy notices to include metrics on consumer requests received and fulfilled under the CCPA and the Delete Act.
How Can My Organization Prepare for the Data Delete Act?
Adhering to the California Delete Act will require organizations, particularly data brokers, to reevaluate and potentially augment their existing data management and privacy practices. Here are some best practices that organizations can adopt to prepare for the enactment of the Data Delete Act:
- Understand Legislation: Understanding the law itself is the first and foremost step in preparing for the Delete Act. Organizations should thoroughly understand the requirements and implications of the Delete Act along with other relevant privacy laws like the CCPA and GDPR. It’s advisable to consult with legal experts specializing in data privacy laws to ensure full compliance and understand the nuances of the legislation.
- Start Mapping Data: Conducting a Data Inventory and Mapping exercise is crucial. Organizations should conduct a comprehensive data inventory to understand what personal information is being collected, how it is being used, and where it is stored. Implementing data mapping to track the flow of personal data within and outside the organization will provide a clearer picture of the data lifecycle and help identify any areas that may need adjustment to comply with the Delete Act.
- Implement Data Governance: Governance is key to ensuring compliance with the Delete Act. Establishing strong data governance frameworks to manage data throughout its lifecycle is essential. Implementing clear policies and procedures for data deletion, ensuring that they align with the requirements of the Delete Act, will be critical in ensuring that deletion requests are handled promptly.
- Make Sure Infrastructure Is Up to Standard: Investing in technology solutions that facilitate data deletion and management, such as automated data deletion tools, will be beneficial. Ensuring that systems can handle deletion requests efficiently and in line with the Delete Act is crucial for smooth operations and compliance.
- Data Broker Registration: Broker registration is a specific requirement under the Delete Act. Organizations categorized as data brokers should ensure they are registered with the CPPA as the Delete Act mandates. Being registered will also necessitate adherence to the auditing and other compliance requirements stipulated in the Act. This registration will be a crucial step towards compliance and showcase the organization’s commitment to data privacy laws.
Meet the Demands of Privacy Law with Lazarus Alliance
The journey from GDPR to CCPA and now to the California Delete Act exemplifies the global momentum toward fortifying data privacy rights. Each framework, with its unique set of provisions, contributes to the broader narrative of empowering individuals in the digital realm. The California Delete Act, in particular, reflects a significant advancement in California’s data privacy landscape, drawing it closer to the comprehensive data protection ethos of the GDPR.