Search for:

In brief

If you are a data broker or a business that relies on data brokers for targeted advertising, you should be aware that the California Data Broker Law may be significantly changed under a proposed bill. Under Senate Bill 362, the California Privacy Protection Agency (CPPA) would be required to set up, by January 1, 2026, an accessible deletion mechanism where consumers could request deletion via the CPPA that all data brokers then have to honor. Data brokers would have to check the CPPA mechanism to process all deletion requests every 31 days, as well as delete personal information about every California resident who ever made a request through the mechanism every 31 days.

Should the bill pass, it could profoundly impact how data brokers handle personal information and subsequently impact the businesses that partner with data brokers for targeted advertising.


Where we are right now

Currently, data brokers seem to remain a foot away from the fire: California Civil Code § 1798.99.80, et seq., just require data brokers to register with the Attorney General and pay an annual registration fee. In registering with the Attorney General, data brokers are required to provide its name, primary physical, email, and internet website addresses.

What Senate Bill 362 is proposing

Senate Bill 362 would add additional obligations by introducing a single “accessible deletion mechanism,” provided online by the CPPA. Consumers would be able to use such mechanism to request that every data broker that maintains any personal information about the consumer delete such personal information held by the data brokers or associated service providers or contractors. The data brokers would be required to process deletion requests that are made through the CPPA mechanism within 31 days of receiving them, and beginning July 1, 2026, continuously delete the personal information of the requesting consumer and not sell or share new personal information of the consumer. Data brokers would also be required to direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the requesting consumer. This means that California consumers would be able to request deletion of any and all personal information maintained by different data brokers with just a single deletion request.

The bill would also require data brokers to provide additional information to the CPPA when registering as data brokers, including to specify whether they collect the personal information of minors, consumers’ precise geolocation, and consumers’ reproductive health care data. Data brokers would also be required to maintain a website free of dark patterns that details how consumers may exercise their privacy rights. Beginning January 1, 2028, and every three years thereafter, data brokers would be required to submit an audit report to the CPPA upon the CPPA’s written request.

Senate Bill 362 would also replace the Attorney General with the CPPA as the authority tasked with enforcing the Data Broker Law. The CPPA is the same agency that implements and, together with the California Attorney General, enforces the CCPA.

What this means

Should California consumers extensively use this deletion mechanism, this could reduce the size of a data broker’s database. Partnering businesses that rely heavily on data brokers for their marketing initiatives might feel a ripple effect with less effective targeted advertising.

Looking forward 

Should Senate Bill 362 become law, data monetization in California faces another blow as data brokers would be subject to additional obligations under the streamlined deletion mechanism for California consumers. The extent of consumer engagement with the mechanism will play a determining role in the impact of the bill.

Author

Lothar Determann has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto. He is a member of the Firm's International/Commercial Practice Group and the TMT and Healthcare industry groups.

Author

Jonathan Tam is a licensed attorney in California and Ontario. He focuses on privacy, advertising, intellectual property, content moderation and consumer protection laws. He is passionate about helping clients achieve their commercial objectives while managing legal risks associated with activities involving data, information technology and media. Jonathan regularly writes about information technology and privacy, and is the Vice Chair of the Cybersecurity and Privacy Law Section of the Bar Association of San Francisco. He has completed secondments at a global payment services provider based in London, England and a world-leading tech company based in Silicon Valley. He joined Baker McKenzie as a summer associate in 2012 and has also worked in the Firm's Toronto office.

Author

Helena Engfeldt helps companies around the world expand their businesses internationally especially by taking privacy law compliance global. She is a partner in Baker McKenzie's International/Commercial Practice Group in San Francisco. She is licensed to practice law in California, New York and Washington.

Author

Michelle Shin is an associate in the International Commercial Group and is based in our San Francisco office. She advises US and multinational companies on data privacy compliance, intellectual property, and consumer protection laws.