A Complete Guide to the California Delete Act

09/29/2023

"Delete" button

 

 

What is the California Delete Act?

 

Many consumers have no idea that an entire economy is built on the collecting, buying and selling of their data. And it literally covers everything: consumer’s location data, their purchase histories, their financial and healthcare information, and even their TV usage. The California Delete Act (or SB-362) is a bill that is designed to give consumers the ability to put a stop to this marketplace with the ease of a single request – a “Delete Key” for all of their personal data. The bill was passed by the California legislature in September of 2023, and if signed by the governor, would amend the existing California Consumer Privacy Act (CCPA), a comprehensive privacy law that grants consumers various rights over their personal data, such as the right to access, delete, opt out, and sue for violations.

 

 

New Consumer Privacy Rights

 

The Delete Act would create new consumer privacy rights specifically for data collected and traded by “data brokers”, which often obtain it from other sources without the consumer’s knowledge or consent. These rights include:

 

The right to delete:

 

Consumers would have the right to request that data brokers delete their personal data, unless the data broker has a legal obligation or a valid business purpose to retain it. Data brokers would have to comply with the deletion request within 45 days, and notify any third parties to whom they have sold the consumer’s data in the past 90 days to also delete it.

 

The right to know:

 

Consumers would have the right to request that data brokers disclose the categories and sources of personal data they have collected, the categories of third parties they have sold it to, and the business purpose for collecting and selling it. Data brokers would have to provide this information within 45 days, and update it at least once every 90 days.

 

The right to opt out:

 

Consumers would have the right to opt out of the sale of their personal data by data brokers. Data brokers would have to honor the opt-out request within 15 days, and refrain from selling the consumer’s data unless they obtain their affirmative consent.

 

The right to notice:

 

Data brokers would have to provide a clear and conspicuous notice on their websites informing consumers of their rights under the Delete Act, and how to exercise them. Data brokers would also have to provide a link to the notice in any communication they send to consumers.

 

 

Industry Concerns

 

The Delete Act has faced opposition from some industry groups, who argue that it would impose excessive burdens on data brokers and harm their ability to provide valuable services to consumers and businesses. Some of the concerns raised by industry groups include:

 

The definition of data broker is too broad:

 

The bill defines a data broker as any business that knowingly collects and sells personal information of consumers with whom they do not have a direct relationship. Industry groups claim that this definition is vague and over-inclusive and may entangle companies that are not data brokers.

 

The deletion requirement is too strict:

 

The bill requires data brokers to delete consumer data upon request, unless they have a legal obligation or a valid business purpose to retain it. Industry groups contend that this requirement is too restrictive and could undermine the accuracy and completeness of data broker databases, which are used for various legitimate purposes, such as identity verification and risk assessment.

 

The opt-out mechanism is too complex:

 

The bill requires data brokers to register with the California Privacy Protection Agency (CPPA), which is the state agency responsible for enforcing the CCPA and the Delete Act. The CPPA would create and maintain a centralized website where consumers can opt out of the sale of their personal data by all registered data brokers. Industry groups argue that this mechanism is unnecessary and cumbersome, and that consumers should be able to opt out directly from each data broker’s website. Ironically, consumers already have this right today via the CCPA but the issue is that there are hundreds of data brokers and consumers generally have no idea they exist or how to contact them.

 

 

Potential Impacts on Advertisers

 

The Delete Act could have significant impacts on advertisers who rely on data broker data for targeting and measuring their campaigns. Some of the potential impacts on marketing measurement include:

 

Reduced availability and quality of data:

 

The Delete Act could reduce the amount and quality of data available for advertisers, as more consumers may exercise their rights to delete or opt out of their personal data from data brokers. This could limit the ability of advertisers to reach and segment their audiences based on various attributes, such as demographics, interests, or behaviors. This is already happening with privacy moves made by Apple and will get much worse next year with Google’s Privacy Sandbox initiative going live. 

 

Increased costs and compliance risks:

 

The Delete Act could increase the costs and compliance risks for advertisers who use data broker data, as they would have to ensure that they obtain the necessary consents from consumers, respect their deletion and opt-out requests, and verify the accuracy and currency of the data. Advertisers could also face potential fines or lawsuits if they violate the Delete Act or the CCPA. This is not a theoretical risk: the State of California has already begun enforcements of the CCPA which have impacted big brands.

 

 

Why it Matters for Marketing Measurement

 

The Delete Act will have significant impacts on advertisers who rely on identity data for marketing attribution. Some of the potential marketing measurement impacts include:

 

Reduced availability and quality of data:

 

The Delete Act will reduce the amount and quality of data available for advertisers to measure their campaign performance – in particular if they are relying on attribution methods that use PII and cross-device data.

 

Accuracy issues:

 

Even small reductions of identity data throw off attribution measures that rely on PII. The match rate between ads served and purchases made has already gotten much worse over the last handful of years and continues to disappear with each new privacy change in the market. It is even worse for brands that have offline conversions (stores, bank branches, sales agents, call centers, etc.).

 

 

Why Brands Need to Move to Privacy-Safe Marketing Measurement

 

The Delete Act will likely spawn a host of copy-cat regulations in other states. This was seen with the CCPA as states moved to adopt similar privacy regulations after California took the lead.

 

The implications around data loss, compliance risks and accuracy issues are a wake-up call for brands to shift their measurement approaches to privacy-safe and future-proof methodologies including marketing mix modeling (MMM).

 

Brands that make this move will find modern solutions built for speed, flexibility and actionable detail. Yesterday’s approaches to marketing measurement no longer cut it in today’s hyper-competitive environment, so brands that make the switch will also benefit from being more competitive in their markets as a result. Those brands that continue to rely on traditional methods will suffer from poorer performance, reduce competitiveness and missed opportunities. Given the massive shift in the privacy space occurring currently, the time to make the switch to privacy-safe and future-proof approaches is now.