The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CCPA”), is regarded as one of the strongest and most comprehensive privacy laws in the United States and in recent days it has been expanded further! Governor Gavin Newsom has signed into law Assembly Bills 947 and 1194 to expand protections for sensitive personal information about citizen or immigration status and reproductive health care services. The Governor also signed Senate Bill No. 362, called the Delete Act, granting California residents more control over their personal information collected by data brokers.
Under the CCPA, information that is considered “sensitive personal information” receives enhanced protections, including restrictions on how, or whether, businesses may use such information. For example, businesses’ use of sensitive personal information is limited to business purposes in connection with providing goods and services that may be reasonably expected by consumers requesting those goods or services.
AB 947 broadens the definition of “sensitive personal information” to now include a person’s “citizenship or immigration status.” This expanded definition will provide some measure of additional comfort to vulnerable residents whose immigration status or citizenship, if exposed, could subject them to imprisonment, deportation, or other consequences; however, AB 947 will not protect data and information regarding a person’s citizenship or immigration status under all circumstances. For example, “sensitive personal information” does not include publicly available information or lawfully obtained information that is a matter of public concern. The reach of these exceptions may be tested going forward on the front lines of immigration concerns.
The CCPA exempts certain businesses from its non-disclosure requirements under particular circumstances, such as when a business is required to disclose personal information in order to cooperate with law enforcement or comply with other state laws. AB 1194 amends the CCPA to exclude from those exemptions information related to abortions and other reproductive health care services, including details about contraception, pregnancy care, and perinatal care. Accordingly, businesses that process personal information related to such reproductive health care services must now comply with the CCPA even where exemptions may otherwise apply.
In a signing message to the Members of the California State Assembly, Governor Newsom explained that “California will remain a leader in protecting women, their family and friends, and health care workers who seek or provide reproductive care” but also stated that, as written, AB 1194 is too broad, and he encourages future legislation to “ensure an appropriate balance between protections and necessary exemptions.”
SB 362 “The Delete Act”
Beginning in 2026, SB 362, also known as the “Delete Act,” will allow California residents to easily delete all personal information collected about them by California’s registered data brokers by visiting the California Privacy Protection Agency (the “Agency”) website and submitting a single deletion request by clicking a “delete” button on the Agency’s website, similar to the Federal Trade Commission’s National Do Not Call Registry. The Agency must make this delete mechanism available to consumers at no cost, but may charge data brokers a fee for accessing the delete mechanism. Covered data brokers will also be required to delete all personal information of the resident at least once every 45 days following a deletion request and will be further restricted from sharing or selling any new personal information collected about the resident. Starting in 2028 and every three years thereafter, data brokers will be subject to a compliance audit by an independent third party.
Legislative sponsors of the Delete Act aimed to close what was perceived as a loophole in the CCPA: consumers have a right under the CCPA to require a data broker to delete personal information collected directly from the consumer, but the consumer cannot require a data broker to delete personal information acquired about the consumer from other sources. Data brokers generally do not collect personal information directly from a consumer, but rather aggregate data from a myriad of other sources. The Delete Act will provide a “one-stop shop” for consumers at the Agency’s website.
Privacy advocates are praising SB 362 as a means for consumers to have greater control over their data and a clear and accessible means to opt-out from collection and sale of their personal information by data brokers. Further, advocates say that consumers will have more peace of mind knowing that they have increased visibility over personal information collected about them, such as reproductive health services information, and a way to control how that information is used.
While consumers will no longer be required to submit and monitor multiple opt-out requests to separate data brokers, it remains to be seen whether consumers will visit the Agency’s website to utilize the global opt-out platform. This will still require educating the public on a complicated topic and encouraging consumers to take a proactive step on their own behalf. Further, advertising, technology and other industries strongly oppose SB 362, arguing that the CCPA already applies to data brokers and protects consumers, and that SB 362 will harm businesses of all sizes, reduce funding for nonprofits and other charitable organizations in California, and increase instances of identity theft and fraud by removing data used to verify a person’s digital identity. Due to the delayed effective date of SB 362, industry groups are widely expected to try to water down or eliminate some of the requirements and obligations imposed on data brokers by SB 362. The jury is still out on what this portion of the law will look like when 2026 rolls around.