1798.99.86.
(a) By January 1, 2025, the California Privacy Protection Agency shall establish an accessible deletion mechanism that does both of the following:
(1) Implements and maintains reasonable security procedures and practices, including, but not limited to, administrative, physical, and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used and to protect consumers’ personal information from unauthorized use, disclosure, access, destruction, or modification.
(2) Allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.
(b) The accessible deletion mechanism established pursuant to subdivision (a) shall meet all of the following requirements:
(1) The accessible deletion mechanism shall allow a consumer to request the deletion of all personal information related to that consumer through a single deletion request.
(2) The accessible deletion mechanism shall permit a consumer to securely submit information in one or more privacy-protecting ways determined by the California Privacy Protection Agency to aid in the deletion request.
(3) The accessible deletion mechanism shall allow data brokers registered with the California Privacy Protection Agency to determine whether an individual has submitted a verifiable consumer request to delete the personal information related to that consumer as described in paragraph (1) and shall not allow the disclosure of any additional personal information when the data broker accesses the accessible deletion mechanism unless otherwise specified in this title.
(4) The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) using an internet service operated by the California Privacy Protection Agency.
(5) The accessible deletion mechanism shall not charge a consumer to make a request described in paragraph (1).
(6) The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) in any language spoken by any consumer for whom personal information has been collected by data brokers.
(7) The accessible deletion mechanism shall be readily accessible and usable by consumers with disabilities.
(8) The accessible deletion mechanism shall support the ability of a consumer’s authorized agents to aid in the deletion request pursuant to Section 7063 of Title 11 of the California Code of Regulations.
(9) The accessible deletion mechanism shall allow the consumer, or their authorized agent, to verify the status of the consumer’s deletion request.
(c) The California Privacy Protection Agency may promulgate regulations to improve the operational privacy and security of the system.
(d) (1) Beginning August 1, 2025, a data broker shall access the accessible deletion mechanism established pursuant to subdivision (a) at least once every 31 days and do all of the following:
(A) Process all pending deletion requests made pursuant to this section.
(B) Direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the consumers making the requests described in subparagraph (A).
(C) Immediately following the deletion described in subparagraph (A), send an affirmative representation to the California Privacy Protection Agency indicating the number of records deleted by the data broker and any service providers or contractors directed to delete personal information pursuant to subparagraph (B).
(2) Notwithstanding paragraph (1), a data broker may retain any of the following information:
(A) Personal information that is processed or maintained solely as part of human subjects research conducted in compliance with any legal requirements for the protection of human subjects.
(B) Personal information necessary to comply with a warrant, subpoena, court order, rule, or other applicable law, but only for as long as is needed to comply.
(C) Personal information necessary for the exercising of free speech or necessary to ensure the right of another consumer to exercise that consumer’s right of free speech or another right provided for by law.
(3) Personal information described in paragraph (2) shall only be used for the purposes described in paragraph (2) and shall not be used or disclosed for any other purpose, including, but not limited to, marketing purposes.
(e) Beginning July 1, 2025, a data broker shall not collect, retain, sell, or share personal information of a consumer who has submitted a deletion request pursuant to this section unless the data collection is requested by the consumer.
(f) (1) Beginning January 1, 2027, and every three years thereafter, a data broker shall undergo an audit by an independent third party to determine compliance with this section.
(2) By six months after the completion of an audit pursuant to paragraph (1), the data broker shall submit a report resulting from the audit and any related materials to the California Privacy Protection Agency.
(3) A data broker shall maintain the report and materials described in paragraph (2) for at least six years.
(g) (1) The California Privacy Protection Agency may charge an access fee to a data broker when the data broker accesses the accessible deletion mechanism pursuant to subdivision (d) that does not exceed the reasonable costs of providing that access.
(2) A fee collected by the California Privacy Protection Agency pursuant to paragraph (1) shall be deposited in the Data Brokers’ Registry Fund.
(h) Regulations promulgated pursuant to this section shall be adopted in compliance with the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code).