California Legislature Passes Bill Regulating Data Brokers

7 months ago AndyC

Listen to this post

On September 14, 2023, the California legislature passed

California Legislature Passes Bill Regulating Data Brokers
Listen to this post

On September 14, 2023, the California legislature passed S.B. 362 (“Act”), a bill that would impose new requirements on data brokers and grant residents new rights designed to facilitate control over their personal data. S.B. 362 is now awaiting signature by California Governor Gavin Newsom. The Act aims to close a loophole in the California Consumer Privacy Act (“CCPA”) that allows consumers to request that data brokers delete personal information obtained directly from the consumer, but does not require data brokers to delete personal information obtained from other sources. 

The Act would grant California consumers the right to request that data brokers (1) delete and (2) limit the further sale and sharing of consumers’ personal data. In addition, the bill would create new registration, disclosure, recordkeeping, and audit requirements applicable to data brokers. Specifically, the Act would:

  • Require data brokers to register with the California Privacy Protection Agency (“CPPA”), pay a fee, and comply with disclosure and recordkeeping obligations;
  • Direct the CPPA to create an accessible deletion mechanism that allows consumers to exercise deletion requests simultaneously with regards to multiple data brokers;
  • Require data brokers to continue to delete any new information received about the consumer every 45 days;
  • Prohibit data brokers that receive a consumer’s deletion request from selling or sharing any new personal information about the consumer, unless the consumer specifically requests doing so;
  • Allow authorized agents to assist consumers in submitting deletion requests;
  • Require data brokers to undergo independent compliance audits every three years; and
  • Authorize penalties and administrative costs for noncompliance.

If enacted, the Act’s provisions would become effective in multiple steps between 2024 and 2028. Note that the Act defines the term “data broker” broadly to include any business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” However, the Act would not extend to entities covered by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, as well as entities covered by the California Insurance Code.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , , , ,

More Stories

CIPL Publishes Report on Enabling Beneficial and Safe Uses of Biometric Technology Through Risk-Based Regulations

CIPL Publishes Report on Enabling Beneficial and Safe Uses of Biometric Technology Through Risk-Based Regulations

2 days ago AndyC
CIPL Publishes White Paper on Leveraging Data Responsibly and a Holistic Data Strategy

CIPL Publishes White Paper on Leveraging Data Responsibly and a Holistic Data Strategy

3 days ago AndyC
New Bipartisan Federal Privacy Proposal Unveiled: American Privacy Rights Act

New Bipartisan Federal Privacy Proposal Unveiled: American Privacy Rights Act

4 days ago AndyC
EDPB Issues Opinion on Pay-Or-Consent Models

EDPB Issues Opinion on Pay-Or-Consent Models

5 days ago AndyC
UK ICO Launches Latest Installment in the AI Consultation Series

UK ICO Launches Latest Installment in the AI Consultation Series

2 weeks ago AndyC
Connecticut Attorney General Issues Report on Privacy Law Enforcement Priorities

Connecticut Attorney General Issues Report on Privacy Law Enforcement Priorities

3 weeks ago AndyC

You may have missed

Hackers may have accessed thousands of accounts on California state welfare platform

Hackers may have accessed thousands of accounts on California state welfare platform

6 hours ago AndyC

Major phishing-as-a-service platform disrupted – Week in security with Tony Anscombe

9 hours ago AndyC
Brokewell supports an extensive set of Device Takeover capabilities

Brokewell supports an extensive set of Device Takeover capabilities

12 hours ago AndyC
Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

12 hours ago AndyC
Bogus npm Packages Used to Trick Software Developers into Installing Malware

Bogus npm Packages Used to Trick Software Developers into Installing Malware

18 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.