What is the California Delete Act?
The California Delete Act is an addition to the existing California privacy laws: the California Consumer Privacy Act (CCPA) and the follow-on amendment, the California Privacy Rights Act (CPRA). (Related reading: our Guide to California Privacy Regulations.)
Also referred to as Senate Bill 362 (SB 362), The California Delete Act strengthens California consumers’ privacy protections with respect to data brokers. It will enable consumers to make a single request to have their personal data deleted from all data brokers. In other words, consumers have a one-stop-shop to request their data to be deleted, everywhere.
How to determine if your business is affected
Many companies may read this bill and think–“we’re not a data broker, so we don’t need to worry about this.” However, the California Delete Act suggests a pretty generous definition of the term data broker. It includes:
- Companies that buy and sell data
- Companies that don’t have a direct relationship with the consumer (Cal. Civ. Code § 1798.99.80)
This expands beyond what we traditionally think of as a “data broker.” There are many companies, especially in the digital advertising ecosystem, that fall into this category and may not be currently registered as a data broker. The bottom line: if you buy, sell, or derive value from user data whom you don’t have a direct business relationship with, you need to comply with this bill.
If it wasn’t clear before, it should be now: this requirement is going to require an infrastructure investment for many companies. The potential increase in request volume won’t be something lawyers can duct tape their way through. You need to start thinking about creating a scalable process for enforcing consumer deletion requests within 45 days of receiving the request.
California Delete Act enforcement timeline
The California Delete Act will go into effect on January 1, 2024. We can clearly understand the timeline and rollout of the requirements as follows:
- January 1, 2024: The bill is officially in effect. All enforcement authority over the California data broker registry will be transferred to the CPPA.
- January 1, 2026: The deadline for the CPPA to establish the “one-stop-shop” deletion mechanism for California consumers. By this date, consumers must have access to a single method for requesting their personal data be deleted from all data brokers operating in California.
- August 1, 2026: Data brokers must be equipped to process new consumer data delete requests in 45 days from receiving the request.
While the timeline may seem generous, this is a complex undertaking for most businesses. Let’s unpack the process for receiving and fulfilling a delete request.
How do you prepare for an increase in consumer deletion requests?
In "privacy speak," a consumer delete request is considered a type of DSR: data subject request. A DSR is a formal inquiry made by a customer, to a business, requesting some action on their personal data. Actions include requesting their data be deleted, requesting access to a copy of their data, and so on.
The California Delete Act requirement may seem straightforward: you receive a customer request to delete their data, so you delete it. But for most businesses, the execution is complex. To help you understand the complexity and detailed requirements for processing a data subject delete request, we've outlined three key steps.
1. Map user identities to ensure a complete response to each delete request
Deleting a customer's data requires not only deleting data in your databases, but also from the various 3rd party applications, CRMs, CDPs, and all the SaaS tools that might have interacted. Think Salesforce, Hubspot, Marketo, Amplitude, Segment, Snowflake, and the likes.
This process can be complex and time-consuming. To create a unified view of what data belongs to a user, you will need to build an identity graph that links a users various identities in all your different data tools with their primary identity so that the scope of future incoming requests are clear.
For example, the California Privacy Protection Agency (aka the CPPA, the enforcing authority for the California Delete Act) may send you a deletion request based on a person’s email address. You might start by associating that email to the person’s account ID. From there, the account ID will need to associate to other unique identifiers across any number of locations in your data ecosystem, such as third-party applications, CRMs, CDPs, and internal databases.
Given the volume of data that you likely collect and store about your users, you won’t be able to link identities at scale–especially on short notice. This functionality must be designed early, before you ever think about automating and scaling your data deletion functionalities.
Alternatively, Ketch has a proprietary, automated identity graph solution that crawls and assembles unique identities for users, saving you and your team time and effort.
2. Create an automated deletion flow across all data storage and third party applications
Once you have the collection of unique identifiers based off of an incoming deletion request, you will need to actually do the deletion in those corresponding systems. This means executing the delete queries in your databases, as well as calling the relevant APIs for the 3rd party applications such as CRMs, CDPs, and other tools to remove user data from those tools as well.
Calling APIs for every application and system in your business is a lot of development and maintenance work. Depending on the data system, the level of customization and dev/engineering resources can be prohibitive and disruptive to your team’s existing workload. 3rd party APIs constantly change, and it can be difficult to both know when one of the numerous 3rd party systems are changing their APIs, and even more difficult to know when those API requests failed to actually delete the underlying user data.
If your business is like most, you are constantly adopting new tools and creating new datasets. Without automatic scanning and detection, it can be difficult to ensure the deletion requests are comprehensive enough to cover new systems.
There’s a way to avoid this in-house effort. Ketch DSR automation includes hundreds of integrations to different systems and apps, and we keep them up-to-date. Ketch also automatically scans and detects new systems and data assets that might contain personal information.
3. Design the functionality to register and log delete requests
In the face of regulatory scrutiny, you need systems in place to stay organized when delete volume is high. Logging delete requests is more than just a requirement for compliance; it’s a good business practice. The log should keep a record of:
- The details of each request
- The action you took
- How long it took you to respond
This prepares you for audits and keeps you accountable to your customers. Once you register the requests, you'll need to log them in some kind of tamper-proof system of record.
Ketch logs requests out of the box, so instead of building your own logging system for delete requests, you will get that automatically with our suite of privacy automation software.
Automation with Ketch can help
The California Delete Act is a prime example that today's privacy strategy demands infrastructure investment. Creating a scalable process for receiving and processing consumer delete requests is not something that lawyers can help duct tape at the end if a company does not have a data management strategy with visibility into the data.
It’s certainly one option to consider architecting and building all of this in-house. But for many companies, that’s simply not a good use of legal, engineering, and development resources. (Read more: 4 challenges with building an in-house privacy solution.) Privacy management technology like Ketch can help you outsource the challenging, complex work of fulfilling these delete requests at scale.
A few reasons our customers use Ketch for data subject rights fulfillment, specifically deletion request automation:
- Proprietary, automated identity graph: Ketch automatically crawls and assembles the unique identities for a particular user.
- Enforcing deletion requests across your systems: Ketch has hundreds of integrations with apps and systems out of the box, freeing your team from non-stop upkeep to build and monitor changing APIs and integration standards; automation without maintenance.
- Register and log all requests: The Ketch platform automatically registers and logs all requests. If any regulators come knocking on your door, you will have perfect record-keeping ready to go.
Ketch helps automate delete requests from intake to fulfillment, with tools that scale for businesses with a few delete requests, or millions. Get in touch with our team to learn more.