Nancy Libin, partner and co-chair of the technology, communications, privacy, and security practice at Davis Wright Tremaine LLP, commented on California’s bold stance: “It’ll be interesting to see how it’s applied and enforced moving forward.”
California’s History of Leading the Way
California has a rich history of pioneering data privacy and security initiatives. In 2002, it became the first state to introduce a data breach notification law. This pivotal move set a precedent that all other U.S. states subsequently followed. In 2018, California passed the groundbreaking California Consumer Privacy Act, inspiring over a dozen states to implement similar data protection laws. Furthermore, a novel law, established in California last year, compelled social media platforms to enhance privacy protections for children, serving as a model for other states.
David Stauss, co-leader of the privacy and data security practice group at Husch Blackwell LLP, asserted, “The Delete Act sets a high-water mark for data broker laws, and if history repeats itself, we will certainly see lawmakers in other states look to what California has done.”
Reporting and Technical Obligations
The Delete Act imposes reporting and technical obligations on companies. The fledgling California Privacy Protection Agency is tasked with launching a one-stop-shop website by 2026, allowing consumers to request data deletion from all registered data brokers. Companies must check this database every 45 days, maintain websites detailing their data collection and sale practices, and describe how they handle deletion requests.
