California Senate Bill 362 Passes First Test in State Assembly

[Update October 2023: the California Delete Act aka SB 362 was signed into law on October 10, 2023 by Governor Newsom. My analysis of the law can be found here.]

California Senate Bill 362 (SB 362) — aka the California Delete Act — passed its first test in the State Assembly by passing through the Privacy and Consumer Protection Committee with a vote of 7-0. The bill would create an online portal for consumers to request that data brokers delete any data they have on the consumer and no longer track them. The bill is sponsored by State Senator Josh Becker (my district’s State Senator), and during the Privacy Committee hearing picked up additional co-authors with Assemblymembers Gabriel and Lowenthal joining as co-authors of the bill. Other co-authors of SB 362 include Senators Wiener and Min and Assemblymember Wicks (who co-authored the California Age Appropriate Design Code). [Full disclosure: I proposed this bill to Senator Becker and co-drafted it.]

SB 362 had previously winded its way through the State Senate and passed the floor of that house of the California Legislature by a vote of 32-8. SB 362 still has a ways to go — it has moved on to the Assembly Judiciary Committee, and if it passes through there, on to the Appropriations Committee, and then on to the Assembly floor.  Because the bill has been amended in the Assembly, the State Senate will need to approve, and then on to Governor Newsom.  So many steps remain.

As previously discussed, SB 362 draws inspiration from Senator Ossoff’s and Cassidy’s 2022 federal proposal of a similar name, Apple CEO Tim Cook’s call for a data broker clearinghouse, and the incredibly popular “Do Not Call” registry (operated by the Federal Trade Commission with over 240 million registrants). Ironically, a few days before the vote on SB 362, Senator Ossoff and Cassidy reintroduced the federal Data Elimination and Limiting Extensive Tracking and Exchange (DELETE) Act, showing growing bipartisan momentum behind regulating data brokers. [Note: I cover in detail the DELETE Act in my book Containing Big Tech in the chapter on Data Brokers.]

It was clear from the Privacy Committee hearing that there was a great deal of interest in this bill and the growing concerns over the weaponization of data collected by data brokers, including its impact on immigrant rights, domestic violence survivors, and reproductive rights.  While the 3 Republican members of the Committee did not vote on the bill (i.e., they did not vote yes or no), it was clear that they too had concerns (e.g., the government using data brokers to get data concerning citizens without a subpoena). I feel with additional evangelism that this bill could add bipartisan support, but as of now, it is moving nicely through the Senate and Assembly with unanimous Democratic support.

The analysis of SB 362 by the Committee staff was pretty amazing — 25 pages of detailed insight into the bill. The analysis spotted one of the salient points behind SB 362, namely the current California Consumer Privacy Act (CCPA) right to delete is insufficient to protect consumers from data brokers, as it is limited to information "collected from the consumer." Data brokers do not collect information from consumers directly, thus exposing a limitation in the CCPA that leaves Californians vulnerable to the risks associated with unauthorized data collection and sale.  As the Committee analysis notes:

“The right of deletion under the CCPA provides: “A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.” (Civ. Code § 1798.105(a) [emphasis added].) A data broker by statutory definition “does not have a direct relationship” with consumers. (Civ. Code § 1798.99.80(d).) It buys information about consumers from others. So it will not have collected information from the consumer. Therefore, a deletion request directed at a data broker will likely be ineffective at deleting information about the consumer that is in the data broker’s possession.”

The opponents of SB 362 dispute this, claiming “ data brokers are subject to CCPA deletion requests if they buy or receive PI from another business.”  This is their main knock against the bill. But the Privacy Committee’s bill analysis shoots that argument down big-time:

“There are at least two flaws with this line of argument. First, in order to ensure data broker deletion of their personal information, a person would have to direct a deletion request to every business that has ever collected personal information about them. Compiling such a list is likely an impossible task. Second, as discussed above under #3, deletion requests are only effective at the point in time they are made; once new personal information about the consumer reaches a data broker, it can resume using and selling information about the consumer.”

And goes on to add:

“In sum, it hardly matters that one has deletion rights if, as a practical matter, no one can exercise them where data brokers are concerned. But deletion is a must if one is concerned with protecting oneself from the risks set forth above. Even if one were to instead, say, exercise the CCPA right to opt-out of sale or sharing of personal information by a data broker, one would still have to (i) exercise that right 496 times and (ii) continually monitor the data broker registry for new data brokers with which to submit “opt-out” requests. This would be a difficult task for most people, and likely impossible for those who urgently need to safeguard their privacy, such as domestic violence victims. It would also require faith that no data broker holding one’s information were ever the victim of a data breach.”

I think this is a great summary of why California needs SB 362.