On June 26, 2024, the California Privacy Protection Agency (the “CPPA”) held a stakeholder session to provide information and gather stakeholder input on the CPPA’s mandate to build an accessible deletion mechanism known as the Delete Request and Opt-Out Platform (“DROP”) as required by the California Delete Act. DROP will allow consumers to request the deletion of their personal information held by data brokers through a single request. Generally, the public comments addressed concerns regarding potential administrative and technical burdens on data brokers, clarifying and confirming the scope of deletion requests, and verifying deletion requests.
Key takeaways from the public comments included:
- Excessive and Fraudulent Deletion Requests. Stakeholders expressed concern that data brokers could receive excessive or fraudulent requests from bad actors and requested that the CPPA review and filter deletion requests prior to making them available on DROP.
- Overly Burdensome Technical Requirements. Stakeholders identified that certain data brokers, including small businesses, may not have the technical capabilities to comply with DROP requests and requested that CPPA provide technological support to enable compliance.
- Scope of Deletion Requests. Stakeholders stated that determining the scope of deletion requests may be difficult if consumers do not accurately explain the scope of their request. Stakeholders encouraged the CPPA to detail procedures for clarifying and confirming the scope of deletion requests, including processes for communicating with consumers.
- Accurate Verification Thresholds. Stakeholders explained that a high verification threshold (e.g., requiring that consumers provide more information to enable data brokers to verify a request) would allow data brokers to ensure they are deleting the correct data, but could discourage consumers from exercising their rights. A low verification threshold could make it difficult for data brokers to accurately identify and delete data within the scope of a deletion request and lead to the deletion of incorrect data.
The CPPA has not provided a date by which it intends to issue draft DROP regulations. However, the Delete Act requires the CPPA to make DROP available to consumers by January 1, 2026.
Alston & Bird’s Privacy, Cyber & Data Strategy Team will continue to monitor the CPPA’s rulemaking process and provide updates as they become available.
