On October 11 2023, the ‘Delete Act’ became law. In attempting to reinforce users’ control over their personal information, it installs a one-stop deletion mechanism that requires data brokers to delete stored personal information on users’ request. MOW unreservedly submits that the Delete Act is a disguised trade restriction. The excessively onerous requirements prescribed in the Act place data brokers at a severe competitive disadvantage, whilst allowing Google to encroach even more of the AdTech market.
The Delete Act: Key Provisions
The Delete Act regulates “data brokers” as defined by the California Consumer Privacy Act (CCPA)[1] – as a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship”. This definition is subject to exceptions where a data broker is regulated by other data protection laws, or where a data broker has a legal obligation to retain personal information.
The Act grants authority to the California Privacy Protection Agency (CPPA) to create a one-stop data deletion mechanism. By January 1 2026, the CPPA will have developed a system which enables a consumer to issue a single verifiable data deletion request, applicable to all data brokers registered in California[2]. On such request, data brokers and associated service providers must delete the consumer’s personal information stored on their database. From August 2026, data brokers will be required to review the accessibility of the deletion mechanism, at least once every 45 days.
In addition, data brokers must submit to periodic audit obligations to assess compliance with their obligations under the Delete Act. Audits will be conducted by an independent third party once every three years.
The CPPA also has the power, under the Delete Act, to impose administrative penalties for noncompliance. Where data brokers fail to comply with their obligations under the Act, they may be subject to fines, fees, expenses and costs – including a $200 fine for each day a data broker fails to register where required[3].
Impact on AdTech Stakeholders
The Delete Act will decimate data brokers’ ability to trade and operate freely. It profoundly impacts the way in which data brokers handle personal information, and has knock-on effects for businesses that partner with data brokers for targeted advertising[4]. In the event that California consumers extensively use the deletion mechanism, only data brokers will face a significant reduction in the size of their databases, creating a ripple effect for the smaller businesses that rely on their aggregation services.[5] Larger vertically-integrated rivals are immune from this signal, setting up a disproportionate trade subsidy that distorts competition.
The requirement to delete consumers’ personal information on request and maintain an accessible deletion mechanism also creates serious operational challenges. The obligation on data brokers to review and continue to delete consumers’ personal information, at least once every 45 days, will prove unfeasible for many smaller businesses – who simply do not have the operational resources to survive this level of compliance.
Meanwhile, the Delete Act provides ample opportunity for Google and Apple to exploit their first-party exemption and consolidate the market. We are already shifting to a paradigm where first-party tracking dominates the AdTech sector[6], with Apple’s introduction of its App Tracking Transparency program, and Google’s introduction of the Attribution APIs as part of Privacy Sandbox. The Delete Act gives Apple and Google free-rein over the AdTech market, by imposing trade barriers and effectively eliminating competitors who rely on interoperable match keys to run their businesses.
Impact on Interstate Commerce
This is not only anti-competitive, but also arguably unconstitutional, as it affects interstate commerce. The ‘Commerce Clause’ is enshrined in the United States Constitution (Art I Section 8), granting Congress the power to regulate trade across state boundaries[7]. Following the judicial decision in ‘NRLB v Jones & Laughlin Steel Corp’ [1937], the Court has recognized the broader grounds to apply the Commercial Clause – including, where the activity in question had a “substantial economic effect” on interstate commerce, or if the “cumulative effect” of one act could have an effect on commerce[8].
MOW contends that the requirement on data brokers to delete personal information on request will have a substantial economic effect on interstate commerce. Businesses outside of California that rely on the trading of personal information will suffer from a decline in their ability to provide well-targeted advertisements. The Delete Act, whilst targeted at data brokers in California, will have a far-reaching impact, with ripple effects throughout America.
Proposal for Supporting Open Markets
MOW recommends that legislatures ought to defend and support technical interoperability that depends on deidentified match keys (e.g., Mobile Advertising IDs or random identifiers stored in cookies, where appropriate organizational measures are in place to keep these distinct from specific individual’s personal data). If business interoperability were protected in the United States, as it is under Europe’s Digital Markets Act, then there would be no need for using identity-linked information as a common match key for digital advertising.
[1] Codes Display Text (ca.gov)
[2] California’s Delete Act: 5 Things to Know (orrick.com)
[3] Ibid.
[4] United States: Senate Bill 362 to amend California Data Broker Law – Baker McKenzie InsightPlus
[5] Ibid.
[6] Why Google is immune to Apple’s Privacy Protections | iMore
[7] U.S. Constitution | Constitution Annotated | Congress.gov | Library of Congress
[8] Commerce Clause | Wex | US Law | LII / Legal Information Institute (cornell.edu)
Header image courtesy of Michael Dziedzic on Unsplash (licensed for free via Unsplash Licence)