October 13, 2023
Issue 26: Data brokers will now have to delete, with receipts
Oh hey! Welcome to The Privacy Beat Newsletter!
Here’s the gist: Come here for insights on the hottest topics in privacy according to our peers’ tweets so you can walk into any happy hour or team meeting and sound like the absolute baller you are. No current topic gets by you!
I'm so happy, y'all. It's fall. It's time for decorative gourds and mustard-orange colored sweaters. I've got my window open as I write to you, and even the honking of angry DC drivers can't bring me down. I've got an apple pie candle lit and my "Fall writing in DC" Spotify playlist going. It was going really well until Annie Lennox's "No more I love yous" filled my AirPods. That one really takes you somewhere, you know?
"The language is leaving me in silence." Haunting, Annie! Haunting.
Anyway, there's plenty to discuss this week. On to the news.
Delete Act is now set in concrete
California Governor Gavin Newsom signed the “Delete Act,” or SB 362, which extends the CCPA’s reach on opt-out requests by creating, effectively, a “do not sell” list for data brokers targeting the state’s residents. The law allows Californians to visit a website and click once to indicate their deletion or opt-out requests for all data brokers, as well as their associated service providers and contractors.
Under the law, a data broker is defined as a business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”
As 9to5Mac reports, the California Privacy Protection Agency is responsible for building the site, which will take some time to build, so the law comes into effect on August 1, 2026. At that time, data brokers will be required to continuously delete the consumers’ personal data at least once every 31 days.
Currently, there are about 500 data brokers registered in the state. Under the Delete Act, fines for failure to register as a data broker stand at $200 per day, and an additional $200 per day for each deletion request failure.
In addition to registering and honoring deletion requests, data brokers will also be required to disclose to the CPPA whether they collect sensitive information, submit metrics on how they process consumer requests, and – unfortunately for brokers – submit an audit every three years, done by an independent and external party – to certify compliance with the Delete Act.
'Start spreading the news'
New York will be the latest state to consider legislation aimed at protecting children online from the mental health risks documented as a result of excessive use of social media, CNN reports. The state’s governor and attorney general announced this week that they’ll introduce the “Stop Addictive Feeds Exploitation (SAFE) for Kids Act.” It would allow users 18 and under, or their parents, to opt out of algorithmically-driven feeds on sites like Facebook, Instagram, and YouTube, and instead see chronologically-sorted posts. Do you remember that that’s how it was in the old days? I almost don’t?! But CNN says that’s how it was.
If I’m being honest with you and myself, I didn’t *always* spend 60 contiguous minutes on reddit’s “made me smile” page. That’s a modern development.
Anyway, the New York bill would also allow users and parents to block access to social media platforms from 12 a.m. to 6 a.m.
New York isn’t acting in a vacuum, of course. U.S. states passed about 10 children’s privacy laws this year. But there’s been an interruption in pace recently and some uncertainty about similar laws’ long-term viability. Natasha Singer has a solid piece in the NYT about this, but here’s the gist: In September, a judge blocked California’s Age-Appropriate Design Code. In August, a judge in Arkansas blocked a similar law, and a judge in Texas blocked an anti-pornography law that would require age verification. Those battles are being waged based on First Amendment challenges, and it’s unclear whether those laws will come back to life.
For now, the transcripts of all that talking we did about how swiftly children’s privacy laws pass through state legislatures (especially in election years) may need some asterisks. They pass, yes. But the question now is whether they survive.
That challenge to the DPF isn’t a game-changer
If you read this September newsletter of mine, you’ll recall that French lawmaker Philippe Latombe filed a challenge to the EU/U.S. Data Privacy Framework. He wanted the DPF suspended immediately, arguing that it violated the EU Charter of Human Rights and would cause harm to EU citizens.
While it was a bit of a surprise to see someone beat Max Schrems to the punch, Latombe’s challenge has taken its first blow. The EU General Court has refused to pause implementation based on Latombe’s argument, saying the lawmaker hasn’t proved individual or collective harms as a result of the DPF.
I haven’t found a media source that’s reported on the details here, yet, but when I saw Digiphile’s Phil Lee posting on LinkedIn that “before anyone gets too excited, this is just an interim ruling,” I asked him if the court’s rejection indicated Latombe’s challenge was dead in the water. Here’s what he told me:
“It doesn’t determine the way the ultimate decision could go. The test here was basically whether there was an urgent need to suspend the DPF now, pending a final decision, e.g. due to risk of serious harm being caused. The court decided that threshold wasn’t met — and it would have been a surprise if it had. That said, they also commented that Latombe’s arguments were not well-presented, and if similarly poor arguments are presented for the full judgment, that may well result in his application being shot down. As others have noted, this will be a very tough case for him to win, even with well-made arguments.”
Have you heard the latest podcast on the DPF? I chat with Hogan Lovells' Julian Flamant on how to approach complying with the agreement and the risks of doing so given any future challenges.