California Privacy Protection Agency
Attn: Legal Division – Regulations Public Comment
400 R Street, Suite 350
Sacramento, CA 95811
Re: American Fintech Council Public Comment on Accessible Deletion Mechanism
To whom it may concern,
On behalf of The American Fintech Council (AFC), I am submitting this comment letter in response to the California Privacy Protection Agency’s (CPPA or Agency) Notice of Proposed Rulemaking on the Accessible Deletion Mechanism Regulations (Proposed Rule).
AFC is the premier trade association representing the largest financial technology (Fintech) companies. Our mission is to promote a transparent, inclusive, and customer-centric financial system by supporting responsible innovation in financial services and encouraging sound public policy. Our members are also improving access to financial services and increasing overall competition in the financial services industry by lowering the cost of financial transactions, allowing them to help meet demand for high-quality, affordable financial products.
AFC respects the CPPA’s efforts to implement important consumer data rights by developing the accessible deletion mechanism—referred to as the Delete Request and Opt-Out Platform (DROP). However, as written, we believe that the Proposed Rule contains provisions that contradict existing California laws and may actually harm consumers. To that end, we respectfully request that the CPPA carefully consider the analysis and recommendations detailed below.
AFC consistently advocates for pragmatic regulation that recognizes the nuances of financial products and services, as well as the existing requirements providers must adhere to under federal and state law. We also consistently work to ensure that regulations do not inadvertently create consumer harm. As written, the Proposed Rule establishes new requirements for covered entities that are incongruent with or contradict existing California State laws, as well as their underlying legislative intent, and leaves out crucial requirements that could ensure consumers are served in a safe and sound manner.
Specifically, the Proposed Rule establishes a definition of “direct relationship” that would categorize entities that sell personal information about consumers with whom they have a direct, first-party relationship as “data brokers”. The Proposed Rule’s text states that “[a] business does not have a ‘direct relationship’ with a consumer simply because it collects personal information directly from the consumer; the consumer must intend to interact with the business”. The Proposed Rule further clarifies that a business is still a data broker and does not have a direct relationship with the consumer “as to the personal information it sells about the consumer that it collected outside of a ‘first party’ interaction with the consumer”.
This expansion of what constitutes a direct relationship, and therefore which entities are considered data brokers, far exceeds the legislative intent of the California State Assembly for the statute underlying the Proposed Rule. Based on the text of the statute, it is clear that the California State Assembly intended to limit registration and other attendant requirements to businesses that do not directly interface with consumers, not categorize those entities that have existing relationships with consumers as data brokers in a wholesale manner predicated upon certain activities. Therefore, AFC respectfully requests that the CPPA review its definition of direct relationship to ensure that it does not inadvertently expand which entities constitute “data brokers” in a manner that was not intended by existing statute and remains faithful to the California State Assembly’s legislative intent on the issue.
AFC believes that, as written, the Proposed Rule lacks important verification guardrails needed to ensure that consumers are not inadvertently harmed by the execution of deletion requests for consumers who did not actually submit the requests. Unfortunately, as written, the Proposed Rule is largely devoid of requirements for verifying authorized agents and consumer requests. As noted above, the lack of provisions related to verification processes directly conflicts with existing requirements under the CCPA.
The lack of provisions associated with the important verification processes may have been intended to allow consumers requesting deletion a more streamlined process. However, without these verification safeguards, covered entities will not have the much-needed processes in place to ensure that only the data of consumers who actually requested deletion is deleted from their systems. In turn, responsible covered entities may delete information of individuals who did not make the deletion request in order to comply with the Proposed Rule’s requirements, causing significant consumer harm.
Specifically, the Proposed Rule requires data brokers to execute deletion requests through the DROP if more than 50 percent of the unique identifiers in a consumer deletion list match with the same consumer record maintained by the data broker. This provision in the Proposed Rule is incongruent with existing requirements under the CCPA—promulgated in the Agency’s regulations—which state “[a] business’s compliance with a request to delete or a request to correct may require that the business verify the identity of the consumer to a reasonable or reasonably high degree of certainty depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion or correction” [emphasis added].
Simply put, the 50 percent requirement within the Proposed Regulation does not meet the threshold of a “reasonably high degree of certainty” needed to warrant the deletion of all personal information associated with that consumer. Operationally, relying on the 50 percent requirement within the Proposed Regulation will result in required deletion practices that are overly inclusive and will lead to deletion requests being actioned for consumers who did not submit requests. It is important to note that mistakenly deleting all consumer information creates significant harms to consumers who rely on their data flowing through the covered entities in order to access products and services that they need. Also, mistakenly deleting consumers’ data could result in significant legal and regulatory harm to covered entities by potentially leaving them open to consumer complaints and lawsuits related to Unfair or Deceptive Acts or Practices (UDAP) claims.
To avoid the significant consumer and business harms associated with mistakenly deleting the information of consumers who did not make the deletion request, CPPA should ensure that it increases its deletion requirement in a manner that is commensurate with the impacts discussed above and develops prudent verification processes within the Proposed Rule.
Lastly, the Proposed Rule would require covered entities to reformat their data in a standardized manner that removes all capital letters, extraneous characters, and special characters. While likely intended to streamline operations for covered entities and improve operational efficiencies, this requirement could create data security issues by mandating all databases to use certain standardization methods and may also run afoul of the First Amendment. In addition, names and spellings can hold significant cultural importance. By requiring that covered entities remove all special characters, the Agency is essentially dismissing the cultural importance of the individual consumer in a manner that is improper given the historical context associated with naming and immigration in the United States. Thus, AFC respectfully recommends that the CPPA avoid pursuing provisions related to the reformatting of covered entities’ data in a standardized manner that removes all capital letters, extraneous characters, and special characters.
We appreciate the opportunity to provide comment on CPPA’s Notice of Proposed Rulemaking on the Accessible Deletion Mechanism Regulations and we thank you for your consideration of our views on the Proposed Rule. We look forward to continuing to find opportunities to collaborate on the pragmatic regulation of responsible innovations in a manner that ultimately serves consumers best.
Sincerely,
Ian P. Moloney
SVP, Head of Policy and Regulatory Affairs
American Fintech Council
[1] American Fintech Council’s (AFC) membership spans EWA providers, lenders, banks, payments providers, loan servicers, credit bureaus, and personal financial management companies.
[2] California Privacy Protection Agency, “California Privacy Protection Agency Proposed Text (Express Terms): Title 11. Law Division 6. California Privacy Protection Agency Chapter 3. Data Broker Registration and Accessible Deletion Mechanism”, (Apr. 25, 2025), available at https://cppa.ca.gov/regulations/pdf/ccpa_updates_accessible_deletion_mechanism_text.pdf
[3] Ibid, § 7601(d).
[4] Ibid.
[5] California General Assembly, Senate Bill 362, available at https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202320240SB362.
[6] Cal. Code Regs, Tit. 11, Div. 6, Art. 5. Particularly, § 7060 and § 7063.
[7] Proposed Rule, § 7613(a)(2).
[8] Cal. Code Regs, Tit. 11, Div. 6, Art. 5, § 7062(d).
[9] Proposed Rule, § 7613(a)(1)(A).
About the American Fintech Council: The mission of the American Fintech Council is to promote an innovative, responsible, inclusive, customer-centric financial system. You can learn more at www.fintechcouncil.org.