On October 10, 2023, California Gov. Gavin Newsom signed SB 362 into law. The “Delete Act” is a key piece of privacy legislation designed to further protect consumer online privacy rights and place further obligations on data brokers.
The Delete Act heavily amends California’s existing data broker law and seeks to establish a one-stop shop for consumers to make a single request that all data brokers delete their personal information. Until the Delete Act, California residents could still request deletion of their personal information under the California Consumer Privacy Act (CCPA), but they had to make individual requests to each business.
The California Privacy Protection Agency (CPPA) is now tasked with establishing an online deletion mechanism by January 1, 2026, to ensure consumers can safely and securely effectuate their deletion rights. All businesses meeting the definition of “data broker” would have to comply starting August 1, 2026.
We highlight the notable provisions of the Delete Act below:
Who Must Comply?
Data Brokers – The Delete Act applies to all California businesses regulated under CCPA that knowingly collect and sell to third parties the personal information of California residents with whom the business does not have a direct relationship. The Delete Act specifically exempts businesses that are regulated by certain federal laws, including the Fair Credit Reporting Act, the Gramm‑Leach‑Bliley Act, and the Insurance Information and Privacy Protection Act. As under CCPA, HIPAA-regulated entities are exempt to the extent the personal information is regulated under HIPAA or another applicable health law referenced under CCPA.
All data brokers must register with the CPPA and disclose a significant amount of information, such as:
- Whether they collect any personal information from minors, precise geolocation data, or reproductive health data.
- The number of consumer requests submitted to the data broker, including the number of times the data broker responded to and denied each request from the previous calendar year.
- The average time it took for the data broker to respond to consumer requests from the previous calendar year.
Service Providers and Contractors – All service providers and contractors must comply with a consumer’s deletion request. The data broker is mandated to direct all of its applicable vendors to delete the consumer’s personal information. This is similar to a business’s obligation under CCPA to forward all deletion requests to its vendors.
The Deletion Mechanism
As mentioned above, the CPPA must create a deletion “mechanism” by January 1, 2026, that allows any consumer to submit a verified consumer request, instructing every data broker to delete the personal information of the consumer in its possession.
The mechanism must meet specific requirements, including that: (1) it must be available online, (2) it must be free of charge for the consumer to use, (3) it must provide a process to submit a deletion request, (4) it must allow for a consumer’s authorized agent to aid the consumer in submitting the request, similar to CCPA, and (5) it must give consumers the option to “selectively exclude” certain data brokers from deleting their personal information.
Data Broker Responsibilities
Aside from the registration requirements, data brokers have additional obligations under the Delete Act:
- Compliance with deletion requests – Data brokers must comply with a deletion request within 45 days.
- Opting out of selling/sharing – If the data broker cannot verify a deletion request, the data broker must treat the request as a request to opt out of selling or sharing under CCPA.
- Continuing obligations – Every 45 days, data brokers must access the deletion mechanism and delete, or opt out of selling or sharing, the personal information of all consumers who have previously made requests. This is a continuing obligation until the consumer says otherwise or an exemption under the law applies.
- Audits – Beginning January 1, 2028, and every three years thereafter, data brokers must undergo an audit by an “independent third party” to determine compliance with the Delete Act. The data broker must disclose the results of the audit to the CPPA within five business days upon written request. The report must be maintained for six years. Beginning January 1, 2029, data brokers must disclose to the CPPA the last year they underwent an audit, if applicable.
- Public disclosures – Data brokers must disclose in their consumer‑facing privacy policies (1) the same metrics on the consumer requests received, as discussed above; (2) the specific reasons why the data broker denied consumer requests; and (3) the number of consumer requests that did not require any responses and the associated reasons for not responding (e.g., statutory exemptions).
Investigations and Penalties
The CPPA may initiate investigations and actions, as well as administer penalties and fines. Data brokers are susceptible to fines of $200 per day for failing to register with the CPPA and fines of $200 per day for each unfulfilled deletion request.