California Governor Newsom recently signed SB 362, known as the Delete Act, which creates a one-time mechanism for consumers to request that data brokers delete all personal data associated with the consumer. The legislation, which does not go into effect until January 2026, differs from California’s other privacy laws such as the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), although these older laws have laid the groundwork for the Delete Act.
The Delete Act and the previous California privacy laws define a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” To be regulated by the Delete Act, a broker must meet a threshold of $25 million in annual gross revenue; buy, sell, or share the personal information of 100,000 or more consumers; or derive fifty percent or more of its annual revenues from sharing or selling consumer data. Entities covered by the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, the Insurance Information and Privacy Protection Act, or covered entities under HIPAA are not considered data brokers. While the Delete Act does not define a direct relationship with consumers, other states with similar laws give the examples of consumers who use the business’s goods or services, a business’s investors or donors, or the agents, employees, and contractors of a business.
The CPRA established the California Privacy Protection Agency (CPPA) and required data brokers to register with the Attorney General and pay a registration fee on a yearly basis. The Delete Act amends the CPRA by requiring registration with the CPPA instead. Additional amendments include a requirement that data brokers inform the CPPA if the broker collects the personal information of minors, consumers’ precise geolocation, or consumers’ reproductive health care data; an increased fine for non-registration; and other requirements described below.
While consumers in California and certain other states already have the right to demand that data brokers (as well as the brokers’ service providers and contractors) delete their data, the Delete Act alters the mechanism through which it is done in California. Under current law, consumers need to separately request that each individual data broker delete their data. Since consumers may interact with numerous data brokers in a single day, this could be an onerous process. The Delete Act therefore creates a single platform for consumers to request that any personal information held by any in-scope data broker be deleted, barring some exemptions. Consumers also have the choice to exclude specific brokers from their deletion requests. The new mechanism is more akin to the Do Not Call Registry than to the old model of individual consumer submissions.
Starting in August of 2026, data brokers (as well as their service providers and contractors) will have forty-five days to process the deletion requests, and must delete any new data regarding the consumer every forty-five days thereafter. In addition, they must not sell or share any new personal information they obtain regarding the consumer. On January 1, 2028 and every three years thereafter, an independent audit will be run on data brokers to determine whether they are in compliance with the Delete Act. Failure to honor verified deletion requests will result in a $200 fine per deletion request for every day the broker is out of compliance, as well as the agency’s fees, expenses and costs. Failure to register with the CPPA will also result in a fine of $200 for each day of non-registration, along with the agency’s fees, costs and expenses.
While the Delete Act will be the most comprehensive data broker registration law, three other states have currently passed legislation similar to the existing data broker requirements under the CCPA. Vermont implemented its data broker law in 2018, which requires brokers to register with the state, maintain adequate cybersecurity measures, and destroy data no longer in use by the broker. Texas recently passed a law, which went into effect in September of 2023, that implemented a data broker registry and data protection obligations. Oregon’s data broker law, which goes into effect in January of 2024, requires data brokers to register and pay a fee, as well as let consumers know whether they can opt out of their data collection. The data brokers must also describe how consumers can opt out if they choose to do so.
See the full text of the Delete Act at “Bill Text - SB-362 Data broker registration: accessible deletion mechanism” (ca.gov). If you have any further questions regarding the Delete Act, please contact Dorsey’s data privacy team.