How Data Brokers Can Navigate California's DELETE Act

By Morgan Sullivan

Senior Content Marketing Manager II

September 29, 2023

At a glance

  • Signed by Gov. Gavin Newsom and passed by both houses of the California legislature, the Delete Act (SB 362) represents a significant amendment to the state's existing data broker law. 
  • Introducing fresh registration and disclosure requirements for data brokers, this law also establishes a one-stop-shop for consumers looking to delete personal data held by data brokers and/or request a freeze on future data collection.
  • The Delete Act is currently in effect, meaning data brokers must act quickly to comply with the bill's requirements.

Who does the Delete Act apply to?

The Delete Act keeps the existing definition of a data broker under the California Consumer Privacy Act (CCPA), i.e.:

a business that knowingly collects and sells third-party consumers' personal information without having a direct relationship with them

The Delete Act also mirrors the CCPA in its definitions of business, collect, third party, consumer, sell, and personal information.

Like many privacy laws, the Delete Act does outline a few exceptions, including entities covered by the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), or the Insurance Information and Privacy Protection Act (IIPPA).

Delete Act requirements

Once signed into law, the Delete Act will impose new requirements on data brokers and create novel enforcement obligations for the California Privacy Protection Agency (CPPA). Data brokers will need to register with the CPPA, be more transparent about what types of data they collect and how that data is used, provide metrics on consumer privacy request fulfillment, and submit to regular compliance audits.

Because the Delete Act moves the regulation of data brokers to the CPPA, the agency will be expected to ensure compliance with the law's requirements, create a one-stop-shop deletion mechanism for consumers looking to delete their data, and potentially engage in rulemaking around some of the Delete Act's under-developed provisions.

Regulated by CPPA

The Delete Act transfers oversight of data brokers from the California Attorney General’s Office to the CPPA. Once the act is in force, organizations that meet the definition of data brokers (defined by the CCPA) will need to register with the CPPA each year for an as-yet-undetermined fee.

Starting in 2029, data brokers must also include compliance audit results when registering with the CPPA each year.

Increased disclosure requirements

When registering with the CPPA, data brokers will need to disclose more information about their data collection practices. This includes disclosures on whether they collect consumers’ precise geolocation, minors’ personal information, or reproductive health data. They will also need to disclose whether they are regulated by data protection laws like HIPAA, GLBA, and more. 

Data brokers must also provide, in their company privacy policies, metrics on their processing of consumer access or deletion requests—including number of requests received and denied, as well as average response times.

CPPA-provided deletion mechanism

Under the Delete Act, the CPPA would need to create a public-facing “deletion mechanism” by January 1, 2026. This mechanism must be free to use and easily accessible online.

Similar to the FTC’s national Do Not Call registry, this mechanism would allow consumers or authorized agents to, through a single action, request that every data broker in California delete their personal information. 

Starting August 1, 2026, which gives a six-month adjustment period, data brokers must begin accessing the CPPA’s deletion mechanism once every 45 days. They are then required to fulfill a consumer deletion request within 45 days of receipt.

If a consumer’s identity can’t be verified and the data broker is unable to fulfill the request, they must still treat it as an opt-out of the sale or sharing of personal data, as defined by the CCPA.

After complying with a consumer’s initial deletion request, data brokers must continue to delete personal information collected from that consumer at least once every 45 days—unless the consumer requests otherwise. This duty is ongoing once the Delete Act is in effect.

Audits

Beginning January 1, 2028, data brokers must undergo an audit by an independent third party every three years. Records of any compliance audits must be retained for at least six years, and must be made available to the CPPA upon request.

Conclusion

The California Delete Act will impose significant new requirements on data brokers who fall under the law's purview. Those that do should focus on two main pieces: getting their ducks in a row when it comes to disclosures, and preparing to fulfill the likely influx of new consumer data requests.

Though there's some prep time when it comes to consumer data requests (as the CPPA isn't expected to publish the delete mechanism until 2026), the new disclosure requirements will begin immediately once the bill is signed.


About Transcend Privacy Requests

Transcend Privacy Requests is the easiest and most comprehensive way to delete, deidentify, return, or modify a user's data or preferences across your tech stack.

Decrease costs, increase program efficiency, and comply with privacy request requirements with a single platform that handles every step — all without human intervention.

No matter the data system, request type, regulation, or requirement, Transcend has you covered, with customization as easy as checking a box.

