Gov. Gavin Newsom signed the Delete Act (the Act) on Oct. 11, making it easier for California consumers to instruct data brokers to delete their personal information or refrain from selling or sharing it. Consumers already have the right to make such requests under the California Consumer Privacy Act (CCPA), but they must do so individually for each of the state's 500 registered data brokers. The Act would consolidate this right into a single request that consumers may submit online, effective for all data brokers registered in California.

Whom does the Act cover?

The Act defines a data broker as any business that "knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship" but excludes businesses covered by the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Insurance Information and Privacy Protection Act, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The Act shifts responsibility for maintaining a state registry of data brokers from the attorney general to the California Privacy Protection Agency (CPPA). The CPPA must also maintain a Data Brokers' Registry Fund, consisting of registration fees and fines, to be available for expenditure by the California Department of Justice.

What does the Act require?

By Jan. 31 following each year in which a business meets the definition of data broker, the broker must register with the CPPA, pay registration fees and disclose certain information about its data processing activities. The disclosure requirements include:

  • The broker's contact information
  • A link to its required online privacy notices
  • Metrics on how it processes data, including whether it processes geolocation data, reproductive health care data or the personal data of minors
  • Metrics on how it has responded to consumer requests to delete or opt out of the sale or sharing of personal data
  • Whether and to what extent it is covered by any exceptions to the definition of a data broker (e.g., FCRA, GLBA, HIPAA)

By Jan. 1, 2026, the CPPA must make a website available to consumers for submitting delete or opt-out requests. Among other requirements, the submission mechanism must be free of charge, be readily accessible, allow the consumer to verify their identity and give consumers the choice to apply any request only to certain data brokers.

By Aug. 1, 2026, data brokers must check for new consumer requests every 45 days and must comply with any new requests within 45 days of discovery. A data broker's duty to delete is ongoing and applies to any new information received about a consumer who has previously submitted a request, unless that consumer has since withdrawn the request.

By Jan. 1, 2028, and every three years thereafter, data brokers will be required to undergo a compliance audit by an independent third party. Data brokers are required to maintain records of these audits for six years and must submit those records to the CPPA upon request, within five business days. By Jan. 1, 2029, data brokers must also submit the results of the audits as part of their annual registrations.

What are the penalties for noncompliance?

Failing to register with the CPPA or to comply with consumer requests may lead to fines of $200 per day, as well as costs and fees incurred by the CPPA to investigate and enforce the Act. The Act imposes a five-year statute of limitations from the date of violation for any noncompliance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.