California Delete Act
The California Delete Act lets consumers direct all registered data brokers to delete their personal information through one state-run mechanism, administered by the CPPA. Brokers must register, honor deletion requests, and undergo audits, with fines for non-compliance.
Overview
The California Delete Act, Senate Bill 362, was signed into law in 2023, with registration obligations beginning in 2024. It strengthens California's regulation of data brokers and builds on the earlier data broker registration law and the California Consumer Privacy Act. Its central innovation is a single, state-run deletion mechanism that lets consumers ask all registered data brokers to delete their personal information with one request, rather than contacting each broker individually.
The Act is administered by the California Privacy Protection Agency (CPPA), which is directed to build and operate the accessible deletion platform.
Who It Applies To
The Act applies to data brokers, defined as businesses that knowingly collect and sell the personal information of consumers with whom they do not have a direct relationship. These brokers must register with the CPPA. The deletion mechanism benefits California consumers, and the broader privacy ecosystem of vendors and service providers must support brokers' compliance.
Key Requirements
Data brokers must register annually with the CPPA, pay fees, and disclose specified information about their data practices. Once the state deletion mechanism is operational, brokers must regularly check it and process deletion requests submitted through it, deleting the consumer's personal information and directing service providers to do the same, and thereafter not selling or sharing new personal information about that consumer unless the consumer requests otherwise. Brokers must also undergo periodic independent audits of their compliance.
Penalties for Non-Compliance
The CPPA can impose administrative fines for failures such as not registering, missing deletion-processing obligations, or failing to comply with audit requirements. Penalties include daily fines for failure to register and per-deletion fines for failing to honor deletion requests, plus recovery of enforcement costs.
How to Comply
Data brokers should register with the CPPA on schedule, maintain accurate disclosures, and build systems to query the deletion mechanism and process requests across their own systems and service providers. Implement recurring deletion checks, retain records, and prepare for independent audits. Align processes with CCPA/CPRA obligations to avoid duplication.