Ctrl-Alt-Delete: California Legislature Passes Delete Act

This post was updated Oct. 10 after the Delete Act was signed into law.

The wave of data privacy legislation in California continues as lawmakers passed a bill that will impose new obligations on data brokers. Senate Bill 362, also known as the Delete Act, will amend California's existing data broker law by subjecting all data brokers to mandatory registration with the California Privacy Protection Agency (CPPA), imposing new disclosure obligations, and requiring data brokers to comply with a "one-stop" mechanism to be established by the CPPA whereby California consumers can request data brokers to delete their personal data. This one-stop deletion mechanism would have to be established by January 1, 2026, and honored by data brokers starting August 1, 2026.

The Delete Act was signed into law by Governor Newsom on October 10, 2023.

Below is an overview of notable provisions and regulatory requirements.

Data Broker Defined

The Delete Act applies to data brokers, defined as any business that "knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." It excludes entities covered by the Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act (GLBA), Insurance Information and Privacy Protection Act (IIPPA), as well as entities, or business associates of covered entities, to the extent their processing of personal information is exempt under California Civil Code § 1798.146 (i.e., HIPAA-covered entities). The sponsors of the Delete Act sought to "patch" apparent loopholes in the CPPA that allow consumers to request individual data brokers to delete information obtained directly from consumers, but did not require data brokers to delete personal information obtained from other sources.

"One-Stop" Deletion Mechanism

One of the most significant aspects of the Delete Act is the requirement that the CPPA create a "one-stop deletion mechanism" by January 1, 2026. This mechanism must be accessible online without charge to consumers and must allow a consumer, or a consumer's authorized agent, to submit a single verifiable deletion request that registered data brokers can access via the mechanism. In addition, consumers will have the option to "selectively exclude" data brokers when submitting a deletion request in the mechanism.

Some have compared the one-stop deletion mechanism to the National Do Not Call Registry.

Data Brokers Must Monitor Deletion Mechanism

Beginning August 1, 2026, data brokers will be obligated to access the deletion mechanism at least once every 45 days to review and process deletion requests. Within 45 days of receiving a request from a consumer (or authorized agent), data brokers must delete the consumer's personal information. Data brokers therefore must establish and implement monitoring protocols to ensure they can comply with this requirement. The CPPA will also have the option to charge a fee for data brokers to access the deletion mechanism "that does not exceed the reasonable costs of providing that access."

Deletion at Best, Opt-Out at Worst

If a data broker denies a consumer's request on the grounds that it is unverifiable, the data broker must process it as a request to opt out of the sale or sharing of the consumer's personal information under the CCPA. In addition, data brokers will be required to direct all associated service providers or contractors to take similar steps, whether it be to delete the personal information of the requesting consumer or to opt the consumer out of sales and sharing of their personal information.

CPPA Empowered with Oversight Authority

Under current law, data brokers must register with the California Attorney General's Office and pay an annual fee. Under the Delete Act, oversight authority of data brokers will transfer to the CPPA and data brokers will be required to register with and pay an undetermined fine to the CPPA by January 31 of each year.

New Disclosure Requirements

In addition to requiring data brokers to comply with deletion requests and monitor the CPPA's deletion mechanism on a regular basis, data brokers will be required to disclose a significant amount of information when registering with the CPPA, including:

• Metrics on their processing of consumer privacy requests; and
• Whether the data broker collects the personal information of minors, consumers' precise geolocation information, or information about consumers' reproductive healthcare.

In addition, each data broker will be required to provide a link to a page on their website describing how consumers may exercise their privacy rights under the CCPA and confirming they do "not make use of dark patterns."[1] Data brokers must also affirmatively disclose whether, and to what extent, they are regulated by the FCRA, GLBA, IIPPA, HIPAA or California's Confidentiality of Medical Information Act.[2]

New Reporting and Audit Obligations

The Delete Act also imposes new reporting obligations. For example, on or before July 1, data brokers will need to compile and disclose in their privacy policies metrics regarding the number of CCPA requests (including deletion requests pursuant to the "one-stop" mechanism) they received and responded to for the prior calendar year. The metrics must contain the following data:

• The number of CCPA requests received;
• The median and mean number of days the data broker took to substantively respond to CCPA requests; and
• The number of CCPA requests a data broker denied, including the specific bases for the denials.

In addition to annual reporting requirements, beginning January 1, 2028, and every three years thereafter, data brokers will be required to undergo an audit by an independent third party to ensure compliance with the Delete Act.

Data brokers will need to maintain records of any compliance audit for at least six years and submit audit results to the CPPA within five business days after receiving a request. Data brokers also will need to disclose their audit results while registering annually with the CPPA, beginning January 1, 2029.

The audit and compliance obligations in the Delete Act would be in addition to the required risk assessments and cybersecurity audits imposed by the CCPA regulations.

Continuing Duty to Delete

A data broker's obligation to delete would be ongoing. In other words, after a data broker receives and complies with a consumer's deletion request, it must continue to delete any personal information collected from that consumer at least once every 45 days unless the consumer requests otherwise.

Penalties for Non-Compliance

Data brokers that fail to affirmatively register with the CPPA or comply with a deletion request submitted via the one-stop deletion mechanism could be liable for administrative fines of $200 per day, reimbursement to the CPPA for unpaid registration fees, and expenses incurred in connection with the investigation and agency enforcement action. However, the Act imposes a statute of limitations of five years on those actions.

The Delete Act does not provide for a private right of action.

Looking Ahead

The Delete Act goes further than any U.S. law, to date, in overseeing and regulating data brokers. The Act's regulatory obligations, particularly in conjunction with existing consumer opt-out rights contained in the CCPA, will require covered organizations to be proactive and further enhance or expand existing consumer privacy compliance programs.

DWT's Privacy and Security team regularly advises clients on policy issues involving data privacy, along with the CPPA's various regulatory and rulemaking initiatives.