California residents may soon be able to click “backspace” on data brokers doing business in the state. On October 10, 2023, California Governor Gavin Newsom signed Senate Bill 362, colloquially known as the Delete Act, into law. The statute amends the state’s existing data broker registration law and builds on the state’s primary privacy law, the California Consumer Privacy Act (CCPA), by adding to residents’ ability to exercise their personal information deletion rights. Most notably, the law establishes a one-stop mechanism where state residents will be able to request—in one verifiable request—that all data brokers delete their personal information.
California residents already have the right to request that businesses subject to the CCPA delete personal information the business has collected from the resident, but they must do so individually with each business that holds their data, and the CCPA deletion right does not extend to personal information about the resident that the business collected from other sources. While compliance with the one-stop mechanism (which must still be created by the California Privacy Protection Agency, or CPPA) will not go into effect until August 1, 2026, “data broker[s]” covered under the CCPA should begin to think about how they can come into compliance, as the cost and monitoring protocols necessary to comply with the Delete Act could be significant. Most importantly, the Delete Act:
- transfers oversight authority of California’s data broker registry from the state’s Attorney General’s Office to the CPPA;
- requires the CPPA to create, by January 1, 2026, a one-stop mechanism where state residents can request to have their data deleted from some or all registered data brokers using a “single verifiable consumer request”;
- starting on August 1, 2026, requires data brokers to check the one-stop mechanism at least once every 45 days to monitor and honor deletion requests. Additionally, data brokers must delete the resident’s personal information within 45 days of receiving a deletion request and must continue to delete that resident’s personal information at least once every 45 days (unless the consumer requests otherwise or the deletion is not required under the CCPA’s exceptions);
- starting on January 1, 2028, and every three years thereafter, requires data brokers to undergo an audit by an independent third party to determine compliance with the law’s requirements; and
- imposes administrative fines of $200 for each deletion request for each day the data broker fails to honor a deletion request made through the one-stop mechanism, plus any reasonable expenses incurred by the CPPA. With a population of nearly 40 million residents, if just 1 percent register with the one-stop mechanism, the law would potentially impose fines of $80 million per day on a data broker that possessed personal information about each of those residents and failed to delete it as required.
More detail about these requirements is provided below.
- Similar Definition, Change in Regulator, and Higher Fees: The definition of “data broker” remains largely unchanged from current law, but adds a new exception for covered entities and business associates under the federal Health Insurance Portability and Accountability Act (HIPAA), to the extent the personal information they process is covered by HIPAA. Note that, as with the current law, the definition of data broker has no threshold, meaning that a business covered by the CCPA that knowingly collects and sells the personal information of a single resident with whom it does not have a direct relationship is required to register as a data broker and comply with the Delete Act’s requirements. The statute also transfers administrative and enforcement authority from the state’s Attorney General to the CPPA. Notably, the statute authorizes but does not require the CPPA to adopt regulations to administer this law. In addition, applicable data brokers must register and renew their registration with the CPPA by January 31st following each year they meet the data broker definition and pay a to-be-determined fee intended to cover the costs incurred by the CPPA in establishing and maintaining the registration website and deletion mechanism. While current annual registration fees are $400, these will likely increase substantially as they do not incorporate the anticipated complexity of managing the one-stop deletion mechanism. For comparison, the current annual fees for accessing all area codes on the Federal Trade Commission’s National Do Not Call Registry are $21,402.
- A One-Stop Mechanism: The law requires the CPPA to create, by January 1, 2026, an “accessible deletion mechanism” where consumers (or their authorized agent) can submit a “single verifiable consumer request” to delete their personal information from some or all data brokers in the state (including data brokers’ associated service providers and contractors). The concept is somewhat similar to the National Do Not Call registry. What is more, the new deletion mechanism must be publicly accessible through the CPPA’s website; the process must be secure (as determined by the CPPA); it must be available in any language spoken by any consumer for whom personal information has been collected by data brokers; it must be accessible for consumers with disabilities; it must allow consumers (or their authorized agents) to verify deletion; and consumers must be able to make deletion requests free of charge. It will inevitably take some time for the CPPA to craft a workable mechanism that complies with these rigorous requirements.
- Ongoing Duty to Monitor and to Delete: Beginning August 1, 2026, data brokers must 1) access the one-stop mechanism at least once every 45 days and 2) delete a consumer’s personal information within 45 days of receiving the request (unless one of the CCPA deletion exceptions applies). The CPPA may charge data brokers a fee every time they access the mechanism, in addition to the registration fees detailed above. Furthermore, after the data broker has deleted the consumer’s data pursuant to the above, it must continue to delete that consumer’s newly collected personal information at least once every 45 days and cannot sell or share new personal information of that consumer (unless that consumer requests otherwise). To operationalize compliance at scale, data brokers will likely need to implement a monitoring system to routinely poll the mechanism for updates.
- An Opt-Out Minimum: If a data broker denies a consumer deletion request because the request cannot be verified, it must still process the request as an opt-out of the sale or sharing of the consumer’s personal information under the CCPA. This effectively erects a “do not sell or share” minimum for data brokers who receive a consumer deletion request. Importantly, data brokers must also direct all associated service providers and contractors to delete all personal information in their possession related to the consumers making the deletion request (or to process the request as an opt-out if it cannot be verified).
- Audits: Beginning January 1, 2028, and every three years after, data brokers must undergo an audit by an independent third party to determine compliance with the law’s requirements. Data brokers must maintain records of a compliance audit for at least six years and, upon the CPPA’s written request, hand over audit results within five business days. Starting on January 1, 2029, data brokers must disclose in their annual registration whether they have undergone an audit, and if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the CPPA.
- Penalties: Failure to comply with a proper deletion request can result in an administrative fine of $200 for each deletion request for each day that the data broker failed to delete information as required, plus any reasonable expenses incurred by the CPPA for enforcement actions. While the law does not provide for a private right of action to consumers, as noted above, a per-request-per-day fine could quickly balloon to astronomical amounts if a data broker fails to judiciously monitor and comply with deletion requests. The law provides a five-year statute of limitations for violations.
The Delete Act is a forceful volley at data brokers that do business in California, going further than any other existing U.S. state privacy law in regulating the data broker industry. When the new one-stop deletion mechanism comes into effect in 2026, organizations that rely on third-party consumer data to enhance their operations are most likely to be impacted. For example, ad tech companies that compile data from multiple sources, including from third-party brokers, could have less data with which to develop their product dashboards and customer marketing tools. The ability of organizations that purchase data from data brokers and use it to protect consumers from fraud and identity theft could similarly be impacted, especially if the one-stop mechanism is used by fraudsters to skirt detection. Publishers may find it more difficult to monetize their online properties, and advertisers may find it more difficult or expensive to reach relevant audiences in California with less third-party data available. Overall, the long-term impact of the law depends on whether or not, and to what extent, the one-stop mechanism is embraced by consumers and is able to withstand potential legal challenges.
The CPPA has yet to specify what a potential single deletion mechanism would look like. For now, the statute only specifies that the mechanism must be “accessible to the public” through the CPPA’s website. The CPPA has until January 1, 2026, to create the deletion mechanism. While this is a relatively long runway, the law’s potentially extraordinary penalties and new rigorous disclosure, monitoring, and audit requirements will require all CCPA-covered organizations to carefully evaluate whether they may be a data broker under the law’s broad definition and to assess their privacy compliance programs.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your CCPA compliance efforts, please contact Tracy Shapiro, Eddie Holman, or any member of the firm’s privacy and cybersecurity practice.
Doo Lee contributed to the preparation of this post.