Governor Newsom Signs California Delete Act into Law
The California Delete Act enables state residents to request that data brokers delete all personal data maintained about them via a centralized database maintained on the CPPA website rather than having to make a request to each data broker in California. The Act also requires data brokers to visit the database at least once every 45 days to review and process new deletion requests.
On October 10, 2023, California Governor Gavin Newsom signed the Delete Act (Senate Bill 362) into law. The bill was introduced in April 2023 by Senator Josh Becker to give California residents greater control over their personal information and how it is used by data brokers. Data brokers sell millions of consumers’ data points to the highest bidder. That information includes purchasing data, which can be accessed by retailers and used to serve targeted ads. More sensitive information may also be collected and sold, such as geolocation information and even reproductive health information.
The new law will allow state residents to request that data brokers delete their personal data and/or forbid them from selling or sharing their personal data. Since 2018, Californians have had similar rights, but in order to exercise them they were required to make requests to each individual data broker. Since there are almost 500 data brokers operating in California, exercising those rights would be a time-consuming process.
The Delete Act simplifies that process, as it calls for the California Privacy Protection Agency (CPPA) to develop a mechanism for allowing California residents to exercise their rights, which should be made available on a single page on its website. Consumers will be able to submit a single request for all data brokers to delete their personal information and prohibit them from selling or sharing that information. The CPPA has been given until January 1, 2026, to implement the feature on its website.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
By August 1, 2026, data brokers will be required to check for any new requests at least once every 45 days and process those requests. The bill will not prohibit a data broker from continuing to collect the personal data of consumers who have exercised their rights, but once a request has been made via the CPPA, the data broker will be required to delete any new data that is collected at least once every 45 days. The data broker would not be permitted to sell or share a consumer’s data once a request has been made.
The Delete Act takes the definition of data broker from the California Consumer Privacy Act of 2018, which classes data brokers as companies with gross revenues of more than $25 million in the previous year, that buy, sell, or share the personal information of 100,000 or more consumers or households each year, provided that at least 50% of the company’s annual revenue comes from the sale of personal information.
From January 1, 2028, and every 3 years thereafter, data brokers would be required to undergo an independent third-party audit to determine whether they are compliant with the Delete Act and submit the audit report to the CPPA on request. Any data broker found not to be compliant with the Delete Act would be liable for administrative fines, fees, expenses, and costs.
While the Delete Act will provide consumers with greater control over their personal data, the Delete Act has significant exemptions. The definitions used for data broker means some companies that collect and sell considerable amounts of consumer data would be exempt and not subject to any deletion requests. Data brokers are likely to have to overcome technological challenges to comply and critics say it will place an undue burden on data brokers and could even undermine California’s digital economy. If large numbers of California residents exercise their rights, it will make it hard for small businesses to find new customers as they will no longer be able to rely on data-driven advertising.
The signing of the bill has been welcomed by the CPPA. “We applaud Governor Newsom for signing SB 362, the California Delete Act, which the CPPA Board unanimously voted to support in July. SB 362 is consistent with CPPA’s mission to further Californians’ privacy by making it easier for consumers to exercise their rights,” said Ashkan Soltani, Executive Director of the CPPA. “Similar to the California Consumer Privacy Act’s existing requirement for businesses to honor opt-out preference signals, the ‘accessible deletion mechanism’ is another privacy innovation that further cements California’s leadership in technology policy and consumer protection.”
