California expands data privacy protections, enacts the Delete Act
California continues to provide consumers with some of the strongest data privacy protections in the country, with Gov. Gavin Newsom having signed the Delete Act (formerly Senate Bill 362) into law on October 10, 2023.
The Delete Act expands upon the California Consumer Privacy Act of 2018 and subsequent amendments made by the California Privacy Rights Act of 2020, further regulating the data broker industry. The Delete Act will require any business that meets the definition of data broker to provide detailed, obligatory disclosures, register with the California Privacy Protection Agency (Agency), and opt in to the Agency’s “one-stop-shop” mechanism, whereby consumers can request that brokers delete their personal information.
“Data broker” defined
The Delete Act applies to “data brokers,” defined as any “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The Delete Act excludes entities covered by the Federal Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Insurance Information and Privacy Protection Act, as well as entities, or business associates of covered entities, to the extent their processing of personal information is exempt under Cal. Civ. Code § 1798.146. (The California Privacy Rights Act defines what qualifies as a “business.” Cal. Civ. Code § 1798.140(d).) Notably, however, the Delete Act does not define “direct relationship.”
“Accessible deletion mechanism” explained
By January 1, 2026, the Delete Act mandates that the Agency establish an “accessible deletion mechanism” that will allow a consumer, through a free, single verifiable consumer request, to request that any data broker that maintains any personal information about the consumer delete that personal information.
The foregoing diverges from the California Consumer Privacy Act and California Privacy Rights Act. Prior to the Delete Act, consumers could request that organizations delete their personal information, but the process required consumers to contact each business individually regarding their data. Under the Delete Act, every data broker must now delete consumers’ personal information upon a single request. In essence, the Delete Act creates a simplified mechanism for Californians to delete their personal information held by data brokers in a single step.
Beginning August 1, 2026, data brokers must access the “deletion mechanism” at least once every 45 days to process all deletion requests, direct all associated service providers or contractors to delete the consumer’s data, and, in cases where a broker denies a deletion request because it cannot be verified, process the request as an “opt-out” of sharing the consumer’s data and direct all associated service providers or contractors to do the same.
Thereafter, data brokers are prohibited from retaining, selling, or sharing the consumer’s data and must delete any new consumer data at least once every 45 days.
Disclosure and compliance requirements
The Delete Act shifts regulatory oversight from the California Attorney General’s Office to the Agency. All data brokers are now required to register with and disclose specified information to the Agency, including, but not limited to, all of the information below:
- The data broker’s name and its primary physical, email, and internet website addresses.
- The metrics compiled.
- What type of data the broker collects (e.g., minors, geolocation, health care data).
- The number of requests received, as well as the median and mean number of days within which the data broker substantively responded to deletion requests.
In addition to annual reporting requirements, as of January 1, 2028, and every 3 years thereafter, data brokers must submit to an audit by an independent third party to ensure compliance. Data brokers must submit the audit report and related materials to the Agency and maintain the report and materials for at least six years.
Fees and penalties
Any data broker that fails to comply with the Delete Act’s specifications is subject to administrative fines, fees, expenses, and costs imposed by the Agency. The Delete Act does not provide for a private right of action.
For more legislative updates on data privacy law from McDonald Hopkins, please subscribe to receive our publications or view the links below for recent updates on other states’ data privacy legislation. And, if you have questions about your company’s compliance with cyber regulations, concerns about vulnerability to a ransomware attack or other breach, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.