California’s Delete Act: Background Brief

A new California privacy law – the Delete Act – will give Californians the simplest method in the world to opt out from having their personal information traded by data brokers.

California Privacy Rights Act (the CPRA)

Backed by digital rights advocacy groups, the new law streamlines and strengthens Californians’ existing ‘right to delete’ (a consumer privacy right to request businesses delete records of personal information), which is comprehensively covered by the California Consumer Privacy Act (CCPA) and its amendments under the California Privacy Rights Act (CPRA).

The new Delete Act will be enforced by the California Privacy Protection Agency (CPPA).

What initiated the new California personal delete laws?

California’s evolving privacy laws are now widely known for being much more consumer-centric than they used to be.

Much has changed in the decade since we published a blog titled: Forrester Predicts a New World of Data Sharing, which noted the view to “advocating for companies to treat data as a product”.

Similarly, seven years later, Gartner Research published a Market Guide for Identity Resolution on November 2, 2020, which advised: “Identity resolution is becoming a critical requirement for marketers facing growing privacy restrictions … Digital marketing leaders must understand the options and commit to a plan before current practices become obsolete.”

Reports like these don’t shy away from the fact most of the data sold by brokers skews towards what’s useful for commercial interests (marketing, advertising), rather than consumer interests. Commercially valuable data includes:

  • Demographic data (e.g. age, gender, relationship status and other connections to other people)
  • Locations (e.g. geolocation, home and work addresses, other visited addresses, such as healthcare providers)
  • Online activities (e.g. interactions with websites, apps, games and businesses)
  • Consumer habits (e.g. product interests, purchase histories).

California delete laws are explicitly aimed at data brokers

When modern analytics tools are applied to these consumer data sets, the results have large commercial value, but they also pose huge potential privacy risks.

Therefore, privacy advocacy organizations such as the Electronic Frontier Foundation (EFF) and several consumer-facing publications have been highly active in educating consumers about privacy risks associated with the commodification and brokering of personal information.

A Vice Magazine article published on July 14, 2021, titled “Inside the Industry That Unmasks People at Scale”, explained to consumers: “Unique IDs linked to phones are supposed to be anonymous. But there’s an entire industry that links them to real people and their address.”

The authors of a July 23, 2021, report published by EFF and titled “Data Brokers Are the Problem”, delivered a similarly ominous message: “Data brokers sell rich profiles with more than enough information to link sensitive data to real people, even if the brokers don’t include a legal name. In particular, there’s no such thing as ‘anonymous’ location data.”

These concerns about data brokers potentially (or actively) encroaching on people’s privacy were raised by California State Senator Josh Becker when he proposed a California Delete Act in early 2023, aiming to give Californian consumers a broad-reaching right to stop their personal information from being commodified and traded.

California privacy laws and the Delete Act: key dates

  • February 8, 2023 – California State Senator Josh Becker introduces California Senate Bill 362 (SB 362, widely known as the Delete Act) to California State Assembly Committee on Rules, aiming to strengthen Californians’ personal data privacy rights. Senator Becker makes some amendments to the Bill in April.
  • April 25, 2023 – California Assembly Appropriations Committee votes 9–2 in favor of passing the Bill.
  • May 31, 2023 – Senator Becker’s Delete Act advances off the California Senate floor and in a press release he declares: “Data brokers spend their days and nights building dossiers with millions of people’s reproductive healthcare, geolocation, and purchasing data so they can sell it to the highest bidder. The Delete Act is based on a very simple premise: Every Californian should be able to control who has access to their personal information and what they can do with it.”
  • September 14, 2023 – Senate votes 31–9 in favor of making the Delete Act law, and it is enrolled and presented to the Governor a week later.
  • October 10, 2023 – California Governor Gavin Newsom signs Senate Bill 362/Delete Act into law and establishes several compliance deadlines. In a press statement Senator Becker notes: “Governor Newsom’s signature of the Delete Act enshrines California as a leader in consumer privacy and we are determined to restore consumer control over their own personal data. Data brokers possess thousands of data points on each and every one of us, and they currently sell reproductive healthcare, geolocation, and purchasing data to the highest bidder. The Delete Act protects our most sensitive information.”
  • January 1, 2024 – Deadline for all data brokers in California to be registered with the California Privacy Protection Agency.
  • January 1, 2026 – Deadline for the California Privacy Protection Agency to provide an accessible deletion mechanism, creating a one-stop place for consumers to lodge delete requests to all data brokers holding their personal information.
  • August 1, 2026 – Start date from which all data brokers in California must access the CPPA delete mechanism at least every 45 days and process all applicable delete requests.
  • January 1, 2028 – Start date from which all data brokers in California must undergo a Delete Act compliance audit by an independent third party (and every three years after).

CPPA to establish a one-click mechanism for delete requests

The California Privacy Protection Agency has been directed to establish a one-click deletion mechanism by January 1, 2026, that supports Californian consumers’ right to delete.

It will allow individuals to send a single verifiable personal information delete request to the agency which will be simultaneously distributed to all data brokers in California – saving them the hassle of filing individual data privacy right requests with each data broker.

The delete request mechanism will include an option for consumers to select specific data brokers they wish to be excluded from the request. Consumers will also be allowed to request a change to their delete request 45 days or more after their last request.

CPPA delete request mechanism functions

Under the Delete Act, the CPPA’s deletion mechanism must allow a consumer to:

  • Request the deletion of all personal information (held by data brokers) via a single request through an internet service operated by the agency – with no fee charged for the request.
  • Submit a request in any language they speak; and the mechanism must also be accessible by consumers with disabilities.
  • Securely submit information in one or more privacy-protecting ways determined by the CPPA; protecting a consumer if additional information is needed to complete the request; and via a mechanism to determine if an individual has made a verifiable request.
  • Get help from an authorized representative to complete the request.
  • Verify the status of the consumer’s deletion request (or allow their authorized representative to verify the status).

By January 1, 2024: Data brokers in California must register with CPPA

The Delete Act requires all data brokers in the state to have registered with the California Privacy Protection Agency by January 1, 2024 – with the threat of fines for non-compliance.

Data brokers must meet the following data governance obligations:

  • Pay a registration fee (at an amount to be determined by the CPPA), which will be deposited in the Data Brokers’ Registry Fund.
  • Register with CPPA again every year before January 31 with the name of the data broker; primary physical address, email address and website address; and provide reports on commercial activities related to personal information.
  • Report details of the categories and types of information in data sets collected from consumers, and report whether these data sets include: personal information of minors; consumer’s precise geolocation; or consumer’s reproductive health care data.
  • [From January 1, 2029, onwards] Report whether the data broker has undergone a compliance audit and if so, report the most recent year an audit report was submitted to the CPPA.

Compulsory notices on data brokers’ websites

Data brokers must also publish information on their websites clearly explaining to consumers how they may exercise personal information privacy rights including:

  • Rights to access, correct, delete and/or opt out of the sale and/or sharing of their personal information
  • Rights to limit a data broker’s use of sensitive personal information
  • Right to know the types and categories of personal information being sold to third parties.

A link to this information must be provided to the CPPA every year along with notices on the data broker’s website about whether and to what extent the broker or any of its subsidiaries is regulated by applicable laws, such as the federal Fair Credit Reporting Act.

From August 1, 2026: Data brokers must access the CPPA’s delete mechanism

Data brokers will be required to access the deletion mechanism provided by the California Privacy Protection Agency beginning August 1, 2026.

When data brokers receive any delete requests, they must:

  • Process all deletion requests – and delete personal information in all required cases – within 45 days of receiving the requests.
  • Delete any new personal information of any consumer who made a deletion request at least once every 45 days – and not sell/share these consumers’ personal information (unless a change in request is subsequently received from a consumer).
  • Notify and direct all data processors (such as contractors) and other third parties to delete all personal information in their possession of consumers who have submitted a delete request.
  • Respond to denied requests by alternatively processing the request as an opt out of the sale or sharing of a consumer’s personal information – and direct processors to do the same.

Record Keeping of Delete Requests

Data brokers will be required to organize, record, and disclose the following information:

  • Average time taken to respond to delete requests each reporting period.
  • Number of requests in the previous calendar year, organized to show the number of requests complied with or denied.
  • Number of requests denied (either in whole or part) due to requests not being verifiable; not made by a consumer; called for information exempt from deletion; or denied for another reason (supported by explanation of the reason).

From January 1, 2028: data brokers must undergo three-yearly audits

Every three years from January 1, 2028, all data brokers handling the personal information of Californian consumers must undergo an audit of their activities to demonstrate compliance with the California Delete Act.

The results of each audit must be: 

  • Submitted to the California Privacy Protection Agency within five business days of the completion of the audit (to ensure relevancy)
  • Kept for at least six years and be made available to the CPPA on request.

Penalties for failing to comply with California’s new Delete Act laws

The California Privacy Protection Agency will enforce compliance with the Delete Act. The Agency has the power to order the following fines and other expenses for non-compliance:

  • $200 fine for each day a data broker failed to register with the CPPA
  • An amount equal to all registration fees due during the period a data broker failed to register
  • Expenses incurred by the CPPA while investigating and administering an action
  • $200 for each day a data broker failed to comply with deletion requests by not deleting personal information after receiving valid deletion requests.
