Gov. Gavin Newsom signed the Delete Act (the Act) on Oct. 11, making it easier for California consumers to instruct data brokers to delete their personal information or refrain from selling or sharing it. Consumers already have the right to make such requests under the California Consumer Privacy Act (CCPA), but they must do so individually for each of the state’s 500 registered data brokers. The Act would consolidate this right into a single request that consumers may submit online, effective for all data brokers registered in California.
The Act defines a data broker as any business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship” but excludes businesses covered by the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Insurance Information and Privacy Protection Act, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The Act shifts responsibility for maintaining a state registry of data brokers from the attorney general to the California Privacy Protection Agency (CPPA). The CPPA must also maintain a Data Brokers’ Registry Fund, consisting of registration fees and fines, to be available for expenditure by the California Department of Justice.
By Jan. 31 following each year in which a business meets the definition of data broker, the broker must register with the CPPA, pay registration fees and disclose certain information about its data processing activities. The disclosure requirements include:
By Jan. 1, 2026, the CPPA must make a website available to consumers for submitting delete or opt-out requests. Among other requirements, the submission mechanism must be free of charge, be readily accessible, allow the consumer to verify their identity and give consumers the choice to apply any request only to certain data brokers.
By Aug. 1, 2026, data brokers must check for new consumer requests every 45 days and must comply with any new requests within 45 days of discovery. A data broker’s duty to delete is ongoing and applies to any new information received about a consumer who has previously submitted a request, unless that consumer has since withdrawn the request.
By Jan. 1, 2028, and every three years thereafter, data brokers will be required to undergo a compliance audit by an independent third party. Data brokers are required to maintain records of these audits for six years and must submit those records to the CPPA upon request, within five business days. By Jan. 1, 2029, data brokers must also submit the results of the audits as part of their annual registrations.
Failing to register with the CPPA or to comply with consumer requests may lead to fines of $200 per day, as well as costs and fees incurred by the CPPA to investigate and enforce the Act. The Act imposes a five-year statute of limitations from the date of violation for any noncompliance.
We will continue to monitor the latest developments in this ongoing legislative movement. Please reach out to the Kramer Levin privacy team for additional assistance.