California added another legal arrow to its quiver of privacy laws on Tuesday after Governor Gavin Newsom, D-California, signed Senate Bill 362, colloquially known as the Delete Act. The move comes just days before the 14 October deadline for Newsom to sign the bill into law.
The Delete Act follows on from the California Consumer Privacy Act and amendments to the landmark California Privacy Rights Act. The new law requires data brokers to register with the California Privacy Protection Agency, which will enforce the law.
Significantly, the CPPA will also be tasked with developing a one-stop-shop mechanism by 1 January 2026 for securely-verified consumers to request the deletion and tracking of their personal information. From 1 August 2026, brokers will also be required to process new deletion requests within 45 days of receiving a verified request.
Under the current rules, consumers can request that data brokers delete their data by making an individual request to each company. There are about 500 so-called data brokers operating in the state.
State Senator Josh Becker, D-California, who authored SB 362, said Newsom’s signature “cements California as a leader in consumer privacy”. He added: “Data brokers hold thousands of data points on each and every one of us, and they currently sell reproductive health, geolocation, and purchase data to the highest bidder. The Delete Act protects our most sensitive information.”
Prior to Newsom signing the bill, CPPA Executive Director Ashkan Soltani said during the IAPP Privacy. Risk. Security. 2023 in San Diego that the agency was “very pleased” that the state legislature had passed SB 362, calling the global deletion mechanism innovative.
Soltani said the single-request deletion mechanism “follows through on the fact that if consumers are interested in exercising their rights, it should be easy to do so”. He noted that the CPPA is “uniquely suited to start building this system and developing all the pieces for it in a practical way”. However, he also said that developing such a mechanism “will be no small task”.
The new law shifts the registration of data brokers in the state from the California Department of Justice to the CPPA. Companies considered data brokers under the law’s definition are essentially those that collect, use and sell personal information without a consumer’s knowledge. The law also creates a “do not track” list that prohibits data brokers from collecting users’ data in the future.
The law also includes a number of transparency requirements for data brokers, including whether a company collects precise geolocation data, reproductive health data and personal data about minors. Reproductive health data and its collection by data brokers in particular became a major issue following the US Supreme Court’s Dobbs decision, which overturned Roe v. Wade.
Author and Au Kemp Ventures principal Tom Kemp, who advised lawmakers on the Delete Act, applauded the bill, saying it “will lead to a meaningful reduction in (consumers’) personal data footprint,” adding that “other states will want this as well.”
Consumer Reports called SB 362 “a historic, pro-consumer bill”. Privacy and technology policy analyst Matt Schwartz said, “Data brokers have built a multi-billion dollar industry by collecting and selling personal information about individuals, usually without our knowledge or consent. This law will empower individuals to take back control of their data and personal information.”
Concerns for data brokers
Jason Sarfati, Chief Privacy Officer and Vice President Legal at Gravy Analytics, raised concerns about the legislation during a panel discussion on the Delete Act at P.S.R. and in a recent LinkedIn Live hosted by IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US.
Looking at the definitions in the California law, Greenberg Traurig shareholder Darren Abernethy, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, PLS, said “business” is defined, but the Delete Act brings into scope businesses that collect data about consumers without a direct relationship. “‘Direct relationship’ is not defined in the law,” he said. “So that should trigger some conversations internally about what is the nature of your relationship with the consumers’ personal information that you collect. How did you come across that? Those are all things that I think are relevant.”
Regarding the transparency requirements, Abernethy said that this requirement “may necessitate reviewing or updating data inventories, privacy policies or other public-facing materials. Also note,” he said, “that in-scope brokers who fail to register with the CPPA may be subject to a fine of $200 for each day the broker fails to register, which is double the current fine.”
As reported last month, Chris Oswald, executive vice president for law, ethics and government relations at the Association of National Advertisers, said the Delete Act “will encourage the mass deletion of data that is the lifeblood of California’s digital economy”. He said the deletion request mechanism will cost the CPPA about 20 times its projected budget.
“Without a robust data marketplace, Californians will fall victim to more fraud and identity theft because their identities can’t be verified. Small businesses will struggle to find customers without data-driven advertising,” said Oswald. “Nonprofits will lose access to the tools they need to find new donors and volunteers. Government agencies won’t be able to use data to effectively allocate resources and reduce waste.”
Sarfati said, “I’m going to be very honest with you: Some data brokers are going to go out of business, first of all, because a lot of them are six- or seven-figure companies that are small and not built to handle the compliance obligations. There’s actually going to be a massive consolidation of the data broker industry over the next couple of years.”
Abernethy highlighted the 45-day provision for brokers to delete data, which he said would be difficult for companies to manage operationally. A consumer could make a deletion request, which could take days to process, “but what if you’re collecting data in the meantime?” Abernethy said: “I think you’re going to have to keep some sort of record that the consumer has made a request.”
Although the Delete Act is a state law, California has 45 million residents, prompting Sarfati to say, “In practice, this is a federal law. I just don’t see how it’s not.”
Complexity of the removal mechanism
Creating a single form deletion mechanism will be no easy task for the CPPA.
Felicity Slater, policy fellow at the Future of Privacy Forum, pointed out that the CPPA “will need to address some difficult operational issues, including the details of what personal information it will need to collect at the deletion request stage in order to allow different companies to authenticate a request and link it to a specific consumer profile, and how it will securely collect and store that information.”
Sarfati said it’s unclear to him who is doing the deletion verification, which is particularly important if an adversary is conducting a social engineering attack. “Who is actually doing the verification?”
There will be time to work out the details, but for those in scope, there is a new law on the books that requires attention.