New California Delete Act Tightens Rules for Data Brokers

Now that California Gov. Gavin Newsom has signed a bill defining the legal obligations of data brokers into law, businesses that serve people in the Golden State will have to meet a new set of processes to safeguard consumers' personal privacy. The new law consolidates California-specific processes under a state agency established by prior privacy legislation.

The California Delete Act, formally called "Data Broker Registration: Accessible Deletion Mechanism" (SB362), updates the state civil code to add and modify sections that pertain to data brokers to clarify such entities' responsibilities and processes. The new law also moves enforcement of data broker obligations from the California District Attorney's office to the California Privacy Protection Agency.

The California Privacy Protection Agency is tasked with maintaining a website that informs consumers of their rights and how to exercise them, as well as establishing a mechanism by Jan. 1, 2026, that allows consumers to request any and all data brokers to delete their personal data. The data brokers will have to start accessing the agency's mechanism and process all consumer deletion requests at least every 45 days as of Aug. 1, 2026. Once the broker has deleted a consumer's data, it further has to delete any personal information it has regarding that consumer during that same 45-day period. The Delete Act also requires data brokers to "register with, pay a registration fee to, and provide information to" the California Privacy Protection Agency starting July 1, 2027.

Business Concerns

The new law defines a data broker as "a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." The California Privacy Rights Act of 2020's definition of "business" — a company that meets at least one of these conditions: gross annual revenues of more than $25 million; collects personal information of at least 50,000 people, households, or devices; and/or makes at least half its annual revenue from selling consumer data — still stands.

Data brokers will have to register with the California Privacy Protection Agency, providing information such as business contact information, data deletion links, audit reports, and whether the company collects information about minors, geolocation data, or reproductive health care — a hot-button issue for consumer rights advocates since the striking down of federal abortion rights protections.

Neither the CCPA, the CPRA, nor the Delete Act defines "direct relationship" with consumers, however, as industry group International Association of Privacy Professionals (IAPP) pointed out in its coverage of the new law. Another concern data brokers have, according to the IAPP, includes a provision that doubles fines for brokers that fail to register with the California Privacy Protection Agency to $200 a day. Meanwhile, the Consumer Data Industry Association asserted that deleting consumer data will open the door to fraud.

Joey Stanford, vice president of data privacy and compliance at Platform.sh, said in a statement that the Act will close some loopholes, which will benefit consumers.

"Regulation comes with implementation costs for businesses and usually a negative hit to the bottom line of companies that are affected, which can cause pushback from corporations," he added.

Fodder for Wider Regulation

Interestingly, the Delete Act was signed into law just two days before the UK-US Data Bridge takes effect on Oct. 12. That agreement sets out conditions for transferring personal data between the US and the UK. A similar agreement already exists between the US and the European Union, but because the UK left the EU as of 2020, after the 2016 Brexit referendum, a separate agreement was required. Now that Britain is out of the EU, it has privacy laws separate from Europe's stringent GDPR — as do many other countries, presenting compliance complexity. But the US has yet to create a truly unified piece of federal privacy regulation. Federal data privacy legislation seems like a natural progression, once lawmakers can agree on the right balance.

"As we see more attempts at regulating data privacy at the state level, perhaps with the right combination of CCPA+CPRA+Delete Act rolled up together, it could be a blueprint for a federal law. Although there would be no effect on data brokers in other geographies (e.g. India), creating nationwide policy for the US would help tremendously," Stanford said.