California’s Delete Act: 5 Things to Know

6 minute read | October.19.2023

California Gov. Gavin Newsom has signed a bill into law aimed at letting consumers delete their personal information in the hands of data brokers in California.

Supporters say the Delete Act will patch a loophole in the California Consumer Privacy Act (CCPA) that requires data brokers to only delete personal information obtained directly from consumers, but not personal information collected indirectly or aggregated from other sources.

Here are five key things to know about the Delete Act, including considerations for your privacy compliance program:

The Delete Act regulates “data brokers” as defined by the CCPA.
The Delete Act defines “data broker” the same as the CCPA does – as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship,” subject to certain exemptions.
The Delete Act requires the California Privacy Protection Agency (CPPA) to create a one-stop data deletion mechanism.
The Delete Act grants the CPPA authority to develop a system that, by January 1, 2026, will enable a consumer (or a consumer’s authorized agent) to issue, without charge, a single verifiable data deletion request applicable to all data brokers registered in California. Any such request will require a data broker or associated service provider or contractor to delete the consumer’s personal information. The Delete Act allows the CPPA to charge data brokers an access fee for accessing the deletion mechanism. The CPPA has not yet determined the amount of any such fee.
The Delete Act imposes periodic audit obligations on data brokers.
Beginning January 1, 2028, the Delete Act requires data brokers to submit to an audit conducted by an independent third party once every three years to assess the data broker’s compliance. The Delete Act would also require a data broker to submit an audit report to the CPPA within five days of its written request. Data brokers would need to maintain audit records for at least six years.
The CPPA can impose administrative penalties for noncompliance.
The CPPA will help enforce data brokers’ registration and data deletion requirements. The agency could adopt regulations to implement and administer the Delete Act.

Failure to comply with the Delete Act requirements may subject data brokers to administrative fines, fees, expenses and costs, including $200 for each day a data broker fails to register where required. The CPPA will use those funds to cover costs it and state courts incur to enforce the Delete Act and to establish and maintain the accessible deletion mechanism. An administrative action under the Delete Act cannot be brought against a data broker more than five years after a suspected violation.
The law establishes key deadlines for data brokers.
- On or before January 31 following each year in which a business meets the definition of data broker (with the next cycle being January 31, 2024), data brokers must register with the CPPA. A data brokers must pay a registration fee and provide the CPPA with detailed information about its data processing practices, including whether it processes sensitive information (i.e., information of minors, precise geolocation or reproductive health care data). In addition, data brokers must also update their privacy notices to comply with any new transparency requirements (e.g., description of consumer rights and detailed explanation of data processing activities) and provide a link to the updated website privacy notice at the time of registration. This information will be accessible to the public through a CPPA webpage.
- On or before July 1 following each calendar year in which a business meets the definition of a data broker (with the next cycle being July 1, 2024), data brokers must update their privacy notices to include metrics on consumer requests received and fulfilled as part of the CCPA and the Delete Act, including the number of requests denied in whole or in part, and the reasons for denials.
- By January 1, 2026, the CPPA must establish an accessible deletion mechanism that allows consumers to make a single verifiable request asking data brokers and associated service providers or contractors to delete their personal information.
- Beginning August 1, 2026, data brokers must begin checking the accessible deletion mechanism at least once every 45 days. Subject to certain exceptions, data brokers must delete consumers’ personal information at the time the verified request is made and direct associated service providers or contractors to delete all personal information in their possession related to the consumer making the requests. In cases where the request cannot be verified, the data broker and associated service providers or contractors must process the request as an opt-out of the sale or sharing of the consumer’s personal information.
  - Notably, once a consumer has submitted a deletion request and the data broker has deleted the consumer’s data, the data broker must continue to delete such information at least once every 45 days and not “sell” or “share” (as such terms are defined under the CCPA) new personal information – unless the consumer requests otherwise or an exception applies.
- Beginning January 1, 2028, data brokers must undergo an audit conducted by an independent third party once every three years to assess the data broker’s compliance with the law. The Delete Act would also require a data broker to submit the audit report and related materials to the CPPA within five days of a written request from the CPPA. Data brokers would need to maintain audit records for at least six years.

What Should Companies Do Now?

The Delete Act will impose significant compliance obligations on data brokers. Companies should consider whether they fall within the scope of the Delete Act. If they do, they should consider building a compliance program to comply with the broader data deletion requests and enhanced transparency requirements – keeping in mind key dates, including the January 31, 2024, deadline to update online privacy notices.

A data broker compliance program should include written internal processes and procedures to access the deletion mechanism at regular intervals and fulfill the underlying deletion requests. Companies should also review agreements with service providers and contractors to ensure they will be able to meet downstream obligations under the Delete Act. Lastly, companies should look out for further guidance from the CPPA.

Want to learn more about the developing privacy landscape for data brokers? Ask one of the authors.

Authors

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU AI Act
EU e-Privacy Directive (EPD)
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) AI Risk Management Framework (AIRMF)
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states

Shannon also helps clients undertake comprehensive privacy, cybersecurity and AI risk assessments, evaluates privacy, security and AI risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and AI compliance programs.

Bianca Ponziani Managing Associate, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

New York

See my bio

D:+1 212 506 5361
E: [email protected]

Practice:

Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Bianca Ponziani Managing Associate

New York

She has partnered with start-ups and Fortune 500 companies to develop comprehensive privacy and cybersecurity policies and procedures that comply with U.S., EU and UK law and self-regulatory frameworks, including U.S. state privacy laws; the EU and UK General Data Protection Regulation (GDPR); the CAN-SPAM Act; the Telephone Consumer Protection Act (TCPA); the Federal Trade Commission Act (FTC Act); and the Health Insurance Portability and Accountability Act (HIPAA).

Bianca helps clients prepare for and respond to crisis security incidents, including by advising on personal data breach notification obligations, working closely with cyber forensics experts, engaging with law enforcement, and responding to regulatory inquiries.

She also provides clients with practical guidance in complex and multijurisdictional corporate transactions to help navigate attendant privacy and cybersecurity risks.