
California’s Delete Act Focuses the Lens on Data Brokers

From 2026, life will get much harder for data brokers doing business in California. From August 1 of that year, they must comply with a new law forcing them to delete a consumer’s data based on a single request.

SB 362, signed into law by Governor Gavin Newsom on October 10, is also known as the Delete Act. The new law toughens up rules originally imposed on data brokers by the California Consumer Privacy Act (CCPA) in 2019.

The CCPA already protected state residents by forcing data brokers to delete an individual’s personal information on request. However, people had to make those requests individually.

The Delete Act, introduced to the legislature in April this year, replaced an initial legislative attempt to solve that problem (SB 1059). It seeks to simplify data deletion for consumers by offering a single access point, enabling citizens to request mass deletion of their information across all data brokers registered under the Act.

The California Privacy Protection Agency, the independent regulator established by the state to implement the California Privacy Rights Act of 2020, must build that mass deletion system by January 1, 2026. All data brokers must begin complying with the deletion requirements by no later than August 1, 2026.

What Is A Data Broker?

The Delete Act describes a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

There are some significant exclusions for companies covered by other regulations, though. These include consumer reporting agencies like credit bureaus, financial institutions, insurance companies and their agents, and healthcare providers or other businesses covered by HIPAA.

Data Broker Requirements

Pure data brokers covered by the Act will pay for the regulator’s registry via a registration fee that goes into a dedicated fund. Alongside their contact details, they must also disclose other information during registration, including whether they collect information on minors, geolocation data, or reproductive health data.

The Act requires data brokers to delete data on individuals within 45 days of a request. This requirement is recurring; they must continue to delete data every 45 days thereafter to ensure that they do not rebuild a repository of personal data on an individual after the fact. They must also direct any of their service providers and contractors to delete the individual’s data after a request.

If the data broker cannot verify a request, they must treat it as though the consumer has opted out of selling or sharing any data in the future. The status of any request remains in place until the consumer says otherwise.

Providing Proof Of Compliance

The Act also imposes significant reporting requirements on data brokers. By July 1 of each year, they must report the number of deletion requests they received, along with the actions they took. They must also report the mean response time for those requests, the number of requests they denied, and the reasons for denial. All of this information must be posted on their website.

2026 isn’t the only milestone year for data brokers under the Delete Act. Every three years from January 1, 2028, they must also undergo an audit from an independent third party to prove their compliance with the Act’s requirements.

Penalties For Violating The Act

Data brokers who fail to enter themselves into the government’s new registry face a fine of up to $200 per day. The law also threatens them with additional fines of up to $200 for each deletion request they do not honour. However, there are worries that California has done little to chase and fine brokers who failed to log themselves in the current registry and that this might embolden brokers to dodge this registry, too, hoping to fly under the radar. The counterargument is that the new law removes control of the registry from the state justice department to the privacy regulator. Perhaps the latter will have more focus?

The stakes are high, as the US federal government’s lack of data broker regulation makes it difficult to determine how many there are nationally. The current California registry established under the CCPA legislation has over 500 data brokers, including big-name IT industry players like Oracle, which does a healthy business in personal data sales. The state is waiting on dozens of others who have applied for registration but have yet to pay.

Brokers can collect an alarming amount of data, including not just contact details but information on everything from their income and political preferences to the real estate they own and their online behaviour. This has led to some stunning privacy violations. In 2021, an online news outlet bought location data from a data broker that showed when and where people used the gay hookup app Grindr. This led to the outing of a Catholic priest and his subsequent resignation.

Other State Measures

In the last Congress, members proposed three bills designed to rein in data brokers’ practices: the American Data Privacy and Protection Act; the Data Elimination and Limiting Extensive Tracking and Exchange (DELETE) Act, which is unrelated to the California law; and the Health and Location Data Privacy Act, which sought to prevent the sale of health and location data by brokers. None made it to the president’s desk.

With the Hill seemingly hamstrung by political infighting and a federal election less than a year away, it seems unlikely that the federal government will immediately step up with any national laws to rein in data brokers. In the meantime, states are taking the matter into their own hands with local data broker laws. Delaware has House Bill 262, while Vermont has 9 VSA § 2430. Texas Governor Greg Abbott signed SB 2015 in May.

There are others in the works. Massachusetts is still mulling its Information Privacy and Security Act (Bill S.2687), while Oregon is considering House Bill 4017. While each state-level measure has its strengths and weaknesses, they should all send a clear signal to data brokers: prepare for greater scrutiny and regulatory guardrails.
