California Delete Act Signed Into Law
California's Delete Act (SB 362) requires data brokers to honor deletion requests through a single centralized mechanism: one request deletes your data from all registered brokers. It is a significant expansion of the CCPA.
On 10 October 2023 California enacted the Delete Act (SB 362), allowing consumers to submit a single deletion request that data brokers must honor across their holdings. The law requires the California Privacy Protection Agency to build a centralized deletion mechanism by 2026 and requires data brokers to register annually, attest to compliance, and undergo third-party audits every three years.
Data brokers face penalties for noncompliance and must disclose metrics on requests received and fulfilled. Consumer privacy teams and data governance leads should prepare for heavier deletion workflows, broker vetting, and contractual updates tied to CPPA oversight.
Data Broker Definition and Scope
The Delete Act applies to data brokers as defined under existing California law—businesses that collect and sell consumer personal information without direct relationships with consumers. This includes companies aggregating data from public records, online activity, retail transactions, and other sources for sale to third parties.
Organizations must assess whether their data collection and sharing practices trigger data broker classification. Companies receiving data from multiple sources and licensing it to others may qualify regardless of whether they view themselves as brokers. The definition includes traditional credit bureaus, marketing data companies, and emerging alternative data providers.
Centralized Deletion Mechanism
The California Privacy Protection Agency must establish an accessible mechanism enabling consumers to request deletion from all registered data brokers through a single interface. The system eliminates the burden of identifying individual brokers and submitting separate requests to each company.
Upon receiving requests through the centralized system, all registered data brokers must delete or disable consumer data within specified timeframes. The mechanism creates efficiency for consumers while imposing operational demands on brokers maintaining diverse data systems and retention practices.
Registration and Reporting Obligations
Data brokers must register annually with the CPPA, providing information about data collection practices, categories of personal information held, and third-party recipients. Registration fees fund program administration and enforcement activities.
Annual reports must include deletion request metrics, processing timeframes, and compliance certifications. Brokers disclose volumes of consumer data maintained, sources of information, and commercial uses. This transparency enables regulatory oversight and consumer awareness of broker activities.
Audit Requirements
Every three years, data brokers must complete independent third-party audits assessing compliance with Delete Act requirements. Auditors evaluate deletion processes, data retention practices, registration accuracy, and consumer rights fulfillment. Audit reports must be submitted to the CPPA.
Audit scope includes technical systems supporting deletion requests, employee training programs, vendor management practices, and documentation procedures. If you are affected, select auditors with privacy regulation experience and begin preparation before compliance deadlines.
Enforcement and Penalties
The CPPA holds enforcement authority with significant penalty provisions for noncompliance. Penalties escalate for repeated violations, willful disregard of requirements, or systemic failures to honor deletion requests. The Attorney General retains concurrent enforcement authority.
Enforcement actions may result from audit findings, consumer complaints, or agency investigations. If you are affected, maintain compliance documentation, implement monitoring programs, and establish remediation procedures for identified deficiencies.
Implementation Planning
If you are affected, conduct data broker classification assessments evaluating business models against statutory definitions. Technical infrastructure requires modification to support centralized deletion request processing and compliance reporting.
Contracts with data suppliers and customers need review for Delete Act implications. Vendor management programs should verify supplier compliance and establish flow-down requirements protecting against supply chain exposure.
- SB 362 bill text provides statutory requirements and timelines.
- California data broker registry lists entities subject to the new deletion and reporting obligations.