California Delete Act

California Senate Bill 362 (Delete Act) requires the California Privacy Protection Agency (CPPA) launch a centralized deletion system by January 1, 2026. Registered data brokers must connect to the platform, honor verified deletion requests within 45 days, and certify compliance annually starting in 2026. Teams that sell or license personal data should complete technical integrations, evidence identity verification procedures, and prepare for expanded enforcement powers that include monetary penalties for non-compliance.

Key data strategy checkpoints

• Broker inventory. catalog all business units engaging in data brokerage under California Civil Code Section 1798.99.80 and ensure 2025 registrations reflect the CPPA-administered registry.
• Deletion orchestration. Build workflows to propagate Delete Act requests across internal systems and downstream partners, documenting completion evidence.
• Identity proofing. Implement strong verification to prevent fraudulent deletion requests while respecting the Act’s limits on additional consumer data collection.

Focus areas

• API integration. Align engineering teams with CPPA technical specifications for the deletion mechanism and rehearse sandbox testing once available.
• Certification preparation. Draft annual compliance attestations covering process controls, third-party oversight, and record retention to submit beginning in 2026.
• Cross-jurisdiction alignment. harmonize Delete Act responses with CCPA/CPRA, Virginia, and Colorado deletion obligations to avoid conflicting suppression lists.

Further reading

• California SB 362 — Delete Act
• CPPA: Data broker registration and Delete Act setup
• Perkins Coie: California enacts Delete Act

Unifying global deletion operations, integrating California’s centralized mechanism with identity proofing and suppression governance across marketing ecosystems.

Data Broker Registration Requirements

California Delete Act establishes registration requirements for data brokers operating in the state. Organizations meeting data broker definitions must complete registration procedures and provide required disclosures about data collection and sharing practices.

Registration timing and renewal requirements create ongoing compliance obligations. Compliance calendars should track registration deadlines and document submission requirements.

Deletion Request Processing Infrastructure

Delete Act's centralized deletion mechanism requires data brokers to honor consumer deletion requests submitted through the designated system. Technical infrastructure must support request receipt, identity verification, and deletion execution across applicable data stores.

Response time requirements mandate efficient request processing. Automated workflows can help meet deletion timelines while maintaining accurate compliance documentation.

Scope and Applicability Analysis

Data broker definitions under the Delete Act require careful analysis of business activities to determine registration and compliance obligations. If you are affected, assess whether data collection, aggregation, or resale activities trigger data broker classification.

Exemption provisions may apply to certain activities or entity types. Legal counsel should evaluate potential exemptions and document applicability analysis supporting compliance positions.

Consumer Communication and Transparency

Delete Act improves consumer awareness of data broker activities through public registration and disclosure requirements. If you are affected, prepare for increased consumer inquiries and potential reputation implications of public data broker identification.

Transparency about data practices can build consumer trust and differentiate organizations committed to responsible data handling. early communication addresses consumer concerns before they become complaints.

Enforcement and Penalty Exposure

Delete Act enforcement provisions create accountability for non-compliance. Understanding penalty structures, enforcement mechanisms, and cure period provisions informs compliance investment prioritization and risk management.

Compliance program maturity and good faith efforts may influence enforcement outcomes. Documentation of compliance activities shows organizational commitment to regulatory requirements.

Data Broker Registration Requirements

Deletion Request Processing Infrastructure

Scope and Applicability Analysis

Consumer Communication and Transparency

Enforcement and Penalty Exposure

Technical Infrastructure Updates

Delete Act compliance may require updates to data management systems, retention policies, and deletion capabilities. Technical investments should support both centralized mechanism integration and independent deletion request handling.

Data discovery and inventory capabilities ensure deletion requests reach all applicable data stores. Testing validates that deletion procedures effectively remove consumer data as required.

Vendor and Third-Party Coordination

Data broker activities often involve third-party data sources and downstream recipients. Deletion request handling may require coordination with data sources and notification to recipients about deleted records.

Contractual provisions should address deletion request cooperation requirements with data trading partners. Clear responsibility allocation supports efficient compliance across data relationships.

Strategic compliance preparation shows organizational commitment to consumer privacy rights while managing operational and regulatory risk exposure effectively.

Continuous monitoring and adaptation maintains compliance effectiveness as requirements and enforcement approaches evolve. early engagement builds positive regulatory relationships.

Compliance investment shows organizational responsibility and builds trust.

Early preparation yields dividends across compliance and reputation objectives.

early compliance positions organizations favorably as the regulatory environment evolves.

Data Broker Obligations

California Delete Act requires data brokers to honor consumer deletion requests through a centralized mechanism. Registration requirements provide regulatory visibility into data broker operations. Compliance verification ensures brokers implement deletion capabilities.

Technical Implementation

Deletion request processing must occur within statutory timeframes. Verification mechanisms confirm request authenticity while minimizing friction. Audit trails demonstrate compliance with deletion obligations.

Consumer Benefits

Streamlined deletion process simplifies consumer privacy management. Centralized mechanism reduces burden of contacting multiple data brokers individually. Transparency about data broker registrations enables informed privacy decisions.

Enforcement Mechanisms

California Privacy Protection Agency oversees Delete Act compliance. Penalties for non-compliance create enforcement incentives. Documentation demonstrates good faith compliance efforts.

Similar analysis

Additional analysis covering similar themes.

Data Strategy · Credibility 91/100 · August 22, 2025

Data Strategy — Data portability

The EU Data Act goes live September 12, 2025. You have got weeks to finalize data portability for users, set up fair compensation models, and get your B2B contracts in order. The clock is ticking.

Data Strategy · Credibility 86/100 · August 26, 2025

Data Strategy — Sustainability reporting

Large EU groups under CSRD must digitally tag FY2025 sustainability statements using the European Single Electronic Format. The EU's 2025 simplification proposals do not change this requirement. Use 2025 to map ESRS…

Data Strategy · Credibility 91/100 · September 12, 2025

Data sharing governance — Data Act public-sector access obligations

From 12 September 2025, data holders must respond to EU public-sector requests made under the Data Act’s exceptional-need provisions, requiring legal, security, and engineering teams to codify intake and extraction…

Data Strategy · Credibility 91/100 · September 20, 2025

Kentucky Consumer Data Protection Act

Kentucky’s Consumer Data Protection Act takes effect on January 1, 2026, giving privacy teams one quarter to finalize data inventories, universal opt-out handling, and assessments for high-risk processing.

Data Strategy · Credibility 91/100 · September 24, 2025

EU Dga Data Intermediation Compliance

Data intermediation services that were operating when the Data Governance Act was adopted must be fully compliant with Chapter III obligations by 24 September 2025, so data leaders need to close registration, neutrality…

Continue in the Data Strategy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Data Strategy Operating Model Guide

  Design a data strategy operating model that satisfies the EU Data Act, EU Data Governance Act, U.S. Evidence Act, and Singapore Digital Government policies with measurable…

• Data Interoperability Engineering Guide

  Engineer interoperable data exchanges that satisfy the EU Data Act, Data Governance Act, European Interoperability Framework, and ISO/IEC 19941 portability requirements.

• Data Stewardship Operating Model Guide

  Establish accountable data stewardship programmes that meet U.S. Evidence Act mandates, Canada’s Directive on Service and Digital, and OECD data governance principles while…

Coverage intelligence

Published

August 20, 2025

Coverage pillar

Data Strategy

Source credibility

91/100 — high confidence

Topics

California Delete Act · Data broker compliance · Deletion requests · Data governance

Sources cited

3 sources (leginfo.legislature.ca.gov, cppa.ca.gov, nist.gov)

Reading time

5 min

Further reading

1. California Delete Act — leginfo.legislature.ca.gov
2. CPPA Regulations — cppa.ca.gov
3. NIST Privacy Framework — nist.gov