Policy Briefing — California Delete Act universal deletion system activates

Executive briefing: California Civil Code § 1798.99.86, enacted by SB 362 (2023), directs the California Privacy Protection Agency (CPPA) to launch a universal deletion mechanism for consumers on 1 January 2026. Registered data brokers must integrate with the CPPA interface, ingest authenticated deletion requests, and update their Do Not Sell/Share pipelines to respect the new statewide signal.

Mandatory deliverables

• Broker registration data. Maintain up-to-date registration, point-of-contact, and process documentation with the CPPA to avoid suspension from the public broker registry.
• Deletion fulfilment. Cal. Civ. Code § 1798.99.86(f) requires brokers to honour universal deletion requests within 45 days, including downstream processors handling the same data.
• Audit evidence. Capture API acknowledgements, suppression proofs, and exception handling logs to support CPPA inspections and annual attestation requirements.

Program actions

• Signal integration. Build or adapt consent management tooling to authenticate CPPA-issued tokens, deduplicate against existing Global Privacy Control (GPC) inputs, and trigger deletion playbooks.
• Vendor coordination. Flow universal deletion tickets to processors and service providers under written instructions, tracking confirmations to ensure the 45-day SLA is met across the supply chain.
• Compliance monitoring. Establish dashboards for request volumes, exception rates, and remediation backlogs to brief privacy officers and maintain evidence for CPPA audits.

Enablement moves

• Reconcile Delete Act operations with existing CCPA/CPRA opt-out logs, verifying that legacy suppression lists and new API signals stay synchronised.
• Document identity verification decision trees to demonstrate how fraudulent or excessive requests are handled under Cal. Civ. Code § 1798.99.86(g).

Sources

• California SB 362 (2023) — Delete Act
• California Privacy Protection Agency — Delete Act overview