CIPAWorld has been buzzing lately with a spate of new bills, enforcement actions, and judgements with critical ramifications on privacy compliance and data protection obligations. But amidst all the new action, an older deadline is creeping up on California businesses.

On October 10, 2023, California Gov. Gavin Newsom signed into law Senate Bill 362, also known as the “Delete Act”. The Delete Act applies to all California “data brokers”, defined to include any business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. See California Civil Code § 1798.99.80(c).

The Delete Act transfers administration and enforcement authority over California’s data broker registry from the Attorney General to the California Privacy Protection Agency (“CPPA”).

The CPPA is now tasked with creating a “one-stop deletion mechanism” by January 1, 2026, that allows a consumer, through a single verifiable request, to request that every data broker delete any personal information related to that consumer held by the data broker or associated service provider or contractor. The new deletion mechanism must be accessible online without charge to consumers, and like the California Consumer Privacy Act (“CCPA”), must allow for a consumer’s authorized agent to submit a deletion request. Additionally, the mechanism must give consumers the option to “selectively exclude” certain data brokers from deleting their personal information. All businesses meeting the definition of “data broker” will have to honor this mechanism starting August 1, 2026.

For some background, California residents can currently request deletion of their personal information under the CCPA, but they must make individual requests to each business.

Data brokers have additional obligations under the Delete Act:

Periodic Access to and Compliance with Deletion Mechanism (Effective August 1, 2026)

• Data brokers must access the designated deletion mechanism at least once every 45 days.

• During each access, brokers are required to process all deletion requests submitted through the mechanism and delete all personal information related to the consumers making the requests.

• The data broker must also direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the consumers making the requests.

• If a data broker denies a consumer deletion request because the request cannot be verified, the data broker must process the request as an opt-out of the sale or sharing of the consumer’s personal information, and direct all service providers or contractors associated with the data broker to do the same.

Ongoing Deletion Obligations (Effective August 1, 2026)

• After a consumer submits a deletion request and the data broker deletes their information, brokers must continue to delete all personal information of that consumer at least every 45 days.

• Brokers are prohibited from selling or sharing any new personal information of that consumer, unless an exception applies.

Third-Party Audit Requirements (Effective January 1, 2028)

• Brokers must undergo an independent third-party audit every three years to evaluate compliance with these provisions.

• Audit reports must be submitted to the CPPA within 5 business days upon written request.

Fees for Using the Deletion Mechanism

• The agency may charge data brokers a fee for accessing and using the deletion mechanism.

Enforcement and Penalties

• Noncompliance with the deletion mechanism requirements can result in administrative fines of $200 for each deletion request for each day the data broker fails to delete information and recovery of reasonable expenses incurred by CPPA in the investigation and administration of the action.

• Funds collected under these provisions will go into the Data Brokers’ Registry Fund, which will cover enforcement-related costs and expenses tied to the creation and maintenance of the deletion mechanism.

Exemptions

• A data broker will not be required to delete personal information if it is reasonably necessary to fulfill a purpose under § 1798.105(d) or if the data broker is otherwise exempted under the CCPA. However, such personal information shall not be used or disclosed for any other purpose, including marketing purposes.

• The Delete Act specifically exempts businesses that are regulated by certain federal laws, including the Fair Credit Reporting Act, the Gramm‑Leach‑Bliley Act, and the Insurance Information and Privacy Protection Act. Like the CCPA, “covered entities” under HIPAA and their business associates are exempt to the extent that their processing of personal information is regulated by HIPAA.

• The Delete Act also creates a 5-year statute of limitations.