California added another legal arrow to its quiver of privacy laws Tuesday after Gov. Gavin Newsom, D-Calif., signed Senate Bill 362, colloquially referred to as the Delete Act, into law. The move comes just days before the 14 Oct. deadline for Newsom to sign the bill.
The Delete Act follows on the heels of the California Consumer Privacy Act and amendments to the landmark legislation made by the California Privacy Rights Act. The new law requires data brokers to register with the California Privacy Protection Agency, which will enforce the law.
Significantly, the CPPA will also be charged with developing a one-stop-shop mechanism by 1 Jan. 2026 for consumers who are securely verified to request the deletion and tracking of their personal data. Starting 1 Aug. 2026, brokers will also be required to process new deletion requests within 45 days of receiving a verified request.
Under current provisions, consumers can opt to have data brokers delete their data with an individual request to each company. There are roughly 500 so-called data brokers doing business in the state.
State Sen. Josh Becker, D-Calif., who wrote SB 362, said Newsom's signature "enshrines California as a leader in consumer privacy." He added, "Data brokers possess thousands of data points on each and every one of us, and they currently sell reproductive healthcare, geolocation and purchasing data to the highest bidder. The Delete Act protects our most sensitive information."
Prior to Newsom's signing of the bill, CPPA Executive Director Ashkan Soltani said during the IAPP Privacy. Risk. Security. 2023 in San Diego that the agency was "really pleased" the state legislature passed SB 362 and characterized the global deletion mechanism as innovative.
Soltani said the single deletion request mechanism "follows through in the fact that if consumers are interested in exercising their rights, it should be easy to do so." He noted the CPPA "is uniquely suited to start standing up this system and developing all the pieces for it in a practical way," though he also said development of such a mechanism "will be no small task."
The new law shifts data broker registration in the state from the California Department of Justice to the CPPA. Companies considered data brokers under the Delete Act's definition are essentially companies that collect, use and sell personal data without a consumer's knowledge. The statute also creates a "do not track" list that prohibits data brokers from collecting users' data down the line.
The law also includes a number of transparency requirements for data brokers, such as disclosing whether a company collects precise geolocation data, reproductive health care data and personal data about minors. Reproductive health care data and its collection by data brokers specifically became a significant issue in the wake of the U.S. Supreme Court's decision on Dobbs, which overturned Roe v. Wade.
Author and director of Au Kemp Ventures, Tom Kemp, who advised lawmakers in drafting the Delete Act, applauded the bill, saying it "will lead to a meaningful reduction of (consumers') personal data footprint," while adding that "other states will want this as well."
Consumer Reports characterized SB 362 as an "historic, pro-consumer bill." Policy Analyst for Privacy and Technology Policy Matt Schwartz said, "Data brokers have built a multi-billion dollar industry by collecting and selling personal information about individuals, typically without our knowledge or consent. This law will empower individuals to take back control of their data and personal information."
Concerns for data brokers
Gravy Analytics Chief Privacy Officer and Vice President Legal Jason Sarfati expressed concerns with the legislation during a panel session on the Delete Act at P.S.R. and in a recent LinkedIn Live hosted by IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US.
In looking at definitions in California law, Greenberg Traurig Shareholder Darren Abernethy, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, PLS, said "business" is defined, but the Delete Act brings businesses that collect data about consumers without having a direct relationship into scope. "'Direct relationship' is not defined in the law," he said. "So that should trigger some conversations internally as to what is the nature of your relationship with the consumers' personal information you collect. How did you come across it? These are all things I think are relevant."
Regarding the transparency requirements, Abernethy said this requirement "may necessitate review or updating data inventories, privacy policies or other public-facing materials. Note, too," he said, "that in-scope brokers that fail to register with the CPPA may be liable for a fine of $200 for each day the broker failed to register, which is double the current fine."
As reported by IAPP Staff Writer Alex LaCasse last month, Association of National Advertisers Executive Vice President for Law, Ethics, and Government Relations Chris Oswald said the Delete Act "will encourage the mass deletion of data that is the lifeblood of California's digital economy." He said the deletion request mechanism will cost the CPPA roughly 20 times its projected budget.
"Without a robust data marketplace, Californians will fall victim to more fraud and identity theft as their identities can't be verified. Small businesses will struggle to find customers without data-driven advertising," Oswald said. "Nonprofits will lose access to those tools to find new donors and volunteers. Government agencies will be unable to use data to effectively allocate resources and reduce waste."
Sarfati said, "I'm going to be very honest with you: Some data brokers are going to go out of business, for starters, because a lot of them are six- or seven-figure companies that are small and are not designed to handle the compliance obligations. There's going to be a massive consolidation, actually, of the data broker industry in the next couple years."
Abernethy highlighted the 45-day provision in which brokers must delete data, saying this will be difficult for companies to manage operationally. A consumer could make a deletion request, which may take days to process, "but what if you collect data in the interim?" Abernethy said, "I think you're going to need to maintain some sort of squib entry that the consumer did make a request."
Though the Delete Act is a state law, California has 45 million residents, prompting Sarfati to say that, "in practice, this is a federal law. I just don't see how it isn't."
Deletion mechanism's complexity
Building a single form deletion mechanism will be no easy task for the CPPA.
Future of Privacy Forum Policy Fellow Felicity Slater pointed out the CPPA "will need to address some difficult operational questions, including the details of what personal data it will need to collect at the deletion request stage in order to enable a diverse range of companies to authenticate a request and associate it with a particular consumer profile, and how it will safely collect and store this information."
Sarfati said it's unclear to him who will do the deletion verification, which is especially significant if an adversary is conducting a social engineering attack. "Who is actually doing the verification?"
There will be time to suss out the details, but for those in scope, there is a new law on the books that requires attention.