[email protected]

California Delete Act allows consumers to easily delete data from all data brokers in California

Flag of California, depicting a large brown bear beside a red star, above the words "California Republic."
Source: https://upload.wikimedia.org/wikipedia/commons/0/01/Flag_of_California.svg.

On October 10, 2023, California Governor Gavin Newsom announced that he had signed into law Senate Bill 362, which is otherwise known as the Delete Act.[1] The full text of the Delete Act can be found here.

The Delete Act is a landmark law seeking to provide consumers with a one-stop-shop mechanism for deleting the consumer’s personal information from all data brokers covered by the law.[2] Under current provisions, consumers must submit individual deletion requests to each data broker, but the Delete Act intends to provide a universal opt-out mechanism that allows consumers to send a single deletion request to all data brokers.

To do this, the law charges the California Privacy Protection Agency with developing the one-stop-shop mechanism by January 1, 2026. While the technical and operational specifics of the mechanism are unknown, the law provides broad guidelines for what the mechanism must achieve, which expressly includes allowing consumers to make a single request that “every data broker that maintains any personal information delete any personal information related to the consumer held by the data broker or associated service provider or contractor.”[3]

In addition, the law shifts data broker registration in California from the California Department of Justice to the California Privacy Protection Agency – presumably to provide the Agency with a database for the purposes of facilitating the consumer’s deletion request.[4] Previously, failure to register as a data broker amounted to $100 penalty for each day the data broker failed to register; however, the Delete Act doubles the fine to $200 per day.

The law also imposes new disclosure obligations on covered data brokers, requiring them to disclose to consumers whether the data broker collects consumers’ precise geolocation, reproductive health care data, or information of minors. Starting in 2029, the data broker must disclose whether it has undergone an audit pursuant to the law.

At this time, it remains unclear how the Agency will satisfy the creation of a one-stop-shop deletion mechanism, but data brokers in California should be prepared to adapt to a new government-imposed deletion mechanism.

We will continue monitoring the Agency’s progress as the deadline approaches.

[1] https://www.gov.ca.gov/2023/10/10/governor-newsom-signs-legislation-10-10-23/

[2] Sec. 1798.99.86(a).

[3] Sec. 1798.99.86(a)(2).

[4] Section 1798.99.82 of the Civil Code is amended to read: 1798.99.82. (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.