The California Delete Act is a new law with significant implications for consumers and data brokers in the Golden State. Most notably, this law allows Californians to delete their personal information with all data brokers through a single request. The Delete Act updates California's existing data broker law and works alongside its privacy law to further empower consumers when it comes to their personal information.

The California Delete Act will take effect in stages starting January 1, 2024. This guide unpacks California's Delete Act, looking at what it does, who it affects, how you can comply, and the potential penalties if you don't.

Let's get into it.




What is the California Delete Act?

The California Delete Act (Senate Bill 362) is a law that makes it easy for Californians to bulk delete their personal information with registered data brokers in the state.

It was signed into law by Governor Gavin Newsom on October 10, 2023, and will take effect in stages starting January 1, 2024.

Before the Delete Act, consumers could exercise their right to delete under the California Consumer Privacy Act (CCPA) and its amendment, the CPRA. However, they would have to submit deletion requests to each business separately.

Plus, they could only delete the data a business collects from them directly - not data gathered from other sources.

The Delete Act removes these restrictions through a central, one-time deletion mechanism. This mechanism will be set up by the California Privacy Protection Agency (CPPA) before January 1, 2026.

Ultimately, the Delete Act reflects California's consistent efforts to strengthen consumer privacy rights by nurturing a privacy-focused business environment.

Who Does the California Delete Act Apply to?

The California Delete Act applies to data brokers who sell the personal information of California consumers. And while this may seem pretty straightforward, it's more nuanced than it appears.

To fully understand the scope of the Delete Act, let's examine how California's laws define specific terms.

Who is a Consumer Under the California Delete Act?

Under California's law, a consumer is a "resident," as defined by California's Revenue and Taxation Code. It states that a resident is a person living in California on a fairly permanent basis, even if they're temporarily outside the state.

California Legislative Information: Revenue and Taxation Code: Definition of Resident

What is Personal Information Under the California Delete Act?

The California Delete Act draws its definition of personal information from the CCPA (CPRA):

"any information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household"

Quite a mouthful, but it essentially means any information that can identify a person or household. Cited examples under the law include but aren't limited to the following:

  • Names and aliases
  • Postal addresses
  • Email and IP addresses
  • Geolocation data
  • Social security numbers
  • Driver's license numbers
  • Biometric information (fingerprints, face scans, etc.)
  • Browsing and purchase histories

Who is a Data Broker Under the California Delete Act?

The California Delete Act maintains the same data broker definition as the existing data broker law. It defines a data broker as:

"a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship."

Note that the terms "business" and "sell" here aren't used in the general sense. Instead, the law references the CCPA (CPRA) definitions of these terms (explained in the next section).

The bottom line is that if your 'business' collects and 'sells' the personal information of a consumer you're not directly connected to, you're considered a data broker.

What is a "Business" Under the California Delete Act?

A business is a for-profit entity that:

  • Operates in California (with or without a physical presence in the state)
  • Decides how and why to process personal information, and
  • Satisfies at least one of the following criteria:

    • Annual gross revenue exceeds $25 million
    • Annually buys, sells, receives, or shares (for commercial purposes) the personal information of over 100,000 consumers, households, or devices
    • Derives over 50% of annual revenue from selling or sharing consumers' personal information

If your business doesn't meet these criteria but controls or is controlled by a CCPA-covered entity and shares common branding with the entity, you're considered a "business" under the CCPA (CPRA).

For a more comprehensive explanation of this definition, check out our article: CCPA (CPRA): Businesses Definition/Guide.

What is a "Sale" Under the California Delete Act?

A sale refers to all actions (renting, leasing, transferring, etc.) that translate to disclosing a consumer's personal information to a third party for money or other "valuable consideration."

The law proceeds to outline several exemptions to what is considered a sale, as well as what does not count as a sale:

California Legislative Information: CCPA - Definition of Sale with examples of not a sale

There's a bit more to unpack with this definition. Check out our article for an in-depth breakdown: CCPA (CPRA): What Constitutes a "Sale" of Personal Information?

What are the Exemptions Under the California Delete Act?

Like many other laws, the Delete Act highlights business groups that may fall under its scope but are exempt due to their connection with other laws.

Specifically, data brokers do not include an entity "to the extent that it is covered by" any of the following laws:

  • The Fair Credit Reporting Act (FCRA)
  • The Gramm-Leach-Bliley Act (GLBA)
  • The Insurance Information and Privacy Protection Act (IIPPA)
  • The Confidentiality of Medical Information Act (CMIA)
  • The Health Insurance Portability and Accountability Act (HIPAA)

Note: The CCPA (CPRA) deletion exemptions also apply to the California Delete Act. Here are the nine exemptions under the CCPA (CPRA):

California Legislative Information: CCPA (CPRA) - Exemptions to the right to delete

How Does the California Delete Act Affect Consumers?

By expanding the CCPA (CPRA) deletion rights, the Delete Act allows consumers to easily erase their personal information - free of charge - from California's network of data brokers.

A statement by Senator Josh Becker (the brains behind the Delete Act) best summarizes the law's effect on consumers:

"The Delete Act is based on a very simple premise: Every Californian should be able to control who has access to their personal information and what they can do with it."

How Does the California Delete Act Affect Businesses?

Thanks to the Delete Act, all businesses that fit the definition of a "data broker" must register with the CPPA and comply with new deletion and transparency obligations.

Specifically, the Delete Act imposes the following requirements on businesses:

  • Paying an annual registration fee
  • Responding to deletion requests in a timely manner
  • Publishing key information and metrics (via a Privacy Policy)
  • Treating unverifiable requests as a CCPA (CPRA) opt-out of sale or sharing
  • Undergoing independent third-party audits and presenting results
  • Monitoring deletion practices continuously

How Do You Comply with the California Delete Act?

As mentioned, being a data broker under the Delete Act means satisfying a number of requirements to stay on the right side of the law. It's worth noting that these requirements will take effect at different times between January 2024 and January 2028.

Without further ado, here's a breakdown of what you'll need to do.

Annually Register with the CPPA

To comply with the Delete Act, the first step is to register with the CPPA as a data broker. Doing this inducts your business into the California Data Broker Registry.

You must renew this registration yearly on or before January 31 if you met the definition of a "data broker" in the previous year.

Here's how the Data Broker Registry explains this:

California Data Broker Registry: Complete Registration Search page excerpt

In light of new requirements introduced by the Delete Act, the registration process involves the following steps:

  • Pay a registration fee ($400 at the time of this writing)
  • Provide the following contact details:

    • Your name
    • Primary physical address
    • Primary email address
    • Internet website address
  • Disclose to the CPPA whether you collect:

    • The personal information of minors
    • Consumers' precise geolocations
    • Consumers' reproductive healthcare data
  • Starting January 1, 2029, disclose whether you've gone through an audit and, if so, the last year you submitted the audit reports and related materials to the CPPA.
  • Provide a link to a page on your website (free of dark patterns) that explains how consumers may exercise their CCPA (CPRA) privacy rights.
  • Disclose whether (and to what extent) you or your subsidiaries are regulated by any of the federal laws in the data broker exemptions.
  • Offer any additional information or explanation you wish to provide about your data collection practices.

At the time of this writing, there are 545 identified data brokers registered with the California Data Broker Registry.

Update Your Privacy Policy

Next, your Privacy Policy (assuming you already have one) will need to be updated with a number of disclosures to comply with the California Delete Act.

If you don't have a Privacy Policy, get one post-haste because it's required not only by the Delete Act but also by the CCPA (CPRA) and other global privacy laws.

Starting July 1, 2024, the Delete Act requires you to compile and publish the following metrics within your website's Privacy Policy (including through a link in your Privacy Policy):

  • The number of CCPA (CPRA) requests you received in the previous year
  • How many of those requests you complied with fully or partially
  • How many requests you denied fully or partially, and the reasons, including whether:

    • The request was not verifiable
    • The request was not made by a "consumer"
    • The request involved information exempt from deletion
    • Other reasons caused the denial
  • The median and mean number of days within which you substantively responded to deletion requests in the previous year
  • The number of requests where deletion wasn't required

Here's how the Delete Act sets out these terms:

California Legislative Information: The Delete Act - Disclosure requirements

Honor Deletion Requests Promptly

As mentioned, the Delete Act requires the CPPA to establish an online "deletion mechanism" before January 1, 2026.

Starting August 1, 2026, all data brokers must begin accessing the deletion mechanism to honor consumers' deletion requests.

Once a consumer (or their 'authorized agent') submits a deletion request, you have 45 days to verify and process their request - same as standard CCPA (CPRA) requests.

But that's not all.

You must check the deletion portal at least once every 45 days and continue to delete all personal information associated with that consumer indefinitely (unless the consumer says otherwise or an exception applies).

This includes data collected directly from the consumer and data gathered from other sources.

Like with the CCPA (CPRA), you must also direct your service providers and contractors to follow suit and delete the consumer's information.

Here's how the Delete Act explains this:

California Legislative Information: The Delete Act - Deletion Requirements

Treat Unverifiable Requests as CCPA (CPRA) Opt-Out of Sale or Sharing

If verifying a deletion request proves impossible, the Delete Act requires you to treat the request as an "opt-out of selling or sharing personal information" under the CCPA (CPRA).

Also known as the "Do Not Sell or Share My Personal Information" right, this right involves a three-step process:

  1. Create a page on your website that provides simple instructions about your opt-out of sale or sharing process
  2. Provide a prominent link to that page in your Privacy Policy and your website's homepage (typically the footer section)
  3. Make sure the link reads: "Do Not Sell or Share My Personal Information"

Here's an example of how a "Do Not Sell or Share" page can look from AGCO:

AGCO Right to Opt Out of the Sale or Sharing of Personal Information page

And here's how the link to this page is displayed on AGCO's website footer:

AGCO website footer with Do Not Sell My Personal Information link highlighted

Naturally, you must direct your service providers and contractors to also treat unverifiable requests as CCPA (CPRA) opt-out of sale or sharing.

Through the opt-out alternative, the Delete Act ensures that consumers' CCPA (CPRA) rights remain protected even with unverifiable requests.

Undergo Independent Third-Party Audits

Starting January 1, 2028, the Delete Act requires you to undergo an audit by an independent third party every three years to assess your compliance with the law.

Once you receive a written request from the CPPA, you have five business days to send them the audit report and materials. You must also maintain all relevant reports and materials for at least six years.

Here's how the Delete Act presents these terms:

California Legislative Information: The Delete Act - Independent third-party audit requirement

Remember: Starting January 1, 2029, you'll need to mention whether you've undergone an audit during your annual registration and the last year you submitted the audit reports to the CPPA.

These audits work to ensure all data brokers maintain the highest standards of privacy and data protection in California.

How is the California Delete Act Enforced?

Like the CCPA (CPRA), enforcement of the California Delete Act rests in the hands of the California Privacy Protection Agency (CPPA). Their key duties when it comes to this law are as follows:

  • Setting up an accessible online deletion mechanism (before 2026)
  • Overseeing data brokers' compliance with the Delete Act
  • Managing the "Data Broker's Registry Fund"
  • Investigating potential violations of the law
  • Imposing penalties on violators

What are the Penalties for Non-Compliance with the California Delete Act?

Non-compliance with the California Delete Act exposes your business to investigations, legal action, and fines from the CPPA.

Specifically, the agency imposes civil penalties of $200 per day for failing to register with the CPPA and $200 per day for each unfulfilled deletion request.

Violators may also bear administrative expenses incurred by the CPPA during investigations and enforcement.

Summary

The California Delete Act is a new law that works to put consumers in the driver's seat when it comes to their personal information.

Whether consumers are concerned about targeted advertising or simply want to limit their online presence, the Delete Act allows them to erase their data with unprecedented ease.

To achieve this feat, the law requires data brokers to observe new registration, deletion, and transparency requirements. In particular, they must:

  • Register with the CPPA and pay an annual fee
  • Honor consumers' deletion requests within 45 days
  • Access the deletion mechanism and process requests every 45 days
  • Treat consumers' information as CCPA (CPRA) opt-out of sale or sharing when requests are unverifiable
  • Undergo independent third-party audits every three years (starting 2028)

Like many new laws, California's Delete Act receives both praise and criticism. Some industry players label it "Bold" and "Aggressive," while others (including the CPPA) applaud its assertive nature.

In any case, the Delete Act further cements California's standing as a privacy leader, given its proactive approach to data protection.
