Blog
picture

🖋️ Governor of California signs the Delete Act creating a one-stop-shop opt out mechanism and greater accountability for data brokers 📜

Senate Bill 362, commonly referred to as the California Delete Act, has been signed by Governor Newsom. The Delete Act adds to California’s existing privacy laws, including the California Consumer Privacy Act (#CCPA) and the California Privacy Rights Act (#CPRA). The Delete Act has significant implications for data brokers (companies that collect, use and sell consumer personal data) including enhanced registration requirements and greater transparency and audit provisions. It also moves oversight of the law to the recently created California Privacy Protection Agency (CPPA).

The Delete Act creates:

🔄 One-stop-shop deletion requests: where previously consumers were required to submit a deletion request to each relevant data broker, the CPPA is tasked with establishing a mechanism by 1 Jan 2026 to allow residents of California to submit a single deletion request to all covered brokers. From 1 Aug 2026 brokers will have 45 days to action such requests and direct their service providers to do the same.

📋 Enhanced registration requirements: data brokers will now have to register with the CPPA (previous registration was with the California AG) and will be required to provide significantly more information to the CPPA than previously required, including the type of data collected, whether they collect data from minors, precise geolocation information, and/or reproductive health data.

🕵️‍♂️ Greater transparency obligations: data brokers must also provide consumers with information on how to exercise their privacy rights, including deletion requests and how to opt out of sharing or sale of their data.

📊 Additional audit capabilities: data brokers are obliged to report annually on the volume of deletion requests received, complied with, or rejected (with their reasons for not complying).

💸 Higher penalties: data brokers that fail to register with the CPPA or fail to act on a deletion request may be liable for a fine of $200 for each day of such failure - double the current fine.

While the law in California is still operating an “opt out” model, the Delete Act creates significant changes for those businesses caught by it, as well as a challenge for the CPPA in devising a central mechanism to handle one-stop-shop deletion requests by the start of 2026.