Everything you need to know about the California Delete Act

Published March 12, 2025, by Patrick Austin

Summary

The California Delete Act was signed into law on October 10, 2023 and imposes an array of compliance obligations on businesses categorized as data brokers who conduct business in the Golden State. 

The Act specifically amends California's existing data broker law by subjecting all data brokers to mandatory registration with the California Privacy Protection Agency (CPPA). It also imposes new disclosure obligations on data brokers and requires them to process data deletion requests submitted by consumers in a "one-stop" mechanism. This deletion mechanism, which is referred to as the Delete Request and Opt-out Platform (DROP), will be managed by the CPPA and is expected to be established by January 1, 2026. 

Assuming the CPPA successfully launches the deletion mechanism by January 1, 2026, data brokers will be expected to start accessing the mechanism and processing data deletion requests by August 1, 2026.

Definition of “Data Broker” under the Delete Act

When assessing your compliance obligations, a key preliminary question is whether your company is even subject to the law. This is where the definition of “data broker” is highly relevant.

Under the Delete Act, a data broker is defined as any business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The Delete Act incorporates many definitions from the California Consumer Privacy Act (CCPA). For example, “consumer” under the Delete Act is defined as a California resident. The term “sell” under the Delete Act is defined as an exchange of personal information for monetary or any valuable consideration. 

It is important to note that even though the Delete Act was signed into law in October 2023, new data broker regulations went into effect on December 27, 2024, effectively expanding the law's scope and reach. 

For example, the CPPA’s data broker regulations would lead to a significant expansion of the Delete Act by defining the term “direct relationship” to include a consumer who “intentionally interacts with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business’s products or services within the preceding three years.”  The data broker regulations go on to specify that a business is considered to be a data broker “if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer.” 

In effect, these definitions would broaden the scope of which entities are considered to be “data brokers” to include businesses that (i) maintain information about consumers who have not interacted with the business in more than three years and (ii) have direct relationships with consumers, but also sell personal information about the consumer that was not collected directly from the consumer.

CPPA’s data deletion mechanism: DROP

As mentioned, the Delete Act calls for the CPPA to establish an “accessible” deletion mechanism by January 1, 2026. 

The CPPA is actively working to build DROP, which will serve as the state’s data deletion system, and make it easier for consumers to request the deletion of their personal data via a single request platform.

It is important to note that the deletion mechanism must include strong security protocols designed to protect consumers' personal data. Ideally, DROP would allow a California consumer to submit a single verifiable request that would be reviewed and processed by a relevant data broker. Consumers are expected to have the option to request the deletion of any of their personal data maintained by a data broker and its service providers. In addition, DROP will be expected to enable consumers to exclude specific data brokers from the deletion request and modify a prior request, provided that at least 45 days have passed since the consumer made the last deletion request.

Moreover, DROP must adhere to several key requirements, such as: 

  • Enabling consumers to request the deletion of all their collected data in a single request
  • Providing secure data submission
  • Allowing data brokers to verify and access necessary request information
  • Offering internet-based access
  • Being readily accessible and free of charge
  • Supporting the use of languages spoken by the consumer
  • Ensuring accessibility for people with disabilities
  • Permitting requests through authorized agents
  • Enabling request status checks
  • Providing descriptions of permissible deletions, the data deletion process, and types of personal data that may be deleted.

Considering the scope of the Delete Act’s obligations on data brokers, some analysts have compared the anticipated deletion mechanism to the National Do Not Call Registry.

Data brokers must monitor deletion mechanism

Starting on August 1, 2026, data brokers will be obligated to access the deletion mechanism at least once every 45 days to review and process data deletion requests. 

Within 45 days of receiving a data deletion request from a consumer - or an authorized agent - the data broker must take steps to delete the consumer's personal data. This means they will need to be prepared to implement routine monitoring procedures to ensure they are in compliance with the Delete Act. 

A data broker's obligation to delete would be ongoing. In other words, after receiving and complying with a consumer's deletion request, it must continue to delete any personal information collected from that consumer at least once every 45 days unless the consumer requests otherwise.

Improper deletion request must be treated as an opt-out request

Along with actively monitoring the CPPA’s deletion mechanism, data brokers must have specific processing protocols in place to achieve compliance. 

For example, if a data broker denies a consumer's data deletion request on the basis that the request is unverifiable, it will still be obligated to process the request, but as an opt-out request for the sale or sharing of the consumer’s personal data.

In addition, data brokers will be obligated to ensure any associated service providers or contractors implement similar measures to delete a consumer’s personal data or opt the consumer out of sales and sharing of their personal data.

Data broker disclosure obligations under the Delete Act

As of January 31, 2024, the Delete Act imposed new disclosure obligations on data brokers. Specifically, data brokers must disclose the following information to the CPPA on an annual basis:

  • The formal name of the data broker
  • The data broker’s primary physical address, email address and website addresses
  • Whether the data broker maintains an active link to a webpage on its website that explains how consumers may exercise their rights under the CCPA.
  • Metrics related to the number of CCPA data subject requests and Delete Act deletion requests the data broker received in the prior calendar year. The metrics must also indicate the number of processed requests, the number of denied requests, and the average number of days it took for the data broker to substantively respond to a CCPA data subject request and/or a data deletion request under the Delete Act.
  • Whether the data broker engages in the collection of children’s personal data, the precise geolocation of consumers, and/or reproductive healthcare data of consumers.
  • Whether, and to what extent, they are regulated by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, California’s Insurance Information and Privacy Protection Act, and/or California’s Confidentiality of Medical Information Act.
  • Starting January 1, 2028, whether the data broker has conducted an audit, in collaboration with a third-party auditor, to assess their compliance with the Delete Act. If such an audit has taken place, the data broker must disclose the most recent year that they submitted an audit report and related materials to the CPPA.

Ongoing audit obligations under the Delete Act

In addition to the above-described annual disclosure requirements, starting on January 1, 2028, data brokers will be obligated to undergo an audit by an independent third party to ensure they are in compliance with the Delete Act. Data brokers will need to conduct such an audit every three years thereafter.

They will also need to maintain records of their compliance audit(s) for at least six years. Upon request by the CPPA, a data broker will need to produce its audit results within five business days after receiving the request.

Lastly, starting in January 2029, data brokers will be required to disclose the results of their third-party audit while completing their annual registration with the CPPA.

Penalties for failing to comply with the Delete Act 

Data brokers that do not proactively register with the CPPA or fail to comply with a deletion request submitted through the CPPA’s one-stop deletion mechanism could be subject to administrative fines of $200 per day for each day the data broker failed to register. 

Non-compliant data brokers would also be required to pay unpaid registration fees ($400) to the CPPA and reimburse the agency for any expenses incurred in pursuing the enforcement action.

In addition to penalties for failing to timely register with the CPPA, data brokers could get hit with a $200 per day penalty for failing to timely process a data deletion request.

As you can see, the more time it takes for a data broker to comply with the Delete Act, the larger the penalties. This is why taking proactive steps now to strengthen your compliance posture is so important. 

How Didomi can help your company comply with California’s Delete Act

One of the overarching policy objectives of the Delete Act is to give consumers greater control over their personal data and allow them to request deletion of their data, if it is being shared or sold by registered data brokers.

We offer two complementary solutions to help organizations manage their deletion obligations effectively:

  1. Our Consent Management Platform (CMP) allows businesses to collect consent in full compliance with local regulations, and manage it across multiple channels, devices, frameworks and touch points. The CMP enables organizations to provide clear opt-out options for the sale of personal data or targeted advertising, potentially reducing the need for deletion requests.
  2. Our Privacy Requests solution helps organizations efficiently process and track deletion requests, comply with deletion requirements and maintain proper documentation of all requests.

These solutions work together to provide a comprehensive approach to data privacy management, preventing unwanted data sharing through proper consent mechanisms while efficiently handling deletion requests when they occur.

Get in touch with our team to discuss your privacy compliance challenges.

Frequently Asked Questions (FAQ)

Are consumers allowed to sue organizations for violations of the California Delete Act?

No, the Delete Act does not provide a private right of action for California residents to sue companies for alleged violations. Enforcement authority is vested in the California Privacy Protection Agency. 

When will data brokers be required to respond to data deletion requests by California consumers? 

Data brokers will need to start accessing the CPPA’s deletion mechanism on August 1, 2026. In addition, data brokers will need to regularly access the deletion mechanism, specifically at least once every 45 days to review and assess data deletion requests.

How long do data brokers have to process a data deletion request? 

Under the Delete Act, data brokers are required to process verifiable deletion requests within 45 days of submission.

Does the Delete Act apply to all data brokers?

Not necessarily. The Delete Act contains specific entity-level exemptions that exclude certain entities from falling within the definition of “data broker.” For example, entities regulated by the Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act (GLBA), and Insurance Information and Privacy Protection Act (IIPA) are generally exempt from the Delete Act.

Is the CPPA’s data deletion mechanism going to be free?

The CPPA is expected to make the data deletion mechanism (DROP) free for consumers, but will retain the option to charge a fee for data brokers to access the deletion mechanism. However, any potential access fee is expected not to exceed the “reasonable costs” of providing access to data brokers.

The author
Patrick Austin
Cybersecurity & Data Privacy Counsel at Woods Rogers
U.S.-based data privacy attorney and Certified Information Privacy Professional (CIPP/US, CIPP/E, CIPM)