July 24, 2024
The California Delete Act: A Quick Summary
California is once again pushing the boundaries of data privacy in the U.S., with a new law aimed at data brokers. Learn more about the CA Delete Act.

With the recent passage of the Delete Act, California is continuing to raise the bar when it comes to data privacy in the United States. As the first state to pass a comprehensive privacy law, and the only one with an agency dedicated exclusively to privacy enforcement, the state has moved aggressively to fill the vacuum left by the lack of federal regulation.

While the Delete Act works alongside the California Consumer Privacy Act (CCPA), and in some ways supplements it, most CCPA-compliant businesses will not need to concern themselves with the new law’s requirements. That’s because the Delete Act has its sights set squarely on one particular type of business: data brokers.

Here is a quick summary of the California Delete Act and what it means for both businesses and consumers.

What Does the Delete Act Do?

The Delete Act is a relatively short bill (especially when compared to its cousin, the CCPA), but still manages to pack a lot in. Here are its five main components.

  1. It grants the California Privacy Protection Agency (CPPA) regulatory and enforcement authority over data brokers, including taking over responsibility for the existing Data Broker Registry. The result is a significant expansion of the CPPA’s mandate.
  2. The CPPA must create a web page that gives consumers access to data brokers’ registration information as well as a universal deletion mechanism that allows consumers to request deletion of their personal information from all data brokers at once.
  3. The Delete Act requires data brokers to connect to this deletion mechanism at least once every 45 days and then erase the data of all those who have requested it. This helps address a loophole in the CCPA that only requires the deletion of data acquired directly from a consumer, thus leaving data brokers essentially untouched.
  4. On top of the disclosures already required by the CCPA, data brokers will also be required to compile and publish annual statistics on their responses to these deletion requests, such as how long they took to respond and how many requests were denied.
  5. Starting in 2028, data brokers must undergo an independent audit every three years to check their compliance with the Delete Act.

What Is a Data Broker?

The Delete Act only applies to data brokers, so it’s important to know what that means. A data broker is “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

The Delete Act shares common defined terminology with the CCPA, so terms like “business,” “sell,” and “third parties” all have the same meaning as they do in the CCPA. While a lot of businesses may “sell” personal information according to the CCPA, the vast majority of them have a direct relationship with those consumers (e.g., as customers or website visitors), so they won’t need to worry about the Delete Act’s new requirements.

Penalties

Businesses that fail to comply with the California Delete Act are liable for administrative fines:

  • $200 per day for failure to register as a data broker
  • $200 per day per request for failing to delete data as requested

For larger businesses, the first fine may not be much of a deterrent (maxing out at $73,000 a year), but the second set of fines could add up very quickly. For example, if a data broker fails to delete the data of 10,000 consumers who have filed a request online, the resulting fine would be $2 million per day.

Interestingly, the amounts don’t appear to be discretionary. In other words, the statute doesn’t say the fine may be up to $200 per day, but rather that the fine is $200 per day.

Important Dates

Here are the Delete Act’s important dates:

  • January 1, 2026 - The CPPA has to have the deletion mechanism up and running
  • August 1, 2026 - Data brokers have to start responding to requests received via the deletion mechanism
  • January 1, 2028 - Data brokers have to start undergoing independent audits every 3 years

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
