The California Delete Act: What it is and and How to Comply

The California Delete Act helps boost consumer rights and privacy in the state of California through a number of requirements. The Delete Act has implications for data brokers, or businesses that collect and sell data to third parties, and requires action for compliance.

This article will explain what the act is, who it applies to, and what you must do to comply.

What is the California Delete Act?

The California Delete Act, enacted October 2023, requires all data brokers in California to delete data they have collected about any person in California if that person submits a data deletion request. It also requires data brokers to register with the CPPA (California Privacy Protection Agency).

Furthermore, it will provide people with a single deletion request mechanism through which they can request all data brokers in California to delete their data.

Who Does the California Delete Act Apply to?

The California Delete Act applies to data brokers. According to the Delete Act, a data broker is a company that collects the personal information of consumers with whom it does not have a direct relationship and sells it to a third party.

This data is not collected from consumers directly. Rather, it could be collected through observation or scraped from publicly available sources on the internet.

An example could be a company that collects data from public records to generate profiles of individuals and sell those profiles as part of a background check service.

Another example would be a company that buys personal information from online tracking agencies or social media sites and then sells it to advertising companies.

Who Does the California Delete Act Apply to?

A business must meet at least one of the following three criteria to be included under the law:

1. Earned more than $25 million in revenue in the preceding calendar year
2. Buys, sells, or shares the personal information of at least 100,000 consumers or households
3. Earns at least 50 percent of its revenue from selling or sharing personal information

Let's say you own a small business that buys and sells data of around 10,000 people, and you only earned $100,000 the previous year. Since that's the sole nature of your business, though, more than 50 percent of your revenue comes from buying and selling personal information.

While you don't meet the first two criteria, you do meet the third, which qualifies you as a business under the California Delete Act.

Collecting data means obtaining or accessing personal information by any means.This includes buying it, renting it, gathering it through bots that scrape the web, or even by observing consumers.

However, the California Delete Act specifies that to be a data broker, you must also not have a direct relationship with the consumer. So, if the consumer is your own customer, you would not be a data broker.

However, if you buy the data from another business or website where the consumer shops, you would be a data broker, since you do not have a direct relationship with the consumer.

Which Businesses are Exempt From the California Delete Act?

If a company is covered by one of the following acts, it is exempt from the California Delete Act:

• The Fair Credit Reporting Act
• The Gramm-Leach-Bliley Act
• The Insurance Information and Privacy Protection Act
• The Confidentiality of Medical Information Act and other acts specified in Section 1798.146

In simpler words, businesses that collect personal data in one of the following sectors are exempt from the California Delete Act:

• Consumer reporting agencies such as credit bureaus and tenant screening services
• Companies that offer financial services such as loans and investment advice
• Insurance companies, agents, and brokers
• Health care providers and their business associates

In addition, even if you are not exempt from the California Delete Act overall, you may be exempt from complying with specific deletion requests if:

• You can't verify the request (the portal will include a verification process so that data brokers can verify each request)
• The request is not made by (or on behalf of) a consumer but rather by a business asking you to delete its data, for example
• The request asked that "exempt information" be deleted

If you deny a request because you couldn't verify it through the provided verification process, you must still treat it as an opt-out. In other words, you can no longer sell or share that consumer's information.

What Information is Exempt From the California Delete Act?

The following information is exempt:

• Information you need to process the transaction for which you collected the data, such as provide requested goods or services, or fulfill a warranty
• Information needed to exercise your free speech or another right
• Information needed for public or peer-reviewed scientific research that complies with ethics and privacy laws
• Information used to debug, identify or repair errors of functionality
• Information needed to comply with a law or cooperate with law enforcement
• Information you didn't collect about the consumer while they were in California, and you sold the information outside California

How Does the California Delete Act Affect Consumers?

By 2026, consumers will be able to submit a request that their personal information be deleted by all data brokers. Consumers will only have to make a single deletion request, which will apply to all data brokers in California.

The central request mechanism will be available on the website of the CPPA (California Privacy Protection Agency).

It will be entirely free to submit such a request, and it will be accessible in all languages and to people with disabilities. Consumers will also be able to exclude specific data brokers. In addition, consumers can revise deletion requests after 45 days of the initial request.

Finally, you will be able to check the status of your deletion request after submitting it.

The deletion request form/button is not yet available, but it will be available on January 1, 2026, or sooner.

One important thing to note is that the act allows authorized third-parties to access the deletion mechanism on behalf of consumers. In other words, private companies could offer deletion services for you at a cost, so you don't have to submit the request yourself.

How Does the California Delete Act Affect Businesses?

Businesses must do the following if the California Delete Act applies to them:

• Register with the California Privacy Protection Agency as a data broker.
• Once the deletion request portal is active (from 2026), respond to deletion requests within 45 days.
• Comply with deletion requests unless they are not verifiable or any other exemption applies.
• If a request is denied, disclose it to the CPPA and provide the reasoning for the denial.
• After a deletion request is made, do not collect any further information about the consumer.

How Do You Comply with the California Delete Act?

Here is what you need to do to comply with the California Delete Act.

Register as a Data Broker

The first step is to register as a data broker with the California Privacy Protection Agency every year. Fines start incurring from January 31, 2024, for not registering. It's critical to do this immediately.

Here is how to register as a data broker with the CPPA:

1. Email [email protected] and request to be added to the mailing list and receive a registration form.
2. Once you receive the registration form, fill it out.
3. On the confirmation page, click on the invoice link, complete the invoice online, and print it out.

4. Mail the completed invoice, along with a check or money order for $400 made out to "2024 California Privacy Protection Agency -- SB 362," to the following address:

   • California Privacy Protection Agency
   • Attn: Data Broker Registry Unit
   • 2101 Arena Blvd
   • Sacramento, CA 95834

Update your Website and Privacy Policy

The next step, which must be done by July 1, 2024, is to add information on your website about data deletion requests you received the previous year, and link to the information within your Privacy Policy.

Create a "Do Not Sell My Personal Information" page on your website that leads to a form or page where users can easily request you do not sell their information. Link this page within your website footer and within your Privacy Policy.

Here's an example of a page like this:

Include the following information in your Privacy Policy:

• How many CCPA/CPRA requests were received in the previous year
• How many of these requests were honored, fully or partially

• How many requests were denied, fully or partially, as well as the reasons for the denial. Reasons can include:

  • The request was not able to be verified
  • The request was not made by a consumer
  • The request involved information that is legally exempt from having to be deleted
  • Any other reasons that led to the request being denied
• The median and mean number of days it took you to respond to deletion requests in the previous year
• The total number of requests received where deletion wasn't required

Watch for and Respond to Deletion Requests

From August 1, 2026, you must monitor the deletion request mechanism at least once every 45 days and check for deletion requests. All deletion requests must be processed within 45 days of the request.

If you deny a request, you must report your denial to the CPPA and explain the reason for your denial.

Undergo an Audit Once Every Three Years

Starting January 1, 2028, you will have to undergo an audit by an independent third party to determine your compliance with the law. This audit must take place every three years.

If the CPPA requests the audit report in writing, you must submit it to the CPPA within five business days.

If the CPPA doesn't request the report, you don't have to submit it. However, starting January 1, 2029, when you register with the CPPA, you must disclose whether you have undergone this audit and whether you submitted an audit report to the CPPA.

How is the California Delete Act Enforced?

The California Privacy Protection Agency (CPPA) will enforce the California Delete Act by doing the following:

• Before 2026, will set up an accessible online deletion mechanism
• Will oversee general compliance
• Will manage the Data Broker's Registry Fund
• Will investigate any perceived or potential violations
• Will impose appropriate fines and penalties when violations are found

What are the Penalties for Not Complying With the California Delete Act?

The penalties for non-compliance include a fine of $200 a day for each day that the data broker has not registered with the CPPA past the given deadline.

Also, if a data broker fails to honor a deletion request within 45 days, a fee of $200 will be applied for each day the data broker fails to honor the request.

For example, if a data broker only deletes someone's data 55 days after the request was made, they will incur a fine of $2,000 for non-compliance.

In addition, the data broker may be asked to cover the costs of the investigation by the CPPA into their non-compliance.

Summary

Here are the most important takeaways about the California Delete Act:

• The California Delete Act requires data brokers to register with the California Privacy Protection Agency. A data broker is any business that collects data of a consumer with whom it has no direct relationship with and sells that data to a third party.
• Starting from 2026, data brokers will also have to monitor a special deletion mechanism portal for deletion requests made by consumers.
• If a consumer deletion request was made, the data broker must delete all data about that consumer within 45 days of the request.
• Starting from 2028, data brokers must undergo an independent audit once every three years to verify their compliance with the law.
• Starting from 2029, data brokers must disclose to the California Privacy Protection Agency whether they have undergone such an audit.