California’s Delete Act: 5 Things to Know

6 minute read | October.19.2023

California Gov. Gavin Newsom has signed a bill into law aimed at letting consumers delete their personal information in the hands of data brokers in California.

Supporters say the Delete Act will patch a loophole in the California Consumer Privacy Act (CCPA) that requires data brokers to only delete personal information obtained directly from consumers, but not personal information collected indirectly or aggregated from other sources.

Here are five key things to know about the Delete Act, including considerations for your privacy compliance program:

The Delete Act regulates “data brokers” as defined by the CCPA.
The Delete Act defines “data broker” the same as the CCPA does – as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship,” subject to certain exemptions.
The Delete Act requires the California Privacy Protection Agency (CPPA) to create a one-stop data deletion mechanism.
The Delete Act grants the CPPA authority to develop a system that, by January 1, 2026, will enable a consumer (or a consumer’s authorized agent) to issue, without charge, a single verifiable data deletion request applicable to all data brokers registered in California. Any such request will require a data broker or associated service provider or contractor to delete the consumer’s personal information. The Delete Act allows the CPPA to charge data brokers an access fee for accessing the deletion mechanism. The CPPA has not yet determined the amount of any such fee.
The Delete Act imposes periodic audit obligations on data brokers.
Beginning January 1, 2028, the Delete Act requires data brokers to submit to an audit conducted by an independent third party once every three years to assess the data broker’s compliance. The Delete Act would also require a data broker to submit an audit report to the CPPA within five days of its written request. Data brokers would need to maintain audit records for at least six years.
The CPPA can impose administrative penalties for noncompliance.
The CPPA will help enforce data brokers’ registration and data deletion requirements. The agency could adopt regulations to implement and administer the Delete Act.

Failure to comply with the Delete Act requirements may subject data brokers to administrative fines, fees, expenses and costs, including $200 for each day a data broker fails to register where required. The CPPA will use those funds to cover costs it and state courts incur to enforce the Delete Act and to establish and maintain the accessible deletion mechanism. An administrative action under the Delete Act cannot be brought against a data broker more than five years after a suspected violation.
The law establishes key deadlines for data brokers.
- On or before January 31 following each year in which a business meets the definition of data broker (with the next cycle being January 31, 2024), data brokers must register with the CPPA. A data brokers must pay a registration fee and provide the CPPA with detailed information about its data processing practices, including whether it processes sensitive information (i.e., information of minors, precise geolocation or reproductive health care data). In addition, data brokers must also update their privacy notices to comply with any new transparency requirements (e.g., description of consumer rights and detailed explanation of data processing activities) and provide a link to the updated website privacy notice at the time of registration. This information will be accessible to the public through a CPPA webpage.
- On or before July 1 following each calendar year in which a business meets the definition of a data broker (with the next cycle being July 1, 2024), data brokers must update their privacy notices to include metrics on consumer requests received and fulfilled as part of the CCPA and the Delete Act, including the number of requests denied in whole or in part, and the reasons for denials.
- By January 1, 2026, the CPPA must establish an accessible deletion mechanism that allows consumers to make a single verifiable request asking data brokers and associated service providers or contractors to delete their personal information.
- Beginning August 1, 2026, data brokers must begin checking the accessible deletion mechanism at least once every 45 days. Subject to certain exceptions, data brokers must delete consumers’ personal information at the time the verified request is made and direct associated service providers or contractors to delete all personal information in their possession related to the consumer making the requests. In cases where the request cannot be verified, the data broker and associated service providers or contractors must process the request as an opt-out of the sale or sharing of the consumer’s personal information.
  - Notably, once a consumer has submitted a deletion request and the data broker has deleted the consumer’s data, the data broker must continue to delete such information at least once every 45 days and not “sell” or “share” (as such terms are defined under the CCPA) new personal information – unless the consumer requests otherwise or an exception applies.
- Beginning January 1, 2028, data brokers must undergo an audit conducted by an independent third party once every three years to assess the data broker’s compliance with the law. The Delete Act would also require a data broker to submit the audit report and related materials to the CPPA within five days of a written request from the CPPA. Data brokers would need to maintain audit records for at least six years.

What Should Companies Do Now?

The Delete Act will impose significant compliance obligations on data brokers. Companies should consider whether they fall within the scope of the Delete Act. If they do, they should consider building a compliance program to comply with the broader data deletion requests and enhanced transparency requirements – keeping in mind key dates, including the January 31, 2024, deadline to update online privacy notices.

A data broker compliance program should include written internal processes and procedures to access the deletion mechanism at regular intervals and fulfill the underlying deletion requests. Companies should also review agreements with service providers and contractors to ensure they will be able to meet downstream obligations under the Delete Act. Lastly, companies should look out for further guidance from the CPPA.

Want to learn more about the developing privacy landscape for data brokers? Ask one of the authors.

Authors

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU Artificial Intelligence Act
EU e-Privacy Directive
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) Artificial Intelligence Risk Management Framework
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)

Shannon also helps clients undertake comprehensive privacy, cybersecurity and artificial intelligence risk assessments, evaluates privacy, security and artificial intelligence risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and artificial intelligence compliance programs.

Kyle Kessler Senior Associate, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

Los Angeles

See my bio

M:+1 310 251 5299
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Technology Transactions
Technology & Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Kyle Kessler Senior Associate

Los Angeles

Kyle advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, social media and technology on a range of EU and U.S. federal and state privacy laws. Kyle’s strategic counseling advice includes, but is not limited to:

U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)
Consumer health privacy laws, including Washington’s My Health My Data
US data broker laws, including California's Delete Act
Children's Online Privacy Protection Act (COPPA)
Computer Fraud and Abuse Act (CFAA)
Contest and Sweepstakes Laws
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
Europe (EU) General Data Protection Regulation (GDPR)
EU e-Privacy Directive
UK's Age Appropriate Design Code (Children's Code)
False, Misleading, or Deceptive Acts or Practices
Federal Trade Commission Act (FTC)
Health Insurance Portability and Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health Act (HITECH)
Restore Online Shoppers' Confidence Act (ROSCA)
Retail Sales Laws
Advertising and Payment Card Self-Regulatory Frameworks
State Breach Notification and Security Laws
Telephone Consumer Protection Act (TCPA)

Kyle works with clients to develop internal privacy and security compliance programs, including assisting with privacy audits and data mapping, valuating privacy and security risks in corporate transactions, advising companies through the full pre-IPO and post IPO diligence cycle, drafting and negotiating data-related vendor and arrangement contracts, meeting with teams to assist with privacy by design, developing internal and external privacy policies for employees, customers, and contractors, drafting and training on the implementation of consumer rights requests, and developing comprehensive security programs and policies.

She partners with her clients to provide practical business counsel, with an in-house and outside counsel perspective. She regularly counsels startups and tech companies through the funding life cycle, or in connection with the launch of innovative technology, products, or platforms. Kyle's background in marketing, publication relations and communications enhances the consumer protection support she provides clients. She drafts disclosure and consent frameworks in compliance with privacy and consumer protection regulations. Kyle also helps develop, implement, administer regulatory compliance programs for all aspects of promotional and customer-facing activities, including:

Contests and sweepstakes
Direct mail, email, in-store and online, social media and text messaging advertisements and marketing campaigns
Gift cards
Influencer and social media agreements and endorsements
Price comparisons
Print advertisements and product placements
Reward and loyalty programs

Kyle is active in the LGBTQ+ community and helps lead Orrick's LGBTQ+ Attorney Affinity Group. She was also selected to participate in the Leadership Council on Legal Diversity's (LCLD) 2022 Pathfinders Program.

Before joining Orrick, Kyle was an in-house attorney at a company named to Forbes' 100 Largest Private Companies list.

Bianca Ponziani Managing Associate, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

New York

See my bio

D:+1 212 506 5361
E: [email protected]

Practice:

Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Bianca Ponziani Managing Associate

New York

She has partnered with start-ups and Fortune 500 companies to develop comprehensive privacy and cybersecurity policies and procedures that comply with U.S., EU and UK law and self-regulatory frameworks, including, but not limited to, the California Consumer Privacy Act (CCPA) and other U.S. state privacy laws; the EU and UK General Data Protection Regulation (GDPR); the CAN-SPAM Act; the Telephone Consumer Protection Act (TCPA); the Federal Trade Commission Act (FTC Act); and the Health Insurance Portability and Accountability Act (HIPAA).

Bianca helps clients prepare for and respond to crisis security incidents, including by advising on personal data breach notification obligations, working closely with cyber forensics experts, engaging with law enforcement, and responding to regulatory inquiries.

She also provides clients with practical guidance in complex and multijurisdictional corporate transactions to help navigate attendant privacy and cybersecurity risks.

California’s Delete Act: 5 Things to Know

What Should Companies Do Now?

Also of Interest

U.S. State Consumer Privacy Guide

Draft Revised CCPA Regulations: The Top 5 Takeaways

5 Things to Know About Germany’s Draft Law Implementing the NIS2 Directive