Delete Act (SB 362)
What is the Delete Act (SB 362)?
The Delete Act (SB 362) is a California law that strengthens oversight of data brokers and creates a unified process for consumers to request deletion of their personal information across every registered broker. The Act introduces annual registration requirements, recordkeeping duties, audit obligations, and participation in a statewide deletion system managed by the California Privacy Protection Agency (CPPA). It builds on California’s existing privacy framework by giving consumers broader control over information collected by entities they never interact with directly.
Why does the Delete Act (SB 362) matter?
Data brokers often collect and share information without direct communication with the consumer, making it difficult to identify which companies hold specific data. The Delete Act addresses this gap by giving consumers one place to manage deletion requests and by imposing accountability requirements that make data flows more transparent. The law helps limit the spread of personal information among companies that aggregate, analyze, and distribute consumer profiles.
FAQs about California's Delete Act
It expands California’s privacy system by creating a statewide deletion mechanism that works across all data brokers. CCPA deletion rights apply to individual businesses, while the Delete Act targets brokers specifically.
A business that collects, sells, or licenses personal information about consumers without maintaining a direct relationship with them. This includes companies that buy data, enrich profiles, or supply data to marketers, risk engines, and identity services.
They must register annually, keep detailed records of their data practices, comply with audits, participate in the deletion system, and respond to requests submitted through the DROP Platform.
Any personal information a registered broker maintains, including contact details, behavioral data, demographic data, inferences, and third-party-sourced information.
The CPPA may issue fines for failure to register, inaccurate disclosures, or failure to process deletion requests. Noncompliance may also expose the business to enforcement actions.
If a broker collects information about California residents and meets the definition of a data broker, the law may apply regardless of where the company is based.
Yes. Verification helps brokers confirm the requester’s identity before deleting data.
The CPPA is responsible for building it, with rollout timelines defined through regulatory updates.