California Delete Act

Overview

California Senate Bill 362 (SB 362), commonly known as the Delete Act, is a California law signed in October 2023 to amend the California Privacy Rights Act (CPRA). It is designed to give consumers sweeping control over the personal information collected, bought, and sold by data brokers. The legislation establishes the accessible deletion mechanism, often referred to as the Delete Request and Opt-Out Platform (DROP), managed by the California Privacy Protection Agency (CPPA), allowing consumers to request the deletion of their data across all registered brokers with a single verifiable consumer request.

Regulation Summary

  • October 10, 2023 – Law enacted.
  • January 1, 2026 – Compliance deadline for the CPPA to establish the accessible deletion mechanism for consumer use.
  • August 1, 2026 – Compliance deadline for data brokers to begin accessing the mechanism and processing consumer requests, unless exceptions apply.
  • January 1, 2028 – Deadline for data brokers to undergo their first independent compliance audit and submit an audit report, if requested by the CPPA.

  • Data brokers operating within the state of California
  • Businesses that knowingly collect and sell the personal information of consumers with whom they do not have a direct relationship.

  • Businesses that have a direct relationship with the consumer.
  • Entities regulated by the federal Fair Credit Reporting Act (FCRA).
  • Entities regulated by the Gramm-Leach-Bliley Act (GLBA).
  • Entities covered by the Health Insurance Portability and Accountability Act (HIPAA).
  • Entities covered by the Insurance Information and Privacy Protection Act.

  • Register annually with the CPPA and pay the registration fee.
  • Check the accessible deletion mechanism for consumer requests at least once every 45 days.
  • Delete the consumer's personal information within 45 days of receiving a request.
  • Continuously delete any newly acquired personal information about a consumer who submitted a request at least once every 45 days.
  • Process denied deletion requests automatically as an opt-out of the sale or sharing of the consumer's personal information.
  • Direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to consumers.
  • Undergo an independent third-party audit every three years to determine compliance and submit it to the CPPA within five business days, if requested. The audit report shall be maintained for six years by data brokers.

  • If operating as a data broker, explicitly provide your primary internet website addresses during registration in DROP.
  • Provide a link and details about how consumers may exercise their privacy rights, without making use of any dark patterns.
  • Check that the accessible deletion mechanism is accessible to the public via the internet.
  • Compile and post compliance metrics regarding consumer requests on or before July 1 following each calendar year.
  • Disclose these metrics within a detailed, accessible privacy policy posted on the website.
  • Provide the data broker’s specific identifying details on the website.

  • Compile compliance metrics on or before July 1 following each calendar year.
  • Disclose sensitive data practices to the CPPA, such as the collection of data on minors, consumers' precise geolocation, or reproductive health care data.
  • Direct all service providers or contractors to also comply with deletion requests or opt-outs passed down from the broker.

  • Right to request that every data broker delete personal information through a single verifiable consumer request.
  • Right to selectively exclude specific data brokers from the general deletion request.
  • Right to automatic, ongoing deletion of newly gathered personal information.
  • Right to automatically opt out of the sale or sharing of data if a deletion request cannot be verified.

  • Enforcing Authority: California Privacy Protection Agency (CPPA).
  • Fines: $200 per day for failing to register with the CPPA.
  • Fines: $200 per deletion request, per day, for failing to delete a consumer's information as required.