California residents may soon be able to click “backspace” on data brokers doing business in the state. On October 10, 2023, California Governor Gavin Newsom signed Senate Bill 362, colloquially known as the Delete Act, into law. The statute amends the state’s existing data broker registration law and builds on the state’s primary privacy law, the California Consumer Privacy Act (CCPA), by adding to residents’ ability to exercise their personal information deletion rights. Most notably, the law establishes a one-stop mechanism where state residents will be able to request—in one verifiable request—that all data brokers delete their personal information.
California residents already have the right to request that businesses subject to the CCPA delete personal information the business has collected from the resident, but they must do so individually with each business that holds their data, and the CCPA deletion right does not extend to personal information about the resident that the business collected from other sources. While compliance with the one-stop mechanism (which must still be created by the California Privacy Protection Agency, or CPPA) will not go into effect until August 1, 2026, “data broker[s]” covered under the CCPA should begin to think about how they can come into compliance, as the cost and monitoring protocols necessary to comply with the Delete Act could be significant. Most importantly, the Delete Act:
More detail about these requirements is provided below.
Next Steps
The Delete Act is a forceful volley to data brokers that do business in California, going further than any other existing U.S. state privacy law in regulating the data broker industry. When the new one-stop deletion mechanism comes into effect in 2026, organizations that rely on third-party consumer data to enhance their operations are most likely to be impacted. For example, ad tech companies that compile data from multiple sources, including from third-party brokers, could have less data to develop their product dashboards and customer marketing tools. The ability of organizations that purchase data from data brokers and use it to protect consumers from fraud and identity theft could similarly be impacted, especially if the one-stop mechanism is used by fraudsters to skirt detection. Publishers may find it more difficult to monetize their online properties and advertisers may find it more difficult or expensive to reach relevant audiences in California with less third-party data available. Overall, the long-term impact of the law depends on whether or not, and to what extent, the one-stop mechanism is embraced by consumers and is able to withstand potential legal challenges.
The CPPA has yet to specify what a potential single deletion mechanism would look like. For now, the statute only specifies that the mechanism must be “accessible to the public” through the CPPA’s website. The CPPA has until January 1, 2026, to create the deletion mechanism. While this is a relatively long runway, the law’s potentially extraordinary penalties and new rigorous disclosure, monitoring, and audit requirements will require all CCPA-covered organizations to carefully evaluate whether they may be a data broker under the law’s broad definition and to assess their privacy compliance programs.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your CCPA compliance efforts, please contact Tracy Shapiro, Eddie Holman, or any member of the firm’s privacy and cybersecurity practice.
Doo Lee contributed to the preparation of this alert.