What is the background of the DELETE Act?

The DELETE Act builds on the protections in the California Consumer Privacy Act and the California Privacy Rights Act (CPRA). Currently, under the CPRA, Californians can request that a business (including a potential data broker) delete their personal information. They can also request that a business opt them out of the sale or sharing of their personal information. If exercised, both of these provisions limit how a data broker could potentially use a California resident's personal information as part of their business offerings.

In addition, under California's current data broker registration law, data brokers are required to register annually with the California Attorney General (AG). This registration is publicized and must include contact information, as well as provide a mechanism for consumers to opt out of the sale of their personal information. The DELETE Act will build upon these current obligations for data brokers under California law.  

What is the applicability of the DELETE Act?

The DELETE Act applies to data brokers. A data broker is defined as 'a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.' There are exceptions for entities covered by :

• the Fair Credit Reporting Act (FCRA);

• the Gramm-Leach-Bliley Act (GLBA);

• California's Insurance Information and Privacy Protection Act; and

• the Health Insurance Portability and Accountability Act (HIPAA) (both covered entities and business associates).

Note that the above exceptions only apply 'to the extent' that an entity is covered by one of the aforementioned laws. This language suggests that these exceptions are intended to be construed as information-level exceptions and not entity-wide exceptions, i.e., a company that is a business associate under HIPAA for some parts of its business can only fall outside of the definition of a data broker for that part of its business; it cannot rely on this exception to claim that other parts of its business (that fall outside of the scope of HIPAA) are also not subject to the DELETE Act. 

CPPA obligations

The DELETE Act shifts the obligations that the AG's office previously had under California's current data broker law to the CPPA It also creates new obligations for the CPPA.

Data broker registration

Instead of the AG's office, the CPPA will now maintain the webpage where data brokers are required to register under California law. The CPPA will also determine the new fee for data brokers associated with this updated registration requirement (the fee is $400 under California's current data broker registration law).

Establishment of a universal deletion mechanism

By January 1, 2026, the CPPA is required to establish an accessible (universal) deletion mechanism that:

• implements and maintains reasonable security procedures and practices, including administrative, physical, and technical safeguards appropriate for the nature of the information and the purposes for which the personal information will be used and to protect consumers' personal information from unauthorized use, disclosure, access, destruction, or modification;
• allows a consumer, through a single verifiable request, to request that every data broker that maintains any personal information delete any information related to that consumer held by the data broker or associated service provider or contractor;
• allows a consumer to selectively exclude specific data brokers from their deletion request; and
• allows a consumer to request to alter a previous request after at least 45 days have passed since the consumer's last request.

The deletion mechanism will enable consumers to securely submit information to aid in the deletion request in a manner that protects their privacy and will provide examples of the types of information that may be deleted. The mechanism also may not allow the disclosure of other personal information to data brokers when they access the mechanism to address consumer requests.

Data broker obligations

Registration with CPPA

The DELETE Act will build upon the registration obligations that data brokers currently have under California law. Beginning in 2026, on or before January 31 each year in which a business meets the definition of a data broker as provided in this title, the business will need to register with the CPPA (instead of with the AG). To register, businesses must provide the following information:

• the name of the data broker and its primary physical, email, and internet website addresses;
• whether the data broker collects the personal information of minors;
• whether the data broker collects consumers' precise geolocation;
• whether the data broker collects consumers' reproductive healthcare data; and
• beginning January 1, 2029, whether the data broker has undergone an audit and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the CPPA.

Data brokers will also need to provide as part of their registration a link to a page on their website that details how consumers can exercise their privacy rights. This page cannot make use of any dark patterns and must disclose to consumers how they can:

• delete their personal information;
• correct inaccurate personal information;
• learn what personal information is being collected and how to access it;
• learn what personal information is being sold or shared and to whom;
• learn how to opt out of the sale or sharing of personal information; and
• learn how to limit the use and disclosure of sensitive personal information.

Additionally, on or before July 1 following each calendar year in which a business meets the definition of a data broker under the DELETE Act, the business must:

• collect the number of requests that the data broker received, complied with in whole or part, and denied during the previous calendar year;
• compile the median and mean number of days within which the data broker substantively responded to deletion requests; and
• disclose the compiled metrics above in an accessible link within its privacy policy on its webpage. 

These new requirements go significantly beyond the information that data brokers are currently required to provide under California's current data broker registration law (though they mirror some of the substantive compliance obligations that businesses have under the CCPA and that data brokers are required to comply with).

Deletion mechanism

Beginning August 1, 2026, data brokers will be required to access the deletion mechanism at least once every 45 days. Within 45 days of receiving a request, data brokers will be required to process all deletion requests and delete consumer information as required by the DELETE Act. Once a consumer has submitted a request, the data broker must delete all personal information of the consumer at least once every 45 days unless the consumer requests otherwise. Data brokers must also not sell or share new personal information of the consumer unless the consumer requests otherwise. Additionally, data brokers must direct service providers and contractors associated with the broker to delete all personal information in their possession related to consumers making deletion requests. When a data broker cannot verify a consumer request, the data broker must process the request as an opt-out of the sale or sharing of the consumer's personal information and direct their service providers and contractors to do the same.

Data brokers will not be required to delete a consumer's personal information if the information is reasonably necessary for the business to maintain the consumer's personal information for various exempted reasons under §1798.105 of the California Civil Code. These reasons include to complete a transaction for which the personal information was collected and to enable solely internal uses reasonably aligned with the consumer's expectations with regard to the consumer's relationship with the business. If deletion is not required, data brokers may only use the personal information for the exempted purpose and not for any other purpose, such as marketing.

For some companies, this new requirement to comply with a universal deletion mechanism may significantly increase the number of deletion requests that they have to comply with under California law. California residents will no longer be required to go to each individual data broker's website to submit a deletion request; they will be able to submit deletion requests to all data brokers through a single mechanism. As a result, many data brokers that previously 'fell through the cracks' as it pertained to receiving numerous consumer requests may now need to invest in the technical and operational means to process such requests.  

Audit

Beginning January 1, 2028, and every three years thereafter, data brokers will undergo an independent audit to determine compliance with the DELETE Act. Data brokers will need to submit an audit report to the CPPA within five business days of a written request from the agency.

Penalties for non-compliance

Data brokers who do not properly register with the CPPA will be liable for administrative fines and costs in an administrative action brought by the CPPA. The administrative fine is $200 for each day the data broker fails to register. Data brokers may also be liable for costs equal to the fees that were due during the period when the data broker failed to register and for expenses incurred by the CPPA in the investigation and administration of the action.

Data brokers that do not establish a deletion mechanism by January 1, 2026, will be liable for administrative fees of $200 for each deletion request for each day the data broker fails to delete information and for reasonable expenses incurred by the CPPA in the investigation and administration of the action.

Kirk Nahra Partner
[email protected]
Ali Jessani Senior Associate
[email protected]
Wilmer Cutler Pickering Hale and Dorr LLP, Washington, D.C.