The New California Delete Act: Data Broker Regulations Reinforced

Data Broker Regulation Bill Signed into Law in California

Introduction

In a significant move to protect consumer privacy, California Governor Gavin Newsom recently signed the California Delete Act into law. The new legislation defines the legal obligations of data brokers and consolidates California-specific processes under a state agency established by prior privacy legislation. The California Privacy Protection Agency will now oversee the enforcement of data broker obligations, moving the responsibility from the California District Attorney’s office. This move aims to safeguard consumers’ personal privacy by establishing a transparent mechanism for deleting personal data and regulating data broker activities.

Understanding the California Delete Act

The California Delete Act, formally known as “Data Broker Registration: Accessible Deletion Mechanism” (SB362), updates the state civil code to add and modify sections pertaining to data brokers for clarifying their responsibilities and processes. The new law requires data brokers, defined as businesses that collect and sell the personal information of consumers with whom they have no direct relationship, to register with the California Privacy Protection Agency.

Data Broker Responsibilities

Data brokers, under the provisions of the Delete Act, will be required to pay a registration fee, provide business contact details, data deletion links, audit reports, and clarify whether they collect information about minors, geolocation data, or reproductive health care. The new law emphasizes the obligation of data brokers to delete consumers’ personal information upon request.

Protected Personal Privacy

To protect consumer privacy, the California Privacy Protection Agency will maintain a website that educates consumers about their rights and how to exercise them. By January 1, 2026, the agency is tasked with establishing a mechanism that allows consumers to request the deletion of their personal data from all data brokers. Furthermore, data brokers will be required to process all deletion requests every 45 days from August 1, 2026, and delete any personal information they possess about the consumer within the same timeframe.

Challenges and Concerns

While the Delete Act aims to bolster consumer privacy, it has raised concerns among data brokers and industry groups. A key concern is the lack of clarity in defining the term “direct relationship” with consumers. The International Association of Privacy Professionals (IAPP) argues that the law fails to provide a clear understanding of this critical aspect.

Fines and Fraud Concerns

Data brokers who fail to register with the California Privacy Protection Agency face doubled fines of $200 per day. Some data brokers worry that deleting consumer data might leave a gap that could be exploited for fraudulent activities. The Consumer Data Industry Association has expressed concerns about potential security risks associated with data deletion measures.

Expert Perspectives and Compliance

Privacy experts and compliance professionals have differing opinions regarding the Delete Act. Joey Stanford, vice president of data privacy and compliance at Platform.sh, believes that the Act will benefit consumers by closing certain loopholes. However, he acknowledges that regulatory compliance often comes with implementation costs and potential negative impacts on corporate bottom lines.

Broader Implications and Future Regulations

The timing of the Delete Act’s implementation, just two days before the UK-US Data Bridge agreement takes effect, raises questions about potential wider implications. Additional agreements for transferring personal data between countries, like the existing one between the US and the European Union, may be necessary. However, the absence of a unified federal privacy regulation in the US, alongside the existence of separate privacy laws across different countries, creates compliance complexity.

Call for Federal Privacy Legislation

The implementation of state-level privacy regulations, including the CCPA, CPRA, and now the Delete Act, signals the need for a cohesive federal privacy law in the US. Industry experts suggest that integrating the successful components of these existing state laws could serve as a blueprint for comprehensive federal legislation. A unified federal privacy law would bring clarity and consistency, providing effective protection for consumer data across the entire country.

The Role of Nationwide Policy

While a federal law would only impact data brokers within the US, it could potentially be an influential model for other countries. Joey Stanford believes that a nationwide policy would set an example for global regulators, illustrating the importance of data privacy and creating harmonized standards. This could have far-reaching effects on protecting consumer privacy on a global scale, even beyond the US.

Conclusion

The signing of the California Delete Act into law marks a significant milestone in data privacy regulation. By defining the obligations of data brokers and establishing a transparent mechanism for deleting personal data, California is taking proactive steps to protect consumer privacy. As the compliance landscape evolves, the need for a unified federal privacy law becomes increasingly evident. A comprehensive federal framework would provide clarity, consistency, and enhanced protection for consumer data, serving as a blueprint for global privacy standards. As data becomes increasingly valuable, it is crucial to strike the right balance between protecting individual privacy and enabling responsible data-driven innovation.