Who is excluded from compliance with the California Delete Act? 

The California Delete Act excludes the following types of entities: 

• an entity covered by the federal Fair Credit Reporting Act;
• an entity covered by the Gramm-Leach-Bliley Act and implementing regulations;
• an entity covered by the Insurance Information and Privacy Protection Act;
• an entity, or a business associate of a covered entity, also exempted by the California Consumer Privacy Act. 

How can I keep my organization compliant with the California Delete Act? 

The California Delete Act brings changes to authority and sets out obligations both for data brokers and for the California Privacy Protection Agency (CPPA). 

Existing law has mandated the creation of a fund called the “Data Brokers’ Registry Fund,” which will now be administered by the California Privacy Protection Agency, and any money collected by either the CPPA or the Department of Justice under the Delete Act will have to be deposited into this fund which will then be used to offset the following costs: 

• reasonable costs of establishing and maintaining an informational internet website by the CPPA;
• costs incurred by the state courts and the California Privacy Protection Agency in connection with enforcing the California Delete Act;
• reasonable costs of establishing, maintaining, and providing access to an accessible deletion mechanism which will be designed by the CPPA by January 1, 2026. 

So we see that the regulatory authority, the California Privacy Protection Agency (CPPA), takes on this role effective January 1, 2024, and has until January 1, 2026, to establish “an accessible deletion mechanism that, among other things, allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.”  More specifically, the California Privacy Protection Agency has the obligation to establish, by January 1, 2026, an accessible deletion mechanism that meets all the following requirements: 

• implements and maintains reasonable security procedures and practices, including, but not limited to, administrative, physical, and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used and to protect consumers’ personal information from unauthorized use, disclosure, access, destruction, or modification;
• allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.
• allows a consumer to selectively exclude specific data brokers from a request made;
• allows a consumer to make a request to alter a previous request after at least 45 days have passed since the consumer last made the request;
• allows a consumer to request the deletion of all personal information related to them through a single deletion request;
• allows a consumer to securely submit information in one or more privacy-protecting ways determined by the California Privacy Protection Agency to aid in the deletion request;
• allows data brokers registered with the California Privacy Protection Agency to determine whether an individual has submitted a verifiable consumer request to delete the personal information related to that consumer does not allow the disclosure of any additional personal information when the data broker accesses the accessible deletion mechanism unless otherwise specified in the law;
• allows a consumer to make a request using an internet service operated by the California Privacy Protection Agency;
• does not charge a consumer for making a request; 
• allows a consumer to make a request in any language spoken by any consumer for whom personal information has been collected by data brokers;
• it is readily accessible and usable by consumers with disabilities;
• it supports the ability of a consumer’s authorized agents to aid in the deletion request;
• allows the consumer, or their authorized agent, to verify the status of the deletion request;
• provides a description of all of the following:
  • the deletion permitted;
  • the process for submitting a deletion request;
  • examples of the types of information that may be deleted.

As regards the obligations of data brokers, the California Delete Act dictates that every year, by January 31, as a data broker that meets the definition outlined above, you will have to register with the California Privacy Protection Agency and do all of the following:

• pay a registration fee in an amount determined by the CPPA, which is “not to exceed the reasonable costs of establishing and maintaining the informational internet website” mentioned earlier and “the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism” described above; 
• provide the following information about your business: your name, your primary physical, email, and internet website addresses; the metrics required by the Delete Act as regards number of requests, number of days for responding to these, and requests that were denied due to applicable exceptions; whether you collect the personal information of minors, consumers’ precise geolocation, or consumers’ reproductive health care data;
• an audit report resulted from your most recent audit “and any related materials to the California Privacy Protection Agency” - applicable as of January 1, 2029;
• a link to a page on your internet website that
  • explains how consumers can exercise their privacy rights of deleting personal information, correcting inaccurate personal information, learning what personal information is being collected and how to access that personal information, learning what personal information is being sold or shared and to whom, learning how to opt out of the sale or sharing of personal information, learning how to limit the use and disclosure of sensitive personal information; and
  • does not make use of dark patterns; 
• if and to what extent you or any of your subsidiaries are regulated by the federal Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and implementing regulations. the Insurance Information and Privacy Protection Act, the Confidentiality of Medical Information Act;
• any additional information or explanation that you choose to provide about your data collection practices.

In addition to these, as a data broker, you have several other obligations that relate to disclosures of metrics both in your Privacy Policy and upon request to the regulating authority, the CPPA. What this means is that by July 1 of every year, following every calendar year in which, as a data broker, you meet the definition outlined in this overview, you will have to do the following: 

• compile the number of requests received, that are available within the accessible deletion mechanism that the CPPA will have established, as well as the requests for the consumer rights to delete, to access, to know, to opt out of the sale or sharing of personal information, and right to limit the use and disclosure of sensitive personal information;
• compile the median and the mean number of days within which you substantively responded to the requests listed previously that you received during the previous calendar year;
• disclose the metrics compiled according to the two previous points within your privacy policy posted on your internet website and accessible from a link included in your privacy policy;
• as regards the disclosure of the metrics, these have to also include the number of requests that you denied in whole or in part because of any of the following:
  • the request was not verifiable;
  • the request was not made by a consumer;
  • the request called for information exempt from deletion;
  • the request was denied on other grounds.
• in the same disclosure you will have to specify the number of requests in which deletion was not required in whole, or in part, as provided by the exemptions and applicability set out by the CCPA in Section 1798.145 and Section 1798.146. 

Starting August 1, 2026 you have to access the accessible deletion mechanism established by the CCPA at least once every 45 days and do all of the following:

• within 45 days after receiving a request, you have to process all deletion requests made and to delete all personal information related to the consumers making the requests;
• after a consumer has submitted a deletion request and you have deleted the consumer’s data you have an obligation to delete all personal information of the consumer at least once every 45 days unless the consumer requests otherwise or the deletion is not required, based on exceptions outlined by the text of the law; 
• after a consumer has submitted a deletion request and you have deleted the consumer’s data pursuant to this section, you cannot sell or share new personal information of the consumer unless the consumer requests otherwise or selling or sharing the personal information is permitted under the CCPA’s exemptions and applicability;
• in cases where you deny a consumer request to delete because the request cannot be verified, you have to process the request as an opt-out of the sale or sharing of the consumer’s personal information, as provided by the CCPA’s right to opt out of the sale or sharing of personal information and the exemptions and applicability set out in the same privacy law; 
• direct all service providers or contractors associated with you to delete all personal information in their possession related to the consumers making the requests;
• direct all service providers or contractors associated with you to process a request that cannot be verified as an opt-out of the sale or sharing of the consumer’s personal information;
• Beginning January 1, 2028, and every three years thereafter, you will have to undergo an audit by an independent third party to determine compliance with the California Delete Act. Once this audit has been completed you will have to “submit a report resulting from the audit and any related materials to the California Privacy Protection Agency within five business days of a written request from the California Privacy Protection Agency.” This report and all related materials will have to be maintained by you for at least six years. 

If one of the following exceptions applies, you are not required to delete a consumer’s personal information: 

• if it is reasonably necessary for you to maintain the personal information to fulfill a purpose as described by the exceptions outlined in the CCPA’s right of consumers to delete personal information; or
• the deletion is not required based on the exemptions and applicability established by the CCPA.

However, keep in mind that any personal information you retain based on these exceptions can only be used for the purposes described above and cannot be used for any other purposes, which includes but is not limited to marketing purposes. 

What data access rights does the California Delete Act grant?

The California Delete Act enforces the consumer rights granted by the California Consumer Privacy Act but with a specific focus on the right to delete which allows consumers whose data is collected and processed by data brokers to have this deleted through one single request that applies to all data brokers affected, as opposed to consumers submitting one such request with each one of the data brokers that has collected and processed the personal information of the consumer. 

How to address data subject access requests under California Delete Act?

As mentioned above, a consumer request submitted with a data broker under the California Delete Act has to be handled as follows: 

• within 45 days after receiving a request, you have to process all deletion requests made and to delete all personal information related to the consumers making the requests;
• after a consumer has submitted a deletion request and you have deleted the consumer’s data you have an obligation to delete all personal information of the consumer at least once every 45 days unless the consumer requests otherwise or the deletion is not required, based on exceptions outlined by the text of the law; 
• after a consumer has submitted a deletion request and you have deleted the consumer’s data pursuant to this section, you cannot sell or share new personal information of the consumer unless the consumer requests otherwise or selling or sharing the personal information is permitted under the CCPA’s exemptions and applicability;
• in cases where you deny a consumer request to delete because the request cannot be verified, you have to process the request as an opt-out of the sale or sharing of the consumer’s personal information, as provided by the CCPA’s right to opt out of the sale or sharing of personal information and the exemptions and applicability set out in the same privacy law; 
• direct all service providers or contractors associated with you to delete all personal information in their possession related to the consumers making the requests;
• direct all service providers or contractors associated with you to process a request that cannot be verified as an opt-out of the sale or sharing of the consumer’s personal information;

Enforcement and penalties

The California Delete Act grants enforcement authority to the California Privacy Protection Agency (CPPA) who is also the enforcing authority of the CCPA-CPRA, together with the Attorney General. As regards penalties, according to the California Delete Act, if you, as a data broker, fail to register, you are liable for administrative fines as follows: 

• an administrative fine of $200 for each day that you fail to register;
• an amount equal to the fees that were due during the period you failed to register;
• any expenses incurred by the regulatory authority, the California Privacy Protection Agency during the investigation and administrative action phase.

In addition to this, if you fail to comply with the requirements and obligations described above, you are liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:

• an administrative fine of $200 for each deletion request for each day you fail to delete information;
• any reasonable expenses incurred by the regulatory authority, the California Privacy Protection Agency during the investigation and administrative action phase.

FAQs about the California Delete Act