California has added another privacy law to its existing regulations. Governor Gavin Newsom signed Senate Bill 362, often referred to as the Delete Act, into law just before the October 14th deadline. This new law builds on the California Consumer Privacy Act and the California Privacy Rights Act. It mandates that data brokers must register with the California Privacy Protection Agency (CPPA), which will enforce the law.
A significant aspect of the Delete Act is the requirement for the CPPA to develop a mechanism, by January 1, 2026, that allows verified consumers to easily request the deletion and tracking of their personal data in one central place. Starting from August 1, 2026, data brokers will need to process deletion requests within 45 days of receiving a verified request.
Previously, consumers had to contact each data broker individually to request data deletion. California has around 500 such data brokers operating in the state.
State Senator Josh Becker, the bill’s author, hailed Newsom’s signature as making California a leader in consumer privacy. He emphasized that data brokers possess vast amounts of personal information and often sell sensitive data like reproductive healthcare and geolocation information to the highest bidder. The Delete Act aims to protect such sensitive information.
The new law transfers data broker registration from the California Department of Justice to the CPPA. Data brokers, as defined in the Delete Act, are companies that collect, use, and sell personal data without the consumer’s knowledge. The law also establishes a “do not track” list, preventing data brokers from collecting user data in the future.
The law also imposes transparency requirements on data brokers, including disclosing if they collect precise geolocation data, reproductive healthcare data, and personal information about minors. Reproductive healthcare data became a significant concern following the U.S. Supreme Court’s decision on Dobbs, which overturned Roe v. Wade.
The law has received mixed reactions. Supporters believe it will empower individuals to regain control of their personal data, while opponents, such as Gravy Analytics Chief Privacy Officer Jason Sarfati, are concerned about its impact on the data industry and California’s digital economy.
The Delete Act is a state law, but given California’s large population, some argue that it effectively functions as a federal law.
Implementing the single form deletion mechanism required by the Delete Act is a complex task. It raises questions about the verification of deletion requests, data collection and storage, and the potential for misuse in social engineering attacks.
While details need to be worked out, the Delete Act is now law and demands attention from those it applies to.
Does your organization have any questions about the Delete Act or other U.S. privacy laws? Contact us, the Experts in Data Privacy at firstname.lastname@example.org for assistance.