Data brokers face new registration and audit obligations, consumer data deletion rights, and exposure to fines under California's SB 362, the Delete Act. The bill was signed into law by Gov. Gavin Newsom on Tuesday. Effective dates for the legislation run from 2024 to 2026.
Under the bill, "data broker" is generally defined as "a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." Adopting definitions from the California Consumer Privacy Act (CCPA), a covered data broker is a "business" that either: has $25 million in annual revenues; buys, sells or shares personal information on 100,000 consumers or households; or derives at least half its revenues from selling or sharing consumers' personal information. Excluded from the data broker definition: entities (of any size) to the extent covered by the Fair Credit Reporting Act (FCRA) or Gramm Leach Bliley Act (GLBA), as well as certain Health Insurance Portability and Accountability Act (HIPAA) business associates and insurance entities.
Beginning in 2024, covered data brokers are to register and pay a fee to the California Privacy Protection Agency (CPPA) and disclose details about their lines of business and consumer interaction metrics. As of 2028, third party audits of covered data brokers are required. (Under current law, roughly 500 data brokers are registered with the CPPA.)
By January 1, 2026, the CPPA is charged with operating a public "accessible deletion mechanism" - a one-stop online portal where California consumers, directly or through their authorized agents, may request registered data brokers and their service providers delete "all personal information related to [the consumer] in a single request." Proposed 1798.99.86 (b)
As of August 1, 2026, covered data brokers are to regularly review and process such verifiable requests, unless a) an exception applies under Cal. Civ. C. 1798.105(d) (e.g., completing a transaction, research, legal compliance) or b) deletion is not required under Cal. Civ. C. 1798.145-6. (e.g., deidentified or aggregated information, legal compliance, medical information). Where the consumer's request is not verifiable, the request is to be treated as an opt-out from sale or sharing of data. Once a verifiable deletion request is processed, the data broker is not to share information about the consumer unless an exception applies or the consumer requests otherwise. Proposed 1798.99.86 (c),(d)
As the above requirements take effect, noncompliant data brokers may be fined $200 per day for failure to register or $200 for each day per deletion request where they do not delete data as required by law. 1798.99.82 (c) Violations of the proposed statute are subject to a 5-year statute of limitations. Proposed 1798.99.89
The new California rights should cause consumer data providers to review their compliance rationales for categories of personal data obtained without consent that they sell or share. Consumer marketing services, such as person-specific location and device information, are expected to be affected, though aggregation may be part of a strategy to retain such data. Also, data subject to GLBA continues to be treated as before, exempt from the new deletion rights. Public and private record information used for FCRA purposes, such as background screening and credit reporting, may be retained. The bill's impact on personal data used to fulfill transactional fraud and ID verification solutions, law enforcement investigations, and eligibility determinations, among other uses, remains to be seen.
The bill enhances the role of authorized agents, who are empowered to file deletion requests for consumers. Authorized agents may promote data deletion services to consumers, such as those seeking to delete undesirable public record information. Recognizing prior abuses by credit repair agents and active involvement by plaintiffs' counsel in existing consumer dispute processes, consumer data and advertising advocates attempted to add consumer protection guardrails to agent activities but were rebuffed by sponsors. Thus, covered data brokers may see substantial involvement by such agents in deletion requests. To ensure a consistent response that preserves data where permissible, covered data brokers will need new policy and consumer response documentation and process education for their consumer interaction teams.
