California once again sets the pace in consumer privacy and digital-platform regulation with the enactment of Assembly Bill 656 (“AB 656” or the “Act”), detailing new obligations for large social-media platforms to facilitate account deletion and data removal. Signed by Governor Newsom on October 8, 2025 and effective January 1, 2026, covered businesses will need to act quickly in order to comply.
In its legislative findings, AB 656 identifies that a “substantial function” of social-media platforms is user-connection, and research has documented entry barriers to account deletion (especially on mobile apps) as well as the prevalence of dark-pattern design. AB 656 builds on the framework of the California Consumer Privacy Act of 2018 (“CCPA”) and the California Privacy Rights Act of 2020 (“CPRA”), which already grant consumers the right to request deletion of personal information.
The Act targets large social media platforms generating more than $100 million in annual gross revenue. Those companies must now provide a clearly-and-conspicuously placed button labelled “Delete Account” within the settings menu (application, browser, or any user-accessible format). When a user clicks that button, the platform must permit completion of account deletion including deletion of personal information. Verification by way of e-mail, text, or phone call is permitted provided it is cost-effective and user-friendly. Platforms may no longer use dark patterns that interfere with a user’s ability to easily delete their account.
A deletion request means that the covered platform must delete all personal information pertaining to the user’s account or collected directly through the use of the social media platform by the user. Any contractual waiver of these rights is void and unenforceable as contrary to public policy. Large social media platforms must immediately assess whether they meet the gross revenue threshold and, if so, take the following steps:
- UX/UI redesign by ensuring that the “Delete Account” option is visible, labelled, and accessible across all formats including mobile, web, and desktop;
- Conduct data-workflow audits and map all systems, backups and processors to ensure that deletion requests result in full removal (or anonymization) of a user’s personal information;
- Review design practices so that any and all dark-pattern logic is removed (e.g., no more burying the delete option, using confusing labels like “deactivate,” or creating overly long workflows for user’s to follow);
- Update internal policy and documentation in order to integrate deletion workflows into privacy incident responses;
- Train your staff to comply with these new obligations and log metrics related to your compliance efforts.
- Monitor rule-making as further regulations and enforcement actions may be issued and taken by the California Privacy Protection Agency (“CPPA”).
Non-compliance could lead to regulatory enforcement under the CPPA, and implications under the CCPA/CPRA regime for deletion failures. To that end, social media platforms should consider not only monetary risk but also reputational risk given public attention to data-privacy issues. From a user perspective, AB 656 offers a clear, simple tool to terminate one’s account and remove associated personal data, and assurance that large social media platforms can no longer bury deletion behind menus or force indefinite retention of user data. Moreover, users will now have enhanced control over the lifecycle of their personal information and digital footprint on major social-media platforms.
AB 656 reflects California’s evolving strategy of placing user-control at the core of platform regulation. This trend is moving us beyond mere disclosure mandates and towards a world of actionable user rights. For social media platforms operating nationally (or globally) but with California users, the statute will likely serve as a model for other jurisdictions contemplating similar “delete button” legislation.
In light of all of the aforementioned, social media companies meeting the $100 million threshold should promptly perform a gap assessment of current deletion workflows. In addition, they need to ensure that their UI placement is adequate, the data-flow deletion process is seamless, and all dark pattern behaviors have been eliminated. Covered businesses may also want to integrate deletion metrics into governance dashboards in order to monitor and track deletion-request completion times, number of outstanding deletion requests, audits of backup and processor deletions. Social media platforms will also want to update consumer-facing materials like their privacy notices, terms of service, user-click flows, and support-site documentation.
AB 656 is just the beginning. Covered businesses will want to carefully monitor for litigation and regulatory guidance being promulgated by the CPPA. Early enforcement actions may focus on those platforms that fail to make the delete-button truly obvious or that fail to purge personal information as now required by the law.
