The Delete Act: California’s New Framework for Data Broker Accountability
California's Delete Act transforms data broker regulation into a comprehensive operational compliance framework. Learn who qualifies as a data broker and how to comply with registration, disclosure, deletion, audit, and ongoing governance obligations.
Understanding the New Registration, Disclosure, and Deletion Requirements
California continues to expand the operational obligations imposed on businesses that collect and monetize personal information. One of the most significant — and often misunderstood — frameworks is the state’s Data Broker Registration law, codified at Civil Code §§ 1798.99.80–1798.99.89.
While the concept of regulating data brokers is not new, recent amendments (including the 2023 Delete Act and the related CalPrivacy Data Broker Registration and Accessible Deletion Mechanism Regulations -hereinafter, the CalPrivacy Regulations-) have transformed the law into a far more operational and enforcement-driven regime. It no longer focuses solely on transparency — it now imposes registration, reporting, deletion, and audit obligations that require meaningful infrastructure and governance.
For many organizations, compliance will require more than updating a privacy policy. It will require building systems.
PRACTICE TIP: Many companies do not consider themselves “data brokers,” but may fall within scope if they lack a direct consumer relationship.
Who Is a “Data Broker”?
At the core of the law is a functional definition:
A data broker is a business that knowingly collects and sells personal information of consumers with whom it does not have a direct relationship.
See Civil Code §§ 1798.99.80 (c)
The definitions of “business,” “collects,” “sells,” “personal information,” and “consumers” cross-reference to the California Consumer Privacy Act (CCPA- Civil Code §§ 1798.140)
The concept of a “direct relationship” is central to determining whether a business qualifies as a data broker — and it is often misunderstood. It is defined in § 7601(d) of the CalPrivacy Regulations. A “direct relationship” exists only where:
A consumer has intentionally interacted with a business for the purpose of accessing, purchasing, using, requesting, or obtaining information about the business’s products or services.
This definition imposes a clear intent requirement. It is not enough that a business merely collects data from a consumer.
Importantly, a direct relationship does not exist where the consumer interacts with the business solely to exercise privacy rights (e.g., access or deletion requests) or the interaction is limited to identity verification.
The law also clarifies that:
- Simply collecting personal information directly from a consumer does not, by itself, create a direct relationship
- A business remains a data broker with respect to personal information it sells that was collected outside of a first-party interaction (as defined in Cal. Code Regs., tit. 11, § 7001 — i.e. “First party” means a consumer-facing business with which the consumer intends and expects to interact.)
This definition is intentionally broad. It captures:
- Companies that aggregate data from third-party sources
- Entities that enrich, resell, or license consumer profiles
- Businesses operating behind the scenes of the data ecosystem
PRACTICE TIP: In practice, a company may have a direct relationship with a consumer in one context (e.g., a website interaction), but still qualify as a data broker for other datasets it acquires indirectly and sells. This reinforces the law’s focus on the origin and context of the data, not just the existence of any interaction.
At the same time, the law carves out several important exemptions, including entities to the extent they are covered under:
- The Fair Credit Reporting Act (FCRA)
- Gramm-Leach-Bliley Act (GLBA)
- Insurance Information and Privacy Protection Act
- Certain HIPAA-related activities
See Civil Code §§ 1798.99.80 (c)(2) and Civil Code §§ 1798.99.82 (b)(2)(W)
The Annual Registration Requirement and Consequences of Failing to Register
The most visible obligation is the requirement to register annually with the California Privacy Protection Agency (CalPrivacy). Civil Code §§ 1798.99.82 (a)
A business that qualifies as a data broker must:
- Register by January 31 each year
- Pay a registration fee
- Submit detailed disclosures about its data practices
This is not a one-time requirement. It is a recurring annual obligation, meaning businesses must continuously assess whether they qualify as a data broker each year.
Registration is not merely a formality. It requires both payment and extensive disclosures.
- The fee is capped at the reasonable costs of:
- Maintaining the public registry website
- Operating the centralized deletion mechanism
- These fees are deposited into the Data Brokers’ Registry Fund, which finances enforcement and infrastructure.
- The registration requires a comprehensive data inventory and disclosure exercise.
Failure to register carries meaningful consequences, including:
- $200 per day in administrative fines
- Payment of outstanding fees
- Recovery of enforcement costs
This daily accrual structure is significant. It transforms registration from a procedural obligation into a continuing compliance risk.
What Must Data Brokers Disclose at Registration?
The core of the disclosure obligation lies in the statute’s highly granular approach to data collection. Rather than allowing general or high-level descriptions, the law requires data brokers to affirmatively state whether they collect specific, enumerated categories of personal information. That forces data brokers to map and publicly describe their data practices at a level of specificity rarely seen in U.S. or foreign privacy laws. See Civil Code §§ 1798.99.82 (b)
At its most basic level, a data broker must identify itself by providing its name, physical address, email address, and website. Specifically, it must disclose:
- Legal name
- Physical address
- Email address
- Website
This eliminates anonymity in the secondary data market and ensures that every registered entity is both visible and contactable.
See Civil Code §§ 1798.99.82 (b)(2)(A)
But the requirement quickly moves beyond identity into operational transparency regarding the data collected. The statute also requires data brokers to provide detailed disclosures about the specific categories of personal information they collect, with a particular emphasis on sensitive and high-risk data. This includes whether the business collects:
- personal information of minors (less than 16 as per Cal. Code Regs., tit. 11, § 7601 (h))
- common identifiers such as names, dates of birth, ZIP codes, email addresses, and phone numbers.
- account credentials — such as logins or account numbers combined with passwords or access codes — that could enable access to a consumer’s account.
- government-issued identifiers, including Social Security numbers, driver’s license or passport numbers, tax identification numbers, and similar identity verification data.
- modern tracking identifiers, such as mobile advertising IDs, connected television identifiers, and vehicle identification numbers
- information relating to citizenship or immigration status, union membership, sexual orientation, gender identity and expression, biometric data, precise geolocation, and reproductive health information.
Together, these requirements force data brokers to provide a clear and comprehensive picture of the most sensitive types of data they collect, rather than relying on broad or ambiguous descriptions.
See Civil Code §§ 1798.99.82 (b)(2)(C)-(N)
“Reproductive health care data” is defined broadly and extends well beyond traditional medical records (see Cal. Code Regs., tit. 11, § 7601 (l).) It includes (but is not limited to):
- any information about a consumer’s interaction with goods or services related to the human reproductive system, such as searching for or using contraception, prenatal or fertility supplements, menstrual-tracking applications, or hormone therapies,
- services like fertility treatments (including sperm or egg freezing and in vitro fertilization), abortion care, vasectomies, sexual health counseling, and treatment for sexually transmitted infections or reproductive conditions — along with precise geolocation data associated with accessing those services.
- information about a consumer’s sexual history and family planning, such as disclosures made in dating applications regarding prior infections or intentions to have children.
Importantly, the scope is not limited to direct data collection; it also includes inferences drawn about a consumer based on these activities or characteristics.
PRACTICE TIP: Taken together, this definition reflects an expansive view of reproductive data, covering not only medical treatment but also behavioral signals, consumer activity, and predictive insights related to reproductive health.
Collection alone, however, is only part of the picture. The statute also requires data brokers to disclose where consumer data is ultimately flowing, with a particular focus on high-risk or sensitive recipients. This includes
- Whether the data broker has shared or sold personal information in the past year to foreign actors — defined broadly to include foreign governments or entities operating in foreign adversary jurisdictions — as well as to federal and state government agencies.
- Whether data has been shared with law enforcement, except where such disclosures were made pursuant to a subpoena or court order, signaling a distinction between voluntary data sharing and legally compelled production.
- Whether personal information has been sold or shared with developers of generative AI systems or models, reflecting growing regulatory concern around the use of consumer data in AI training and development.
To ensure baseline transparency across all business models, the law includes a fallback requirement: if a data broker does not collect certain commonly enumerated categories of data, it must instead identify up to three of the most common types of personal information it does collect.
See Civil Code §§ 1798.99.82 (b)(2)(O)-(S)
Data brokers must also report detailed metrics on consumer requests as described in Civil Code §§ 1798.99.85, specifically
(1) The total number of consumer requests received during the prior calendar year under the CCPA and Delete Act, including requests to:
- Delete personal information
- Access data
- Correct inaccuracies
- Opt out of sale or sharing
- Limit the use of sensitive personal information
(2) The number of requests that were complied with in whole or in part / denied
(3) The median and mean number of days it took to substantively respond to those requests
(4) A breakdown of denied requests by reason, including:
- The request could not be verified
- The request was not made by a consumer
- The request involved information exempt from deletion
- The request was denied on other grounds
(5) A breakdown of requests where deletion was not required, specifying:
- The number of requests denied in whole or in part under each applicable statutory exemption (e.g., §§ 1798.145 and 1798.146)
All of these metrics must be also publicly disclosed in the data broker’s privacy policy and accessible via a link on the business’s website
See Civil Code §§ 1798.99.82 (b)(2)(B)
PRACTICE TIP: In effect, the registry is not designed to just show what companies say they do — it is designed to show how well they actually perform.
The statute also requires data brokers to provide a direct link to a dedicated webpage that clearly explains how consumers can exercise their privacy rights. This page must detail the full range of rights available under the CCPA, including the ability to request deletion of personal information, correct inaccurate data, access and understand what personal information is being collected, and learn what information has been sold or shared and to whom. It must also explain how consumers can opt out of the sale or sharing of their personal information and how to limit the use and disclosure of sensitive personal information.
Importantly, the law does not treat this as a purely informational requirement. The interface through which these rights are exercised must not rely on “dark patterns” — that is, manipulative or deceptive design practices that impair user choice or decision-making.
See Civil Code §§ 1798.99.82 (b)(2)(V)
PRACTICE TIP: In practice, this means data brokers must ensure that their consumer-facing privacy tools are not only legally compliant, but also transparent, accessible, and designed in a way that enables meaningful user control rather than discouraging it.
Finally, beginning in 2029, the disclosure framework expands to include whether the data broker has undergone a required independent audit and the most recent year in which an audit report was submitted to the California Privacy Protection Agency.
See Civil Code §§ 1798.99.82 (b)(2)(U)
To prevent companies from avoiding disclosure through narrow interpretations, the law includes a backstop requirement: if a data broker does not collect certain enumerated categories (such as basic identifiers or device identifiers), it must instead identify up to three of the most common types of personal information it does collect. This ensures that every data broker provides at least some meaningful insight into its data practices, regardless of its business model.
See Civil Code §§ 1798.99.82 (b)(2)(T)
Taken together, these requirements are designed to surface not just what data is collected, but how it is used, where it is sent, and whether the business is subject to ongoing oversight — providing regulators and the public with a clearer view of the broader data ecosystem in which the broker operates.
In addition, data brokers must disclose whether they or their subsidiaries are subject to other regulatory regimes, such as the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, HIPAA, or insurance privacy laws. This allows regulators to better understand how different frameworks interact and whether a business may be relying on exemptions or overlapping compliance obligations.
See Civil Code §§ 1798.99.82 (b)(2)(W)
Finally, the statute permits — but does not require — data brokers to provide additional explanations about their data collection practices. While optional, such disclosures may carry legal and reputational implications, particularly if they create inconsistencies with actual practices or statements made elsewhere.
PRACTICE TIP: Taken together, these requirements transform registration into far more than a simple filing. They require businesses to conduct a detailed internal assessment of their data lifecycle, classify the types of data they collect, understand how that data flows through their systems and to third parties, and publicly commit to a description of those practices. In this way, the registration process itself becomes a form of regulatory pressure — forcing organizations to align their internal operations with externally visible representations of how they handle personal information.
The Accessible Deletion Mechanism Under the Delete Act
The Origins of the Delete Act and the Push for One-Stop Deletion
The California Delete Act (SB 362 and act to amend Sections 1798.99.80, 1798.99.81, 1798.99.82, and 1798.99.84 of, and to add Sections 1798.99.85, 1798.99.86, 1798.99.87, and 1798.99.89 to, the Civil Code, relating to data brokers), signed into law in October 2023, significantly expanded the state’s regulation of data brokers by introducing a centralized, “one-stop” deletion system. The most transformative and innovative aspect of the Delete Act is the creation of a centralized deletion mechanism.
The Delete Act itself emerged out of growing frustration with the limitations of the CCPA, which — while granting consumers the right to request deletion — required individuals to contact companies one by one, often across hundreds of entities. Introduced by Senator Josh Becker in February 2023, SB 362 was designed to make those rights practical and usable by creating a centralized, state-administered system. The law was also shaped by broader concerns about the data broker ecosystem, including the lack of transparency around data sharing and the potential misuse of personal information by both private actors and government entities.
After significant legislative debate and industry opposition — including concerns from advertising and data industry groups about operational burdens and economic impact — the bill was amended, most notably extending the deletion processing timeline from 30 to 45 days, and ultimately signed into law by Governor Gavin Newsom in October 2023. The result is the first comprehensive “one-stop” deletion framework of its kind, marking a significant shift from individual rights on paper to a coordinated, enforceable system designed to operate at scale. If successful, this model could expand to other states, particularly those with existing data broker registration requirements.
Key features of this system include:
- No cost to consumers
- Multilingual access
- Accessibility for individuals with disabilities
- Support for authorized agents
- Ability to track request status
Once the deletion mechanism is operational, data brokers must:
- Access the system at least every 45 days
- Process deletion requests within 45 days
- Instruct service providers and contractors to delete data
- Treat unverifiable requests as opt-outs of sale/sharing
They must also:
- Continue deleting newly collected data every 45 days
- Avoid re-selling or sharing data after deletion (with limited exceptions)
System Requirements for the Accessible Deletion Mechanism
See Civil Code §§ 1798.99.86 (a)&(b)
The Delete Act does not merely require the creation of a centralized deletion platform — it prescribes in detail how that system must function. The accessible deletion mechanism must be designed to ensure that consumer rights are not only theoretically available, but practically usable, secure, and universally accessible.
At its core, the system must allow a consumer to submit a single deletion request that applies to all personal information held by registered data brokers. That request must be submitted through an internet service operated by CalPrivacy and must be available free of charge, eliminating financial barriers to exercising privacy rights.
The statute places significant emphasis on security and data minimization. Consumers must be able to submit requests through one or more privacy-protective methods determined by the Agency, and the system must allow data brokers to confirm whether a verifiable request has been made — without disclosing any additional personal information beyond what is strictly necessary. This reflects a careful balancing of authentication and privacy, ensuring that the process of verifying identity does not itself create new data exposure risks.
The system must also be designed for broad accessibility and inclusivity. It must support requests in any language spoken by consumers whose data is collected, be fully usable by individuals with disabilities, and allow consumers to act through authorized agents. In addition, consumers (or their agents) must be able to track and verify the status of their deletion requests, providing transparency into how those requests are being processed across the data broker ecosystem.
Finally, the mechanism must include clear, consumer-facing information about how the system works. This includes a description of the deletion rights provided, the process for submitting requests, and examples of the types of personal information that may be deleted. Taken together, these requirements ensure that the system is not just a technical solution, but a user-centered infrastructure designed to make privacy rights understandable, accessible, and enforceable in practice.
Ongoing Deletion, Suppression, and Audit Obligations
See Civil Code §§ 1798.99.86 ©
The Delete Act imposes not only a one-time deletion requirement, but a set of continuous operational obligations that fundamentally reshape how data brokers must manage consumer data over time.
- Beginning August 1, 2026, data brokers are required to engage with the accessible deletion mechanism on a recurring basis — at least once every 45 days — to identify and process new consumer requests.
- Once a request is received, the data broker must, within 45 days, delete all personal information associated with the consumer, including data held by its service providers and contractors.
- The obligation extends beyond the broker’s own systems: businesses must actively direct downstream recipients to delete the same data or, where applicable, to treat the request as an opt-out of the sale or sharing of personal information.
- Importantly, if a deletion request cannot be verified, the law does not allow the business to simply disregard it. Instead, the request must be treated as an opt-out, ensuring that even unverifiable requests result in meaningful limitations on data use.
The statute does provide limited exceptions. A data broker is not required to delete personal information where:
- retention is reasonably necessary to fulfill specific statutory purposes or
- where exemptions under the CCPA apply.
However, any retained data is subject to strict use limitations — it may only be used for the exempted purpose and cannot be repurposed, including for marketing or other commercial activities.
Perhaps most significantly, the law introduces a persistent suppression requirement:
- after a consumer’s data has been deleted, the data broker must continue to delete any newly acquired personal information about that consumer at least every 45 days and
- is prohibited from selling or sharing new data about the individual unless an exception applies or the consumer provides direction otherwise.
This transforms deletion from a one-time event into an ongoing compliance obligation that requires continuous monitoring and enforcement.
To reinforce accountability, the law also establishes a periodic audit requirement. Beginning January 1, 2028, data brokers must undergo an independent third-party audit every three years to assess compliance with these obligations. Upon request, audit reports and supporting materials must be submitted to CalPrivacy, and businesses are required to retain those records for at least six years.
In addition, the Agency may charge data brokers a reasonable access fee for use of the deletion mechanism, with those funds supporting the broader regulatory infrastructure.
PRACTICE TIP: Taken together, these requirements shift the burden of compliance decisively onto data brokers, requiring not only technical capability, but also sustained operational discipline to ensure that consumer data is continuously identified, deleted, and restricted in accordance with the law.
Conclusion
California’s data broker law is no longer a simple registration requirement — it is a comprehensive operational framework governing how data brokers:
- Disclose their data practices
- Respond to consumer rights
- Delete personal information
- Demonstrate ongoing compliance
For organizations in scope, the challenge is no longer primarily legal interpretation — it is execution.
Key Practical Implications
Disclosure becomes data governance
The law requires a granular, continuously updated understanding of the data environment, including what personal information is collected, where it resides, how it is classified, and how it flows across systems and third parties. This is especially complex for sensitive data categories such as biometric, geolocation, and reproductive health data.
Deletion becomes a continuous lifecycle obligation
Organizations must re-identify and delete personal information at regular intervals (at least every 45 days), not just respond to one-time requests. This requires persistent suppression mechanisms, ongoing monitoring, and safeguards to prevent re-ingestion of deleted data.
Downstream accountability is mandatory
Data brokers must ensure that service providers and contractors also delete data or honor opt-outs, extending compliance obligations across the entire data supply chain.
Engineering becomes the primary constraint
Compliance depends on building systems capable of identity resolution, recurring deletion, and data propagation across complex environments. Legal compliance is increasingly tied to data architecture maturity and engineering investment.
Operational infrastructure is required
To comply, businesses must build:
- Comprehensive data inventories
- Automated deletion workflows
- Vendor coordination mechanisms
- Audit-ready processes
Compliance and Enforcement Framework
Phased obligations
- Annual registration beginning in 2024
- Centralized deletion processing via DROP by August 1, 2026
- Independent audits every three years starting in 2028
Ongoing transparency requirements
- Annual tracking of consumer requests (received, fulfilled, denied)
- Disclosure of mean and median response times
- Public reporting in privacy policies
- Explanation of denial reasons and legal bases for retention
Audit and reporting obligations
- Independent audits every three years
- Retention of audit reports for at least six years
- Disclosure of audit completion beginning in 2029
Enforcement structure
- $200 per day for failure to register
- $200 per request per day for failure to comply with deletion
Penalties that scale rapidly with volume and time
