The California Delete Act: What it is and What it Means for America
California passed the Delete Act, Senate Bill 362, several weeks ago, adding the next layer to the state’s data privacy law, the CCPA. The core of the bill aims to give California consumers more control and access to their data subject rights, as it will create a centralized mechanism for people to have all their data deleted at once.
This means that people can exercise their data rights in bulk with the single click of a button, paving the way for more awareness of these rights and a more practical way for individuals to limit their digital footprint.
The California Privacy Protection Agency (CPPA), newly-created by the CPRA amendment to CCPA, will be setting up a website where people go to verify their identity and issue a single request for any data broker to delete their data.
This is a massively ambitious law, and if it works will likely spread to other states and influence the future of data privacy in the United States, but before we investigate its nationwide impact in more detail, let’s review the important aspects of the California Delete Act.
California Delete Act Timeline
- January 1, 2024: The California Delete Act officially goes into effect. The CPPA will take over control of the state’s data broker registry, with the information data brokers are required to report increasing significantly.
- July 1, 2024: Data brokers must begin publishing metrics about how many CCPA DSRs they received during the previous calendar year, how many of those requests they complied with and how many they denied, and both the median and mean number of days it took to respond to a request.
- January 1, 2026: This is the deadline for the CPPA to create a free, public, and easily accessible mechanism for consumers to issue a singular DSR to all data brokers in California.
- August 1, 2026: The grace period for data brokers ends; all data brokers must check and action any requests at least every 45 days. DSR fulfillment then maintains the 45-day CCPA timeline
- January 1, 2028: Data brokers must undergo audits by independent third parties once every three years and must maintain audit records for six years (so essentially, keeping the past two compliance audits on file in case the CPPA requests to see them).
CCPA Data Broker Requirements
The definition of a “data broker” does not change from the CCPA.
The requirement to register already existed prior to the Delete Act, but the law has vastly expanded what information data brokers need to give when registering. Previously, they only needed to give contact details, but now they will be required to give information such as:
- The types of data the broker collects
- How it handles DSRs
- The DSR metrics mentioned above
- Whether they collect sensitive information such as precise geolocation data, minors’ data, or reproductive health data
Data brokers will also need to register with the CPPA each year, paying an annual fee that is currently TBD.
If a data broker fails to register, they will face significant financial strain, with the daily fines jumping to $200 a day on top of a fee for failing to register the previous year as well as any potential fees the state incurs in investigating and prosecuting your organization.
Delete Act Exemptions apply for organizations covered by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, or the Insurance Information and Privacy Protection Act.
What the Delete Act Means for you (and America)
The bill passed California’s Congress and was signed by Governor Gavin Newsom rather quickly once the text was finalized, despite a similar bill going nowhere in Congress in 2022. This is yet another example of data privacy taking priority in California despite the greater United States largely ignoring the bipartisan issue.
Despite California’s progress on passing landmark data privacy legislation numerous times over the past half-decade, the Delete Act had its detractors, as there was a lobbying effort against it.
Part of the business community likely viewed the bill as onerous, considering not only do data brokers need to check the mechanism every 45 days, but for any consumer who submits a request, they would need to continually delete the data on that person every 45 days ad infinitum. There have also been concerns over how the bill would affect the ad tech market, which could see a significant downturn in business if consumers widely embrace the “one-stop-shop” for consumer rights requests.
Even if California and the amended CCPA have not gone to the lengths the EU has to regulate how data brokers generally treat user data, the state is making progress with every amendment to the original 2018 bill. For as much pushback as businesses offer against these amendments, the public has shown support for an increase in data rights’ visibility and accessibility.
The dominos of American data privacy very much reward what has worked in the past, which is why so many states have passed comprehensive laws this year that share the vast majority of meaningful language and requirements. It’s why states are coalescing behind certain areas, like the fight for children’s data privacy or the fight against unchecked AI development.
Americans are sending more DSRs with each passing year, and in terms of regulatory requirements businesses could face regarding data privacy, DSR fulfillment is less burdensome than flat out requiring companies that conduct annual data maps or acquire opt-ins rather than opt-outs before processing any personal data.
Of course, compliance-conscious companies will conduct data maps anyway to get valuable insights into their entire data stack, but the majority of companies currently look at data compliance as a threshold to meet rather than as guiding principles for a strong privacy program.
The point is, data subject rights have overwhelming public support and will not break businesses if instituted and encouraged on a wider scale, a reality that makes it likely other states will follow California’s lead and pass similar amendments or legislation in the coming years.
America is still behind on data privacy, but easy wins–especially if the deployment of the California Delete Act goes smoothly–like this will pave the way for the country to make significant progress in the field.