The DELETE Act (SB 362) has passed the California Legislature and is awaiting Governor Gavin Newsom’s signature.
What do you need to know?
You may be a data broker without realizing it:
- The law applies to any business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship (with carve outs for FCRA, GLBS, HIPAA and the insurance privacy protection act)
- Sells means what is does under CPRA. It isn’t just selling for money, but also for “other valuable consideration.”
By January 1, 2026, there will be a page provided by the California Privacy Protection Agency (CPPA) that provide a deletion mechanism. It will allow consumers, through a single verifiable consumer request, to request that every data broker delete any personal information related to that consumer held by the data broker or associated service provider or contractor.
If you are a data broker, you need to:
- Register with the CPPA on of before the January 31 of the year following the activity.
- Provide disclosure of: your name and contact info, reporting metrics (see below); whether you collect: (1) the information of MINORS (not under 13s); (2) precise geolocation; (3) reproductive health care data; a link to your website detailing how consumers can exercise their CPRA rights (access, deletion, correction, opt out, limited use).
- Additional metrics: number of requests received, complied with or denies; median and mean number of days for response. (This needs to be included in the privacy notice.)
- Facilitate the deletion by January 1, 2026, and thereafter, access is at least every 45 days and process all deletion requests within 45 days (including explaining any denial, directive service providers and contractors to delete it or to treat it as an opt-out if you cant verify identity).
Failure to register or comply with the obligations is punishable by fines.