The California Data Broker Law (Cal. Civ. Code §§ 1798.99.80 to 1798.99.88) defines “data brokers” as any business that knowingly collects and sells to third parties the personal information of California consumers with whom the business does not have a personal relationship.
Until recently, the Data Broker Law only required brokers to register with the California Attorney General, provide certain information on their activities, and to pay an annual registration fee. That is about to change.
On October 10th, Governor Gavin Newsome upped the ante for data brokers as well as the many businesses that rely on them for targeted advertising when he signed the California Delete Act (CDA) into law. The CDA is designed to streamline California residents’ ability to request the deletion of their personal information, and substantially increases the current regulatory burden on data brokers.
The CDA also replaces the California Attorney General with the California Privacy Protection Agency (CPPA) as the regulator with the authority to enforce it. Together with the California AG, the CPPA also enforces the California Consumer Privacy Act (CCPA).
Single Point of Deletion
Under the CDA, the California Privacy Protection Agency (CPPA) is required to establish a single, accessible, online deletion mechanism where consumers can request that their information be deleted from data broker records, which all data brokers registered with the CPPA must honor.
The CDA further directs the CPPA to put the deletion mechanism into effect by January 1, 2026. After that, brokers will be required to process deletion requests submitted via the CPPA within 45 days, and beginning August 1, 2026, they must continuously delete the personal information of requesting consumers, and not sell or share any newly collected information pertaining to those consumers. Data brokers will also be required to direct their service providers and contractors to do the same.
Additional Data Broker Obligations
The CDA also requires data brokers to provide additional information during the registration process. For example, they must now indicate whether they collect the personal information of minors, consumers’ precise geolocation, and consumers’ reproductive health care data.
In addition, the new law requires each data broker to maintain a website free of “dark patterns” that instructs California residents on how to exercise their privacy rights. Commencing on January 1, 2028, data brokers will be required to undergo an audit every three years to determine compliance with these provisions and must also submit an audit report to the CPPA upon the agency’s written request.
The Delete Act amplifies the penalties under California’s Data Broker Registration law. As per this Act, unregistered data brokers face a daily administrative fine of $200 for each day of non-registration, a sum equal to the unpaid fees during the non-registration period, and any costs tied to administrative actions initiated by the CPPA. Moreover, data brokers are liable to a $200 fine for each deletion request per day if they neglect to erase information as mandated by the Delete Act.
The End Result
The California Delete Act will enable California consumers to request deletion of any and all personal information maintained by different data brokers with just a single deletion request. If a sizable percentage of California consumers utilize the CPPA’s deletion mechanism, it will substantially reduce the size of data broker databases. This in turn will affect the many companies that use data obtained from data brokers for targeted advertising, rendering it less effective. In the end, the extent of consumer engagement with the mechanism will determine the CDA’s ultimate effect on data monetization in California.