Decoding California’s Delete Act and regulations for data brokers

Pandectes GDPR Compliance app for Shopify Stores - Decoding California's Delete Act and regulations for data brokers - cover

Table of Contents


California, at the forefront of privacy legislation, has ushered in a new era with the enactment of the Delete Act, officially known as Senate Bill 362. Signed into law on October 10, 2023, by Governor Gavin Newsom, this legislation introduces a paradigm shift in how data brokers handle consumer information.

The Delete Act, slated to take effect on January 1, 2024, brings forth a comprehensive set of regulations designed to empower individuals to control the fate of their data. From the establishment of accessible deletion mechanisms to the introduction of persistent privacy requests, the legislation redefines the relationship between data brokers and the consumers they serve.

This article delves into the intricacies of the California Delete Act, dissecting its key provisions, implications for data brokers, and the broader landscape of data privacy. As we embark on this exploration, we unravel the layers of this groundbreaking legislation, examining how it reshapes the digital landscape and sets new standards for safeguarding personal information.

California Privacy Protection Agency (CPPA)

The California Privacy Protection Agency (CPPA) has been given a crucial responsibility in enforcing the Delete Act, a vital component of the California Privacy Rights Act. As the regulatory body tasked with overseeing compliance, the CPPA ensures that data brokers are adhering to the strict guidelines laid out in the Delete Act.

One of the critical requirements of the CPPA is to establish an “accessible deletion mechanism” by January 1, 2026. This mechanism is aimed at facilitating the efficient handling of consumer deletion requests, which is a critical aspect of protecting the privacy of Californians. With this mechanism in place, consumers can exercise greater control over their data and have greater confidence in the privacy protections afforded to them by the CPPA.

Registration of data brokers

The Delete Act has a significant provision that mandates data brokers to register with the CPPA. This registration requirement is critical to ensuring transparency and accountability in the data brokerage industry. Data brokers must provide relevant information about their operations and practices to register. This information includes details about the data sources they collect, the categories of data they maintain, and the purposes for which they use the data.

In addition to providing this information, data brokers must also pay a registration fee to contribute to the Data Brokers Registry Fund. This fund is instrumental in supporting the enforcement of the Delete Act and other initiatives to protect individuals’ data privacy rights. By requiring data brokers to register and pay a fee, the Delete Act establishes a mechanism for regulating the data brokerage industry, which is critical for safeguarding individuals’ data privacy and preventing abuses by data brokers.

Pandectes GDPR Compliance app for Shopify Stores - Decoding California's Delete Act and regulations for data brokers - keyboard

Accessible deletion mechanism

As per the Delete Act, data brokers must incorporate an “accessible deletion mechanism” into their systems. This mechanism, which the CPPA will establish, will enable consumers to submit deletion requests for their personal information easily. Starting August 1, 2026, data brokers must access this online deletion system at least once every 45 days.

This regular interaction ensures that deletion requests are promptly addressed, enhancing consumer data control. By complying with this regulation, data brokers can ensure they provide their customers with a secure and transparent data management system.

Deletion requests and consumer privacy

The Delete Act is a crucial legislation that aims to give consumers greater control over their personal information. One of the key features of this Act is the introduction of a single, verifiable mechanism that empowers consumers to request the deletion of their data. This mechanism simplifies the process for consumers, making it easier for them to assert control over their personal information.

By establishing a direct relationship between the consumer and the data broker, the Delete Act strengthens the consumer’s ability to manage the use and dissemination of their personal information. This is an essential step towards ensuring that consumers have greater control over their data and can protect their privacy in an increasingly digital world.

Accountability and independent audits

The Delete Act, a crucial piece of legislation designed to protect data privacy, mandates that all data brokers undergo independent third-party audits. These audits align with the Privacy Protection Agency’s commitment to ensuring accountability and trustworthiness in data handling practices. Starting January 2028, data brokers must undergo independent audits at regular intervals of three years.

During these audits, the data broker’s compliance with the deletion mechanisms and related provisions will be thoroughly assessed to ensure that they adhere to the highest data privacy standards. The resulting audit reports are crucial in regulatory oversight and ensure public transparency. They reinforce the commitment to data privacy and ensure that data brokers are held accountable for handling sensitive information.

Pandectes GDPR Compliance app for Shopify Stores - Decoding California's Delete Act and regulations for data brokers - bridge

Data broker’s website and consumer communication

Under the Delete Act, data brokers are required to maintain a website that is user-friendly and easily accessible to consumers. This website should be the primary channel for consumers to interact with the data broker regarding deletion requests and other privacy-related concerns. The website should provide detailed information about the data broker’s data collection practices, including the types of data collected, the sources of the data, and the purposes for which the data is used.

It should also provide clear instructions on how consumers can request the deletion of their data and how the data broker will respond to such requests. By maintaining an informative and navigable website, data brokers can promote transparency and user empowerment, which are essential for building consumer trust.

Fair Credit Reporting Act and Privacy Protection Act

The Delete Act, a recent addition to the existing federal regulations such as the Fair Credit Reporting Act and Privacy Protection Act, has brought an additional layer of protection for consumers against the reckless misuse of their personal information. With the rise of data brokers who collect and sell personal information, it has become crucial for them to navigate a complex web of regulations to ensure compliance with state and federal laws.

This intersection of laws and regulations underscores the multifaceted nature of data privacy legislation and its impact on data brokers. The Delete Act, in particular, has set stringent guidelines for data brokers to obtain explicit consumer consent before collecting and selling their data. It has also given consumers the right to request the deletion of their data. This has not only strengthened consumer privacy protection but also made data brokers more accountable for their actions.

Specific data brokers and deletion mechanism implementation

The Delete Act takes a thoughtful approach to regulating data brokers, acknowledging the nuanced differences between various entities in the industry. Rather than a one-size-fits-all approach, the Act recognizes that specific data brokers may need to adjust their deletion mechanisms depending on the nature and scope of the data they collect and manage.

This tailored approach ensures that the implementation of deletion mechanisms is effective and practical for all entities in the data brokerage ecosystem, regardless of their size or specific business practices. By recognizing the diverse needs of data brokers and providing flexibility in compliance requirements, the Delete Act is a fair and comprehensive solution to regulating the data brokerage industry.

Business practices: Knowing the collection and sale of data

The Delete Act is a crucial piece of legislation that takes a strong stance against businesses that knowingly collect and sell personal information. The law places a high value on transparency, mandating that data brokers provide clear and detailed information about their data collection and selling practices. This transparency empowers consumers to make informed decisions about the companies they interact with and entrust their personal information.

By requiring businesses to disclose their data practices, the Delete Act ensures that consumers have greater control over their personal information and are better equipped to protect their privacy and security online. Ultimately, this legislation helps establish a more fair and trustworthy digital ecosystem where individuals can feel confident that their personal information is handled responsibly and ethically.

Pandectes GDPR Compliance app for Shopify Stores - Decoding California's Delete Act and regulations for data brokers - laptop

Reproductive health care data and Medical Information Act

The Delete Act is a legislative measure that acknowledges the sensitivity of certain types of personal information, including reproductive health care data. This recognition aligns with existing legislation, such as the Medical Information Act, which also seeks to protect sensitive personal information. The Delete Act’s emphasis on safeguarding specific categories of information highlights the legislative intent to protect personal data and information that holds particular significance in an individual’s privacy.

This includes sensitive information related to reproductive health care, which is often considered highly personal and private. By recognizing the importance of protecting such information, the Delete Act ensures that individuals have greater control over their data and can exercise their right to privacy without fear of unauthorized access or misuse.

Deletion requests received and consumer requests

Data brokers have a crucial responsibility to handle deletion requests that are received from consumers carefully. Under the Delete Act, data brokers must process these requests promptly and efficiently, ensuring the timeliness of their responses. This is essential in empowering consumers to exercise their privacy rights effectively.

Any delay or failure to adequately address deletion requests may lead to non-compliance with the Delete Act and trigger subsequent regulatory consequences. Hence, data brokers must have a well-defined deletion request handling process to guarantee consumer privacy protection.

Third-party audits and compliance

The Delete Act is a comprehensive legislation that seeks to regulate data brokers and safeguard the privacy rights of individuals. The Act mandates a stringent system of third-party audits aimed at verifying data brokers’ compliance with the stipulations set forth in the legislation. These audits serve as a crucial checkpoint, evaluating the processes and practices adopted by data brokers to ensure that they adhere to the privacy regulations.

Compliance is not merely a one-time requirement but an ongoing commitment and third-party audits provide periodic assessments to ensure the sustained adherence of data brokers to privacy regulations. The audits scrutinize various aspects of data collection, storage, sharing, and disposal, and the findings are reported to the regulator to ensure that non-compliance issues are promptly addressed. The robust system of third-party audits introduced by the Delete Act is a significant step towards protecting personal data and safeguarding the privacy rights of individuals.


California’s Delete Act marks a significant milestone in the evolution of data privacy legislation. With a focus on accountability, transparency, and consumer empowerment, the Act introduces a comprehensive framework that reshapes the responsibilities and practices of data brokers. The interplay of the Delete Act with existing regulations creates a complex landscape that necessitates a nuanced approach to compliance for entities in the data brokerage industry.

As the regulatory environment evolves, data brokers must remain vigilant, adapting their practices to align with the ever-changing landscape of privacy laws and consumer expectations. The Delete Act is a testament to the ongoing efforts to balance technological advancements and protect individuals’ privacy rights.

Make your Shopify Store GDPR/CCPA compliant today
Pandectes GDPR Compliance App for Shopify
Subscribe to learn more

You Might Also Like

Scroll to Top