California Governor Gavin Newsom signed the Delete Act yesterday, making it possible for Californians to either ask data brokers to delete their personal data or forbid them to sell or share it, with a single request. Right now, Californians have similar rights under a 2018 state law, but they have to ask each company individually, and that’s a tall order given the almost 500 data brokers operating in the state.
The California Privacy Protection Agency (CPPA) must create a way for people to make this request by January 1st, 2026. The CPPA was established in 2020 by the California Privacy Rights Act.
By August 1st, 2026, data brokers will have to check for and honor new requests every 45 days. After removing the data as requested, brokers can still gather data but will have to delete it at the same 45-day interval. However, since people in the state can make a persistent request to have their data deleted or kept private, brokers won’t be able to sell the data without permission. Starting January 2028, independent audits every three years will verify brokers’ compliance.
The law reuses definitions of brokers that the California Consumer Privacy Act of 2018 established, which required businesses to disclose, delete, or withhold from sharing or selling personal data as requested by individuals. Then, in 2020, the California Privacy Rights Act amended the previous law and established the CPPA.
The Los Angeles Times quoted California Senator Josh Becker, the bill’s author, as saying that brokers sell thousands of individual consumers’ data points on “reproductive healthcare, geolocation, and purchasing data to the highest bidder,” adding that “the DELETE Act protects our most sensitive information.”
The outlet went on to quote the VP of communications for the Consumer Data Industry Association, Justin Hakes, as saying that the bill could undermine fraud protections and keep small businesses from competing with the data dominance of large platforms.
The Delete Act applies to any company that grossed more than $25 million in revenue the year before and “annually buys, sells, or shares the personal information of 100,000 or more consumers or households.” And it only affects those businesses that make at least 50 percent of their annual revenue from the sale of people’s personal information.
The law considers several alternative scenarios, like joint business ventures, and doesn’t just apply to single businesses that trade in personal data.