The California Delete Act, also known as SB 362 or California Senate Bill No. 362, is a state privacy law enacted on October 10, 2023, that amended California’s existing Data Brokerage Registration Law. The ‘Delete Act’ applies to Data Brokers and strengthens consumer rights by allowing Californian residents to get their personal information deleted from all registered data brokers through a single request.
The Act defines a ‘Data Broker’ in Section 1 (c) as any business that knowingly collects and sells personal information about consumers with whom it does not have a direct relationship.
This law requires Data Brokers to register with the California Privacy Protection Agency (CPPA). The CPPA must maintain a public website displaying data broker registration details and offering a system for consumers to submit deletion requests. It requires them to delete all personal information they hold about a Californian resident upon receiving a delete request.
Introduction & History
The California Delete Act builds on two earlier privacy laws, the CCPA and CPRA. The California Consumer Privacy Act of 2018 first gave Californians the right to delete and control the sale of their personal data. It was followed by the California Privacy Rights Act (CPRA) of 2020, which created the CPPA as the state’s first dedicated privacy regulatory agency.
Lawmakers realized that despite these laws, consumers still struggled to exercise their rights, especially their right to erasure or right to delete. The law was introduced because consumers had to send deletion requests individually to each broker.
This was a complicated and time-consuming process for the consumers. SB-362 simplifies this by requiring the California Privacy Protection Agency to create a single deletion mechanism called the ‘Delete Request and Opt-Out Platform’ (DROP), that will be available to consumers in 2026. This mechanism will centralize all consumer deletion requests and will allow them to file a verifiable request, track its status, and ensure data brokers comply within strict timelines.
The law reflects California’s intent to set a national benchmark for data privacy and ensure stronger enforcement against non-compliance.
Scope, Purpose & Applicability
The law applies to any data broker that does business in California, regardless of where the company is based. This includes brokers who sell information about residents in the state. The law does not apply to entities already regulated under other federal privacy frameworks, such as:
- The Fair Credit Reporting Act (FCRA)
- The Gramm-Leach-Bliley Act (GLBA)
- The Insurance Information and Privacy Protection Act
- Health information processors regulated under HIPAA
Key Requirements of the California Delete Act
The Delete Act introduces several new obligations that data brokers must follow in Sections 3, 5 & 6:
- Data brokers must register every year with the CPPA by paying a registration fee. This fee goes into the Data Brokers’ Registry Fund. The CPPA will maintain a public data broker registry where all data brokers are listed. Brokers are required to submit detailed disclosures, such as:
- A link to a privacy rights page where consumers can exercise their rights
- Whether they collect information on minors
- Precise geolocation data, or reproductive health data
- The number of deletion requests received and fulfilled in a calendar year
- The average time taken to respond
- Data brokers must publish these metrics in their privacy policies.
- The CPPA will roll out the single deletion mechanism, ‘DROP’, by January 1, 2026. Beginning August 1, 2026, data brokers will be required to:
- Access the DROP mechanism at least once every 45 days
- Process all verified deletion requests within 45 days
- Treat unverified requests as opt-outs from the sale or sharing of personal data
- Direct all contractors and service providers to comply with the same deletion requests
- Once a consumer requests deletion, data brokers are obligated to delete any new data collected about that person continuously at least every 45 days.
- Beginning January 1, 2028, every data broker must undergo a third-party compliance audit every three years. Audit reports must be retained for six years and submitted to the CPPA upon request.
- Data brokers must display a clear and visible link on their websites showing how consumers can exercise their privacy rights. They cannot use dark patterns or deceptive design that discourages or makes it difficult for consumers to make deletion requests.
Non-compliant data brokers will have to pay fines and fees, which will go to the aforementioned Data Brokers’ Registry Fund to help enforce the law and maintain the DROP mechanism.
Penalties for Non-Compliance Section 3 (c)
The California Delete Act (SB-362) imposes significant penalties.
- Data brokers that fail to register with CPPA will be fined $200 for each day they remain unregistered.
- Failing to process deletion requests also results in a fine of $200 per request per day.
- The CPPA can recover additional costs related to investigations and unpaid fees.
- Repeated violations could also lead to administrative actions, litigation, and damage to business reputation.
CPPA’s Enforcement Actions So Far
The California Privacy Protection Agency has begun strict enforcement of the Delete Act.
- Accurate Append, Inc., a Washington-based data broker, was fined $55,400 on July 28, 2025, for failing to register and pay the mandated annual fee.
- Jerico Pictures, Inc. (DBA National Public Data), a Florida-based data broker, was fined $46,000 for the same violations.
- KMA, a Connecticut-based data broker, agreed to pay $55,800 to resolve the Enforcement Division's claims that it failed to register with CPPA.
It’s clear from the above that Data Brokers are being fined for violating the provisions of the Delete Act, even if they are based outside California, but are handling California residents' data.
Building Trust Through Compliance
The California Delete Act gives consumers stronger control over their personal information and sets higher standards for data brokers. Data brokers must invest in secure data handling, deletion, and documentation processes. Businesses purchasing data from brokers must ensure the brokers are fully compliant with SB 362. Otherwise, organizations could be exposed to legal and reputational risks.
+1-844-775-0101
