California’s latest legislation, called the California Delete Act, is set to simplify the process of erasing personal online information. Starting January 2026, the California Privacy Protection Agency (CPPA) is tasked with devising a method for individuals to ask data brokers to delete their information with just one request.
Governor Gavin Newsom recently signed the California Delete Act, granting Californians the power to either instruct data brokers to erase their personal data or bar them from selling or sharing it, all through a single request. While a similar right existed in a 2018 state law, individuals had to approach each company separately, which was quite a feat considering there are nearly 500 data brokers in operation in the state.
We applaud @CAgovernor for signing SB 362, the CA Delete Act, which the CPPA Board unanimously voted to support in July. SB 362 is consistent with CPPA’s mission to further Californians’ privacy by making it easier for consumers to exercise their rights. #innovation
— California Privacy Protection Agency (@CalPrivacy) October 10, 2023
How will the California Delete Act protect user data?
The CPPA, established in 2020 by the California Privacy Rights Act, is required to have this request system in place by January 1st, 2026. As of August 1st, 2026, data brokers must regularly check for and comply with new deletion requests every 45 days. After fulfilling the request, brokers can continue to collect data, but they must delete it at the same 45-day interval. However, since residents can make an ongoing request to either erase or keep their data private, selling the data without consent is off the table. Starting January 2028, independent audits will be conducted every three years to ensure brokers’ adherence to the law.
This legislation relies on the broker definitions outlined in the California Consumer Privacy Act of 2018, which mandated businesses to disclose, delete, or refrain from sharing or selling personal data as requested by individuals. In 2020, the California Privacy Rights Act further refined the law and established the CPPA.
California Senator Josh Becker, the bill’s author, emphasized that brokers often peddle thousands of individual consumers’ data points, including sensitive areas like reproductive healthcare, geolocation, and purchasing data, to the highest bidder. He stated that the California Delete Act serves as a safeguard for this highly sensitive information.
However, there are concerns raised by the VP of communications for the Consumer Data Industry Association, Justin Hakes. He believes that the bill might undermine fraud protections and potentially hinder small businesses from competing with the data giants.
The California Delete Act applies to companies with over $25 million in revenue from the previous year, dealing with the personal information of 100,000 or more consumers or households. It specifically affects businesses that generate at least half of their annual revenue from the sale of personal information.
Furthermore, the law takes into account various scenarios, including joint business ventures, and is not limited to individual businesses involved in the trade of personal data.
Meanwhile, the California Delete Act comes on the heels of the news of how the Ontario Pregnancy data breach exposed millions of patients’ health data. Data privacy concerns among users in the states are growing, and the California Delete Act will most likely be welcomed by users. The legislation ensures transparency and accountability in handling personal information, promoting a culture of privacy-conscious practices.