By Jan. 1, 2026, the California Privacy Protection Agency must establish a way for individuals to ask data brokers to delete their data with a single request.
10/24/2023 3:45 P.M.
2.5 minute read
In a recent move to bolster online privacy, California Gov. Gavin Newsom has signed the Delete Act, empowering Californians to regain control over their personal data by allowing them to request its deletion or forbid its sale or sharing with a single, straightforward process, according to an article from The Verge.
The new legislation will streamline the currently laborious task of navigating through nearly 500 data brokers that operate within the state under a 2018 law.
By Jan. 1, 2026, the California Privacy Protection Agency must establish a way for individuals to ask data brokers to delete their data with a single request.
Additionally, starting Aug. 1, 2026, data brokers must ensure that they honor these new requests every 45 days, a significant leap in data privacy. This means that data brokers can continue to collect data, but they will be obliged to delete it at the same 45-day intervals, effectively safeguarding the interests of California residents, according to the article.
The new rule also allows individuals to make persistent requests to either delete their data or keep it private. As a result, data brokers won’t be able to sell personal information without explicit permission. Beginning in January 2028, independent audits every three years will be conducted to verify data brokers’ compliance.
The Delete Act builds upon the foundation established by the California Consumer Privacy Act of 2018, which mandated that businesses adhere to requests from individuals regarding their personal data. The California Privacy Rights Act further refined and expanded these regulations in 2020, culminating in the establishment of the California Privacy Protection Agency (CPPA).
California Sen. Josh Becker, the author of the bill, highlighted the significance of this legislation by pointing out that data brokers have been selling sensitive information such as reproductive healthcare, geolocation, and purchasing data to the highest bidder. He emphasized that “the DELETE Act protects our most sensitive information,” giving residents greater control over their data, according to The Los Angeles Times.
However, not everyone is in full support of the Delete Act. Justin Hakes, the vice president of communications for the Consumer Data Industry Association, expressed concerns about how this bill might affect fraud protections and potentially hinder small businesses from competing with data giants.
The law’s reach is defined by the revenue and data-sharing thresholds that a business meets. It applies to companies grossing more than $25 million in the preceding year and “annually buying, selling, or sharing the personal information of 100,000 or more consumers or households.”
Additionally, the law only affects businesses that derive at least 50% of their annual revenue from selling individuals’ personal information. Furthermore, it doesn’t solely apply to single businesses dealing in personal data but also encompasses joint business ventures.
A Troutman Pepper article outlined some best practices businesses can take to ensure compliance with this and other state data privacy laws, including:
- Determine if you are a data broker and, if not, document why.
- Conduct data-mapping assessments to understand where your data comes from and where it flows.
- Conduct employee training and awareness programs to ensure staff members understand and comply with the new regulations.
Remember, subscribe to ACA Daily and Member Alerts under your My ACA profile when logged in to acainternational.org to receive updates on the ACA Huddle.