If you are a data broker or a business that relies on data brokers for targeted advertising, you should be aware that the California Data Broker Law will be significantly changed under the California Delete Act, which was signed into law by California Governor Newsom on October 10. Under the act, the California Privacy Protection Agency (CPPA) is required to set up, by 1 January 2026, an accessible deletion mechanism where consumers can request deletion via the CPPA that all data brokers then have to honor. Data brokers will have to check the CPPA mechanism to process all deletion requests every 45 days, as well as delete personal information about every California resident who ever made a request through the mechanism every 45 days.
The California Delete Act could profoundly impact how data brokers handle personal information, and subsequently impact the businesses that partner with data brokers for targeted advertising.
Where we were
Until the recent passage of the California Delete Act, data brokers seemed to remain a foot away from the fire: California Civil Code § 1798.99.80, et seq., just require data brokers to register with the Attorney General and pay an annual registration fee. In registering with the Attorney General, data brokers are required to provide its name, primary physical, email, and internet website addresses.
What the California Delete Act is changing
The California Delete Act will add additional obligations by introducing a single “accessible deletion mechanism”, provided online by the CPPA. Consumers will be able to use such mechanism to request that every data broker that maintains any personal information about the consumer delete such personal information held by the data brokers or associated service providers or contractors. The data brokers will be required to process deletion requests that are made through the CPPA mechanism within 45 days of receiving them, and beginning 1 August 2026, continuously delete the personal information of the requesting consumer and not sell or share new personal information of the consumer. Data brokers will also be required to direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the requesting consumer. This means that California consumers will be able to request deletion of any and all personal information maintained by different data brokers with just a single deletion request.
The act also requires data brokers to provide additional information to the CPPA when registering as data brokers, including to specify whether they collect the personal information of minors, consumers’ precise geolocation, and consumers’ reproductive health care data. Data brokers will also be required to maintain a website free of dark patterns that details how consumers may exercise their privacy rights. Beginning 1 January 2028, and every three years thereafter, data brokers will be required to undergo an audit by an independent third party to determine compliance with the proposed provisions, as well as to submit an audit report to the CPPA upon the CPPA’s written request.
The California Delete Act will also replace the Attorney General with the CPPA as the authority tasked with enforcing the Data Broker Law. The CPPA is the same agency that implements and, together with the California Attorney General, enforces the CCPA.
What this means
Should California consumers extensively use this deletion mechanism, this could reduce the size of a data broker’s database. Partnering businesses that rely heavily on data brokers for their marketing initiatives might feel a ripple effect with less effective targeted advertising.
Data monetization in California faces another blow as data brokers will be subject to additional obligations under the streamlined deletion mechanism for California consumers. The extent of consumer engagement with the mechanism will play a determining role in the impact of the law.