
In brief

If you are a data broker or a business that relies on data brokers for targeted advertising, you should be aware that the California Data Broker Law will be significantly changed under the California Delete Act, which was signed into law by California Governor Newsom on October 10. Under the act, the California Privacy Protection Agency (CPPA) is required to set up, by 1 January 2026, an accessible deletion mechanism where consumers can request deletion via the CPPA that all data brokers then have to honor. Data brokers will have to check the CPPA mechanism to process all deletion requests every 45 days, as well as delete personal information about every California resident who ever made a request through the mechanism every 45 days.

The California Delete Act could profoundly impact how data brokers handle personal information, and subsequently impact the businesses that partner with data brokers for targeted advertising.


Where we were

Until the recent passage of the California Delete Act, data brokers seemed to remain a foot away from the fire: California Civil Code § 1798.99.80, et seq., just require data brokers to register with the Attorney General and pay an annual registration fee. In registering with the Attorney General, data brokers are required to provide their name and their primary physical, email, and internet website addresses.

What the California Delete Act is changing

The California Delete Act will add additional obligations by introducing a single “accessible deletion mechanism”, provided online by the CPPA. Consumers will be able to use such mechanism to request that every data broker that maintains any personal information about the consumer delete such personal information held by the data brokers or associated service providers or contractors. The data brokers will be required to process deletion requests that are made through the CPPA mechanism within 45 days of receiving them, and beginning 1 August 2026, continuously delete the personal information of the requesting consumer and not sell or share new personal information of the consumer. Data brokers will also be required to direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the requesting consumer. This means that California consumers will be able to request deletion of any and all personal information maintained by different data brokers with just a single deletion request. 

The act also requires data brokers to provide additional information to the CPPA when registering as data brokers, including to specify whether they collect the personal information of minors, consumers’ precise geolocation, and consumers’ reproductive health care data. Data brokers will also be required to maintain a website free of dark patterns that details how consumers may exercise their privacy rights. Beginning 1 January 2028, and every three years thereafter, data brokers will be required to undergo an audit by an independent third party to determine compliance with the proposed provisions, as well as to submit an audit report to the CPPA upon the CPPA’s written request.

The California Delete Act will also replace the Attorney General with the CPPA as the authority tasked with enforcing the Data Broker Law. The CPPA is the same agency that implements and, together with the California Attorney General, enforces the CCPA.

What this means

Should California consumers extensively use this deletion mechanism, this could reduce the size of a data broker’s database. Partnering businesses that rely heavily on data brokers for their marketing initiatives might feel a ripple effect with less effective targeted advertising.

Looking forward 

Data monetization in California faces another blow as data brokers will be subject to additional obligations under the streamlined deletion mechanism for California consumers. The extent of consumer engagement with the mechanism will play a determining role in the impact of the law. 

Author

Lothar Determann has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto. He is a member of the Firm's International/Commercial Practice Group and the TMT and Healthcare industry groups.

Author

Cynthia Cole is an Intellectual Property Partner in Baker McKenzie's Palo Alto office, as well as a former CEO and General Counsel. Before joining the Firm, Cynthia was Deputy Department Chair of the Corporate Section in the California offices of Baker Botts where she built the technology transactions and data privacy practice. An intellectual property transactions attorney, Cynthia also has expertise in digital transformation, data privacy, and cybersecurity strategy. She advises clients across a wide range of industries including Technology, Media & Telecoms, Energy, Mining & Infrastructure, Healthcare & Life Sciences, and Industrials, Manufacturing & Transportation. Cynthia has deep experience in complex cross-border, IP, data-driven and digital transactions, creating bespoke agreements in novel technology fields. She acts as outside general counsel to a number of executive teams and boards of directors.

Author

Jonathan Tam is a licensed attorney in California and Ontario. He focuses on privacy, advertising, intellectual property, content moderation and consumer protection laws. He is passionate about helping clients achieve their commercial objectives while managing legal risks associated with activities involving data, information technology and media. Jonathan regularly writes about information technology and privacy, and is the Vice Chair of the Cybersecurity and Privacy Law Section of the Bar Association of San Francisco. He has completed secondments at a global payment services provider based in London, England and a world-leading tech company based in Silicon Valley. He joined Baker McKenzie as a summer associate in 2012 and has also worked in the Firm's Toronto office.

Author

Helena Engfeldt helps companies around the world expand their businesses internationally, especially by taking privacy law compliance global. She is a partner in Baker McKenzie's International/Commercial Practice Group in San Francisco. She is licensed to practice law in California, New York and Washington.

Author

Michelle Shin is an associate in the International Commercial Group and is based in our San Francisco office. She advises US and multinational companies on data privacy compliance, intellectual property, and consumer protection laws.

Author

Mariana Oliver is an Associate in Baker McKenzie's Chicago office.

Author

Manisha Reddy is an Associate in Baker McKenzie's Chicago office.
